qakbot | 2abda935db7d445ca540f92c60d03172b54d2b7a9da159b1a24a658034a3d7a3

General

Target

2abda935db7d445ca540f92c60d03172b54d2b7a9da159b1a24a658034a3d7a3.dll
Size

958KB
MD5

8fc78bdb91458a75ee1c6228337190b1
SHA1

879f1f5fe678deb5ec4743eb60a364577d17d7bf
SHA256

2abda935db7d445ca540f92c60d03172b54d2b7a9da159b1a24a658034a3d7a3
SHA512

362991facd6668e42a2ec59bff17bbedabcad94212f9cedadcb92b4dbc28e32bb209c12cb4d0ef40029be8818de9e204cb11d03dd7d9e3fc380a927d5590f0de

Score

10^/10

qakbot cullinan 1639333530 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.10

Botnet

cullinan

Campaign

1639333530

C2

65.100.174.110:443

173.21.10.71:2222

140.82.49.12:443

190.73.3.148:2222

76.25.142.196:443

71.74.12.34:443

31.215.98.160:443

93.48.80.198:995

45.9.20.200:2211

41.228.22.180:443

109.12.111.14:443

63.143.92.99:995

120.150.218.241:995

94.60.254.81:443

86.148.6.51:443

218.101.110.3:995

216.238.71.31:443

207.246.112.221:443

216.238.72.121:443

216.238.71.31:995

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1832 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

556 schtasks.exe

pid	process
1832	regsvr32.exe

pid	process
556	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ozzahzdods\d6b56d62 = d8996ad13209ffe5c5048f2656ba54eb7ede346f40768bbe9a063fb756f16d150036ead581ab5c30	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ozzahzdods\9c63d2da = 1e9e19bf81ea63416e14173c64f61ea141e8d8d8ca621d2b162626bfd1f37ffa	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ozzahzdods\5b96da49 = 44b25d8e1b68806346a174fd329d06e7a519980fa08c6c66d6643e4d91ca9ca627e149f5e805fb9cefa1a5a252ce23f6aee8ee15aac934b03c19ce909cbfd23e5a0f9f80712aa787d233a2be0b61635ae16f483fddead54a106adf5b556177397c234934fea705112c0eabd2	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ozzahzdods\a9fc0294 = 507956accde0c6c164204ba17de2d98077	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ozzahzdods\d6b56d62 = d8997dd13209cab7abc67507bfa2ba422786a6c838b82205c5909f0fea91be29710c7627463b5ec59536737e7007264c1654d2e23fb9f7824014206540	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ozzahzdods	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ozzahzdods\e32abd2c = b09c7558093181a03b33457204abe0119cabe797755796a3793b3c7443eac4d744edb95013ddf40a29666217f566d556961cf32927e5b053236f2b1037f2845730394cac3a62636a549280ec6cf6fe006e8eac18a0514165ffb4fa882fd7a0f75cbaf270ff48e0f0678f53c679105e83e422fb5bab76c2be58318cf1eceb9e70f1a6e2a62b2fb2cd1c10708bedee199a8d090c095029fa84ab0ebdbd013f742335	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ozzahzdods\e16b9d50 = 4a4bc76739ef97c6e6253ffac9b07a2faebc1674a61191933e956b3881e3c6	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ozzahzdods\59d7fa35 = 77a90c80af5473e629088482c24fce0087a43764b80fbbaee7e961b612295398c331e8b0a771ac93	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ozzahzdods\24dfb5bf = 6086205f84ab528163ade8fc884fa0b576b81a4229	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

840 regsvr32.exe
1832 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

840 regsvr32.exe
1832 regsvr32.exe

pid	process
840	regsvr32.exe
1832	regsvr32.exe

pid	process
840	regsvr32.exe
1832	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

regsvr32.exeregsvr32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 756 wrote to memory of 840	756	regsvr32.exe	regsvr32.exe
PID 756 wrote to memory of 840	756	regsvr32.exe	regsvr32.exe
PID 756 wrote to memory of 840	756	regsvr32.exe	regsvr32.exe
PID 756 wrote to memory of 840	756	regsvr32.exe	regsvr32.exe
PID 756 wrote to memory of 840	756	regsvr32.exe	regsvr32.exe
PID 756 wrote to memory of 840	756	regsvr32.exe	regsvr32.exe
PID 756 wrote to memory of 840	756	regsvr32.exe	regsvr32.exe
PID 840 wrote to memory of 1920	840	regsvr32.exe	explorer.exe
PID 840 wrote to memory of 1920	840	regsvr32.exe	explorer.exe
PID 840 wrote to memory of 1920	840	regsvr32.exe	explorer.exe
PID 840 wrote to memory of 1920	840	regsvr32.exe	explorer.exe
PID 840 wrote to memory of 1920	840	regsvr32.exe	explorer.exe
PID 840 wrote to memory of 1920	840	regsvr32.exe	explorer.exe
PID 1920 wrote to memory of 556	1920	explorer.exe	schtasks.exe
PID 1920 wrote to memory of 556	1920	explorer.exe	schtasks.exe
PID 1920 wrote to memory of 556	1920	explorer.exe	schtasks.exe
PID 1920 wrote to memory of 556	1920	explorer.exe	schtasks.exe
PID 1868 wrote to memory of 1776	1868	taskeng.exe	regsvr32.exe
PID 1868 wrote to memory of 1776	1868	taskeng.exe	regsvr32.exe
PID 1868 wrote to memory of 1776	1868	taskeng.exe	regsvr32.exe
PID 1868 wrote to memory of 1776	1868	taskeng.exe	regsvr32.exe
PID 1868 wrote to memory of 1776	1868	taskeng.exe	regsvr32.exe
PID 1776 wrote to memory of 1832	1776	regsvr32.exe	regsvr32.exe
PID 1776 wrote to memory of 1832	1776	regsvr32.exe	regsvr32.exe
PID 1776 wrote to memory of 1832	1776	regsvr32.exe	regsvr32.exe
PID 1776 wrote to memory of 1832	1776	regsvr32.exe	regsvr32.exe
PID 1776 wrote to memory of 1832	1776	regsvr32.exe	regsvr32.exe
PID 1776 wrote to memory of 1832	1776	regsvr32.exe	regsvr32.exe
PID 1776 wrote to memory of 1832	1776	regsvr32.exe	regsvr32.exe
PID 1832 wrote to memory of 1352	1832	regsvr32.exe	explorer.exe
PID 1832 wrote to memory of 1352	1832	regsvr32.exe	explorer.exe
PID 1832 wrote to memory of 1352	1832	regsvr32.exe	explorer.exe
PID 1832 wrote to memory of 1352	1832	regsvr32.exe	explorer.exe
PID 1832 wrote to memory of 1352	1832	regsvr32.exe	explorer.exe
PID 1832 wrote to memory of 1352	1832	regsvr32.exe	explorer.exe
PID 1352 wrote to memory of 1944	1352	explorer.exe	reg.exe
PID 1352 wrote to memory of 1944	1352	explorer.exe	reg.exe
PID 1352 wrote to memory of 1944	1352	explorer.exe	reg.exe
PID 1352 wrote to memory of 1944	1352	explorer.exe	reg.exe
PID 1352 wrote to memory of 1980	1352	explorer.exe	reg.exe
PID 1352 wrote to memory of 1980	1352	explorer.exe	reg.exe
PID 1352 wrote to memory of 1980	1352	explorer.exe	reg.exe
PID 1352 wrote to memory of 1980	1352	explorer.exe	reg.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2abda935db7d445ca540f92c60d03172b54d2b7a9da159b1a24a658034a3d7a3.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\2abda935db7d445ca540f92c60d03172b54d2b7a9da159b1a24a658034a3d7a3.dll
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn dnyqvnfwda /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\2abda935db7d445ca540f92c60d03172b54d2b7a9da159b1a24a658034a3d7a3.dll\"" /SC ONCE /Z /ST 16:13 /ET 16:25
4⤵
- Creates scheduled task(s)
PID:556

C:\Windows\system32\taskeng.exe
taskeng.exe {80EB5E68-5166-42F1-B47D-7C243BAFCA11} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\2abda935db7d445ca540f92c60d03172b54d2b7a9da159b1a24a658034a3d7a3.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\2abda935db7d445ca540f92c60d03172b54d2b7a9da159b1a24a658034a3d7a3.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Swegw" /d "0"
5⤵
PID:1944

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Sewdeki" /d "0"
5⤵
PID:1980

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2abda935db7d445ca540f92c60d03172b54d2b7a9da159b1a24a658034a3d7a3.dll
MD5
8fc78bdb91458a75ee1c6228337190b1

SHA1
879f1f5fe678deb5ec4743eb60a364577d17d7bf

SHA256
2abda935db7d445ca540f92c60d03172b54d2b7a9da159b1a24a658034a3d7a3

SHA512
362991facd6668e42a2ec59bff17bbedabcad94212f9cedadcb92b4dbc28e32bb209c12cb4d0ef40029be8818de9e204cb11d03dd7d9e3fc380a927d5590f0de

Download Submit
\Users\Admin\AppData\Local\Temp\2abda935db7d445ca540f92c60d03172b54d2b7a9da159b1a24a658034a3d7a3.dll
MD5
8fc78bdb91458a75ee1c6228337190b1

SHA1
879f1f5fe678deb5ec4743eb60a364577d17d7bf

SHA256
2abda935db7d445ca540f92c60d03172b54d2b7a9da159b1a24a658034a3d7a3

SHA512
362991facd6668e42a2ec59bff17bbedabcad94212f9cedadcb92b4dbc28e32bb209c12cb4d0ef40029be8818de9e204cb11d03dd7d9e3fc380a927d5590f0de

Download Submit
memory/556-63-0x0000000000000000-mapping.dmp

Download
memory/756-54-0x000007FEFC0E1000-0x000007FEFC0E3000-memory.dmp

Filesize
8KB

Download
memory/840-55-0x0000000000000000-mapping.dmp

Download
memory/840-56-0x0000000075531000-0x0000000075533000-memory.dmp

Filesize
8KB

Download
memory/840-60-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/840-61-0x0000000010000000-0x00000000100F5000-memory.dmp

Filesize
980KB

Download
memory/1352-77-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1352-72-0x0000000000000000-mapping.dmp

Download
memory/1776-65-0x0000000000000000-mapping.dmp

Download
memory/1832-68-0x0000000000000000-mapping.dmp

Download
memory/1920-64-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/1920-62-0x0000000074921000-0x0000000074923000-memory.dmp

Filesize
8KB

Download
memory/1920-58-0x0000000000000000-mapping.dmp

Download
memory/1920-57-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download
memory/1944-75-0x0000000000000000-mapping.dmp

Download
memory/1980-76-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads