qakbot | f33f13904ac136f6fa015ce4ad3120fdc2929e54fb8d913353ab72989dbb6c7c

General

Target

wal1.ocx.dll
Size

724KB
MD5

891e456efe3827daf61778acb8b548ae
SHA1

a67837da74ed35c6bd1cace8119544979f92d7e5
SHA256

f33f13904ac136f6fa015ce4ad3120fdc2929e54fb8d913353ab72989dbb6c7c
SHA512

2577ed482296e3a8ec45e544c80e58156c58eaef06920a5a1c06ec4a8f195256b5bc6ebbf80c2624b30e752bcb987ccf39271f9a1bdc0c0c45d371426d76fa1c

Score

10^/10

qakbot cullinan 1639988898 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.10

Botnet

cullinan

Campaign

1639988898

C2

32.221.229.7:443

140.82.49.12:443

24.152.219.253:995

182.56.99.126:443

76.169.147.192:32103

218.101.110.3:995

89.101.97.139:443

82.152.39.39:443

176.24.150.197:443

96.37.113.36:993

68.186.192.69:443

59.88.168.108:443

75.110.250.187:443

182.191.92.203:995

89.165.88.95:443

103.142.10.177:443

45.9.20.200:2211

24.95.61.62:443

194.36.28.26:443

78.101.82.198:2222

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1156 regsvr32.exe

pid	process
1156	regsvr32.exe

Drops file in System32 directory 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	ioc	process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	regsvr32.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	regsvr32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4028 schtasks.exe

pid	process
4028	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ojxilufqwmci\1528f8c4 = 16f0e62e53f2a6c4c441334807559a3f4df63eb9ffc2b0c25dad5c9b70cd2810529cdaffacc9d29e13286eb945d0600bc9a3c499b683e6e4a78b21217ee29e376679b1bdd8bd0415a9b29088d1e812b6815e617ea680c506b49542ba2968392bbd8597fe60dc6118058757898ec6c5e0471949b2331abd83f47262dcc1e52df3addb1bc0546ff39f6e17796c414a0e089b96fd84696ce798dea763f46991c7ba04f650ad5092ca39eea873705bf68b85ef61a4eac9fdd48a868946c3033f53	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ojxilufqwmci\1769d8b8 = 8f61965ebae136fc8ff16f40433bd9abe97e7795d2e144	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ojxilufqwmci\afd5bfdd = 92a85234361a48acec89637e8001bbd75f4c66239f31e36a8acccca99bc4bb663307fa773e650d886d649264be75ea738f343d66d1f2031515accbcc10cf802dcb478022a5af7e4982680f16a93a3d7b1b41a5038adc52482e20e48ee53fd993dcf7bda446058f3c3d4f5f16960c9a	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ojxilufqwmci\d2ddf057 = 4ba432ce1b4466795a928a249e062b97ba598ecc1a225d2bd911	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ojxilufqwmci\6a619732 = dd26890bb85c172ea46e759e38267cd147eaacd650	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ojxilufqwmci\ad949fa1 = bcb922c7c3989e424ab0d021eb4dbfc748ffd98203efb0897c457669c690ae1d56fb80d7b7f5d1480cd88c09f5173fdf0d77a8f1311440a604cf28f99f20742b0405776564	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ojxilufqwmci\20b7288a = 416963922cde4fc0d6ae04ffcaf09ec9efc6231858d8bb45a806195a440a5e786f48d64d75ce210c2da1ea063fd3ccd4e9dcbbfa7783055a496e1d4a6bfd75880f9c342d9eba19a6e293b02d003d477f9bccf6afb731eb484b41e87407410ab4a18cd167c11a633cdb83fae93f2c1d5eb42b4c241ce451cce26955d2	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ojxilufqwmci	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ojxilufqwmci\20b7288a = 416974922cde7aeffcc97c1f75f91b6adeb84cd6954506966d1278e134c7ac1a232aed0c6306a1bbf1a4c1661f8ede826f1165024685e40532b1a24637bc9beefe241ed52b49b184cf8c34d3f9233a2bfaa108da960a7ec5d45eea99aa956bb2de85e5d574bed0	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ojxilufqwmci\5ffe477c = fd5c2202997d2d374dc5133dda28a9ad800ce86a82d434d452f488b2b41805c0625eea6fe3e30504d826165d5e5053c4a8edba25e1aa55f9d874df6f757cf5cd2c820128ed80f852ceb27da316ca	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

2668 regsvr32.exe
2668 regsvr32.exe
1156 regsvr32.exe
1156 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

2668 regsvr32.exe
1156 regsvr32.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

2668 regsvr32.exe
1156 regsvr32.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

regsvr32.exe

pid process

2668 regsvr32.exe

pid	process
2668	regsvr32.exe
2668	regsvr32.exe
1156	regsvr32.exe
1156	regsvr32.exe

pid	process
2668	regsvr32.exe
1156	regsvr32.exe

pid	process
2668	regsvr32.exe
1156	regsvr32.exe

pid	process
2668	regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

regsvr32.exeregsvr32.exeexplorer.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 2464 wrote to memory of 2668	2464	regsvr32.exe	regsvr32.exe
PID 2464 wrote to memory of 2668	2464	regsvr32.exe	regsvr32.exe
PID 2464 wrote to memory of 2668	2464	regsvr32.exe	regsvr32.exe
PID 2668 wrote to memory of 2348	2668	regsvr32.exe	explorer.exe
PID 2668 wrote to memory of 2348	2668	regsvr32.exe	explorer.exe
PID 2668 wrote to memory of 2348	2668	regsvr32.exe	explorer.exe
PID 2668 wrote to memory of 2348	2668	regsvr32.exe	explorer.exe
PID 2668 wrote to memory of 2348	2668	regsvr32.exe	explorer.exe
PID 2348 wrote to memory of 4028	2348	explorer.exe	schtasks.exe
PID 2348 wrote to memory of 4028	2348	explorer.exe	schtasks.exe
PID 2348 wrote to memory of 4028	2348	explorer.exe	schtasks.exe
PID 1588 wrote to memory of 1156	1588	regsvr32.exe	regsvr32.exe
PID 1588 wrote to memory of 1156	1588	regsvr32.exe	regsvr32.exe
PID 1588 wrote to memory of 1156	1588	regsvr32.exe	regsvr32.exe
PID 1156 wrote to memory of 1172	1156	regsvr32.exe	explorer.exe
PID 1156 wrote to memory of 1172	1156	regsvr32.exe	explorer.exe
PID 1156 wrote to memory of 1172	1156	regsvr32.exe	explorer.exe
PID 1156 wrote to memory of 1172	1156	regsvr32.exe	explorer.exe
PID 1156 wrote to memory of 1172	1156	regsvr32.exe	explorer.exe
PID 1172 wrote to memory of 2984	1172	explorer.exe	reg.exe
PID 1172 wrote to memory of 2984	1172	explorer.exe	reg.exe
PID 1172 wrote to memory of 3592	1172	explorer.exe	reg.exe
PID 1172 wrote to memory of 3592	1172	explorer.exe	reg.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\wal1.ocx.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2464

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\wal1.ocx.dll
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2668

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2348

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn rkfnmuz /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\wal1.ocx.dll\"" /SC ONCE /Z /ST 16:58 /ET 17:10
4⤵
- Creates scheduled task(s)
PID:4028

\??\c:\windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\wal1.ocx.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\wal1.ocx.dll"
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1172

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Yohczg" /d "0"
4⤵
PID:2984

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Cfntof" /d "0"
4⤵
PID:3592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wal1.ocx.dll
MD5
891e456efe3827daf61778acb8b548ae

SHA1
a67837da74ed35c6bd1cace8119544979f92d7e5

SHA256
f33f13904ac136f6fa015ce4ad3120fdc2929e54fb8d913353ab72989dbb6c7c

SHA512
2577ed482296e3a8ec45e544c80e58156c58eaef06920a5a1c06ec4a8f195256b5bc6ebbf80c2624b30e752bcb987ccf39271f9a1bdc0c0c45d371426d76fa1c

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt
MD5
3710206ee27a8680d6219877317684f3

SHA1
f5cb838b21c4a2e2884aae18501601956cdb9179

SHA256
25f136a4223d02ffcb3f51f83261a72fe43b7cc415008db7e15e8c0e2700ddd9

SHA512
9d33b12fabf1a6a02526e8f8066446907cf4872d745843fd75f4a0dd7acb4c661cef3b16343553236f68519c4593973f4bbe719ee937c32f13a1e5a4c4a07afb

Download Submit
\Users\Admin\AppData\Local\Temp\wal1.ocx.dll
MD5
891e456efe3827daf61778acb8b548ae

SHA1
a67837da74ed35c6bd1cace8119544979f92d7e5

SHA256
f33f13904ac136f6fa015ce4ad3120fdc2929e54fb8d913353ab72989dbb6c7c

SHA512
2577ed482296e3a8ec45e544c80e58156c58eaef06920a5a1c06ec4a8f195256b5bc6ebbf80c2624b30e752bcb987ccf39271f9a1bdc0c0c45d371426d76fa1c

Download Submit
memory/1156-127-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/1156-124-0x0000000000000000-mapping.dmp

Download
memory/1172-133-0x00000000006E0000-0x0000000000701000-memory.dmp

Filesize
132KB

Download
memory/1172-132-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/1172-131-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/1172-128-0x0000000000000000-mapping.dmp

Download
memory/2348-122-0x0000000003480000-0x00000000034A1000-memory.dmp

Filesize
132KB

Download
memory/2348-118-0x0000000000000000-mapping.dmp

Download
memory/2348-120-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/2348-121-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/2668-117-0x0000000010000000-0x00000000100C1000-memory.dmp

Filesize
772KB

Download
memory/2668-116-0x0000000000440000-0x00000000004EE000-memory.dmp

Filesize
696KB

Download
memory/2668-115-0x0000000000000000-mapping.dmp

Download
memory/2984-129-0x0000000000000000-mapping.dmp

Download
memory/3592-130-0x0000000000000000-mapping.dmp

Download
memory/4028-119-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads