qakbot | d302a473d8f19884d38147d13ce87f54b897dad51fdc6490467bca62cc7ae937

Target

d302a473d8f19884d38147d13ce87f54b897dad51fdc6490467bca62cc7ae937.exe.dll
Size

945KB
MD5

bb17bf13123596ba3065efc74d625a3c
SHA1

b589b0dee84e30e205f242a8d429b1e231b5ec5b
SHA256

d302a473d8f19884d38147d13ce87f54b897dad51fdc6490467bca62cc7ae937
SHA512

40d6bb5bb741b43a03969c40acafbc621281ad9f4fa23d3a90f07e30b01eda95227af6b96a20d48712f08b2252069e711842d71d3f1e95374db44fb7845ab427

Score

10^/10

qakbot cullinan 1639333530 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.10

Botnet

cullinan

Campaign

1639333530

65.100.174.110:443

173.21.10.71:2222

140.82.49.12:443

190.73.3.148:2222

76.25.142.196:443

71.74.12.34:443

31.215.98.160:443

93.48.80.198:995

45.9.20.200:2211

41.228.22.180:443

109.12.111.14:443

63.143.92.99:995

120.150.218.241:995

94.60.254.81:443

86.148.6.51:443

218.101.110.3:995

216.238.71.31:443

207.246.112.221:443

216.238.72.121:443

216.238.71.31:995

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

960 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

3804 regsvr32.exe
3804 regsvr32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

regsvr32.exe

pid process

3804 regsvr32.exe

pid	process
960	schtasks.exe

pid	process
3804	regsvr32.exe
3804	regsvr32.exe

pid	process
3804	regsvr32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

regsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 3520 wrote to memory of 3804	3520	regsvr32.exe	regsvr32.exe
PID 3520 wrote to memory of 3804	3520	regsvr32.exe	regsvr32.exe
PID 3520 wrote to memory of 3804	3520	regsvr32.exe	regsvr32.exe
PID 3804 wrote to memory of 3964	3804	regsvr32.exe	explorer.exe
PID 3804 wrote to memory of 3964	3804	regsvr32.exe	explorer.exe
PID 3804 wrote to memory of 3964	3804	regsvr32.exe	explorer.exe
PID 3804 wrote to memory of 3964	3804	regsvr32.exe	explorer.exe
PID 3804 wrote to memory of 3964	3804	regsvr32.exe	explorer.exe
PID 3964 wrote to memory of 960	3964	explorer.exe	schtasks.exe
PID 3964 wrote to memory of 960	3964	explorer.exe	schtasks.exe
PID 3964 wrote to memory of 960	3964	explorer.exe	schtasks.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\d302a473d8f19884d38147d13ce87f54b897dad51fdc6490467bca62cc7ae937.exe.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3520

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\d302a473d8f19884d38147d13ce87f54b897dad51fdc6490467bca62cc7ae937.exe.dll
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3804

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3964

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ataphrj /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\d302a473d8f19884d38147d13ce87f54b897dad51fdc6490467bca62cc7ae937.exe.dll\"" /SC ONCE /Z /ST 11:11 /ET 11:23
4⤵
- Creates scheduled task(s)
PID:960

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/960-119-0x0000000000000000-mapping.dmp

Download
memory/3804-115-0x0000000000000000-mapping.dmp

Download
memory/3804-116-0x00000000045A0000-0x00000000045C3000-memory.dmp

Filesize
140KB

Download
memory/3804-117-0x0000000010000000-0x00000000100F5000-memory.dmp

Filesize
980KB

Download
memory/3964-118-0x0000000000000000-mapping.dmp

Download
memory/3964-120-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/3964-121-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/3964-122-0x0000000000B10000-0x0000000000B31000-memory.dmp

Filesize
132KB

Download