Overview

overview

10

Static

static

24f1a3db1a...3b.dll

windows7_x64

10

24f1a3db1a...3b.dll

windows10-2004_x64

1

Analysis

  • max time kernel
    1799s
  • max time network
    1802s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    19-01-2022 15:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    24f1a3db1a108d35950cb15bd93dd13c4455f13b.dll

  • Size

    644KB

  • MD5

    259bda03244a5c9077b39d0632ba829e

  • SHA1

    24f1a3db1a108d35950cb15bd93dd13c4455f13b

  • SHA256

    b83f24c6503b8ca75beea28f0992d819ff195463c8629bb5c69b82e6c03aa4c3

  • SHA512

    f1053c863125f918accd1e2fb5211773313defc6a2dec607eca4041e73f7307058193e6291fc7c2c66125ebc3ee61e451e217148f463b7bfdcebcd3125cc05a7

Score
10/10
qakbotcullinan1640168876bankerevasionstealertrojan

Malware Config

Extracted

Family

qakbot

Version

403.10

Botnet

cullinan

Campaign

1640168876

C2

93.48.80.198:995

140.82.49.12:443

32.221.229.7:443

24.152.219.253:995

31.35.28.29:443

96.37.113.36:993

190.39.205.165:443

79.173.195.234:443

39.49.66.100:995

103.139.242.30:22

79.167.192.206:995

45.9.20.200:2211

24.95.61.62:443

37.210.226.125:61202

103.139.242.30:995

70.163.1.219:443

103.143.8.71:6881

76.169.147.192:32103

136.143.11.232:443

63.153.187.104:443
Attributes
  • salt

    jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Windows security bypass 2 TTPs
    evasiontrojan
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 6 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 55 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\24f1a3db1a108d35950cb15bd93dd13c4455f13b.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\24f1a3db1a108d35950cb15bd93dd13c4455f13b.dll,#1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1096
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:268
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ruebdwp /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\24f1a3db1a108d35950cb15bd93dd13c4455f13b.dll\"" /SC ONCE /Z /ST 15:57 /ET 16:09
          4⤵
          • Creates scheduled task(s)
          PID:1380
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:824
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {385BA619-4781-4352-AC20-4820469A6780} S-1-5-18:NT AUTHORITY\System:Service:
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1768
      • C:\Windows\system32\regsvr32.exe
        regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\24f1a3db1a108d35950cb15bd93dd13c4455f13b.dll"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1060
        • C:\Windows\SysWOW64\regsvr32.exe
          -s "C:\Users\Admin\AppData\Local\Temp\24f1a3db1a108d35950cb15bd93dd13c4455f13b.dll"
          3⤵
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:1904
          • C:\Windows\SysWOW64\explorer.exe
            C:\Windows\SysWOW64\explorer.exe
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious use of WriteProcessMemory
            PID:2028
            • C:\Windows\system32\reg.exe
              C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Fxeycgzg" /d "0"
              5⤵
                PID:1748
              • C:\Windows\system32\reg.exe
                C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Vyqifkzufa" /d "0"
                5⤵
                  PID:1604
        • C:\Windows\system32\taskeng.exe
          taskeng.exe {510DEE15-411D-4535-957B-EF59B731E8AE} S-1-5-18:NT AUTHORITY\System:Service:
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:1248
          • C:\Windows\system32\regsvr32.exe
            regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\24f1a3db1a108d35950cb15bd93dd13c4455f13b.dll"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1744
            • C:\Windows\SysWOW64\regsvr32.exe
              -s "C:\Users\Admin\AppData\Local\Temp\24f1a3db1a108d35950cb15bd93dd13c4455f13b.dll"
              3⤵
                PID:1152

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Scheduled Task

          1
          T1053

          Persistence

          Scheduled Task

          1
          T1053

          Privilege Escalation

          Scheduled Task

          1
          T1053

          Defense Evasion

          Disabling Security Tools

          1
          T1089

          Modify Registry

          1
          T1112

          Credential Access

          Discovery

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\24f1a3db1a108d35950cb15bd93dd13c4455f13b.dll
            MD5

            259bda03244a5c9077b39d0632ba829e

            SHA1

            24f1a3db1a108d35950cb15bd93dd13c4455f13b

            SHA256

            b83f24c6503b8ca75beea28f0992d819ff195463c8629bb5c69b82e6c03aa4c3

            SHA512

            f1053c863125f918accd1e2fb5211773313defc6a2dec607eca4041e73f7307058193e6291fc7c2c66125ebc3ee61e451e217148f463b7bfdcebcd3125cc05a7

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\24f1a3db1a108d35950cb15bd93dd13c4455f13b.dll
            MD5

            01b8a974f93befd9725b5f7f5b27e029

            SHA1

            91eca55d0a72e1fa3e4d28df748f029da44dc03c

            SHA256

            90a59ab0372737c3d1536ed00213d96cd23f1fd5209843f1d2539fb493da588c

            SHA512

            2d2a1a254e4628fe1ddd15b63f16896033430f6fb9631dee1f76f51acfe00ae35e4c67f57af82770d33acf6454fe88ef58cad0c228f978b4f3791f6a2fa10d30

            Download Submit
          • \??\PIPE\wkssvc
            MD5

            d41d8cd98f00b204e9800998ecf8427e

            SHA1

            da39a3ee5e6b4b0d3255bfef95601890afd80709

            SHA256

            e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

            SHA512

            cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

            Download Submit
          • \Users\Admin\AppData\Local\Temp\24f1a3db1a108d35950cb15bd93dd13c4455f13b.dll
            MD5

            259bda03244a5c9077b39d0632ba829e

            SHA1

            24f1a3db1a108d35950cb15bd93dd13c4455f13b

            SHA256

            b83f24c6503b8ca75beea28f0992d819ff195463c8629bb5c69b82e6c03aa4c3

            SHA512

            f1053c863125f918accd1e2fb5211773313defc6a2dec607eca4041e73f7307058193e6291fc7c2c66125ebc3ee61e451e217148f463b7bfdcebcd3125cc05a7

            Download Submit
          • memory/268-62-0x0000000000080000-0x0000000000082000-memory.dmp
            Filesize

            8KB

            Download
          • memory/268-65-0x00000000000D0000-0x00000000000F1000-memory.dmp
            Filesize

            132KB

            Download
          • memory/268-64-0x0000000075121000-0x0000000075123000-memory.dmp
            Filesize

            8KB

            Download
          • memory/824-66-0x000007FEFC451000-0x000007FEFC453000-memory.dmp
            Filesize

            8KB

            Download
          • memory/1096-60-0x0000000000410000-0x0000000000431000-memory.dmp
            Filesize

            132KB

            Download
          • memory/1096-56-0x00000000003C0000-0x0000000000403000-memory.dmp
            Filesize

            268KB

            Download
          • memory/1096-54-0x0000000076491000-0x0000000076493000-memory.dmp
            Filesize

            8KB

            Download
          • memory/1096-59-0x0000000000410000-0x0000000000431000-memory.dmp
            Filesize

            132KB

            Download
          • memory/1096-58-0x0000000000410000-0x0000000000431000-memory.dmp
            Filesize

            132KB

            Download
          • memory/1096-57-0x0000000000410000-0x0000000000431000-memory.dmp
            Filesize

            132KB

            Download
          • memory/1096-55-0x00000000001F0000-0x0000000000290000-memory.dmp
            Filesize

            640KB

            Download
          • memory/1096-61-0x0000000000410000-0x0000000000431000-memory.dmp
            Filesize

            132KB

            Download
          • memory/1904-73-0x00000000004D0000-0x00000000004F1000-memory.dmp
            Filesize

            132KB

            Download
          • memory/1904-75-0x00000000004D0000-0x00000000004F1000-memory.dmp
            Filesize

            132KB

            Download
          • memory/1904-74-0x00000000004D0000-0x00000000004F1000-memory.dmp
            Filesize

            132KB

            Download
          • memory/1904-72-0x00000000004D0000-0x00000000004F1000-memory.dmp
            Filesize

            132KB

            Download
          • memory/1904-81-0x00000000004D0000-0x00000000004F1000-memory.dmp
            Filesize

            132KB

            Download
          • memory/1904-80-0x0000000000390000-0x00000000003D3000-memory.dmp
            Filesize

            268KB

            Download
          • memory/1904-71-0x0000000000430000-0x00000000004D0000-memory.dmp
            Filesize

            640KB

            Download
          • memory/2028-82-0x0000000000080000-0x00000000000A1000-memory.dmp
            Filesize

            132KB

            Download