qakbot | d71d1b53db8a84f458dd0e1d09753e566da818fa792c2ea4d2e89fb59d83939a

Analysis

max time kernel
150s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17-04-2024 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12094a47a9659b1c2f7c5b36e21d2b0145c9e7b2e79845a437508efa96e5f305.dll
Size

898KB
MD5

88bbf2a743baaf81f7a312be61f90d76
SHA1

3719aabc29d5eb58d5d2d2a37066047c67bfc2c6
SHA256

12094a47a9659b1c2f7c5b36e21d2b0145c9e7b2e79845a437508efa96e5f305
SHA512

b01f955eb5f840e01f1f65d5f19c0963e155b1f8d03b4e0720eccbd397cc9aee9a19a63000719e3cf8f580573a335bd61f39fe1261f44e1d5371a9c695b60b70
SSDEEP

24576:qTm4c0TXhxdmVQGn88R7XM3Ljluc9KEaJqCjh0LmK8:6jP8Q13LjluSrCj+q/

Score

10^/10

qakbot tchk07 1702975817 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

tchk07

Campaign

1702975817

116.203.56.11:443

109.107.181.8:443

Attributes

camp_date
2023-12-19 08:50:17 +0000 UTC

Signatures

Detect Qakbot Payload 13 IoCs

resource	yara_rule
behavioral2/memory/4348-0-0x0000026544850000-0x000002654487F000-memory.dmp	family_qakbot_v5
behavioral2/memory/4348-3-0x0000026543050000-0x000002654307D000-memory.dmp	family_qakbot_v5
behavioral2/memory/4348-5-0x0000026544880000-0x00000265448AE000-memory.dmp	family_qakbot_v5
behavioral2/memory/4348-6-0x0000026544880000-0x00000265448AE000-memory.dmp	family_qakbot_v5
behavioral2/memory/4916-8-0x00000249A2BD0000-0x00000249A2BFE000-memory.dmp	family_qakbot_v5
behavioral2/memory/4916-15-0x00000249A2BD0000-0x00000249A2BFE000-memory.dmp	family_qakbot_v5
behavioral2/memory/4348-14-0x0000026544880000-0x00000265448AE000-memory.dmp	family_qakbot_v5
behavioral2/memory/4916-24-0x00000249A2BD0000-0x00000249A2BFE000-memory.dmp	family_qakbot_v5
behavioral2/memory/4916-25-0x00000249A2BD0000-0x00000249A2BFE000-memory.dmp	family_qakbot_v5
behavioral2/memory/4916-26-0x00000249A2BD0000-0x00000249A2BFE000-memory.dmp	family_qakbot_v5
behavioral2/memory/4916-27-0x00000249A2BD0000-0x00000249A2BFE000-memory.dmp	family_qakbot_v5
behavioral2/memory/4916-28-0x00000249A2BD0000-0x00000249A2BFE000-memory.dmp	family_qakbot_v5
behavioral2/memory/4916-30-0x00000249A2BD0000-0x00000249A2BFE000-memory.dmp	family_qakbot_v5

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Modifies registry class 10 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\jngqylfcyimvplu\8cc57fed = 471657f0fc7631f275c3f69934a0a35cbbb142b9545aa84916998c017c0dcab62a81d5534f1907c48062be04a0f1d217bd09c998d2c27b8c0141136792c373cc40676221dbcfe28091d4baf2b63fadc667	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\jngqylfcyimvplu\5f206458 = 04733e0c2570e66a44b4d3936c361374270156f1651ecc7e519c81f0a4cad8a798d3bf461db63a0150b3fe41cd3e0fe59277ba55c9d9d6b5e527b196fea4b9569ec7d3c097add7d6e7628ee625735247792d3e67d9fc70b1fb1ddeee1427bb8fba203a76aaf16d3af157bc811677e4615e0809413adc2e27da0f376222647384a8	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\jngqylfcyimvplu\5ea739df = 07f3e24f1ac1a18d0669212ab218663798a536be2fd17dbddb11cb8ee8c9ea4a9eb6bd4029e3c114756fef46ea34295dde5fbc84adef24ab464cbbda14dbcd1bafffe4f070b4a43757967d3065cb1ead1301674d04ef9fbf8a0ce2c4144e3bed36	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\jngqylfcyimvplu\c5a22c0e = 46d3b841b8c3571eb90ab229be8d5f6bafe928862674414ce3a398b152f712cf171d51d99bc32837d9fecc78f0ef62dc3407e6c5141346a46ea96d360527f3a263f2ca854bd830ba349d5da2abc5a42b7f05d324061c9dafdb832d5adcd6cfa910105cf73cf6de58b6b0fe2ee3924c47a1	wermgr.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\jngqylfcyimvplu	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\jngqylfcyimvplu\920d3941 = 841f03cc4db0d39c03a8172e2da042f737154d8db94fa5451ce2e313346939e19a5c64be4289f3243eaf692473f9d953c4b549eecd6f4332d444f9efc91f9b2d112d59d3f87f9a08d2780602169f5199b9187dda462361f61ad5b7e06e1fbc321716266c8a43f1a76589a616a768a5f77b98abc87bf3d8d998662cc8b117ae9fe6edbbdf01900c89879aa8e6ee23ce73a7817c854cf49b906616489cade3d12de8	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\jngqylfcyimvplu\938a64c6 = 65fac8a6463e16ce0c411acef935543fabbb752b7152de7ef128604a1696ed445e6f6a332c31875bb1b5d9266ff2624686	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\jngqylfcyimvplu\c4257189 = 261a20b8acc19a3922acb3209cbe53ff36865ecb565a425bc420192b7a7d7ea93eeff74ed75ce188be2e9250aecf7d589b4bb2808cedce4410482f6e3a37017b20	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\jngqylfcyimvplu\c4257189 = 87d8ad1f95e6e540bcdaf57ab401a4f2b0ce7a838f0ee048c0e3bb9a1eb36cede24c795d5cfe023065dfb2fcf70dfd3630	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\jngqylfcyimvplu\406f7f73 = e4bdb04d187febed9a761b385783f095401903479e99314a21f5db99c00baedcfd8cde70c7c42299096b6c674cf5967801	wermgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4348	rundll32.exe
4348	rundll32.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe
4916	wermgr.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4348 wrote to memory of 4916	4348	rundll32.exe	87
PID 4348 wrote to memory of 4916	4348	rundll32.exe	87
PID 4348 wrote to memory of 4916	4348	rundll32.exe	87
PID 4348 wrote to memory of 4916	4348	rundll32.exe	87
PID 4348 wrote to memory of 4916	4348	rundll32.exe	87

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\12094a47a9659b1c2f7c5b36e21d2b0145c9e7b2e79845a437508efa96e5f305.dll,#1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4348
- C:\Windows\System32\wermgr.exe
  C:\Windows\System32\wermgr.exe
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4916

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4348-0-0x0000026544850000-0x000002654487F000-memory.dmp

Filesize
188KB

Download
memory/4348-3-0x0000026543050000-0x000002654307D000-memory.dmp

Filesize
180KB

Download
memory/4348-5-0x0000026544880000-0x00000265448AE000-memory.dmp

Filesize
184KB

Download
memory/4348-6-0x0000026544880000-0x00000265448AE000-memory.dmp

Filesize
184KB

Download
memory/4348-14-0x0000026544880000-0x00000265448AE000-memory.dmp

Filesize
184KB

Download
memory/4916-15-0x00000249A2BD0000-0x00000249A2BFE000-memory.dmp

Filesize
184KB

Download
memory/4916-8-0x00000249A2BD0000-0x00000249A2BFE000-memory.dmp

Filesize
184KB

Download
memory/4916-7-0x00000249A2C00000-0x00000249A2C02000-memory.dmp

Filesize
8KB

Download
memory/4916-24-0x00000249A2BD0000-0x00000249A2BFE000-memory.dmp

Filesize
184KB

Download
memory/4916-25-0x00000249A2BD0000-0x00000249A2BFE000-memory.dmp

Filesize
184KB

Download
memory/4916-26-0x00000249A2BD0000-0x00000249A2BFE000-memory.dmp

Filesize
184KB

Download
memory/4916-27-0x00000249A2BD0000-0x00000249A2BFE000-memory.dmp

Filesize
184KB

Download
memory/4916-28-0x00000249A2BD0000-0x00000249A2BFE000-memory.dmp

Filesize
184KB

Download
memory/4916-30-0x00000249A2BD0000-0x00000249A2BFE000-memory.dmp

Filesize
184KB

Download