qakbot | 60db49cac9157a0e63ba7cf559fa084c5bb3fec0ba69c6a08bb85dd3ba6dbac9

General

Target

60db49cac9157a0e63ba7cf559fa084c5bb3fec0ba69c6a08bb85dd3ba6dbac9.dll
Size

934KB
MD5

ea4f783d466e757560776d148a790709
SHA1

5beac9e9677e5bec28655ab09ad013311be9572e
SHA256

60db49cac9157a0e63ba7cf559fa084c5bb3fec0ba69c6a08bb85dd3ba6dbac9
SHA512

2971dbc30fbfc4939e17c0ac3dd1d419ce93f13a20dde5700e8ce4352a8373d326d346befe8c87929f2b71c906dc6fa5ef32858ff3c944f756df6ed841aa693f

Score

10^/10

qakbot cullinan 1639333530 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.10

Botnet

cullinan

Campaign

1639333530

C2

65.100.174.110:443

173.21.10.71:2222

140.82.49.12:443

190.73.3.148:2222

76.25.142.196:443

71.74.12.34:443

31.215.98.160:443

93.48.80.198:995

45.9.20.200:2211

41.228.22.180:443

109.12.111.14:443

63.143.92.99:995

120.150.218.241:995

94.60.254.81:443

86.148.6.51:443

218.101.110.3:995

216.238.71.31:443

207.246.112.221:443

216.238.72.121:443

216.238.71.31:995

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1016 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1676 schtasks.exe

pid	process
1016	regsvr32.exe

pid	process
1676	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Upuieevokoauuy	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Upuieevokoauuy\166a89a9 = 99bea05e7f2996dfb53da0eea30f7f4a714571e4cc6c0d390e8388a3d612a8e3ead1f93f6e1a74d205ae0cdace4cf76580fcae6c90a96d9628b337be146024	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Upuieevokoauuy\23f559e7 = d83e194f5f35eec87576f174290794729aee4e1ca80b3552e312795558d3ca5099edfd705f1dd574c9bb78982e3b6bc7db27f8ceb1728bd115440f5468c93a45388266ced92987868c834d1310f482dcf0a588b419fcfdd95231463ea531d70372b420be	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Upuieevokoauuy\21b4799b = 2ee3185443131f079dd3795b9a918df4da2609ce272506a077c8aff0a67f455759a7818b3fcf8c7ad0a0df6ba69055d24ac195db8da542b0aea24c595064436365e4e04a3d00f19b4c19cc8903ab8a6725ca14c1134429ad361e	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Upuieevokoauuy\e4005174 = 83b17c6dee4b952fd292ea5e8a7385f5cfa66397cc8d915096aec725c04e70f0d9dbd702eb9b13b4aac9	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Upuieevokoauuy\5cbc3611 = a3205554c46aaab9f02878bb5737a46302584ece96c2d8b444553cf22e3198fa0e6bebfc	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Upuieevokoauuy\6923e65f = c7f3dcd89524a784e024c4c5191aadbda0b1a31bf9f5bb087f963bba9ce416828a275342d13414a442f3f1	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Upuieevokoauuy\99081efe = 13227eec62eb34363a1a233435dec2da52	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Upuieevokoauuy\9b493e82 = 065f4a6c0678b08c1b0d87ba041c9a09ea50ed2df587e2	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Upuieevokoauuy\166a89a9 = 99beb75e7f29a3925d9a022cec3c7542053d9c58fee9f4a7710808f5fd88353c0d5a9fcf4fbaba4d8ffaaa0b2133ef0f08c358e5902b25f91b624b82d9ec662bae1e701e5e09faa83b3000d6489a25c890611c86	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

628 regsvr32.exe
1016 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

628 regsvr32.exe
1016 regsvr32.exe

Suspicious use of FindShellTrayWindow 62 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid	process
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
1016	regsvr32.exe
1016	regsvr32.exe
1016	regsvr32.exe
1016	regsvr32.exe
1016	regsvr32.exe
1016	regsvr32.exe
1016	regsvr32.exe
1016	regsvr32.exe
1016	regsvr32.exe
1016	regsvr32.exe
1016	regsvr32.exe
1016	regsvr32.exe
1016	regsvr32.exe
1016	regsvr32.exe
1016	regsvr32.exe
1016	regsvr32.exe
1016	regsvr32.exe
1016	regsvr32.exe
1016	regsvr32.exe
1016	regsvr32.exe
1016	regsvr32.exe
1016	regsvr32.exe
1016	regsvr32.exe
1016	regsvr32.exe
1016	regsvr32.exe
1016	regsvr32.exe
1016	regsvr32.exe
1016	regsvr32.exe
1016	regsvr32.exe
1016	regsvr32.exe
1016	regsvr32.exe

Suspicious use of SendNotifyMessage 31 IoCs

Processes:

regsvr32.exe

pid	process
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe
628	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

regsvr32.exeregsvr32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 1624 wrote to memory of 628	1624	regsvr32.exe	regsvr32.exe
PID 1624 wrote to memory of 628	1624	regsvr32.exe	regsvr32.exe
PID 1624 wrote to memory of 628	1624	regsvr32.exe	regsvr32.exe
PID 1624 wrote to memory of 628	1624	regsvr32.exe	regsvr32.exe
PID 1624 wrote to memory of 628	1624	regsvr32.exe	regsvr32.exe
PID 1624 wrote to memory of 628	1624	regsvr32.exe	regsvr32.exe
PID 1624 wrote to memory of 628	1624	regsvr32.exe	regsvr32.exe
PID 628 wrote to memory of 780	628	regsvr32.exe	explorer.exe
PID 628 wrote to memory of 780	628	regsvr32.exe	explorer.exe
PID 628 wrote to memory of 780	628	regsvr32.exe	explorer.exe
PID 628 wrote to memory of 780	628	regsvr32.exe	explorer.exe
PID 628 wrote to memory of 780	628	regsvr32.exe	explorer.exe
PID 628 wrote to memory of 780	628	regsvr32.exe	explorer.exe
PID 780 wrote to memory of 1676	780	explorer.exe	schtasks.exe
PID 780 wrote to memory of 1676	780	explorer.exe	schtasks.exe
PID 780 wrote to memory of 1676	780	explorer.exe	schtasks.exe
PID 780 wrote to memory of 1676	780	explorer.exe	schtasks.exe
PID 1984 wrote to memory of 1656	1984	taskeng.exe	regsvr32.exe
PID 1984 wrote to memory of 1656	1984	taskeng.exe	regsvr32.exe
PID 1984 wrote to memory of 1656	1984	taskeng.exe	regsvr32.exe
PID 1984 wrote to memory of 1656	1984	taskeng.exe	regsvr32.exe
PID 1984 wrote to memory of 1656	1984	taskeng.exe	regsvr32.exe
PID 1656 wrote to memory of 1016	1656	regsvr32.exe	regsvr32.exe
PID 1656 wrote to memory of 1016	1656	regsvr32.exe	regsvr32.exe
PID 1656 wrote to memory of 1016	1656	regsvr32.exe	regsvr32.exe
PID 1656 wrote to memory of 1016	1656	regsvr32.exe	regsvr32.exe
PID 1656 wrote to memory of 1016	1656	regsvr32.exe	regsvr32.exe
PID 1656 wrote to memory of 1016	1656	regsvr32.exe	regsvr32.exe
PID 1656 wrote to memory of 1016	1656	regsvr32.exe	regsvr32.exe
PID 1016 wrote to memory of 1780	1016	regsvr32.exe	explorer.exe
PID 1016 wrote to memory of 1780	1016	regsvr32.exe	explorer.exe
PID 1016 wrote to memory of 1780	1016	regsvr32.exe	explorer.exe
PID 1016 wrote to memory of 1780	1016	regsvr32.exe	explorer.exe
PID 1016 wrote to memory of 1780	1016	regsvr32.exe	explorer.exe
PID 1016 wrote to memory of 1780	1016	regsvr32.exe	explorer.exe
PID 1780 wrote to memory of 1672	1780	explorer.exe	reg.exe
PID 1780 wrote to memory of 1672	1780	explorer.exe	reg.exe
PID 1780 wrote to memory of 1672	1780	explorer.exe	reg.exe
PID 1780 wrote to memory of 1672	1780	explorer.exe	reg.exe
PID 1780 wrote to memory of 112	1780	explorer.exe	reg.exe
PID 1780 wrote to memory of 112	1780	explorer.exe	reg.exe
PID 1780 wrote to memory of 112	1780	explorer.exe	reg.exe
PID 1780 wrote to memory of 112	1780	explorer.exe	reg.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\60db49cac9157a0e63ba7cf559fa084c5bb3fec0ba69c6a08bb85dd3ba6dbac9.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\60db49cac9157a0e63ba7cf559fa084c5bb3fec0ba69c6a08bb85dd3ba6dbac9.dll
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:780
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn dshkiahp /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\60db49cac9157a0e63ba7cf559fa084c5bb3fec0ba69c6a08bb85dd3ba6dbac9.dll\"" /SC ONCE /Z /ST 14:20 /ET 14:32
      4⤵
      Creates scheduled task(s)
      PID:1676

C:\Windows\system32\taskeng.exe
taskeng.exe {B57E3043-7888-4EB1-9541-8188CAA8DE13} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\60db49cac9157a0e63ba7cf559fa084c5bb3fec0ba69c6a08bb85dd3ba6dbac9.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Windows\SysWOW64\regsvr32.exe
    -s "C:\Users\Admin\AppData\Local\Temp\60db49cac9157a0e63ba7cf559fa084c5bb3fec0ba69c6a08bb85dd3ba6dbac9.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1016
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:1780
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Slujo" /d "0"
        5⤵
        
        PID:1672
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Zdyhwuvqaj" /d "0"
        5⤵
        
        PID:112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\60db49cac9157a0e63ba7cf559fa084c5bb3fec0ba69c6a08bb85dd3ba6dbac9.dll

MD5
ea4f783d466e757560776d148a790709

SHA1
5beac9e9677e5bec28655ab09ad013311be9572e

SHA256
60db49cac9157a0e63ba7cf559fa084c5bb3fec0ba69c6a08bb85dd3ba6dbac9

SHA512
2971dbc30fbfc4939e17c0ac3dd1d419ce93f13a20dde5700e8ce4352a8373d326d346befe8c87929f2b71c906dc6fa5ef32858ff3c944f756df6ed841aa693f

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\60db49cac9157a0e63ba7cf559fa084c5bb3fec0ba69c6a08bb85dd3ba6dbac9.dll

MD5
ea4f783d466e757560776d148a790709

SHA1
5beac9e9677e5bec28655ab09ad013311be9572e

SHA256
60db49cac9157a0e63ba7cf559fa084c5bb3fec0ba69c6a08bb85dd3ba6dbac9

SHA512
2971dbc30fbfc4939e17c0ac3dd1d419ce93f13a20dde5700e8ce4352a8373d326d346befe8c87929f2b71c906dc6fa5ef32858ff3c944f756df6ed841aa693f

Download Submit
memory/112-77-0x0000000000000000-mapping.dmp

Download
memory/628-55-0x0000000000000000-mapping.dmp

Download
memory/628-56-0x0000000076C61000-0x0000000076C63000-memory.dmp

Filesize
8KB

Download
memory/628-62-0x0000000010000000-0x00000000100F4000-memory.dmp

Filesize
976KB

Download
memory/628-61-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/780-63-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/780-60-0x0000000074B91000-0x0000000074B93000-memory.dmp

Filesize
8KB

Download
memory/780-58-0x0000000000000000-mapping.dmp

Download
memory/780-57-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download
memory/1016-68-0x0000000000000000-mapping.dmp

Download
memory/1624-54-0x000007FEFC321000-0x000007FEFC323000-memory.dmp

Filesize
8KB

Download
memory/1656-65-0x0000000000000000-mapping.dmp

Download
memory/1672-76-0x0000000000000000-mapping.dmp

Download
memory/1676-64-0x0000000000000000-mapping.dmp

Download
memory/1780-72-0x0000000000000000-mapping.dmp

Download
memory/1780-78-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads