qakbot | 186b5f0acbf214a1f442530198f213e675de3cd908b33501b646a5f8494d1ecc

General

Target

186b5f0acbf214a1f442530198f213e675de3cd908b33501b646a5f8494d1ecc.dll
Size

825KB
MD5

3142cbf3b97b301f787b5dfdde5e4b62
SHA1

d5c85a79f8afbaf828538e1544abcdf254cb2c6a
SHA256

186b5f0acbf214a1f442530198f213e675de3cd908b33501b646a5f8494d1ecc
SHA512

1b0c8ec21f42b5ca2cb7ab3a3b66c139c0a807c4cf399f4649f21f27913f351c04cb4676b37d7de5fe93bbca02119103d4b510ef6cfd819492292af4db5da0d7

Score

10^/10

qakbot cullinan 1639333530 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.10

Botnet

cullinan

Campaign

1639333530

C2

65.100.174.110:443

173.21.10.71:2222

140.82.49.12:443

190.73.3.148:2222

76.25.142.196:443

71.74.12.34:443

31.215.98.160:443

93.48.80.198:995

45.9.20.200:2211

41.228.22.180:443

109.12.111.14:443

63.143.92.99:995

120.150.218.241:995

94.60.254.81:443

86.148.6.51:443

218.101.110.3:995

216.238.71.31:443

207.246.112.221:443

216.238.72.121:443

216.238.71.31:995

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

2864 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3580 schtasks.exe

pid	process
2864	regsvr32.exe

pid	process
3580	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ejesgihpa	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ejesgihpa\1031db56 = 724379be4ab8b97507ea637e37f1637a1fdf1e571c9fae18dfca2c01763e27c50a988d707a169bb990baf0b1d5162dd34d56d2f728a5168856e5d243ae86cf754f0b87a9341565c21b930bdb8d26b99f373d47f01b90c0735234579460e1051257273bcad71b030a2b038ee6552d8dbc2b7ff38720546d00ac6698a920b75520e6e96cedee7aa5b82f71383eae9937701b67e8d50160d7d3ec41ac66a5ccb2d14dc6f3f34673654c6e46be5178ee58e0970e7957f5e8ad3307290caa	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ejesgihpa\1270fb2a = 3eefa241db6a4c87086dc3bcc24862ff70263b8abc0af1f83afcd25314bcc355071faa7b83667a9b1ce7555792001c2550f96274f1643d1a50d311e947810f5ea93575c6488ac5e5387b	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ejesgihpa\d7c4d3c5 = 7e27d5973e7eacdbacc0a4f0dae08e4e352e6d1d95a1a8a361c9b4ab	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ejesgihpa\a88dbc33 = 11e59500fd9083305c97cbc5dd38dd386fd03206a9101a1e8153730077853ddca8479edd0503a09f52c63406fec549638684d238d1511714f50adef9242148efd97f6328d1b809a0c1b2cf81047754cd293717cdeb750f3de9ebc058ac2c14bcd3a619faf431e0fd039c608101	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ejesgihpa\25ae0b18 = bf554c7a9027e094728815489f1123a5030735c92e389fa23a6498cb952d154db12684b86bb37b7bcc088a1dec30edadae997c640f9aa0f940914b56f2e84e1b60d1ecf576fe4536c7067aa3becd88dbb949250da7812aa16adda839250d2e639545	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ejesgihpa\aacc9c4f = c945fc9b33302f9b580c8779d02e4872690602d0f5743f882056109d9b81effa4b8bcfa42c49e3092e91b5a787115ff197725b0aa8	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ejesgihpa\6f78b4a0 = 69c03b0f5f2ba332cf1dc2d2f86f36a543b6926fc225d12747f65116770982dd740008e97c7d16143ca99c30a094b7780b3d3afd5b5b6f7289dd93947c338555afa5a6e4	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ejesgihpa\5ae764ee = 7aa5e05b1709afb0e4845328aaaa2ab474868ad1c6bea8275b680246293a1dd9f7a36087cc9902f640c5abcaacbe05c9208848fe3d43a075937528cb	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ejesgihpa\25ae0b18 = bf555b7a9027d54f8c49407e18ac18d060289487b09efe9e07746947fbef75fe751133a3399f40f4fa88cd3f6ea5c7209853132839e8b648d43434bd35eee8de8ff7766133d8210c2b51fb6cb2f254770263df3d7e8e9cb76304f2c11e8b52626b47df84dab08ad261da3531e8f2bd45778b9fa885852c	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

668 regsvr32.exe
668 regsvr32.exe
2864 regsvr32.exe
2864 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

668 regsvr32.exe
2864 regsvr32.exe

pid	process
668	regsvr32.exe
668	regsvr32.exe
2864	regsvr32.exe
2864	regsvr32.exe

pid	process
668	regsvr32.exe
2864	regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

regsvr32.exeregsvr32.exeexplorer.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 3080 wrote to memory of 668	3080	regsvr32.exe	regsvr32.exe
PID 3080 wrote to memory of 668	3080	regsvr32.exe	regsvr32.exe
PID 3080 wrote to memory of 668	3080	regsvr32.exe	regsvr32.exe
PID 668 wrote to memory of 1088	668	regsvr32.exe	explorer.exe
PID 668 wrote to memory of 1088	668	regsvr32.exe	explorer.exe
PID 668 wrote to memory of 1088	668	regsvr32.exe	explorer.exe
PID 668 wrote to memory of 1088	668	regsvr32.exe	explorer.exe
PID 668 wrote to memory of 1088	668	regsvr32.exe	explorer.exe
PID 1088 wrote to memory of 3580	1088	explorer.exe	schtasks.exe
PID 1088 wrote to memory of 3580	1088	explorer.exe	schtasks.exe
PID 1088 wrote to memory of 3580	1088	explorer.exe	schtasks.exe
PID 2984 wrote to memory of 2864	2984	regsvr32.exe	regsvr32.exe
PID 2984 wrote to memory of 2864	2984	regsvr32.exe	regsvr32.exe
PID 2984 wrote to memory of 2864	2984	regsvr32.exe	regsvr32.exe
PID 2864 wrote to memory of 3872	2864	regsvr32.exe	explorer.exe
PID 2864 wrote to memory of 3872	2864	regsvr32.exe	explorer.exe
PID 2864 wrote to memory of 3872	2864	regsvr32.exe	explorer.exe
PID 2864 wrote to memory of 3872	2864	regsvr32.exe	explorer.exe
PID 2864 wrote to memory of 3872	2864	regsvr32.exe	explorer.exe
PID 3872 wrote to memory of 2032	3872	explorer.exe	reg.exe
PID 3872 wrote to memory of 2032	3872	explorer.exe	reg.exe
PID 3872 wrote to memory of 2352	3872	explorer.exe	reg.exe
PID 3872 wrote to memory of 2352	3872	explorer.exe	reg.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\186b5f0acbf214a1f442530198f213e675de3cd908b33501b646a5f8494d1ecc.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3080

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\186b5f0acbf214a1f442530198f213e675de3cd908b33501b646a5f8494d1ecc.dll
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn wyfkdbblz /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\186b5f0acbf214a1f442530198f213e675de3cd908b33501b646a5f8494d1ecc.dll\"" /SC ONCE /Z /ST 12:04 /ET 12:16
4⤵
- Creates scheduled task(s)
PID:3580

\??\c:\windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\186b5f0acbf214a1f442530198f213e675de3cd908b33501b646a5f8494d1ecc.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:2984

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\186b5f0acbf214a1f442530198f213e675de3cd908b33501b646a5f8494d1ecc.dll"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2864

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:3872

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Olegbeig" /d "0"
4⤵
PID:2032

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Xyduheuaxtr" /d "0"
4⤵
PID:2352

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\186b5f0acbf214a1f442530198f213e675de3cd908b33501b646a5f8494d1ecc.dll
MD5
3142cbf3b97b301f787b5dfdde5e4b62

SHA1
d5c85a79f8afbaf828538e1544abcdf254cb2c6a

SHA256
186b5f0acbf214a1f442530198f213e675de3cd908b33501b646a5f8494d1ecc

SHA512
1b0c8ec21f42b5ca2cb7ab3a3b66c139c0a807c4cf399f4649f21f27913f351c04cb4676b37d7de5fe93bbca02119103d4b510ef6cfd819492292af4db5da0d7

Download Submit
\Users\Admin\AppData\Local\Temp\186b5f0acbf214a1f442530198f213e675de3cd908b33501b646a5f8494d1ecc.dll
MD5
3142cbf3b97b301f787b5dfdde5e4b62

SHA1
d5c85a79f8afbaf828538e1544abcdf254cb2c6a

SHA256
186b5f0acbf214a1f442530198f213e675de3cd908b33501b646a5f8494d1ecc

SHA512
1b0c8ec21f42b5ca2cb7ab3a3b66c139c0a807c4cf399f4649f21f27913f351c04cb4676b37d7de5fe93bbca02119103d4b510ef6cfd819492292af4db5da0d7

Download Submit
memory/668-117-0x0000000010000000-0x00000000100FA000-memory.dmp

Filesize
1000KB

Download
memory/668-116-0x0000000000870000-0x00000000009BA000-memory.dmp

Filesize
1.3MB

Download
memory/668-115-0x0000000000000000-mapping.dmp

Download
memory/1088-119-0x0000000000860000-0x0000000000881000-memory.dmp

Filesize
132KB

Download
memory/1088-121-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/1088-122-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/1088-118-0x0000000000000000-mapping.dmp

Download
memory/2032-128-0x0000000000000000-mapping.dmp

Download
memory/2352-129-0x0000000000000000-mapping.dmp

Download
memory/2864-124-0x0000000000000000-mapping.dmp

Download
memory/2864-126-0x00000000033B0000-0x00000000033B1000-memory.dmp

Filesize
4KB

Download
memory/3580-120-0x0000000000000000-mapping.dmp

Download
memory/3872-127-0x0000000000000000-mapping.dmp

Download
memory/3872-130-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/3872-131-0x0000000000340000-0x0000000000361000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads