qakbot | 51ff536b1f12c59753e3d3344b8df232c3fd7aafb49bf782e54058fc8f220e3f

General

Target

t.dll
Size

898KB
MD5

88bbf2a743baaf81f7a312be61f90d76
SHA1

3719aabc29d5eb58d5d2d2a37066047c67bfc2c6
SHA256

12094a47a9659b1c2f7c5b36e21d2b0145c9e7b2e79845a437508efa96e5f305
SHA512

b01f955eb5f840e01f1f65d5f19c0963e155b1f8d03b4e0720eccbd397cc9aee9a19a63000719e3cf8f580573a335bd61f39fe1261f44e1d5371a9c695b60b70
SSDEEP

24576:qTm4c0TXhxdmVQGn88R7XM3Ljluc9KEaJqCjh0LmK8:6jP8Q13LjluSrCj+q/

Score

10^/10

qakbot tchk07 1702975817 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

tchk07

Campaign

1702975817

C2

116.203.56.11:443

109.107.181.8:443

Attributes

camp_date
2023-12-19 08:50:17 +0000 UTC

Signatures

Detect Qakbot Payload 13 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1828-0-0x0000028B8E580000-0x0000028B8E5AF000-memory.dmp	family_qakbot_v5
behavioral2/memory/1828-1-0x0000028B8E550000-0x0000028B8E57D000-memory.dmp	family_qakbot_v5
behavioral2/memory/1828-5-0x0000028B8E5B0000-0x0000028B8E5DE000-memory.dmp	family_qakbot_v5
behavioral2/memory/1828-6-0x0000028B8E5B0000-0x0000028B8E5DE000-memory.dmp	family_qakbot_v5
behavioral2/memory/3548-8-0x00000268A0250000-0x00000268A027E000-memory.dmp	family_qakbot_v5
behavioral2/memory/3548-14-0x00000268A0250000-0x00000268A027E000-memory.dmp	family_qakbot_v5
behavioral2/memory/1828-21-0x0000028B8E5B0000-0x0000028B8E5DE000-memory.dmp	family_qakbot_v5
behavioral2/memory/3548-27-0x00000268A0250000-0x00000268A027E000-memory.dmp	family_qakbot_v5
behavioral2/memory/3548-26-0x00000268A0250000-0x00000268A027E000-memory.dmp	family_qakbot_v5
behavioral2/memory/3548-25-0x00000268A0250000-0x00000268A027E000-memory.dmp	family_qakbot_v5
behavioral2/memory/3548-24-0x00000268A0250000-0x00000268A027E000-memory.dmp	family_qakbot_v5
behavioral2/memory/3548-28-0x00000268A0250000-0x00000268A027E000-memory.dmp	family_qakbot_v5
behavioral2/memory/3548-30-0x00000268A0250000-0x00000268A027E000-memory.dmp	family_qakbot_v5

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Modifies registry class 10 IoCs

Processes:

wermgr.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\pofeydaeiznszm	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\pofeydaeiznszm\86fe9dc6 = 8454065e5605cdb447d2315bc375343f2b7b386abcfa6e8b2f57bc77ea247b359612cc1a730833e06ab338f0ae13d288bcd1ba0adea0d804dca197fe70ebca9797	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\pofeydaeiznszm\1c7cd590 = 67fa87d8efd4f53430c7f916ca11eae1f95615b2eecc3149d36c0344c896b82aba85b2b283c016d4882321b1e31bbec15bb34f016de7eef3ba344c8c08573f51a8	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\pofeydaeiznszm\4a549d58 = e6391600f9a486af6a5c67526e29248e394c2e654d65d924eeaef2c0f045ffa5aaf4c6a659d68bc5dd132dc1c036618ed4731fd17e022a8f808768b8ad0ed1054ed8dcaf8b4ec0a4c7067914bc8b6c46b4828a6d774fd2207fb1a80c65e691131638fc8f49aea0b2aa5a79bb9d427ee18faa397b91b3122e5a119635148eeb9b14	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\pofeydaeiznszm\549cdbf4 = a7d43701675a8982add85c44adefb80a1061a409342e486fa6facb60297579c4f5ae0c6a67c2bf3d95fb7bed3aa0647438	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\pofeydaeiznszm\9836db6a = c48f538c9ea2d99d2465207b6a34407d819c118f2c2cb944f73f0c47646173c82471b0ca47f3f80486acfdb8d9ec0e5e388d66b0a5bde71129f631cc2aeae60c329598cdb81a5c314da4ceb3d0a727a0e56854caa3c710ca79117a07c96499129c76a7c0a45fc217386dc09ff6836bfbd9	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\pofeydaeiznszm\8779c041 = 6788b4e6101600b89a7d108f8a7eb471ca8e4222fdf9005f04495184b65e54ed22d35420a46b89adef959e060b0f936645b8eb866e77a4d14834017af3da73b46f17fd16c49bb957e03a6458fd1335df82b936bed02bb5edf421799fc8e7f36dc163c565cd0beae9bba860911017ceaad23219d19b4be3d9fac02da8cf142ad060	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\pofeydaeiznszm\4bd3c0df = a5816edd47c7f553d1ea6494836c3557e249b4ee26f96c1947e74d664bb884a3bdc10dd7b97e67664848ae258b56b11d0c933e77e0744db5d2ce1f7aff40d185e6	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\pofeydaeiznszm\1dfb8817 = 8500c5e055388fe8bd92ff41c66ab7d156588d7e109cf33612a983060d9aef52c830bc0d4759d789bba41480b11340f111	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\pofeydaeiznszm\1c7cd590 = e7c3c0df4db2e61366e555daddba3d0336fc9920f63da2c68f40a8bfea9086abc57cf80714350cc339a0b4ab69af9309c28997200d564450359cc8e5e9b0cac21eafc99be92db4bf8d21d5f79b576b993f1973e04343da787518ebf445f8306e3a	wermgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exewermgr.exe

pid	process
1828	rundll32.exe
1828	rundll32.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1828 wrote to memory of 3548	1828	rundll32.exe	wermgr.exe
PID 1828 wrote to memory of 3548	1828	rundll32.exe	wermgr.exe
PID 1828 wrote to memory of 3548	1828	rundll32.exe	wermgr.exe
PID 1828 wrote to memory of 3548	1828	rundll32.exe	wermgr.exe
PID 1828 wrote to memory of 3548	1828	rundll32.exe	wermgr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\t.dll,#1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1828
- C:\Windows\System32\wermgr.exe
  C:\Windows\System32\wermgr.exe
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3548

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1828-0-0x0000028B8E580000-0x0000028B8E5AF000-memory.dmp

Filesize
188KB

Download
memory/1828-1-0x0000028B8E550000-0x0000028B8E57D000-memory.dmp

Filesize
180KB

Download
memory/1828-5-0x0000028B8E5B0000-0x0000028B8E5DE000-memory.dmp

Filesize
184KB

Download
memory/1828-6-0x0000028B8E5B0000-0x0000028B8E5DE000-memory.dmp

Filesize
184KB

Download
memory/1828-21-0x0000028B8E5B0000-0x0000028B8E5DE000-memory.dmp

Filesize
184KB

Download
memory/3548-14-0x00000268A0250000-0x00000268A027E000-memory.dmp

Filesize
184KB

Download
memory/3548-7-0x00000268A0280000-0x00000268A0282000-memory.dmp

Filesize
8KB

Download
memory/3548-8-0x00000268A0250000-0x00000268A027E000-memory.dmp

Filesize
184KB

Download
memory/3548-27-0x00000268A0250000-0x00000268A027E000-memory.dmp

Filesize
184KB

Download
memory/3548-26-0x00000268A0250000-0x00000268A027E000-memory.dmp

Filesize
184KB

Download
memory/3548-25-0x00000268A0250000-0x00000268A027E000-memory.dmp

Filesize
184KB

Download
memory/3548-24-0x00000268A0250000-0x00000268A027E000-memory.dmp

Filesize
184KB

Download
memory/3548-28-0x00000268A0250000-0x00000268A027E000-memory.dmp

Filesize
184KB

Download
memory/3548-30-0x00000268A0250000-0x00000268A027E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads