qakbot | 017dc2e32d24734096b82e11c91fbba15e45181fbbd7f611abb963eaaea9a3e6

General

Target

017dc2e32d24734096b82e11c91fbba15e45181fbbd7f611abb963eaaea9a3e6.dll
Size

1.8MB
MD5

bc5790b25d7c562724938d58612f3466
SHA1

3472be4b855c1fc8242ea45022fb020e7e224b19
SHA256

017dc2e32d24734096b82e11c91fbba15e45181fbbd7f611abb963eaaea9a3e6
SHA512

c24cc45592c0767708b851ee3937a7cdf37808be592e4e863306552be8b345cc78d5742c09e5d39f142b2a8391371816281ae2cdc070f997312896c150f9d7db

Score

10^/10

qakbot cullinan 1640170781 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.10

Botnet

cullinan

Campaign

1640170781

C2

14.96.108.245:61202

182.191.92.203:995

136.232.34.70:443

93.48.80.198:995

140.82.49.12:443

32.221.229.7:443

24.152.219.253:995

31.35.28.29:443

96.37.113.36:993

190.39.205.165:443

79.173.195.234:443

39.49.66.100:995

103.139.242.30:22

79.167.192.206:995

45.9.20.200:2211

24.95.61.62:443

37.210.226.125:61202

103.139.242.30:995

70.163.1.219:443

103.143.8.71:6881

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

2752 regsvr32.exe

pid	process
2752	regsvr32.exe

Drops file in System32 directory 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	ioc	process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	regsvr32.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	regsvr32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2280 schtasks.exe

pid	process
2280	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ctrboshidhu\2c95d525 = fde693f6b0aa82	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ctrboshidhu\53dcbad3 = 7051dd12166854b41e6635127cc9df03	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ctrboshidhu\2c95d525 = fde684f6b0aab7a4ff1f8be80f43fd24bcd092b85c175934a4b8f1b0	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ctrboshidhu\66436a9d = 217f2401b5b21dcdf10521fda8999321705d662a4cdf1bf5dd30db88fbe55d51a159bc623f0fc0a7998baf6702c68318c8ff98cdc718a173236565da0b0c11f1ed858968c4c0bb6666fc9edca2377ab62bfbdba4	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ctrboshidhu\a1b6620e = 0e9af19635bacb9259d2e6946d3702fb713c03dbc433da4c7c1f36c75f7115c4aa8aee0714d7d696476d2f92a7	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ctrboshidhu	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ctrboshidhu\190a056b = 7ff6942a4cb3bb7b334284aa7660764f3f66810950d12d661532ba845b3ae2e98a0e4544cc096187b5ed1b273e818ab0cb7f8aafe0edd900601a5eef16e0d5e0ceaccca3b9547fdd7af76713d6e94deec251e063a83b206fa69052a022a8dfd6ee5c661ab1e544243d83646523614f3d08ca8cd63c026e38dc731a018f03873d4a0b55a11ad7a42ddae980aeb4d6df26bb9f57289ec55da9ef1f9a7724de61cc8f7ada41b6d72c0c8fd75bda9ec6f789a3ac3fc28b56026c2c69	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ctrboshidhu\1b4b2517 = 9d4fa99043dd6d804c1962a59ca896929653d2c9263a6c9fc4b79e2f2b39f473be18d3c9fcfb4f78329356d92834ed5bdeb20e58d7faafe6535926f66d3ce4259c12ad5a94049e10923160388905e64b97a99eed18	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ctrboshidhu\a3f74272 = 9355e745fe19c87d8cd6436330c2c884494ea600d702096341a88e521324d61c284f6a92b7332acfbad208d04f85f473f21cb8aacda717b9ecfc65b91c68ed9cd26a8f0b	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ctrboshidhu\deff0df8 = 86c786c9c297935f926fe808c45330c5c7bbf46b5efe	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

3736 regsvr32.exe
3736 regsvr32.exe
2752 regsvr32.exe
2752 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

3736 regsvr32.exe
2752 regsvr32.exe

Suspicious use of FindShellTrayWindow 40 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid	process
3736	regsvr32.exe
3736	regsvr32.exe
3736	regsvr32.exe
3736	regsvr32.exe
3736	regsvr32.exe
3736	regsvr32.exe
3736	regsvr32.exe
3736	regsvr32.exe
3736	regsvr32.exe
3736	regsvr32.exe
3736	regsvr32.exe
3736	regsvr32.exe
3736	regsvr32.exe
3736	regsvr32.exe
3736	regsvr32.exe
3736	regsvr32.exe
3736	regsvr32.exe
3736	regsvr32.exe
3736	regsvr32.exe
3736	regsvr32.exe
2752	regsvr32.exe
2752	regsvr32.exe
2752	regsvr32.exe
2752	regsvr32.exe
2752	regsvr32.exe
2752	regsvr32.exe
2752	regsvr32.exe
2752	regsvr32.exe
2752	regsvr32.exe
2752	regsvr32.exe
2752	regsvr32.exe
2752	regsvr32.exe
2752	regsvr32.exe
2752	regsvr32.exe
2752	regsvr32.exe
2752	regsvr32.exe
2752	regsvr32.exe
2752	regsvr32.exe
2752	regsvr32.exe
2752	regsvr32.exe

Suspicious use of SendNotifyMessage 20 IoCs

Processes:

regsvr32.exe

pid	process
3736	regsvr32.exe
3736	regsvr32.exe
3736	regsvr32.exe
3736	regsvr32.exe
3736	regsvr32.exe
3736	regsvr32.exe
3736	regsvr32.exe
3736	regsvr32.exe
3736	regsvr32.exe
3736	regsvr32.exe
3736	regsvr32.exe
3736	regsvr32.exe
3736	regsvr32.exe
3736	regsvr32.exe
3736	regsvr32.exe
3736	regsvr32.exe
3736	regsvr32.exe
3736	regsvr32.exe
3736	regsvr32.exe
3736	regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

regsvr32.exeregsvr32.exeexplorer.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 3068 wrote to memory of 3736	3068	regsvr32.exe	regsvr32.exe
PID 3068 wrote to memory of 3736	3068	regsvr32.exe	regsvr32.exe
PID 3068 wrote to memory of 3736	3068	regsvr32.exe	regsvr32.exe
PID 3736 wrote to memory of 3912	3736	regsvr32.exe	explorer.exe
PID 3736 wrote to memory of 3912	3736	regsvr32.exe	explorer.exe
PID 3736 wrote to memory of 3912	3736	regsvr32.exe	explorer.exe
PID 3736 wrote to memory of 3912	3736	regsvr32.exe	explorer.exe
PID 3736 wrote to memory of 3912	3736	regsvr32.exe	explorer.exe
PID 3912 wrote to memory of 2280	3912	explorer.exe	schtasks.exe
PID 3912 wrote to memory of 2280	3912	explorer.exe	schtasks.exe
PID 3912 wrote to memory of 2280	3912	explorer.exe	schtasks.exe
PID 1300 wrote to memory of 2752	1300	regsvr32.exe	regsvr32.exe
PID 1300 wrote to memory of 2752	1300	regsvr32.exe	regsvr32.exe
PID 1300 wrote to memory of 2752	1300	regsvr32.exe	regsvr32.exe
PID 2752 wrote to memory of 3688	2752	regsvr32.exe	explorer.exe
PID 2752 wrote to memory of 3688	2752	regsvr32.exe	explorer.exe
PID 2752 wrote to memory of 3688	2752	regsvr32.exe	explorer.exe
PID 2752 wrote to memory of 3688	2752	regsvr32.exe	explorer.exe
PID 2752 wrote to memory of 3688	2752	regsvr32.exe	explorer.exe
PID 3688 wrote to memory of 1196	3688	explorer.exe	reg.exe
PID 3688 wrote to memory of 1196	3688	explorer.exe	reg.exe
PID 3688 wrote to memory of 3716	3688	explorer.exe	reg.exe
PID 3688 wrote to memory of 3716	3688	explorer.exe	reg.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\017dc2e32d24734096b82e11c91fbba15e45181fbbd7f611abb963eaaea9a3e6.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3068

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\017dc2e32d24734096b82e11c91fbba15e45181fbbd7f611abb963eaaea9a3e6.dll
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3736

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3912

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn lyyafrv /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\017dc2e32d24734096b82e11c91fbba15e45181fbbd7f611abb963eaaea9a3e6.dll\"" /SC ONCE /Z /ST 19:04 /ET 19:16
4⤵
- Creates scheduled task(s)
PID:2280

\??\c:\windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\017dc2e32d24734096b82e11c91fbba15e45181fbbd7f611abb963eaaea9a3e6.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\017dc2e32d24734096b82e11c91fbba15e45181fbbd7f611abb963eaaea9a3e6.dll"
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2752

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:3688

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Xyfcegusauk" /d "0"
4⤵
PID:1196

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Muqhdazdezm" /d "0"
4⤵
PID:3716

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\017dc2e32d24734096b82e11c91fbba15e45181fbbd7f611abb963eaaea9a3e6.dll
MD5
bc5790b25d7c562724938d58612f3466

SHA1
3472be4b855c1fc8242ea45022fb020e7e224b19

SHA256
017dc2e32d24734096b82e11c91fbba15e45181fbbd7f611abb963eaaea9a3e6

SHA512
c24cc45592c0767708b851ee3937a7cdf37808be592e4e863306552be8b345cc78d5742c09e5d39f142b2a8391371816281ae2cdc070f997312896c150f9d7db

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt
MD5
73434e1fd6facf8fe053ff69f36166e9

SHA1
2e61ea9d2a868da502b2120c368a77c6f92506d0

SHA256
260986b1480c683cffb7fd28e3ae44855a49c17af9f31acd0f7113c4a42bc92f

SHA512
da1da90544b9e014dbfeaa2ce8d2afca8a6887582396b671f5188d60d2b067737c1b317d8f465015778553492b3d52242be4db769529d6933ad6b67e59161c62

Download Submit
\Users\Admin\AppData\Local\Temp\017dc2e32d24734096b82e11c91fbba15e45181fbbd7f611abb963eaaea9a3e6.dll
MD5
bc5790b25d7c562724938d58612f3466

SHA1
3472be4b855c1fc8242ea45022fb020e7e224b19

SHA256
017dc2e32d24734096b82e11c91fbba15e45181fbbd7f611abb963eaaea9a3e6

SHA512
c24cc45592c0767708b851ee3937a7cdf37808be592e4e863306552be8b345cc78d5742c09e5d39f142b2a8391371816281ae2cdc070f997312896c150f9d7db

Download Submit
memory/1196-129-0x0000000000000000-mapping.dmp

Download
memory/2280-119-0x0000000000000000-mapping.dmp

Download
memory/2752-127-0x0000000000570000-0x00000000006BA000-memory.dmp

Filesize
1.3MB

Download
memory/2752-124-0x0000000000000000-mapping.dmp

Download
memory/3688-133-0x0000000002DB0000-0x0000000002DD1000-memory.dmp

Filesize
132KB

Download
memory/3688-132-0x0000000003790000-0x0000000003791000-memory.dmp

Filesize
4KB

Download
memory/3688-131-0x0000000003790000-0x0000000003791000-memory.dmp

Filesize
4KB

Download
memory/3688-128-0x0000000000000000-mapping.dmp

Download
memory/3716-130-0x0000000000000000-mapping.dmp

Download
memory/3736-116-0x0000000000E00000-0x0000000000EAE000-memory.dmp

Filesize
696KB

Download
memory/3736-117-0x0000000010000000-0x00000000101DC000-memory.dmp

Filesize
1.9MB

Download
memory/3736-115-0x0000000000000000-mapping.dmp

Download
memory/3912-120-0x00000000043F0000-0x00000000043F1000-memory.dmp

Filesize
4KB

Download
memory/3912-118-0x0000000000000000-mapping.dmp

Download
memory/3912-122-0x0000000002850000-0x0000000002871000-memory.dmp

Filesize
132KB

Download
memory/3912-121-0x00000000043F0000-0x00000000043F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads