qakbot | 60db49cac9157a0e63ba7cf559fa084c5bb3fec0ba69c6a08bb85dd3ba6dbac9

General

Target

60db49cac9157a0e63ba7cf559fa084c5bb3fec0ba69c6a08bb85dd3ba6dbac9.dll
Size

934KB
MD5

ea4f783d466e757560776d148a790709
SHA1

5beac9e9677e5bec28655ab09ad013311be9572e
SHA256

60db49cac9157a0e63ba7cf559fa084c5bb3fec0ba69c6a08bb85dd3ba6dbac9
SHA512

2971dbc30fbfc4939e17c0ac3dd1d419ce93f13a20dde5700e8ce4352a8373d326d346befe8c87929f2b71c906dc6fa5ef32858ff3c944f756df6ed841aa693f

Score

10^/10

qakbot cullinan 1639333530 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.10

Botnet

cullinan

Campaign

1639333530

C2

65.100.174.110:443

173.21.10.71:2222

140.82.49.12:443

190.73.3.148:2222

76.25.142.196:443

71.74.12.34:443

31.215.98.160:443

93.48.80.198:995

45.9.20.200:2211

41.228.22.180:443

109.12.111.14:443

63.143.92.99:995

120.150.218.241:995

94.60.254.81:443

86.148.6.51:443

218.101.110.3:995

216.238.71.31:443

207.246.112.221:443

216.238.72.121:443

216.238.71.31:995

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

324 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1548 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

4048 regsvr32.exe
4048 regsvr32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

regsvr32.exe

pid process

4048 regsvr32.exe

pid	process
324	regsvr32.exe

pid	process
1548	schtasks.exe

Suspicious use of FindShellTrayWindow 31 IoCs

Processes:

regsvr32.exe

pid	process
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe

Suspicious use of SendNotifyMessage 31 IoCs

Processes:

regsvr32.exe

pid	process
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe
4048	regsvr32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

regsvr32.exeregsvr32.exeexplorer.exeregsvr32.exe

description	pid	process	target process
PID 3260 wrote to memory of 4048	3260	regsvr32.exe	regsvr32.exe
PID 3260 wrote to memory of 4048	3260	regsvr32.exe	regsvr32.exe
PID 3260 wrote to memory of 4048	3260	regsvr32.exe	regsvr32.exe
PID 4048 wrote to memory of 1280	4048	regsvr32.exe	explorer.exe
PID 4048 wrote to memory of 1280	4048	regsvr32.exe	explorer.exe
PID 4048 wrote to memory of 1280	4048	regsvr32.exe	explorer.exe
PID 4048 wrote to memory of 1280	4048	regsvr32.exe	explorer.exe
PID 4048 wrote to memory of 1280	4048	regsvr32.exe	explorer.exe
PID 1280 wrote to memory of 1548	1280	explorer.exe	schtasks.exe
PID 1280 wrote to memory of 1548	1280	explorer.exe	schtasks.exe
PID 1280 wrote to memory of 1548	1280	explorer.exe	schtasks.exe
PID 2836 wrote to memory of 324	2836	regsvr32.exe	regsvr32.exe
PID 2836 wrote to memory of 324	2836	regsvr32.exe	regsvr32.exe
PID 2836 wrote to memory of 324	2836	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\60db49cac9157a0e63ba7cf559fa084c5bb3fec0ba69c6a08bb85dd3ba6dbac9.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3260

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\60db49cac9157a0e63ba7cf559fa084c5bb3fec0ba69c6a08bb85dd3ba6dbac9.dll
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4048

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn dkwblvvhzu /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\60db49cac9157a0e63ba7cf559fa084c5bb3fec0ba69c6a08bb85dd3ba6dbac9.dll\"" /SC ONCE /Z /ST 06:19 /ET 06:31
4⤵
- Creates scheduled task(s)
PID:1548

\??\c:\windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\60db49cac9157a0e63ba7cf559fa084c5bb3fec0ba69c6a08bb85dd3ba6dbac9.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:2836

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\60db49cac9157a0e63ba7cf559fa084c5bb3fec0ba69c6a08bb85dd3ba6dbac9.dll"
2⤵
- Loads dropped DLL
PID:324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\60db49cac9157a0e63ba7cf559fa084c5bb3fec0ba69c6a08bb85dd3ba6dbac9.dll
MD5
ea4f783d466e757560776d148a790709

SHA1
5beac9e9677e5bec28655ab09ad013311be9572e

SHA256
60db49cac9157a0e63ba7cf559fa084c5bb3fec0ba69c6a08bb85dd3ba6dbac9

SHA512
2971dbc30fbfc4939e17c0ac3dd1d419ce93f13a20dde5700e8ce4352a8373d326d346befe8c87929f2b71c906dc6fa5ef32858ff3c944f756df6ed841aa693f

Download Submit
\Users\Admin\AppData\Local\Temp\60db49cac9157a0e63ba7cf559fa084c5bb3fec0ba69c6a08bb85dd3ba6dbac9.dll
MD5
ea4f783d466e757560776d148a790709

SHA1
5beac9e9677e5bec28655ab09ad013311be9572e

SHA256
60db49cac9157a0e63ba7cf559fa084c5bb3fec0ba69c6a08bb85dd3ba6dbac9

SHA512
2971dbc30fbfc4939e17c0ac3dd1d419ce93f13a20dde5700e8ce4352a8373d326d346befe8c87929f2b71c906dc6fa5ef32858ff3c944f756df6ed841aa693f

Download Submit
memory/324-124-0x0000000000000000-mapping.dmp

Download
memory/1280-118-0x0000000000000000-mapping.dmp

Download
memory/1280-120-0x0000000003540000-0x0000000003541000-memory.dmp

Filesize
4KB

Download
memory/1280-121-0x0000000003540000-0x0000000003541000-memory.dmp

Filesize
4KB

Download
memory/1280-122-0x0000000002F50000-0x0000000002F71000-memory.dmp

Filesize
132KB

Download
memory/1548-119-0x0000000000000000-mapping.dmp

Download
memory/4048-115-0x0000000000000000-mapping.dmp

Download
memory/4048-116-0x0000000004D80000-0x0000000004DA3000-memory.dmp

Filesize
140KB

Download
memory/4048-117-0x0000000010000000-0x00000000100F4000-memory.dmp

Filesize
976KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads