Overview

overview

10

Static

static

bef46e00b7...ad.dll

windows7_x64

10

bef46e00b7...ad.dll

windows10_x64

10

Analysis

  • max time kernel
    135s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    14-12-2021 16:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bef46e00b74c84f8c4e22ec59705da188ac9b417f57f98239e0befa44700a7ad.dll

  • Size

    959KB

  • MD5

    e5ef2b91bcdb8037bb2465c84c28248b

  • SHA1

    adaad69a8641a607d7fc77c7cd11d6981c8afde0

  • SHA256

    bef46e00b74c84f8c4e22ec59705da188ac9b417f57f98239e0befa44700a7ad

  • SHA512

    66c38499678ca3e21b4dfe9e91934357b3c85c542a1774ee98411660f64d7aa05d718c3095e33280275df631833dd0607ee3a40cd06b8abb754d97132bb7700c

Score
10/10
qakbotcullinan1639333530bankerevasionstealertrojan

Malware Config

Extracted

Family

qakbot

Version

403.10

Botnet

cullinan

Campaign

1639333530

C2

65.100.174.110:443

173.21.10.71:2222

140.82.49.12:443

190.73.3.148:2222

76.25.142.196:443

71.74.12.34:443

31.215.98.160:443

93.48.80.198:995

45.9.20.200:2211

41.228.22.180:443

109.12.111.14:443

63.143.92.99:995

120.150.218.241:995

94.60.254.81:443

86.148.6.51:443

218.101.110.3:995

216.238.71.31:443

207.246.112.221:443

216.238.72.121:443

216.238.71.31:995
Attributes
  • salt

    jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Windows security bypass 2 TTPs
    evasiontrojan
  • Loads dropped DLL 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\bef46e00b74c84f8c4e22ec59705da188ac9b417f57f98239e0befa44700a7ad.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1624
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\bef46e00b74c84f8c4e22ec59705da188ac9b417f57f98239e0befa44700a7ad.dll
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:836
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:660
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ofusieeg /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\bef46e00b74c84f8c4e22ec59705da188ac9b417f57f98239e0befa44700a7ad.dll\"" /SC ONCE /Z /ST 17:13 /ET 17:25
          4⤵
          • Creates scheduled task(s)
          PID:1396
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {9DA8AF4C-81D2-4B7A-848E-A10BBBD0425F} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1500
    • C:\Windows\system32\regsvr32.exe
      regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\bef46e00b74c84f8c4e22ec59705da188ac9b417f57f98239e0befa44700a7ad.dll"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1080
      • C:\Windows\SysWOW64\regsvr32.exe
        -s "C:\Users\Admin\AppData\Local\Temp\bef46e00b74c84f8c4e22ec59705da188ac9b417f57f98239e0befa44700a7ad.dll"
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1064
        • C:\Windows\SysWOW64\explorer.exe
          C:\Windows\SysWOW64\explorer.exe
          4⤵
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:984
          • C:\Windows\system32\reg.exe
            C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Ixmhefye" /d "0"
            5⤵
              PID:1716
            • C:\Windows\system32\reg.exe
              C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Jfgeiouudg" /d "0"
              5⤵
                PID:1748

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scheduled Task

      1
      T1053

      Persistence

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Disabling Security Tools

      1
      T1089

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\bef46e00b74c84f8c4e22ec59705da188ac9b417f57f98239e0befa44700a7ad.dll
        MD5

        e5ef2b91bcdb8037bb2465c84c28248b

        SHA1

        adaad69a8641a607d7fc77c7cd11d6981c8afde0

        SHA256

        bef46e00b74c84f8c4e22ec59705da188ac9b417f57f98239e0befa44700a7ad

        SHA512

        66c38499678ca3e21b4dfe9e91934357b3c85c542a1774ee98411660f64d7aa05d718c3095e33280275df631833dd0607ee3a40cd06b8abb754d97132bb7700c

        Download Submit
      • \Users\Admin\AppData\Local\Temp\bef46e00b74c84f8c4e22ec59705da188ac9b417f57f98239e0befa44700a7ad.dll
        MD5

        e5ef2b91bcdb8037bb2465c84c28248b

        SHA1

        adaad69a8641a607d7fc77c7cd11d6981c8afde0

        SHA256

        bef46e00b74c84f8c4e22ec59705da188ac9b417f57f98239e0befa44700a7ad

        SHA512

        66c38499678ca3e21b4dfe9e91934357b3c85c542a1774ee98411660f64d7aa05d718c3095e33280275df631833dd0607ee3a40cd06b8abb754d97132bb7700c

        Download Submit
      • memory/660-59-0x00000000000B0000-0x00000000000B2000-memory.dmp
        Filesize

        8KB

        Download
      • memory/660-60-0x0000000000000000-mapping.dmp
        Download
      • memory/660-62-0x0000000074AA1000-0x0000000074AA3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/660-64-0x0000000000080000-0x00000000000A1000-memory.dmp
        Filesize

        132KB

        Download
      • memory/836-55-0x0000000000000000-mapping.dmp
        Download
      • memory/836-56-0x0000000076641000-0x0000000076643000-memory.dmp
        Filesize

        8KB

        Download
      • memory/836-57-0x0000000000170000-0x00000000001F0000-memory.dmp
        Filesize

        512KB

        Download
      • memory/836-58-0x0000000010000000-0x00000000100F5000-memory.dmp
        Filesize

        980KB

        Download
      • memory/984-78-0x0000000000080000-0x00000000000A1000-memory.dmp
        Filesize

        132KB

        Download
      • memory/984-73-0x0000000000000000-mapping.dmp
        Download
      • memory/1064-68-0x0000000000000000-mapping.dmp
        Download
      • memory/1064-71-0x0000000000160000-0x0000000000161000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1080-65-0x0000000000000000-mapping.dmp
        Download
      • memory/1396-63-0x0000000000000000-mapping.dmp
        Download
      • memory/1624-54-0x000007FEFC401000-0x000007FEFC403000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1716-76-0x0000000000000000-mapping.dmp
        Download
      • memory/1748-77-0x0000000000000000-mapping.dmp
        Download