qakbot | bef46e00b74c84f8c4e22ec59705da188ac9b417f57f98239e0befa44700a7ad

General

Target

bef46e00b74c84f8c4e22ec59705da188ac9b417f57f98239e0befa44700a7ad.dll
Size

959KB
MD5

e5ef2b91bcdb8037bb2465c84c28248b
SHA1

adaad69a8641a607d7fc77c7cd11d6981c8afde0
SHA256

bef46e00b74c84f8c4e22ec59705da188ac9b417f57f98239e0befa44700a7ad
SHA512

66c38499678ca3e21b4dfe9e91934357b3c85c542a1774ee98411660f64d7aa05d718c3095e33280275df631833dd0607ee3a40cd06b8abb754d97132bb7700c

Score

10^/10

qakbot cullinan 1639333530 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.10

Botnet

cullinan

Campaign

1639333530

C2

65.100.174.110:443

173.21.10.71:2222

140.82.49.12:443

190.73.3.148:2222

76.25.142.196:443

71.74.12.34:443

31.215.98.160:443

93.48.80.198:995

45.9.20.200:2211

41.228.22.180:443

109.12.111.14:443

63.143.92.99:995

120.150.218.241:995

94.60.254.81:443

86.148.6.51:443

218.101.110.3:995

216.238.71.31:443

207.246.112.221:443

216.238.72.121:443

216.238.71.31:995

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

756 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3916 schtasks.exe

pid	process
756	regsvr32.exe

pid	process
3916	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Lsqkyiyeqo\5014e785 = 33f2ae33520972b86b00265d973b79e979d203ec68546380e312b17bbd98cc020dd0afd0333197fa98c14d2a945fd2dacf	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Lsqkyiyeqo\e8a880e0 = 8524b5f6e7ebbd4f4c8fb187c26b457085e20d084574dba3ab590d74eb317aa67805	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Lsqkyiyeqo\95a0cf6a = 65f90c5c3cf759bd077986fff7c7a1deb9b70e58cb8c3345e431a260b3ade1d809d51ca3e6b426bd845feefeb21cff0b67ba666a31a3f7e4179c29d93f2fc71901f2549eb7a4e57913d86e6cfff36ae393c3a0def05b	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Lsqkyiyeqo\67ca17b7 = 2ad6c5c9908cd892a5f5a4138777bfe7012deda2fbf207594ad51d63f02709cb9a21bc316331c8a4058adafb90249f5817f6a4107286d80b6559d0ad164e9dbb20ed991526f9302b1638e20c58ddc5d0c2fff3	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Lsqkyiyeqo\18837841 = 986d1ba2612c07ef3544b0a58da3f54d9c8d944a5295ca5bc2d4531ee3fdaec9d45ead9011556359fb1a7073e30be707749bd96f75dcac7bf28e1527c6cc9d21828a4bd83e3faaf8f7631e25d2ad0b0b29452ab71f83166f3ec8	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Lsqkyiyeqo	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Lsqkyiyeqo\67ca17b7 = 2ad6d2c9908ced2197ec9e5d9ce53fbce105a8afb9197688ac913c1ec5921ac9e21e99200f187615d77c2d9a69769835999cb51dc1f04475acc2fe4716c9	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Lsqkyiyeqo\5255c7f9 = ed919fd442bd79a03388914f503c79d1515e07d5c8f9e5ccf82e02d49c607b6f786e55c06c159ba486b694af1e0514c1f500eb4ff37d64d3af711b55d1e6493647bd495f9db926a2b68f8239ba8b59e6485d3649a28fad98525c258d369c58534eb0fbb83fe97028b58e4a5ec1961cb9cd83d6c64fa8281bc820233415e2960e9bf934bec2d619a9b0189ba9	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Lsqkyiyeqo\2d1ca80f = c50a383b91cca23963e64eae841643c2ea5ca387d590d2c8879475d7929607c19977d3d49c7df3b57a5153549ca82d86	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Lsqkyiyeqo\eae9a09c = e60a5cefdff7236aabe00bbdade88ed6270a6a0d5d4346f2bf02d05d	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

1996 regsvr32.exe
1996 regsvr32.exe
756 regsvr32.exe
756 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

1996 regsvr32.exe
756 regsvr32.exe

pid	process
1996	regsvr32.exe
1996	regsvr32.exe
756	regsvr32.exe
756	regsvr32.exe

pid	process
1996	regsvr32.exe
756	regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

regsvr32.exeregsvr32.exeexplorer.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 2860 wrote to memory of 1996	2860	regsvr32.exe	regsvr32.exe
PID 2860 wrote to memory of 1996	2860	regsvr32.exe	regsvr32.exe
PID 2860 wrote to memory of 1996	2860	regsvr32.exe	regsvr32.exe
PID 1996 wrote to memory of 2744	1996	regsvr32.exe	explorer.exe
PID 1996 wrote to memory of 2744	1996	regsvr32.exe	explorer.exe
PID 1996 wrote to memory of 2744	1996	regsvr32.exe	explorer.exe
PID 1996 wrote to memory of 2744	1996	regsvr32.exe	explorer.exe
PID 1996 wrote to memory of 2744	1996	regsvr32.exe	explorer.exe
PID 2744 wrote to memory of 3916	2744	explorer.exe	schtasks.exe
PID 2744 wrote to memory of 3916	2744	explorer.exe	schtasks.exe
PID 2744 wrote to memory of 3916	2744	explorer.exe	schtasks.exe
PID 3328 wrote to memory of 756	3328	regsvr32.exe	regsvr32.exe
PID 3328 wrote to memory of 756	3328	regsvr32.exe	regsvr32.exe
PID 3328 wrote to memory of 756	3328	regsvr32.exe	regsvr32.exe
PID 756 wrote to memory of 364	756	regsvr32.exe	explorer.exe
PID 756 wrote to memory of 364	756	regsvr32.exe	explorer.exe
PID 756 wrote to memory of 364	756	regsvr32.exe	explorer.exe
PID 756 wrote to memory of 364	756	regsvr32.exe	explorer.exe
PID 756 wrote to memory of 364	756	regsvr32.exe	explorer.exe
PID 364 wrote to memory of 412	364	explorer.exe	reg.exe
PID 364 wrote to memory of 412	364	explorer.exe	reg.exe
PID 364 wrote to memory of 376	364	explorer.exe	reg.exe
PID 364 wrote to memory of 376	364	explorer.exe	reg.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\bef46e00b74c84f8c4e22ec59705da188ac9b417f57f98239e0befa44700a7ad.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\bef46e00b74c84f8c4e22ec59705da188ac9b417f57f98239e0befa44700a7ad.dll
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn uklpvolvv /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\bef46e00b74c84f8c4e22ec59705da188ac9b417f57f98239e0befa44700a7ad.dll\"" /SC ONCE /Z /ST 12:04 /ET 12:16
      4⤵
      Creates scheduled task(s)
      PID:3916

\??\c:\windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\bef46e00b74c84f8c4e22ec59705da188ac9b417f57f98239e0befa44700a7ad.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:3328
- C:\Windows\SysWOW64\regsvr32.exe
  -s "C:\Users\Admin\AppData\Local\Temp\bef46e00b74c84f8c4e22ec59705da188ac9b417f57f98239e0befa44700a7ad.dll"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:756
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:364
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Hsyujiukmpwu" /d "0"
      4⤵
      PID:412
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Yqxqwiv" /d "0"
      4⤵
      PID:376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bef46e00b74c84f8c4e22ec59705da188ac9b417f57f98239e0befa44700a7ad.dll

MD5
e5ef2b91bcdb8037bb2465c84c28248b

SHA1
adaad69a8641a607d7fc77c7cd11d6981c8afde0

SHA256
bef46e00b74c84f8c4e22ec59705da188ac9b417f57f98239e0befa44700a7ad

SHA512
66c38499678ca3e21b4dfe9e91934357b3c85c542a1774ee98411660f64d7aa05d718c3095e33280275df631833dd0607ee3a40cd06b8abb754d97132bb7700c

Download Submit
\Users\Admin\AppData\Local\Temp\bef46e00b74c84f8c4e22ec59705da188ac9b417f57f98239e0befa44700a7ad.dll

MD5
e5ef2b91bcdb8037bb2465c84c28248b

SHA1
adaad69a8641a607d7fc77c7cd11d6981c8afde0

SHA256
bef46e00b74c84f8c4e22ec59705da188ac9b417f57f98239e0befa44700a7ad

SHA512
66c38499678ca3e21b4dfe9e91934357b3c85c542a1774ee98411660f64d7aa05d718c3095e33280275df631833dd0607ee3a40cd06b8abb754d97132bb7700c

Download Submit
memory/364-127-0x0000000000000000-mapping.dmp

Download
memory/364-132-0x0000000003200000-0x0000000003221000-memory.dmp

Filesize
132KB

Download
memory/364-131-0x00000000035F0000-0x00000000035F1000-memory.dmp

Filesize
4KB

Download
memory/364-130-0x00000000035F0000-0x00000000035F1000-memory.dmp

Filesize
4KB

Download
memory/376-129-0x0000000000000000-mapping.dmp

Download
memory/412-128-0x0000000000000000-mapping.dmp

Download
memory/756-126-0x0000000002A40000-0x0000000002A41000-memory.dmp

Filesize
4KB

Download
memory/756-124-0x0000000000000000-mapping.dmp

Download
memory/1996-115-0x0000000000000000-mapping.dmp

Download
memory/1996-116-0x0000000002CF0000-0x0000000002D13000-memory.dmp

Filesize
140KB

Download
memory/1996-117-0x0000000010000000-0x00000000100F5000-memory.dmp

Filesize
980KB

Download
memory/2744-118-0x0000000000000000-mapping.dmp

Download
memory/2744-122-0x0000000003200000-0x0000000003221000-memory.dmp

Filesize
132KB

Download
memory/2744-121-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/2744-120-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/3916-119-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads