qakbot | 881cb11ffc66771dbaa00ac3f530395a53309206407b78d79cbc9c8215611754

General

Target

12094a47a9659b1c2f7c5b36e21d2b0145c9e7b2e79845a437508efa96e5f305.dll
Size

898KB
MD5

88bbf2a743baaf81f7a312be61f90d76
SHA1

3719aabc29d5eb58d5d2d2a37066047c67bfc2c6
SHA256

12094a47a9659b1c2f7c5b36e21d2b0145c9e7b2e79845a437508efa96e5f305
SHA512

b01f955eb5f840e01f1f65d5f19c0963e155b1f8d03b4e0720eccbd397cc9aee9a19a63000719e3cf8f580573a335bd61f39fe1261f44e1d5371a9c695b60b70
SSDEEP

24576:qTm4c0TXhxdmVQGn88R7XM3Ljluc9KEaJqCjh0LmK8:6jP8Q13LjluSrCj+q/

Score

10^/10

qakbot tchk07 1702975817 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

tchk07

Campaign

1702975817

C2

116.203.56.11:443

109.107.181.8:443

Attributes

camp_date
2023-12-19 08:50:17 +0000 UTC

Signatures

Detect Qakbot Payload 13 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4120-5-0x0000019D93E60000-0x0000019D93E8E000-memory.dmp	family_qakbot_v5
behavioral2/memory/4120-4-0x0000019D93E00000-0x0000019D93E2D000-memory.dmp	family_qakbot_v5
behavioral2/memory/4120-6-0x0000019D93E60000-0x0000019D93E8E000-memory.dmp	family_qakbot_v5
behavioral2/memory/4120-0-0x0000019D93E30000-0x0000019D93E5F000-memory.dmp	family_qakbot_v5
behavioral2/memory/1780-9-0x000002D82D540000-0x000002D82D56E000-memory.dmp	family_qakbot_v5
behavioral2/memory/1780-15-0x000002D82D540000-0x000002D82D56E000-memory.dmp	family_qakbot_v5
behavioral2/memory/4120-14-0x0000019D93E60000-0x0000019D93E8E000-memory.dmp	family_qakbot_v5
behavioral2/memory/1780-27-0x000002D82D540000-0x000002D82D56E000-memory.dmp	family_qakbot_v5
behavioral2/memory/1780-26-0x000002D82D540000-0x000002D82D56E000-memory.dmp	family_qakbot_v5
behavioral2/memory/1780-25-0x000002D82D540000-0x000002D82D56E000-memory.dmp	family_qakbot_v5
behavioral2/memory/1780-24-0x000002D82D540000-0x000002D82D56E000-memory.dmp	family_qakbot_v5
behavioral2/memory/1780-28-0x000002D82D540000-0x000002D82D56E000-memory.dmp	family_qakbot_v5
behavioral2/memory/1780-30-0x000002D82D540000-0x000002D82D56E000-memory.dmp	family_qakbot_v5

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Modifies registry class 10 IoCs

Processes:

wermgr.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\jxemmebvdrajtq\74ee61ed = 64a91dbcab1c46bef6fb0a4acd810ec358545529dfc1dfe4ff8ef6d570325bd796e1c8ccd8de8588b1ef6914a56a0d824b891adf1bf65523419d09677255e565ded24d185633bbe27d443348e474625a25f0183ac6f039ca61d146c79b47e73f1a90cdeafeb3378013d0f40616eef174ad8456b6af7c09a0afb224b6f0c3838adb6b7d7d5dd8c21d4f4f49f1409fbbbd47	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\jxemmebvdrajtq\efeb743c = 84c932909b7d08e150af49d2b34a036c3a65a74dde33ebbaea16e2dbb71b029ca50ec1ea491ec612d73c760ecd50c53cd9	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\jxemmebvdrajtq\74ee61ed = 847a3a7bdc0614cb0e2a7481d06ddd750a0f486b2541508ae08300d8f212028649d8aebf25b586296028c2c73d7cbbf1eaac1fc77bf70216bcdaeb62708fa82059f7785459052496c9a9f40170bacb0ed7aab7eef33b709e19307d33d8d173ae06b45c7a757eec96b412b9bf4dce2068ce	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\jxemmebvdrajtq\22c62925 = c71081d466e93c5a19900feb0cf511ecf4e24d1e08dabfeceace0f8a48c42813c0123878e60b4aa413ba92baaa9f76bf30dd1a2d9f98c4cc7f3d879dd93a0a588531b05e4619fdcd57b47cf20862cf62570ec127b8bd0c942ad15ed40a7ba46a4e48ec7121a109c15502b82803cdccbff380ca8df9172eb3a2b1c99fc5ae906f713fb38e5774d124568b90c57351d33518	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\jxemmebvdrajtq\3c0e6f89 = 07c77a67bd75c6f908d69d7158011875720a3ed494139f946eb51452c282b84684eca1a805edd0f0ced82fd836012b3bc5bfc82475f1c975458db1134479654708e59b0900b932d44fd8e416ef10eec40b96a71e372f958806c510994abaa5d4d4	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\jxemmebvdrajtq\f0a46f17 = 8671241d07acbadeff85785fad01415df0d16f0c5b21abc1e0017a936b45dcca3fd508ce2ecba2fb28eb119f068b92650b3cb6cc70cf531101c9929b3f9b75a32861eb941f80d9651bf059bf3998115c6a	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\jxemmebvdrajtq\234174a2 = 0456ebfef7d891eac15eb38fd776290e3363936efc1914935c546c54128312369b54106fe9ed316fb6d393c46711a837fa82b721846b18d4ecf6b538f328a721a5dfaaec0cc248cdb169d79b90ee50c2727b64d41718a7c0b3d5e3fe7349e61a69284cb4cf3aa256b3c4479c8680ac628b	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\jxemmebvdrajtq\ee6c29bb = 2415af38b12f8c5c31487a01ca4c3eb2ba93af594a40bf8ee83d88d3556c033e1e6906dec7396d195db9531282847ae2c322ce2d52d69be2093ca93c8f0cd3bc41f265bc11b364a170c932128f161a625b	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\jxemmebvdrajtq\75693c6a = 047df2cde35c0e5a90c647d4001e406e05ebbbf615f495e3e263c721456629de4f1d73c06e8ba71cc648d3ab9385a5f946127f4dbe044f5e117988a387f4b9d02acc060e05a8f6d5051b6c2604c21939f3	wermgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\jxemmebvdrajtq	wermgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exewermgr.exe

pid	process
4120	rundll32.exe
4120	rundll32.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe
1780	wermgr.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4120 wrote to memory of 1780	4120	rundll32.exe	wermgr.exe
PID 4120 wrote to memory of 1780	4120	rundll32.exe	wermgr.exe
PID 4120 wrote to memory of 1780	4120	rundll32.exe	wermgr.exe
PID 4120 wrote to memory of 1780	4120	rundll32.exe	wermgr.exe
PID 4120 wrote to memory of 1780	4120	rundll32.exe	wermgr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\12094a47a9659b1c2f7c5b36e21d2b0145c9e7b2e79845a437508efa96e5f305.dll,#1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4120
- C:\Windows\System32\wermgr.exe
  C:\Windows\System32\wermgr.exe
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1780

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1780-26-0x000002D82D540000-0x000002D82D56E000-memory.dmp

Filesize
184KB

Download
memory/1780-15-0x000002D82D540000-0x000002D82D56E000-memory.dmp

Filesize
184KB

Download
memory/1780-30-0x000002D82D540000-0x000002D82D56E000-memory.dmp

Filesize
184KB

Download
memory/1780-28-0x000002D82D540000-0x000002D82D56E000-memory.dmp

Filesize
184KB

Download
memory/1780-7-0x000002D82D570000-0x000002D82D572000-memory.dmp

Filesize
8KB

Download
memory/1780-9-0x000002D82D540000-0x000002D82D56E000-memory.dmp

Filesize
184KB

Download
memory/1780-24-0x000002D82D540000-0x000002D82D56E000-memory.dmp

Filesize
184KB

Download
memory/1780-27-0x000002D82D540000-0x000002D82D56E000-memory.dmp

Filesize
184KB

Download
memory/1780-25-0x000002D82D540000-0x000002D82D56E000-memory.dmp

Filesize
184KB

Download
memory/4120-5-0x0000019D93E60000-0x0000019D93E8E000-memory.dmp

Filesize
184KB

Download
memory/4120-14-0x0000019D93E60000-0x0000019D93E8E000-memory.dmp

Filesize
184KB

Download
memory/4120-4-0x0000019D93E00000-0x0000019D93E2D000-memory.dmp

Filesize
180KB

Download
memory/4120-0-0x0000019D93E30000-0x0000019D93E5F000-memory.dmp

Filesize
188KB

Download
memory/4120-6-0x0000019D93E60000-0x0000019D93E8E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads