qakbot | 2c10df26a553b09ad12d5452bc50e527136bf6613b35d01f4feba4e1060353bd

General

Target

2c10df26a553b09ad12d5452bc50e527136bf6613b35d01f4feba4e1060353bd.dll
Size

881KB
MD5

f8832c9c2d532586a6a27c18b1618d1c
SHA1

ad9ab0a5676f563357329fb97ab8ae037e0690a1
SHA256

2c10df26a553b09ad12d5452bc50e527136bf6613b35d01f4feba4e1060353bd
SHA512

3a6503c6d1b98e9833bd83ef27289211b778cb0cbbe6acf8a59d114b92f6bd2f998f9f5fef5d31fef23cbecd2ed44d480f3c19dbb6036ac670c5cb4abf029750

Score

10^/10

qakbot cullinan 1639333530 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.10

Botnet

cullinan

Campaign

1639333530

C2

65.100.174.110:443

173.21.10.71:2222

140.82.49.12:443

190.73.3.148:2222

76.25.142.196:443

71.74.12.34:443

31.215.98.160:443

93.48.80.198:995

45.9.20.200:2211

41.228.22.180:443

109.12.111.14:443

63.143.92.99:995

120.150.218.241:995

94.60.254.81:443

86.148.6.51:443

218.101.110.3:995

216.238.71.31:443

207.246.112.221:443

216.238.72.121:443

216.238.71.31:995

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1736 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

788 schtasks.exe

pid	process
1736	regsvr32.exe

pid	process
788	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Caqbkxwrv\d80f710b = 490d7a110b5fe6cdbf921153e24884390269607499fb12a86dd88a8b2b862a35f9a712	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Caqbkxwrv\ed90a145 = a926b0a37b3cf401a7b3489caaf542fe119f913c7d92d2aae84cc8ae42b1db30847291c7bed5db244eda36fd9a7657a9d79a15731a885d600c1fc2309e18956e9358d23108c182c39632db64358d76a4c3d4bbe3207c5d0db98f0f1eb7e649b220d445fea10633c3b4151383dd499d4c261ee6936545d7cd2852df4fa3de4668b53d064406304041ee96b64694d52fbc56ff8d563ab26192789a72a49d699de00ffa292f1ee65acc70a736cbd623138c76aa948fc9a460	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Caqbkxwrv\576de65c = 0bb3c811d60af7eb38fd067539b6fb83323c0e2a0293d26043d83b78ba438e0cb73fcedd73e7d9a7c4318e9cd22fb34f0921f81c64ba42f4c6e13aef91da0efcf4da406729a3238b2744411c39a2624b73e20cc9d6	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Caqbkxwrv\92d9ceb3 = 7f1c166de5ae8f2b23a01caa257e4c20e1985f63fc72776b851fa5ffc72190ab56e137b9b5f9d79289a1d913224ff365a1c82a	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Caqbkxwrv\552cc620 = 6a6f4ac7da6eff8884c8052a2d8cc22170da13430de6eb2ba50da79e3608b2c165ecd46144a4fdc50e5cc3ef0660539bc3c0ed78ef94b67092fe9fd14ccea23eba3796bb889e477e37ad5ffddcc245add345e4491a69ebbb056e56d8592f4b7ad2c04d6ae04f7d3ca1	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Caqbkxwrv\d80f710b = 490d6d110b5fd366d7e146fad963eaa51009e865e40afc2223e6bd52fcacbfd9f0a31b81d6f9e916d60b70ee09874a3213da05952d74af7a	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Caqbkxwrv	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Caqbkxwrv\2a65a9d6 = ba637baa2cb8a15e19b3f51b17dbcda1ff905e865f238f2c60509d1793736dd63ccbf2e9595e193b3a0b02c2c9bc26c16d9c7497e4bbaea8ea68df1dce61fb2b1c203aa844f4e44ce0f0b0adf6c59d1beded9e97e3227686d6c886d227b3069fbc4adceb7016287183bbe5	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Caqbkxwrv\a7461efd = 911db457ebcdb99e39b1863273223ea33f381c0af5b982b7623e77c79c826d407cd5bebef48ed270dca621f7632d9b95d5b17e32d6d62d019ab9f9a4e6ba84279fd906c58202819914d0e2a6d56c4082e8d11b3bc762db4ab904af9001caff0cda9ba95ababebe71ab9e36628cf309	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Caqbkxwrv\efd18139 = fd0cb3d093a1dd9ad349f7e2f0c6e66d7506870187f0311e41862fcde2529183881d08c31350d566dbe5ed60ce7d7c4f8f4116969c36fd89	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

1616 regsvr32.exe
1736 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

1616 regsvr32.exe
1736 regsvr32.exe

pid	process
1616	regsvr32.exe
1736	regsvr32.exe

pid	process
1616	regsvr32.exe
1736	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

regsvr32.exeregsvr32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 956 wrote to memory of 1616	956	regsvr32.exe	regsvr32.exe
PID 956 wrote to memory of 1616	956	regsvr32.exe	regsvr32.exe
PID 956 wrote to memory of 1616	956	regsvr32.exe	regsvr32.exe
PID 956 wrote to memory of 1616	956	regsvr32.exe	regsvr32.exe
PID 956 wrote to memory of 1616	956	regsvr32.exe	regsvr32.exe
PID 956 wrote to memory of 1616	956	regsvr32.exe	regsvr32.exe
PID 956 wrote to memory of 1616	956	regsvr32.exe	regsvr32.exe
PID 1616 wrote to memory of 1872	1616	regsvr32.exe	explorer.exe
PID 1616 wrote to memory of 1872	1616	regsvr32.exe	explorer.exe
PID 1616 wrote to memory of 1872	1616	regsvr32.exe	explorer.exe
PID 1616 wrote to memory of 1872	1616	regsvr32.exe	explorer.exe
PID 1616 wrote to memory of 1872	1616	regsvr32.exe	explorer.exe
PID 1616 wrote to memory of 1872	1616	regsvr32.exe	explorer.exe
PID 1872 wrote to memory of 788	1872	explorer.exe	schtasks.exe
PID 1872 wrote to memory of 788	1872	explorer.exe	schtasks.exe
PID 1872 wrote to memory of 788	1872	explorer.exe	schtasks.exe
PID 1872 wrote to memory of 788	1872	explorer.exe	schtasks.exe
PID 1224 wrote to memory of 1816	1224	taskeng.exe	regsvr32.exe
PID 1224 wrote to memory of 1816	1224	taskeng.exe	regsvr32.exe
PID 1224 wrote to memory of 1816	1224	taskeng.exe	regsvr32.exe
PID 1224 wrote to memory of 1816	1224	taskeng.exe	regsvr32.exe
PID 1224 wrote to memory of 1816	1224	taskeng.exe	regsvr32.exe
PID 1816 wrote to memory of 1736	1816	regsvr32.exe	regsvr32.exe
PID 1816 wrote to memory of 1736	1816	regsvr32.exe	regsvr32.exe
PID 1816 wrote to memory of 1736	1816	regsvr32.exe	regsvr32.exe
PID 1816 wrote to memory of 1736	1816	regsvr32.exe	regsvr32.exe
PID 1816 wrote to memory of 1736	1816	regsvr32.exe	regsvr32.exe
PID 1816 wrote to memory of 1736	1816	regsvr32.exe	regsvr32.exe
PID 1816 wrote to memory of 1736	1816	regsvr32.exe	regsvr32.exe
PID 1736 wrote to memory of 1200	1736	regsvr32.exe	explorer.exe
PID 1736 wrote to memory of 1200	1736	regsvr32.exe	explorer.exe
PID 1736 wrote to memory of 1200	1736	regsvr32.exe	explorer.exe
PID 1736 wrote to memory of 1200	1736	regsvr32.exe	explorer.exe
PID 1736 wrote to memory of 1200	1736	regsvr32.exe	explorer.exe
PID 1736 wrote to memory of 1200	1736	regsvr32.exe	explorer.exe
PID 1200 wrote to memory of 1724	1200	explorer.exe	reg.exe
PID 1200 wrote to memory of 1724	1200	explorer.exe	reg.exe
PID 1200 wrote to memory of 1724	1200	explorer.exe	reg.exe
PID 1200 wrote to memory of 1724	1200	explorer.exe	reg.exe
PID 1200 wrote to memory of 1076	1200	explorer.exe	reg.exe
PID 1200 wrote to memory of 1076	1200	explorer.exe	reg.exe
PID 1200 wrote to memory of 1076	1200	explorer.exe	reg.exe
PID 1200 wrote to memory of 1076	1200	explorer.exe	reg.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2c10df26a553b09ad12d5452bc50e527136bf6613b35d01f4feba4e1060353bd.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\2c10df26a553b09ad12d5452bc50e527136bf6613b35d01f4feba4e1060353bd.dll
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1872

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn cupsqkz /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\2c10df26a553b09ad12d5452bc50e527136bf6613b35d01f4feba4e1060353bd.dll\"" /SC ONCE /Z /ST 22:53 /ET 23:05
4⤵
- Creates scheduled task(s)
PID:788

C:\Windows\system32\taskeng.exe
taskeng.exe {F0764F46-7882-4AC4-917A-7D3C3655094B} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\2c10df26a553b09ad12d5452bc50e527136bf6613b35d01f4feba4e1060353bd.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\2c10df26a553b09ad12d5452bc50e527136bf6613b35d01f4feba4e1060353bd.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Akaikpid" /d "0"
5⤵
PID:1724

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Hdtaqvuta" /d "0"
5⤵
PID:1076

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2c10df26a553b09ad12d5452bc50e527136bf6613b35d01f4feba4e1060353bd.dll
MD5
f8832c9c2d532586a6a27c18b1618d1c

SHA1
ad9ab0a5676f563357329fb97ab8ae037e0690a1

SHA256
2c10df26a553b09ad12d5452bc50e527136bf6613b35d01f4feba4e1060353bd

SHA512
3a6503c6d1b98e9833bd83ef27289211b778cb0cbbe6acf8a59d114b92f6bd2f998f9f5fef5d31fef23cbecd2ed44d480f3c19dbb6036ac670c5cb4abf029750

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\2c10df26a553b09ad12d5452bc50e527136bf6613b35d01f4feba4e1060353bd.dll
MD5
f8832c9c2d532586a6a27c18b1618d1c

SHA1
ad9ab0a5676f563357329fb97ab8ae037e0690a1

SHA256
2c10df26a553b09ad12d5452bc50e527136bf6613b35d01f4feba4e1060353bd

SHA512
3a6503c6d1b98e9833bd83ef27289211b778cb0cbbe6acf8a59d114b92f6bd2f998f9f5fef5d31fef23cbecd2ed44d480f3c19dbb6036ac670c5cb4abf029750

Download Submit
memory/788-61-0x0000000000000000-mapping.dmp

Download
memory/956-53-0x000007FEFC4A1000-0x000007FEFC4A3000-memory.dmp

Filesize
8KB

Download
memory/1076-76-0x0000000000000000-mapping.dmp

Download
memory/1200-71-0x0000000000000000-mapping.dmp

Download
memory/1200-77-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1616-56-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1616-62-0x0000000010000000-0x00000000100FA000-memory.dmp

Filesize
1000KB

Download
memory/1616-55-0x0000000075D11000-0x0000000075D13000-memory.dmp

Filesize
8KB

Download
memory/1616-54-0x0000000000000000-mapping.dmp

Download
memory/1724-75-0x0000000000000000-mapping.dmp

Download
memory/1736-67-0x0000000000000000-mapping.dmp

Download
memory/1816-64-0x0000000000000000-mapping.dmp

Download
memory/1872-57-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download
memory/1872-63-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1872-60-0x0000000074E51000-0x0000000074E53000-memory.dmp

Filesize
8KB

Download
memory/1872-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads