qakbot | 017dc2e32d24734096b82e11c91fbba15e45181fbbd7f611abb963eaaea9a3e6

General

Target

017dc2e32d24734096b82e11c91fbba15e45181fbbd7f611abb963eaaea9a3e6.dll
Size

1.8MB
MD5

bc5790b25d7c562724938d58612f3466
SHA1

3472be4b855c1fc8242ea45022fb020e7e224b19
SHA256

017dc2e32d24734096b82e11c91fbba15e45181fbbd7f611abb963eaaea9a3e6
SHA512

c24cc45592c0767708b851ee3937a7cdf37808be592e4e863306552be8b345cc78d5742c09e5d39f142b2a8391371816281ae2cdc070f997312896c150f9d7db

Score

10^/10

qakbot cullinan 1640170781 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.10

Botnet

cullinan

Campaign

1640170781

C2

14.96.108.245:61202

182.191.92.203:995

136.232.34.70:443

93.48.80.198:995

140.82.49.12:443

32.221.229.7:443

24.152.219.253:995

31.35.28.29:443

96.37.113.36:993

190.39.205.165:443

79.173.195.234:443

39.49.66.100:995

103.139.242.30:22

79.167.192.206:995

45.9.20.200:2211

24.95.61.62:443

37.210.226.125:61202

103.139.242.30:995

70.163.1.219:443

103.143.8.71:6881

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1500 regsvr32.exe

pid	process
1500	regsvr32.exe

Drops file in System32 directory 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	ioc	process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	regsvr32.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	regsvr32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

904 schtasks.exe

pid	process
904	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Jthyeymciquwu\dffdefdf = 24be75bf42138786ca662ca3b257e37a19142a4884a316ecab459a5c522eeece81051a2a3b4dd3cfa55ab625398caa14e4887aeb2faae07e62727575f96a56df9e3e3f5acbd6466fed42537e71604faf42ba6beb23bca9ea703f1298b9fb65b81be48d7a7cdb05f8517730e99688e95fec51baede046f0f45a78b7db99c243a282ee092f8dc4a4ccd103d5a221b676fe5b2b530a7e2b8be400986a012b7b7fce3fccd5b281bcd425f6c55cbd2bc1a5592bdf757b9b8f6e7a2db07cb027ad453399451f9082f9bef8d693f34d	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Jthyeymciquwu\ddbccfa3 = 5fb1c695ca15c11b967b0cfbf01774c41ab01e2118708dbd1a538bbd61057891fd668395ea1cf2865a2f0404d9a82ea527661265dca3870c1a7a8c0abd5aba6b1a731684ec	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Jthyeymciquwu\6500a8c6 = d5458de40f4200cd99c37b48408f4ae83f3c93d0daca74c5c6601072d5703ad56c483f9ce8fb20a779d5473d962fae031ee7e4d9a9ff89880d72ab2dec5dfc36a7fe8c2c9a490eae6c81897735d54a3191c7abe4a30bf7884061d9f860e3d090a5897d99b44d5c2d64f4ed34047f39	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Jthyeymciquwu\952b5067 = 0bd54fe0221d3959af98f8b6046d0a42d3968e97108952d90b75f0a507bdc97c9a5f2917d0463f4a5d31f28b1d46b27cec0f9b3c53a63dee27fd3bfa989222112efef4beace3fa39e7eb919d1727c39ea1f49294ae47dd49af4fed04efbc81e4865a945ddefaf1bc01ca36	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Jthyeymciquwu	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Jthyeymciquwu\ea623f91 = 74716deea1a2ec23d795a3f5c6617120945ed9818820c4369047720af0bb06388280b563b986ea17c1a1535b5651c84fc3d3e63870ad0a26ffde81a6cf2dbf583010	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Jthyeymciquwu\1808e74c = 2f388a26850ca226b3fdef2ffbc1900208d60e2928a2e26c131510b4360dc4b2d9511b4de4f32fb4	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Jthyeymciquwu\a0b48029 = b4adf074438d7259efc44cf8345e6d6b7e62f8109ccceec76ff7b9bf93cbd65ef4b61b3f8e04509cf19586f47dc03c5c426946	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Jthyeymciquwu\674188ba = f93ed8ddd4de9b14618867ad4cc31d347ac6c272039d74085fb2bc0ab00d3333ba35c513cc74bcc5233aee6ac03382b9c8bb3c6cde81b0996b5ebc	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Jthyeymciquwu\ea623f91 = 74717aeea1a2d9bf9310d7bcaa391f6ec25f021fbf467d8c43a4ec9187dd73c0457cd9457830e6b7fb2aa5f1debc511bf37ed1677aa45f956003c372f45622bd3421c1d99757a880942a736b09ced36fbbb28e55442984	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

752 regsvr32.exe
1500 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

752 regsvr32.exe
1500 regsvr32.exe

Suspicious use of FindShellTrayWindow 40 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid	process
752	regsvr32.exe
752	regsvr32.exe
752	regsvr32.exe
752	regsvr32.exe
752	regsvr32.exe
752	regsvr32.exe
752	regsvr32.exe
752	regsvr32.exe
752	regsvr32.exe
752	regsvr32.exe
752	regsvr32.exe
752	regsvr32.exe
752	regsvr32.exe
752	regsvr32.exe
752	regsvr32.exe
752	regsvr32.exe
752	regsvr32.exe
752	regsvr32.exe
752	regsvr32.exe
752	regsvr32.exe
1500	regsvr32.exe
1500	regsvr32.exe
1500	regsvr32.exe
1500	regsvr32.exe
1500	regsvr32.exe
1500	regsvr32.exe
1500	regsvr32.exe
1500	regsvr32.exe
1500	regsvr32.exe
1500	regsvr32.exe
1500	regsvr32.exe
1500	regsvr32.exe
1500	regsvr32.exe
1500	regsvr32.exe
1500	regsvr32.exe
1500	regsvr32.exe
1500	regsvr32.exe
1500	regsvr32.exe
1500	regsvr32.exe
1500	regsvr32.exe

Suspicious use of SendNotifyMessage 20 IoCs

Processes:

regsvr32.exe

pid	process
752	regsvr32.exe
752	regsvr32.exe
752	regsvr32.exe
752	regsvr32.exe
752	regsvr32.exe
752	regsvr32.exe
752	regsvr32.exe
752	regsvr32.exe
752	regsvr32.exe
752	regsvr32.exe
752	regsvr32.exe
752	regsvr32.exe
752	regsvr32.exe
752	regsvr32.exe
752	regsvr32.exe
752	regsvr32.exe
752	regsvr32.exe
752	regsvr32.exe
752	regsvr32.exe
752	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

regsvr32.exeregsvr32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 944 wrote to memory of 752	944	regsvr32.exe	regsvr32.exe
PID 944 wrote to memory of 752	944	regsvr32.exe	regsvr32.exe
PID 944 wrote to memory of 752	944	regsvr32.exe	regsvr32.exe
PID 944 wrote to memory of 752	944	regsvr32.exe	regsvr32.exe
PID 944 wrote to memory of 752	944	regsvr32.exe	regsvr32.exe
PID 944 wrote to memory of 752	944	regsvr32.exe	regsvr32.exe
PID 944 wrote to memory of 752	944	regsvr32.exe	regsvr32.exe
PID 752 wrote to memory of 336	752	regsvr32.exe	explorer.exe
PID 752 wrote to memory of 336	752	regsvr32.exe	explorer.exe
PID 752 wrote to memory of 336	752	regsvr32.exe	explorer.exe
PID 752 wrote to memory of 336	752	regsvr32.exe	explorer.exe
PID 752 wrote to memory of 336	752	regsvr32.exe	explorer.exe
PID 752 wrote to memory of 336	752	regsvr32.exe	explorer.exe
PID 336 wrote to memory of 904	336	explorer.exe	schtasks.exe
PID 336 wrote to memory of 904	336	explorer.exe	schtasks.exe
PID 336 wrote to memory of 904	336	explorer.exe	schtasks.exe
PID 336 wrote to memory of 904	336	explorer.exe	schtasks.exe
PID 800 wrote to memory of 1916	800	taskeng.exe	regsvr32.exe
PID 800 wrote to memory of 1916	800	taskeng.exe	regsvr32.exe
PID 800 wrote to memory of 1916	800	taskeng.exe	regsvr32.exe
PID 800 wrote to memory of 1916	800	taskeng.exe	regsvr32.exe
PID 800 wrote to memory of 1916	800	taskeng.exe	regsvr32.exe
PID 1916 wrote to memory of 1500	1916	regsvr32.exe	regsvr32.exe
PID 1916 wrote to memory of 1500	1916	regsvr32.exe	regsvr32.exe
PID 1916 wrote to memory of 1500	1916	regsvr32.exe	regsvr32.exe
PID 1916 wrote to memory of 1500	1916	regsvr32.exe	regsvr32.exe
PID 1916 wrote to memory of 1500	1916	regsvr32.exe	regsvr32.exe
PID 1916 wrote to memory of 1500	1916	regsvr32.exe	regsvr32.exe
PID 1916 wrote to memory of 1500	1916	regsvr32.exe	regsvr32.exe
PID 1500 wrote to memory of 1776	1500	regsvr32.exe	explorer.exe
PID 1500 wrote to memory of 1776	1500	regsvr32.exe	explorer.exe
PID 1500 wrote to memory of 1776	1500	regsvr32.exe	explorer.exe
PID 1500 wrote to memory of 1776	1500	regsvr32.exe	explorer.exe
PID 1500 wrote to memory of 1776	1500	regsvr32.exe	explorer.exe
PID 1500 wrote to memory of 1776	1500	regsvr32.exe	explorer.exe
PID 1776 wrote to memory of 1076	1776	explorer.exe	reg.exe
PID 1776 wrote to memory of 1076	1776	explorer.exe	reg.exe
PID 1776 wrote to memory of 1076	1776	explorer.exe	reg.exe
PID 1776 wrote to memory of 1076	1776	explorer.exe	reg.exe
PID 1776 wrote to memory of 976	1776	explorer.exe	reg.exe
PID 1776 wrote to memory of 976	1776	explorer.exe	reg.exe
PID 1776 wrote to memory of 976	1776	explorer.exe	reg.exe
PID 1776 wrote to memory of 976	1776	explorer.exe	reg.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\017dc2e32d24734096b82e11c91fbba15e45181fbbd7f611abb963eaaea9a3e6.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\017dc2e32d24734096b82e11c91fbba15e45181fbbd7f611abb963eaaea9a3e6.dll
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn vmtzfjz /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\017dc2e32d24734096b82e11c91fbba15e45181fbbd7f611abb963eaaea9a3e6.dll\"" /SC ONCE /Z /ST 04:02 /ET 04:14
4⤵
- Creates scheduled task(s)
PID:904

C:\Windows\system32\taskeng.exe
taskeng.exe {DFAF2D6C-6178-433B-9A93-DF9FF11E97BC} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:800

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\017dc2e32d24734096b82e11c91fbba15e45181fbbd7f611abb963eaaea9a3e6.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\017dc2e32d24734096b82e11c91fbba15e45181fbbd7f611abb963eaaea9a3e6.dll"
3⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Otpuxfnsajbq" /d "0"
5⤵
PID:1076

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Hpminjoyp" /d "0"
5⤵
PID:976

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\017dc2e32d24734096b82e11c91fbba15e45181fbbd7f611abb963eaaea9a3e6.dll
MD5
bc5790b25d7c562724938d58612f3466

SHA1
3472be4b855c1fc8242ea45022fb020e7e224b19

SHA256
017dc2e32d24734096b82e11c91fbba15e45181fbbd7f611abb963eaaea9a3e6

SHA512
c24cc45592c0767708b851ee3937a7cdf37808be592e4e863306552be8b345cc78d5742c09e5d39f142b2a8391371816281ae2cdc070f997312896c150f9d7db

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt
MD5
d1b01deff326d9e2f9626e339c385589

SHA1
b81210855180a268569f104cd4093c88727f76bd

SHA256
5df988f746ccc6ec9eb581f2a0ac6d7246fdd7f5491661dc3edd5cb603ded8ab

SHA512
28dd095728b72f1e977f37b9cb31de47c46209634247723a3ad04313a378066f137506e552e536f160b733a980102c9fa9d86cff26d010b81f49eee7e56a6431

Download Submit
\Users\Admin\AppData\Local\Temp\017dc2e32d24734096b82e11c91fbba15e45181fbbd7f611abb963eaaea9a3e6.dll
MD5
bc5790b25d7c562724938d58612f3466

SHA1
3472be4b855c1fc8242ea45022fb020e7e224b19

SHA256
017dc2e32d24734096b82e11c91fbba15e45181fbbd7f611abb963eaaea9a3e6

SHA512
c24cc45592c0767708b851ee3937a7cdf37808be592e4e863306552be8b345cc78d5742c09e5d39f142b2a8391371816281ae2cdc070f997312896c150f9d7db

Download Submit
memory/336-62-0x0000000074671000-0x0000000074673000-memory.dmp

Filesize
8KB

Download
memory/336-63-0x00000000000D0000-0x00000000000F1000-memory.dmp

Filesize
132KB

Download
memory/336-59-0x0000000000080000-0x0000000000082000-memory.dmp

Filesize
8KB

Download
memory/336-60-0x0000000000000000-mapping.dmp

Download
memory/752-58-0x0000000010000000-0x00000000101DC000-memory.dmp

Filesize
1.9MB

Download
memory/752-57-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/752-56-0x0000000075431000-0x0000000075433000-memory.dmp

Filesize
8KB

Download
memory/752-55-0x0000000000000000-mapping.dmp

Download
memory/904-64-0x0000000000000000-mapping.dmp

Download
memory/944-54-0x000007FEFBE11000-0x000007FEFBE13000-memory.dmp

Filesize
8KB

Download
memory/976-77-0x0000000000000000-mapping.dmp

Download
memory/1076-76-0x0000000000000000-mapping.dmp

Download
memory/1500-68-0x0000000000000000-mapping.dmp

Download
memory/1776-73-0x0000000000000000-mapping.dmp

Download
memory/1776-78-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/1916-65-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads