qakbot | 2599965afc0a2ae60c8b61f82ecaf6a92918dd795d95121f951658a32ac737f8

General

Target

2599965afc0a2ae60c8b61f82ecaf6a92918dd795d95121f951658a32ac737f8.dll
Size

858KB
MD5

4f2bfea5068bf0f963e778f4f61cd99c
SHA1

797d596d9ef376747671cb373207043a5dbaccec
SHA256

2599965afc0a2ae60c8b61f82ecaf6a92918dd795d95121f951658a32ac737f8
SHA512

654adb2549cefb51bff892dd0c9964804ff3616496187b855995aab8596e03500d3d0170f90e2ee575fd383e80b341d97d2bb1191febcc4d36630b08d96f15ce

Score

10^/10

qakbot cullinan 1639333530 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.10

Botnet

cullinan

Campaign

1639333530

C2

65.100.174.110:443

173.21.10.71:2222

140.82.49.12:443

190.73.3.148:2222

76.25.142.196:443

71.74.12.34:443

31.215.98.160:443

93.48.80.198:995

45.9.20.200:2211

41.228.22.180:443

109.12.111.14:443

63.143.92.99:995

120.150.218.241:995

94.60.254.81:443

86.148.6.51:443

218.101.110.3:995

216.238.71.31:443

207.246.112.221:443

216.238.72.121:443

216.238.71.31:995

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1512 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1496 schtasks.exe

pid	process
1512	regsvr32.exe

pid	process
1496	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Psuyiujeylpjs\2b82d38c = 915093cc304cf43ed3386a311e8b8a23d018	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Psuyiujeylpjs\933eb4e9 = 81361e5f4f29903625b0ec475ed8aab872631cd37a25f5b4fc88fe66	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Psuyiujeylpjs\54cbbc7a = b61ee4e7ec2de1e0d9d037c71d15	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Psuyiujeylpjs\ee36fb63 = 2f2dd8bea3af8b4910f9140f910eb8aa239cfb6186caad8806af312254ee2927bd6ed0ba42cd24e0915c29ececd3619c530ca4b5	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Psuyiujeylpjs\568a9c06 = cac7d4bfab4723bade63b8f5f1793fbdbdd3c7079c38e6c0bb91dc9cc46ce6f5c7a6d5d266632e197778601d0e470877f274f28c964dc2aec2336908484b4dadf6751e1d59e47eb48814df42da00d9508598f05cabda6a70081258d3b6b3fbe027320ad7a427af5a2143	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Psuyiujeylpjs\a6a164a7 = b43043ea403ee3f6ad0d439647778c342094d8e75f82bc7812102d4a3a1a307921338c4c56129464d70816aa552cdada453833b146c1d407a98f95d1be00fbc3	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Psuyiujeylpjs\d9e80b51 = 1029c93f41104044fa520bb6c211d355ac22e7edc74332ed807c8afa37b270e9283f1e88562495ee1e6ca7e9c73e5756a1e9fe076379a50d8d6e87894bae86717788ece396d431f805f1b2f6944a83047f898c09687be0e6b569d919ecd294f73e093c95dc253b	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Psuyiujeylpjs	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Psuyiujeylpjs\d9e80b51 = 1029de3f411075aa26f33638aaf0e3d1164502e6c8f98ba9b4fd51e2a6d1f9aaec28dc6758a66bbaf34672c7f8cde8c3538e3a0993029e9e75bd665564894327d7ece7f67ba60beb7fe585f86023b4bce649	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Psuyiujeylpjs\ec77db1f = cddbeafa755588f96cbc64e5ad5f4aeebd90e872264c9840c4ac8fa4137b73174778204ce2a1a60501247f91455c9b3b11a3ebb1008ee2ca935f97f4eab8a92b878347d255b47d0c909b25137732357cb7029e660935bddfd23074270129e41d855d0dbc0bb3de0cf0c3af9abc4894ee5410c1aafff374181208e98a60507e0c9f7ccdc5e411332f231aedce2d17fc6fd866f06de40ac85cb59ea74e4de6e22bc2b53ac4b0c4f45f7fce29bb940b69f718ebeae5f58a2b790ba207f37580a76af5bffff259eaf013487d	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

1672 regsvr32.exe
1512 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

1672 regsvr32.exe
1512 regsvr32.exe

pid	process
1672	regsvr32.exe
1512	regsvr32.exe

pid	process
1672	regsvr32.exe
1512	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

regsvr32.exeregsvr32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 948 wrote to memory of 1672	948	regsvr32.exe	regsvr32.exe
PID 948 wrote to memory of 1672	948	regsvr32.exe	regsvr32.exe
PID 948 wrote to memory of 1672	948	regsvr32.exe	regsvr32.exe
PID 948 wrote to memory of 1672	948	regsvr32.exe	regsvr32.exe
PID 948 wrote to memory of 1672	948	regsvr32.exe	regsvr32.exe
PID 948 wrote to memory of 1672	948	regsvr32.exe	regsvr32.exe
PID 948 wrote to memory of 1672	948	regsvr32.exe	regsvr32.exe
PID 1672 wrote to memory of 1288	1672	regsvr32.exe	explorer.exe
PID 1672 wrote to memory of 1288	1672	regsvr32.exe	explorer.exe
PID 1672 wrote to memory of 1288	1672	regsvr32.exe	explorer.exe
PID 1672 wrote to memory of 1288	1672	regsvr32.exe	explorer.exe
PID 1672 wrote to memory of 1288	1672	regsvr32.exe	explorer.exe
PID 1672 wrote to memory of 1288	1672	regsvr32.exe	explorer.exe
PID 1288 wrote to memory of 1496	1288	explorer.exe	schtasks.exe
PID 1288 wrote to memory of 1496	1288	explorer.exe	schtasks.exe
PID 1288 wrote to memory of 1496	1288	explorer.exe	schtasks.exe
PID 1288 wrote to memory of 1496	1288	explorer.exe	schtasks.exe
PID 1212 wrote to memory of 1820	1212	taskeng.exe	regsvr32.exe
PID 1212 wrote to memory of 1820	1212	taskeng.exe	regsvr32.exe
PID 1212 wrote to memory of 1820	1212	taskeng.exe	regsvr32.exe
PID 1212 wrote to memory of 1820	1212	taskeng.exe	regsvr32.exe
PID 1212 wrote to memory of 1820	1212	taskeng.exe	regsvr32.exe
PID 1820 wrote to memory of 1512	1820	regsvr32.exe	regsvr32.exe
PID 1820 wrote to memory of 1512	1820	regsvr32.exe	regsvr32.exe
PID 1820 wrote to memory of 1512	1820	regsvr32.exe	regsvr32.exe
PID 1820 wrote to memory of 1512	1820	regsvr32.exe	regsvr32.exe
PID 1820 wrote to memory of 1512	1820	regsvr32.exe	regsvr32.exe
PID 1820 wrote to memory of 1512	1820	regsvr32.exe	regsvr32.exe
PID 1820 wrote to memory of 1512	1820	regsvr32.exe	regsvr32.exe
PID 1512 wrote to memory of 1336	1512	regsvr32.exe	explorer.exe
PID 1512 wrote to memory of 1336	1512	regsvr32.exe	explorer.exe
PID 1512 wrote to memory of 1336	1512	regsvr32.exe	explorer.exe
PID 1512 wrote to memory of 1336	1512	regsvr32.exe	explorer.exe
PID 1512 wrote to memory of 1336	1512	regsvr32.exe	explorer.exe
PID 1512 wrote to memory of 1336	1512	regsvr32.exe	explorer.exe
PID 1336 wrote to memory of 1940	1336	explorer.exe	reg.exe
PID 1336 wrote to memory of 1940	1336	explorer.exe	reg.exe
PID 1336 wrote to memory of 1940	1336	explorer.exe	reg.exe
PID 1336 wrote to memory of 1940	1336	explorer.exe	reg.exe
PID 1336 wrote to memory of 1948	1336	explorer.exe	reg.exe
PID 1336 wrote to memory of 1948	1336	explorer.exe	reg.exe
PID 1336 wrote to memory of 1948	1336	explorer.exe	reg.exe
PID 1336 wrote to memory of 1948	1336	explorer.exe	reg.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2599965afc0a2ae60c8b61f82ecaf6a92918dd795d95121f951658a32ac737f8.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\2599965afc0a2ae60c8b61f82ecaf6a92918dd795d95121f951658a32ac737f8.dll
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn dtufjqu /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\2599965afc0a2ae60c8b61f82ecaf6a92918dd795d95121f951658a32ac737f8.dll\"" /SC ONCE /Z /ST 09:02 /ET 09:14
4⤵
- Creates scheduled task(s)
PID:1496

C:\Windows\system32\taskeng.exe
taskeng.exe {CE9EFE65-9B68-42A5-BC2F-DC251FA0DB32} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\2599965afc0a2ae60c8b61f82ecaf6a92918dd795d95121f951658a32ac737f8.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\2599965afc0a2ae60c8b61f82ecaf6a92918dd795d95121f951658a32ac737f8.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1336

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Ldcyxooorh" /d "0"
5⤵
PID:1940

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Xoyjioxejf" /d "0"
5⤵
PID:1948

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2599965afc0a2ae60c8b61f82ecaf6a92918dd795d95121f951658a32ac737f8.dll
MD5
4f2bfea5068bf0f963e778f4f61cd99c

SHA1
797d596d9ef376747671cb373207043a5dbaccec

SHA256
2599965afc0a2ae60c8b61f82ecaf6a92918dd795d95121f951658a32ac737f8

SHA512
654adb2549cefb51bff892dd0c9964804ff3616496187b855995aab8596e03500d3d0170f90e2ee575fd383e80b341d97d2bb1191febcc4d36630b08d96f15ce

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\2599965afc0a2ae60c8b61f82ecaf6a92918dd795d95121f951658a32ac737f8.dll
MD5
4f2bfea5068bf0f963e778f4f61cd99c

SHA1
797d596d9ef376747671cb373207043a5dbaccec

SHA256
2599965afc0a2ae60c8b61f82ecaf6a92918dd795d95121f951658a32ac737f8

SHA512
654adb2549cefb51bff892dd0c9964804ff3616496187b855995aab8596e03500d3d0170f90e2ee575fd383e80b341d97d2bb1191febcc4d36630b08d96f15ce

Download Submit
memory/948-55-0x000007FEFBEB1000-0x000007FEFBEB3000-memory.dmp

Filesize
8KB

Download
memory/1288-60-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download
memory/1288-61-0x0000000000000000-mapping.dmp

Download
memory/1288-63-0x0000000074861000-0x0000000074863000-memory.dmp

Filesize
8KB

Download
memory/1288-64-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1336-79-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/1336-73-0x0000000000000000-mapping.dmp

Download
memory/1496-65-0x0000000000000000-mapping.dmp

Download
memory/1512-69-0x0000000000000000-mapping.dmp

Download
memory/1672-59-0x0000000010000000-0x00000000100FA000-memory.dmp

Filesize
1000KB

Download
memory/1672-58-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/1672-57-0x0000000075321000-0x0000000075323000-memory.dmp

Filesize
8KB

Download
memory/1672-56-0x0000000000000000-mapping.dmp

Download
memory/1820-66-0x0000000000000000-mapping.dmp

Download
memory/1940-77-0x0000000000000000-mapping.dmp

Download
memory/1948-78-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads