qakbot | 2599965afc0a2ae60c8b61f82ecaf6a92918dd795d95121f951658a32ac737f8

General

Target

2599965afc0a2ae60c8b61f82ecaf6a92918dd795d95121f951658a32ac737f8.dll
Size

858KB
MD5

4f2bfea5068bf0f963e778f4f61cd99c
SHA1

797d596d9ef376747671cb373207043a5dbaccec
SHA256

2599965afc0a2ae60c8b61f82ecaf6a92918dd795d95121f951658a32ac737f8
SHA512

654adb2549cefb51bff892dd0c9964804ff3616496187b855995aab8596e03500d3d0170f90e2ee575fd383e80b341d97d2bb1191febcc4d36630b08d96f15ce

Score

10^/10

qakbot cullinan 1639333530 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.10

Botnet

cullinan

Campaign

1639333530

C2

65.100.174.110:443

173.21.10.71:2222

140.82.49.12:443

190.73.3.148:2222

76.25.142.196:443

71.74.12.34:443

31.215.98.160:443

93.48.80.198:995

45.9.20.200:2211

41.228.22.180:443

109.12.111.14:443

63.143.92.99:995

120.150.218.241:995

94.60.254.81:443

86.148.6.51:443

218.101.110.3:995

216.238.71.31:443

207.246.112.221:443

216.238.72.121:443

216.238.71.31:995

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

2848 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2876 schtasks.exe

pid	process
2848	regsvr32.exe

pid	process
2876	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Zouatkyal\a7238972 = 87450a2472612fd7c68f8d27b70fc05d27e743da657de23922588b0ef1d8e6d9d08596863281af05c888d9ea60dfe3136cbb6684ed5559f5de	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Zouatkyal\2a003e59 = a3147cc6e5961f36fc3e03223d03df27656ea5a2691a9760ab5153fc36cb52cd5535868ac4c3238a23021cd6fb2fc8e1062af27903d81d3267c3ff720b03c46313ccc65ccf4eb1	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Zouatkyal	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Zouatkyal\1ddece6b = c45361e99a16ca6f151abc13bb13eb34d2bff093e8afd915c46105375c3f09ef8990674c6cee	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Zouatkyal\a562a90e = ac7005f0b893c8296cb3d204a706fc141669201447a801f522a07a538a7ec3c91f92716623197eb68cdd70d5cc9a	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Zouatkyal\60d681e1 = 461372261970de2f69845ca807b4688750bd4e18750a79ae2c7eb78d57c846	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Zouatkyal\554951af = 73f3be07b32308d0deda48d97df649e87fdcc00a920319f8e21ed5980b7289fd40a8ce66e8c462efe3517078f007ae41627e372c4d6b7b266f8e26c9d8eaf30f1c057dda645d08377ad686	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Zouatkyal\2a003e59 = a3146bc6e5962a8b8b7f374f7e0d51dcbec6e8bc8ff8add2bdb7152bebc30f1da427187067e8982230be0b378d7bba8030d3	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Zouatkyal\1f9fee17 = 6c8a140e5df46fe4a8386a484041ea8543db7853e035a817da4b3cb23e0df0d7c2bcc2111922307dee945cea08c918305ac8e8df5855a7abf37f06fe554fc9d40b1f17a6d4ea43d6f26e652e34a5648ae9e28345a9e95aa0c9fcc053d03e76e2fac1c50e3a97d1e8bc691f7f620c02b66b5861e4	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Zouatkyal\d86ae684 = b8d19b527c36b54da4e392bf41053b6bc240b70b44d9ebbc4b04b74ceb152b018d5f1a4b	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

2588 regsvr32.exe
2588 regsvr32.exe
2848 regsvr32.exe
2848 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

2588 regsvr32.exe
2848 regsvr32.exe

pid	process
2588	regsvr32.exe
2588	regsvr32.exe
2848	regsvr32.exe
2848	regsvr32.exe

pid	process
2588	regsvr32.exe
2848	regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

regsvr32.exeregsvr32.exeexplorer.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 1008 wrote to memory of 2588	1008	regsvr32.exe	regsvr32.exe
PID 1008 wrote to memory of 2588	1008	regsvr32.exe	regsvr32.exe
PID 1008 wrote to memory of 2588	1008	regsvr32.exe	regsvr32.exe
PID 2588 wrote to memory of 1348	2588	regsvr32.exe	explorer.exe
PID 2588 wrote to memory of 1348	2588	regsvr32.exe	explorer.exe
PID 2588 wrote to memory of 1348	2588	regsvr32.exe	explorer.exe
PID 2588 wrote to memory of 1348	2588	regsvr32.exe	explorer.exe
PID 2588 wrote to memory of 1348	2588	regsvr32.exe	explorer.exe
PID 1348 wrote to memory of 2876	1348	explorer.exe	schtasks.exe
PID 1348 wrote to memory of 2876	1348	explorer.exe	schtasks.exe
PID 1348 wrote to memory of 2876	1348	explorer.exe	schtasks.exe
PID 3012 wrote to memory of 2848	3012	regsvr32.exe	regsvr32.exe
PID 3012 wrote to memory of 2848	3012	regsvr32.exe	regsvr32.exe
PID 3012 wrote to memory of 2848	3012	regsvr32.exe	regsvr32.exe
PID 2848 wrote to memory of 3132	2848	regsvr32.exe	explorer.exe
PID 2848 wrote to memory of 3132	2848	regsvr32.exe	explorer.exe
PID 2848 wrote to memory of 3132	2848	regsvr32.exe	explorer.exe
PID 2848 wrote to memory of 3132	2848	regsvr32.exe	explorer.exe
PID 2848 wrote to memory of 3132	2848	regsvr32.exe	explorer.exe
PID 3132 wrote to memory of 860	3132	explorer.exe	reg.exe
PID 3132 wrote to memory of 860	3132	explorer.exe	reg.exe
PID 3132 wrote to memory of 1096	3132	explorer.exe	reg.exe
PID 3132 wrote to memory of 1096	3132	explorer.exe	reg.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2599965afc0a2ae60c8b61f82ecaf6a92918dd795d95121f951658a32ac737f8.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\2599965afc0a2ae60c8b61f82ecaf6a92918dd795d95121f951658a32ac737f8.dll
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1348
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn lhxphxp /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\2599965afc0a2ae60c8b61f82ecaf6a92918dd795d95121f951658a32ac737f8.dll\"" /SC ONCE /Z /ST 21:42 /ET 21:54
      4⤵
      Creates scheduled task(s)
      PID:2876

\??\c:\windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\2599965afc0a2ae60c8b61f82ecaf6a92918dd795d95121f951658a32ac737f8.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\SysWOW64\regsvr32.exe
  -s "C:\Users\Admin\AppData\Local\Temp\2599965afc0a2ae60c8b61f82ecaf6a92918dd795d95121f951658a32ac737f8.dll"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:3132
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Ttvyslwvhne" /d "0"
      4⤵
      PID:860
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Ilpdyahglto" /d "0"
      4⤵
      PID:1096

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2599965afc0a2ae60c8b61f82ecaf6a92918dd795d95121f951658a32ac737f8.dll

MD5
4f2bfea5068bf0f963e778f4f61cd99c

SHA1
797d596d9ef376747671cb373207043a5dbaccec

SHA256
2599965afc0a2ae60c8b61f82ecaf6a92918dd795d95121f951658a32ac737f8

SHA512
654adb2549cefb51bff892dd0c9964804ff3616496187b855995aab8596e03500d3d0170f90e2ee575fd383e80b341d97d2bb1191febcc4d36630b08d96f15ce

Download Submit
\Users\Admin\AppData\Local\Temp\2599965afc0a2ae60c8b61f82ecaf6a92918dd795d95121f951658a32ac737f8.dll

MD5
4f2bfea5068bf0f963e778f4f61cd99c

SHA1
797d596d9ef376747671cb373207043a5dbaccec

SHA256
2599965afc0a2ae60c8b61f82ecaf6a92918dd795d95121f951658a32ac737f8

SHA512
654adb2549cefb51bff892dd0c9964804ff3616496187b855995aab8596e03500d3d0170f90e2ee575fd383e80b341d97d2bb1191febcc4d36630b08d96f15ce

Download Submit
memory/860-128-0x0000000000000000-mapping.dmp

Download
memory/1096-129-0x0000000000000000-mapping.dmp

Download
memory/1348-121-0x00000000036D0000-0x00000000036D1000-memory.dmp

Filesize
4KB

Download
memory/1348-120-0x00000000036D0000-0x00000000036D1000-memory.dmp

Filesize
4KB

Download
memory/1348-122-0x0000000000EF0000-0x0000000000F11000-memory.dmp

Filesize
132KB

Download
memory/1348-118-0x0000000000000000-mapping.dmp

Download
memory/2588-115-0x0000000000000000-mapping.dmp

Download
memory/2588-116-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/2588-117-0x0000000010000000-0x00000000100FA000-memory.dmp

Filesize
1000KB

Download
memory/2848-124-0x0000000000000000-mapping.dmp

Download
memory/2848-126-0x0000000000600000-0x000000000074A000-memory.dmp

Filesize
1.3MB

Download
memory/2876-119-0x0000000000000000-mapping.dmp

Download
memory/3132-127-0x0000000000000000-mapping.dmp

Download
memory/3132-131-0x0000000000F30000-0x0000000000F31000-memory.dmp

Filesize
4KB

Download
memory/3132-130-0x0000000000F30000-0x0000000000F31000-memory.dmp

Filesize
4KB

Download
memory/3132-132-0x0000000000A80000-0x0000000000AA1000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads