qakbot | 186b5f0acbf214a1f442530198f213e675de3cd908b33501b646a5f8494d1ecc

General

Target

186b5f0acbf214a1f442530198f213e675de3cd908b33501b646a5f8494d1ecc.dll
Size

825KB
MD5

3142cbf3b97b301f787b5dfdde5e4b62
SHA1

d5c85a79f8afbaf828538e1544abcdf254cb2c6a
SHA256

186b5f0acbf214a1f442530198f213e675de3cd908b33501b646a5f8494d1ecc
SHA512

1b0c8ec21f42b5ca2cb7ab3a3b66c139c0a807c4cf399f4649f21f27913f351c04cb4676b37d7de5fe93bbca02119103d4b510ef6cfd819492292af4db5da0d7

Score

10^/10

qakbot cullinan 1639333530 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.10

Botnet

cullinan

Campaign

1639333530

C2

65.100.174.110:443

173.21.10.71:2222

140.82.49.12:443

190.73.3.148:2222

76.25.142.196:443

71.74.12.34:443

31.215.98.160:443

93.48.80.198:995

45.9.20.200:2211

41.228.22.180:443

109.12.111.14:443

63.143.92.99:995

120.150.218.241:995

94.60.254.81:443

86.148.6.51:443

218.101.110.3:995

216.238.71.31:443

207.246.112.221:443

216.238.72.121:443

216.238.71.31:995

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1176 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1628 schtasks.exe

pid	process
1176	regsvr32.exe

pid	process
1628	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Wvpnwyxnv\4731ef32 = ea648aa08cc9f0d1704e8b47619a246a9c3640e79fb9608adb46597af8b11b458f6f55b4fdb7f4b41fdc035d914967c8d44ba4fc7d341b99a062cdcd126ef1f8825faba3291d7fbf106b84ebedb7078c21e34accbe8c9c016dcc13bd2ef79eefefd5fc25f53b4db911	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Wvpnwyxnv\fdcca82b = 8d41f26add5524150f1561e8d6da2585cf8f40ded483dbdf6ecaa6f180b699bdafea510e8b6f9a25ba6a118da63a04a07f10066347ca3e4a4658f65e30ac22f21e2bb3f33ebbe9079affec2c9f9df770b17adfaf5fec9a5eb75f264cdbc3fb62e8cd2753c57482e4b22563	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Wvpnwyxnv\4570cf4e = 264c289b8eb502856dd0be37c6788c8d601daad97904d77cc58c781e782cde52ff7a8907eb2e50b633fb326639ccfc11ebe943eff0f1d71521dfa45ef41a39b08e08b75f432755a89567accb199b339c650dcefa2b2877f5bb05a1b5a1954c3c254a55	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Wvpnwyxnv\ff8d8857 = 2ebcff093efe29a1bf6695547d36eb101a22502c7a2f82abb7ad087795bbc1c3de	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Wvpnwyxnv\8285c7dd = 344d65484e8eafd55a637807fdd852d2950f74ab32efb20497312a239d05a5bdb8655eebc6ac	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Wvpnwyxnv\3a39a0b8 = 723b387cd50bdab925daf0f869f1e151ecf3e559e38ca78c3421d7963d71a8b19107e157b4976efa06772fd1cd35534a7efc8aeaf6b18917b38e571104f2cd7dfa6a4a60779b4c5db9086aacc0b40686b6e20d4a6350238a01	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Wvpnwyxnv\fa670f6 = 6d4be9b98174775f3b25ff452a879e3c21be1e9d95afb9794aa7396f47bcb99978076821e7b60798	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Wvpnwyxnv\70ef1f00 = 144757358d825ae9f72f729766ea3b181e1adda35e0c51a1bfa9a2de59bb1703a754ac84bc66e538c5848526f0f763e404613fb08e15	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Wvpnwyxnv	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Wvpnwyxnv\70ef1f00 = 144740358d826f47e89979029f6067fff634875338e248aa54fa1198090d6d0177	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

1404 regsvr32.exe
1176 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

1404 regsvr32.exe
1176 regsvr32.exe

pid	process
1404	regsvr32.exe
1176	regsvr32.exe

pid	process
1404	regsvr32.exe
1176	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

regsvr32.exeregsvr32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 1660 wrote to memory of 1404	1660	regsvr32.exe	regsvr32.exe
PID 1660 wrote to memory of 1404	1660	regsvr32.exe	regsvr32.exe
PID 1660 wrote to memory of 1404	1660	regsvr32.exe	regsvr32.exe
PID 1660 wrote to memory of 1404	1660	regsvr32.exe	regsvr32.exe
PID 1660 wrote to memory of 1404	1660	regsvr32.exe	regsvr32.exe
PID 1660 wrote to memory of 1404	1660	regsvr32.exe	regsvr32.exe
PID 1660 wrote to memory of 1404	1660	regsvr32.exe	regsvr32.exe
PID 1404 wrote to memory of 828	1404	regsvr32.exe	explorer.exe
PID 1404 wrote to memory of 828	1404	regsvr32.exe	explorer.exe
PID 1404 wrote to memory of 828	1404	regsvr32.exe	explorer.exe
PID 1404 wrote to memory of 828	1404	regsvr32.exe	explorer.exe
PID 1404 wrote to memory of 828	1404	regsvr32.exe	explorer.exe
PID 1404 wrote to memory of 828	1404	regsvr32.exe	explorer.exe
PID 828 wrote to memory of 1628	828	explorer.exe	schtasks.exe
PID 828 wrote to memory of 1628	828	explorer.exe	schtasks.exe
PID 828 wrote to memory of 1628	828	explorer.exe	schtasks.exe
PID 828 wrote to memory of 1628	828	explorer.exe	schtasks.exe
PID 1120 wrote to memory of 1548	1120	taskeng.exe	regsvr32.exe
PID 1120 wrote to memory of 1548	1120	taskeng.exe	regsvr32.exe
PID 1120 wrote to memory of 1548	1120	taskeng.exe	regsvr32.exe
PID 1120 wrote to memory of 1548	1120	taskeng.exe	regsvr32.exe
PID 1120 wrote to memory of 1548	1120	taskeng.exe	regsvr32.exe
PID 1548 wrote to memory of 1176	1548	regsvr32.exe	regsvr32.exe
PID 1548 wrote to memory of 1176	1548	regsvr32.exe	regsvr32.exe
PID 1548 wrote to memory of 1176	1548	regsvr32.exe	regsvr32.exe
PID 1548 wrote to memory of 1176	1548	regsvr32.exe	regsvr32.exe
PID 1548 wrote to memory of 1176	1548	regsvr32.exe	regsvr32.exe
PID 1548 wrote to memory of 1176	1548	regsvr32.exe	regsvr32.exe
PID 1548 wrote to memory of 1176	1548	regsvr32.exe	regsvr32.exe
PID 1176 wrote to memory of 1836	1176	regsvr32.exe	explorer.exe
PID 1176 wrote to memory of 1836	1176	regsvr32.exe	explorer.exe
PID 1176 wrote to memory of 1836	1176	regsvr32.exe	explorer.exe
PID 1176 wrote to memory of 1836	1176	regsvr32.exe	explorer.exe
PID 1176 wrote to memory of 1836	1176	regsvr32.exe	explorer.exe
PID 1176 wrote to memory of 1836	1176	regsvr32.exe	explorer.exe
PID 1836 wrote to memory of 2004	1836	explorer.exe	reg.exe
PID 1836 wrote to memory of 2004	1836	explorer.exe	reg.exe
PID 1836 wrote to memory of 2004	1836	explorer.exe	reg.exe
PID 1836 wrote to memory of 2004	1836	explorer.exe	reg.exe
PID 1836 wrote to memory of 1064	1836	explorer.exe	reg.exe
PID 1836 wrote to memory of 1064	1836	explorer.exe	reg.exe
PID 1836 wrote to memory of 1064	1836	explorer.exe	reg.exe
PID 1836 wrote to memory of 1064	1836	explorer.exe	reg.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\186b5f0acbf214a1f442530198f213e675de3cd908b33501b646a5f8494d1ecc.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\186b5f0acbf214a1f442530198f213e675de3cd908b33501b646a5f8494d1ecc.dll
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn lreatphqz /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\186b5f0acbf214a1f442530198f213e675de3cd908b33501b646a5f8494d1ecc.dll\"" /SC ONCE /Z /ST 15:46 /ET 15:58
4⤵
- Creates scheduled task(s)
PID:1628

C:\Windows\system32\taskeng.exe
taskeng.exe {04642477-98BA-4CB8-B974-DB2D6732C175} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\186b5f0acbf214a1f442530198f213e675de3cd908b33501b646a5f8494d1ecc.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\186b5f0acbf214a1f442530198f213e675de3cd908b33501b646a5f8494d1ecc.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Oqzbss" /d "0"
5⤵
PID:2004

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Joeaosx" /d "0"
5⤵
PID:1064

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\186b5f0acbf214a1f442530198f213e675de3cd908b33501b646a5f8494d1ecc.dll
MD5
3142cbf3b97b301f787b5dfdde5e4b62

SHA1
d5c85a79f8afbaf828538e1544abcdf254cb2c6a

SHA256
186b5f0acbf214a1f442530198f213e675de3cd908b33501b646a5f8494d1ecc

SHA512
1b0c8ec21f42b5ca2cb7ab3a3b66c139c0a807c4cf399f4649f21f27913f351c04cb4676b37d7de5fe93bbca02119103d4b510ef6cfd819492292af4db5da0d7

Download Submit
\Users\Admin\AppData\Local\Temp\186b5f0acbf214a1f442530198f213e675de3cd908b33501b646a5f8494d1ecc.dll
MD5
3142cbf3b97b301f787b5dfdde5e4b62

SHA1
d5c85a79f8afbaf828538e1544abcdf254cb2c6a

SHA256
186b5f0acbf214a1f442530198f213e675de3cd908b33501b646a5f8494d1ecc

SHA512
1b0c8ec21f42b5ca2cb7ab3a3b66c139c0a807c4cf399f4649f21f27913f351c04cb4676b37d7de5fe93bbca02119103d4b510ef6cfd819492292af4db5da0d7

Download Submit
memory/828-64-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/828-59-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download
memory/828-60-0x0000000000000000-mapping.dmp

Download
memory/828-62-0x0000000074661000-0x0000000074663000-memory.dmp

Filesize
8KB

Download
memory/1064-76-0x0000000000000000-mapping.dmp

Download
memory/1176-68-0x0000000000000000-mapping.dmp

Download
memory/1404-57-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1404-58-0x0000000010000000-0x00000000100FA000-memory.dmp

Filesize
1000KB

Download
memory/1404-56-0x0000000075F81000-0x0000000075F83000-memory.dmp

Filesize
8KB

Download
memory/1404-55-0x0000000000000000-mapping.dmp

Download
memory/1548-65-0x0000000000000000-mapping.dmp

Download
memory/1628-63-0x0000000000000000-mapping.dmp

Download
memory/1660-54-0x000007FEFBCB1000-0x000007FEFBCB3000-memory.dmp

Filesize
8KB

Download
memory/1836-72-0x0000000000000000-mapping.dmp

Download
memory/1836-77-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2004-75-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads