qakbot | ad3d76e5b5bca64010c2317e586508581f0d0981e006e79d189af0c3ce2a67aa

General

Target

ad3d76e5b5bca64010c2317e586508581f0d0981e006e79d189af0c3ce2a67aa.dll
Size

1.8MB
MD5

2f43f8973f17f78a09839a38f6427011
SHA1

808c88c6ef79d862cb4adb957613d3b367a736c1
SHA256

ad3d76e5b5bca64010c2317e586508581f0d0981e006e79d189af0c3ce2a67aa
SHA512

0c4f39f0d850513186de75625f1e2c2365a6b31ca553df4e354650333be8c5643843fc3e21344a44f9d4a3ad227b2605b0ea658de708c51e9a012b41d950f4b9

Score

10^/10

qakbot cullinan 1640170781 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.10

Botnet

cullinan

Campaign

1640170781

C2

14.96.108.245:61202

182.191.92.203:995

136.232.34.70:443

93.48.80.198:995

140.82.49.12:443

32.221.229.7:443

24.152.219.253:995

31.35.28.29:443

96.37.113.36:993

190.39.205.165:443

79.173.195.234:443

39.49.66.100:995

103.139.242.30:22

79.167.192.206:995

45.9.20.200:2211

24.95.61.62:443

37.210.226.125:61202

103.139.242.30:995

70.163.1.219:443

103.143.8.71:6881

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

2100 regsvr32.exe

pid	process
2100	regsvr32.exe

Drops file in System32 directory 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	ioc	process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	regsvr32.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	regsvr32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2724 schtasks.exe

pid	process
2724	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Vdyeyfsb\a2fc8e03 = 9c58cb5fa506223cbde56d8f08eafe3166082f2b662452592d6e6a55cc33db	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Vdyeyfsb\6748a6ec = 0af85c6cce3660e98e5bd237e7937a4d09ae88b8ff00f3a0fa086c0c49a6237c8a75c54296c216d830d4874f03483ac0e846aada3125b65a1d1eb8c32bcb56b1122fe79431423a90467fd6c1e21c4ea066041bda4d45d5c8cfd4	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Vdyeyfsb\a0bdae7f = f161f8013e39887bc4caa414549741006667e508cba30802cfaddafdb4811ff85cbaeadf80055877ab54f9b514d4a0c62e66683c	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Vdyeyfsb\52d776a2 = a1dafc561e354899743ba57e31f0a63f17bc0da2e1dd551b538867817a30dba448f419032cefa8c7572ad2d96622bba59c5bafc87bdaa45f0834e1cdafe6892bcca7ea002d80ebc6665cd66239	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Vdyeyfsb\1801c91a = 300ea3915513bd680a0b2528f58f71d96a64bf244dc683fadbe2b4bd9e14782b1c345d56805d26dff1c9b41c8c5a64c8235ecc80f220b7074c2d8bccf822426e0585bc633a2181cd01d74404daa117821ce1a111421e288b71152ea255f34b1d2180be3ecc3c1de5	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Vdyeyfsb\2d9e1954 = 4a50f748d8622b660517c3fbd6f44be72d5edf427ab57f8986fdb2b44f810c5840	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Vdyeyfsb\1a40e966 = de30e67eb239fa716c3a81aef2671b0b0c90c25d94ee2e453a418ca383012579f3919529af1d704bba68f0f9ca2032898d5d4a394c0a90f0f9653a4250bf936ad960b13be05fe819c96d4c26ef64581c9e01bac1672111d99c8fd95fd8eb09fd39e2d12d	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Vdyeyfsb\dff4c189 = a4469516473696a5db9630394abfda36ba3c1341bdd2ad34507a	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Vdyeyfsb\2d9e1954 = 4a50e048d8621e6068dd595ebd0f8c232fd0e400e1ae8520d695aeecc6d41d1546753a64e46a431e85c0de8f34346f2d87ad2c3e2145	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Vdyeyfsb	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

2092 regsvr32.exe
2092 regsvr32.exe
2100 regsvr32.exe
2100 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

2092 regsvr32.exe
2100 regsvr32.exe

Suspicious use of FindShellTrayWindow 40 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid	process
2092	regsvr32.exe
2092	regsvr32.exe
2092	regsvr32.exe
2092	regsvr32.exe
2092	regsvr32.exe
2092	regsvr32.exe
2092	regsvr32.exe
2092	regsvr32.exe
2092	regsvr32.exe
2092	regsvr32.exe
2092	regsvr32.exe
2092	regsvr32.exe
2092	regsvr32.exe
2092	regsvr32.exe
2092	regsvr32.exe
2092	regsvr32.exe
2092	regsvr32.exe
2092	regsvr32.exe
2092	regsvr32.exe
2092	regsvr32.exe
2100	regsvr32.exe
2100	regsvr32.exe
2100	regsvr32.exe
2100	regsvr32.exe
2100	regsvr32.exe
2100	regsvr32.exe
2100	regsvr32.exe
2100	regsvr32.exe
2100	regsvr32.exe
2100	regsvr32.exe
2100	regsvr32.exe
2100	regsvr32.exe
2100	regsvr32.exe
2100	regsvr32.exe
2100	regsvr32.exe
2100	regsvr32.exe
2100	regsvr32.exe
2100	regsvr32.exe
2100	regsvr32.exe
2100	regsvr32.exe

Suspicious use of SendNotifyMessage 20 IoCs

Processes:

regsvr32.exe

pid	process
2092	regsvr32.exe
2092	regsvr32.exe
2092	regsvr32.exe
2092	regsvr32.exe
2092	regsvr32.exe
2092	regsvr32.exe
2092	regsvr32.exe
2092	regsvr32.exe
2092	regsvr32.exe
2092	regsvr32.exe
2092	regsvr32.exe
2092	regsvr32.exe
2092	regsvr32.exe
2092	regsvr32.exe
2092	regsvr32.exe
2092	regsvr32.exe
2092	regsvr32.exe
2092	regsvr32.exe
2092	regsvr32.exe
2092	regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

regsvr32.exeregsvr32.exeexplorer.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 432 wrote to memory of 2092	432	regsvr32.exe	regsvr32.exe
PID 432 wrote to memory of 2092	432	regsvr32.exe	regsvr32.exe
PID 432 wrote to memory of 2092	432	regsvr32.exe	regsvr32.exe
PID 2092 wrote to memory of 1116	2092	regsvr32.exe	explorer.exe
PID 2092 wrote to memory of 1116	2092	regsvr32.exe	explorer.exe
PID 2092 wrote to memory of 1116	2092	regsvr32.exe	explorer.exe
PID 2092 wrote to memory of 1116	2092	regsvr32.exe	explorer.exe
PID 2092 wrote to memory of 1116	2092	regsvr32.exe	explorer.exe
PID 1116 wrote to memory of 2724	1116	explorer.exe	schtasks.exe
PID 1116 wrote to memory of 2724	1116	explorer.exe	schtasks.exe
PID 1116 wrote to memory of 2724	1116	explorer.exe	schtasks.exe
PID 1328 wrote to memory of 2100	1328	regsvr32.exe	regsvr32.exe
PID 1328 wrote to memory of 2100	1328	regsvr32.exe	regsvr32.exe
PID 1328 wrote to memory of 2100	1328	regsvr32.exe	regsvr32.exe
PID 2100 wrote to memory of 3872	2100	regsvr32.exe	explorer.exe
PID 2100 wrote to memory of 3872	2100	regsvr32.exe	explorer.exe
PID 2100 wrote to memory of 3872	2100	regsvr32.exe	explorer.exe
PID 2100 wrote to memory of 3872	2100	regsvr32.exe	explorer.exe
PID 2100 wrote to memory of 3872	2100	regsvr32.exe	explorer.exe
PID 3872 wrote to memory of 1076	3872	explorer.exe	reg.exe
PID 3872 wrote to memory of 1076	3872	explorer.exe	reg.exe
PID 3872 wrote to memory of 1224	3872	explorer.exe	reg.exe
PID 3872 wrote to memory of 1224	3872	explorer.exe	reg.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ad3d76e5b5bca64010c2317e586508581f0d0981e006e79d189af0c3ce2a67aa.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:432

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\ad3d76e5b5bca64010c2317e586508581f0d0981e006e79d189af0c3ce2a67aa.dll
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2092

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn rxfoeagr /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\ad3d76e5b5bca64010c2317e586508581f0d0981e006e79d189af0c3ce2a67aa.dll\"" /SC ONCE /Z /ST 06:19 /ET 06:31
4⤵
- Creates scheduled task(s)
PID:2724

\??\c:\windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\ad3d76e5b5bca64010c2317e586508581f0d0981e006e79d189af0c3ce2a67aa.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:1328

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\ad3d76e5b5bca64010c2317e586508581f0d0981e006e79d189af0c3ce2a67aa.dll"
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2100

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:3872

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Nhatpp" /d "0"
4⤵
PID:1076

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Duihzwliw" /d "0"
4⤵
PID:1224

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ad3d76e5b5bca64010c2317e586508581f0d0981e006e79d189af0c3ce2a67aa.dll
MD5
2f43f8973f17f78a09839a38f6427011

SHA1
808c88c6ef79d862cb4adb957613d3b367a736c1

SHA256
ad3d76e5b5bca64010c2317e586508581f0d0981e006e79d189af0c3ce2a67aa

SHA512
0c4f39f0d850513186de75625f1e2c2365a6b31ca553df4e354650333be8c5643843fc3e21344a44f9d4a3ad227b2605b0ea658de708c51e9a012b41d950f4b9

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt
MD5
589088aff5333b9c462b91ff72358459

SHA1
55bd09715728e2cb86a194da732a0d841532b520

SHA256
bc3feb717e90f22b802674d9d3ae2f8e1fb77db407db670f6319c2d26442d82e

SHA512
19aa9a607c097ca9d4febfa449fca102777167476c603de57fc8fa3a834519969e05e3e234b2d581fbbcf7d9ef72b9254d0ab5192b15625e3aeb8123b3b6c144

Download Submit
\Users\Admin\AppData\Local\Temp\ad3d76e5b5bca64010c2317e586508581f0d0981e006e79d189af0c3ce2a67aa.dll
MD5
2f43f8973f17f78a09839a38f6427011

SHA1
808c88c6ef79d862cb4adb957613d3b367a736c1

SHA256
ad3d76e5b5bca64010c2317e586508581f0d0981e006e79d189af0c3ce2a67aa

SHA512
0c4f39f0d850513186de75625f1e2c2365a6b31ca553df4e354650333be8c5643843fc3e21344a44f9d4a3ad227b2605b0ea658de708c51e9a012b41d950f4b9

Download Submit
memory/1076-129-0x0000000000000000-mapping.dmp

Download
memory/1116-118-0x0000000000000000-mapping.dmp

Download
memory/1116-120-0x0000000002E10000-0x0000000002E11000-memory.dmp

Filesize
4KB

Download
memory/1116-121-0x0000000002E10000-0x0000000002E11000-memory.dmp

Filesize
4KB

Download
memory/1116-122-0x0000000002A20000-0x0000000002A41000-memory.dmp

Filesize
132KB

Download
memory/1224-130-0x0000000000000000-mapping.dmp

Download
memory/2092-115-0x0000000000000000-mapping.dmp

Download
memory/2092-116-0x0000000000770000-0x00000000008BA000-memory.dmp

Filesize
1.3MB

Download
memory/2092-117-0x0000000010000000-0x00000000101DC000-memory.dmp

Filesize
1.9MB

Download
memory/2100-127-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/2100-124-0x0000000000000000-mapping.dmp

Download
memory/2724-119-0x0000000000000000-mapping.dmp

Download
memory/3872-128-0x0000000000000000-mapping.dmp

Download
memory/3872-132-0x0000000002B10000-0x0000000002B11000-memory.dmp

Filesize
4KB

Download
memory/3872-131-0x0000000002B10000-0x0000000002B11000-memory.dmp

Filesize
4KB

Download
memory/3872-133-0x0000000000270000-0x0000000000291000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads