qakbot | 1d735649a27067b1397141a75e74e858c62457d05aa6be1d69b17d4e1835db49

General

Target

1d735649a27067b1397141a75e74e858c62457d05aa6be1d69b17d4e1835db49.dll
Size

628KB
MD5

e3639b7a074b4349f96e9dcf59c22cde
SHA1

36ebed9ab3e530752a49658f76cf6c26bbebbd97
SHA256

1d735649a27067b1397141a75e74e858c62457d05aa6be1d69b17d4e1835db49
SHA512

49042451af9bc8bc383bc9eff248447fda7c0437941a1e6f2a97276d9d9aee464045423e594084fb4865e997a7f5db82baf066244faf94e1e24f74a6cfc45083

Score

10^/10

qakbot cullinan 1640168876 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.10

Botnet

cullinan

Campaign

1640168876

C2

93.48.80.198:995

140.82.49.12:443

32.221.229.7:443

24.152.219.253:995

31.35.28.29:443

96.37.113.36:993

190.39.205.165:443

79.173.195.234:443

39.49.66.100:995

103.139.242.30:22

79.167.192.206:995

45.9.20.200:2211

24.95.61.62:443

37.210.226.125:61202

103.139.242.30:995

70.163.1.219:443

103.143.8.71:6881

76.169.147.192:32103

136.143.11.232:443

63.153.187.104:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1608 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

860 schtasks.exe

pid	process
1608	regsvr32.exe

pid	process
860	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Wzuaugpxqcd\4a078aa2 = b123ed99c18bb9b2196c4b7ff3badbaede9faec4aede97c39c475af96f112c69451dd3d838434e82d0223972ea4766f2414c59bd05fe9665c0e9da55b4320fba32e1f6e0dec9326ef963bf6acd5fdeaf452c414691d73f514e7f97764723e5	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Wzuaugpxqcd	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Wzuaugpxqcd\4a078aa2 = b123fa99c18b8c429e1363fdfb01c75d568c7236a9c72f8a73b3dc70bd613e470000435dc635d3691ceeab92f40c7f251c62fcf5edc3bd240439cd02b2c041d13ce53e6310ef5d54ad57	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Wzuaugpxqcd\c5651df5 = 517dcb8b5acd74abab9368568cc4a08bf40d49c3384c14c682c66a98	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Wzuaugpxqcd\d1351a = e871f242ef948df33152a1372cf44a741130e5bb0905d65c7d994f5cb41e6e585e7aa6af4fb21e96d551fba0c3994047fca573021d934d48e996264ad0512a2e6f831dbff6d3f18990bb7d6c764625b9e063a7e2adfe064f1570e986ca53	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Wzuaugpxqcd\c7243d89 = 40e393653a66dd60698fa92700c483a3c8738f83058f5371156ea1fc11131fb5014050b4f3e43f71b229fbbe7462756b3769d4d5432d8846740d181adab8c429eb7e8c	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Wzuaugpxqcd\7f985aec = 971b3955a61b8a18491befddf5f517e1c20a7e12601300e1eb8c3f7b5fa19c9bb3cbebc526f0193cbb2a8b7ae12aceca1738e09f02057389ca20c0cb9fcb19be86d592a638bebd43a71b870602cf49a933cf43e92ab510c9fd22c0a7eb72b9496e09f76622ee4290f3976bde7e1eabe7883986f07ac2766e98665fabeef8c9f974dd2991d55ba933ec2fee02acac8e8c80db96e093bbe307df424bfd32f437e1622c16c5c47320f79cfdd9e29dcd1d	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Wzuaugpxqcd\7dd97a90 = 4c1a122f062d21cb99a6a16f0cded78d8e6ff5858c1284db6b66b039196192bdcecf454567a5305bf75ef6e41e6d8751e03d62e39e8cbbd1367908f42ee86b3cfe15eb13d7c8090745ce2356	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Wzuaugpxqcd\b86d527f = 160cdfe1af2bf477a934704163dee29f6304c0d4e61e448b8a1328ded9017cc604b7d0f90a929868f84886ba9d587325728378106be2c93fc3ad1f33c221f3949de1	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Wzuaugpxqcd\354ee554 = b6ec1423393d7d4176eb214f34fd7bb2ac3e01e20a07a6e7aeb5bf261e3e3cf10c366998d39420fdf5bfb10a8faf6a25878b88da2dc0de4df6024fe3fbb34c84677dcac44062629b2a6658372bbc3fa36047c4f15c44ec4a3dc90b831f9d9d08f96f877713a8a8bf2b	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

1308 rundll32.exe
1608 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

1308 rundll32.exe
1608 regsvr32.exe

pid	process
1308	rundll32.exe
1608	regsvr32.exe

pid	process
1308	rundll32.exe
1608	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 620 wrote to memory of 1308	620	rundll32.exe	rundll32.exe
PID 620 wrote to memory of 1308	620	rundll32.exe	rundll32.exe
PID 620 wrote to memory of 1308	620	rundll32.exe	rundll32.exe
PID 620 wrote to memory of 1308	620	rundll32.exe	rundll32.exe
PID 620 wrote to memory of 1308	620	rundll32.exe	rundll32.exe
PID 620 wrote to memory of 1308	620	rundll32.exe	rundll32.exe
PID 620 wrote to memory of 1308	620	rundll32.exe	rundll32.exe
PID 1308 wrote to memory of 576	1308	rundll32.exe	explorer.exe
PID 1308 wrote to memory of 576	1308	rundll32.exe	explorer.exe
PID 1308 wrote to memory of 576	1308	rundll32.exe	explorer.exe
PID 1308 wrote to memory of 576	1308	rundll32.exe	explorer.exe
PID 1308 wrote to memory of 576	1308	rundll32.exe	explorer.exe
PID 1308 wrote to memory of 576	1308	rundll32.exe	explorer.exe
PID 576 wrote to memory of 860	576	explorer.exe	schtasks.exe
PID 576 wrote to memory of 860	576	explorer.exe	schtasks.exe
PID 576 wrote to memory of 860	576	explorer.exe	schtasks.exe
PID 576 wrote to memory of 860	576	explorer.exe	schtasks.exe
PID 2000 wrote to memory of 2004	2000	taskeng.exe	regsvr32.exe
PID 2000 wrote to memory of 2004	2000	taskeng.exe	regsvr32.exe
PID 2000 wrote to memory of 2004	2000	taskeng.exe	regsvr32.exe
PID 2000 wrote to memory of 2004	2000	taskeng.exe	regsvr32.exe
PID 2000 wrote to memory of 2004	2000	taskeng.exe	regsvr32.exe
PID 2004 wrote to memory of 1608	2004	regsvr32.exe	regsvr32.exe
PID 2004 wrote to memory of 1608	2004	regsvr32.exe	regsvr32.exe
PID 2004 wrote to memory of 1608	2004	regsvr32.exe	regsvr32.exe
PID 2004 wrote to memory of 1608	2004	regsvr32.exe	regsvr32.exe
PID 2004 wrote to memory of 1608	2004	regsvr32.exe	regsvr32.exe
PID 2004 wrote to memory of 1608	2004	regsvr32.exe	regsvr32.exe
PID 2004 wrote to memory of 1608	2004	regsvr32.exe	regsvr32.exe
PID 1608 wrote to memory of 1028	1608	regsvr32.exe	explorer.exe
PID 1608 wrote to memory of 1028	1608	regsvr32.exe	explorer.exe
PID 1608 wrote to memory of 1028	1608	regsvr32.exe	explorer.exe
PID 1608 wrote to memory of 1028	1608	regsvr32.exe	explorer.exe
PID 1608 wrote to memory of 1028	1608	regsvr32.exe	explorer.exe
PID 1608 wrote to memory of 1028	1608	regsvr32.exe	explorer.exe
PID 1028 wrote to memory of 1744	1028	explorer.exe	reg.exe
PID 1028 wrote to memory of 1744	1028	explorer.exe	reg.exe
PID 1028 wrote to memory of 1744	1028	explorer.exe	reg.exe
PID 1028 wrote to memory of 1744	1028	explorer.exe	reg.exe
PID 1028 wrote to memory of 556	1028	explorer.exe	reg.exe
PID 1028 wrote to memory of 556	1028	explorer.exe	reg.exe
PID 1028 wrote to memory of 556	1028	explorer.exe	reg.exe
PID 1028 wrote to memory of 556	1028	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1d735649a27067b1397141a75e74e858c62457d05aa6be1d69b17d4e1835db49.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:620

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1d735649a27067b1397141a75e74e858c62457d05aa6be1d69b17d4e1835db49.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1308

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn eptybfqsm /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\1d735649a27067b1397141a75e74e858c62457d05aa6be1d69b17d4e1835db49.dll\"" /SC ONCE /Z /ST 05:02 /ET 05:14
4⤵
- Creates scheduled task(s)
PID:860

C:\Windows\system32\taskeng.exe
taskeng.exe {F43B476E-8E30-42D1-BEFA-C0C1D99BDB1B} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\1d735649a27067b1397141a75e74e858c62457d05aa6be1d69b17d4e1835db49.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\1d735649a27067b1397141a75e74e858c62457d05aa6be1d69b17d4e1835db49.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Niwcspjgyf" /d "0"
5⤵
PID:1744

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Upwpy" /d "0"
5⤵
PID:556

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1d735649a27067b1397141a75e74e858c62457d05aa6be1d69b17d4e1835db49.dll
MD5
e3639b7a074b4349f96e9dcf59c22cde

SHA1
36ebed9ab3e530752a49658f76cf6c26bbebbd97

SHA256
1d735649a27067b1397141a75e74e858c62457d05aa6be1d69b17d4e1835db49

SHA512
49042451af9bc8bc383bc9eff248447fda7c0437941a1e6f2a97276d9d9aee464045423e594084fb4865e997a7f5db82baf066244faf94e1e24f74a6cfc45083

Download Submit
\Users\Admin\AppData\Local\Temp\1d735649a27067b1397141a75e74e858c62457d05aa6be1d69b17d4e1835db49.dll
MD5
e3639b7a074b4349f96e9dcf59c22cde

SHA1
36ebed9ab3e530752a49658f76cf6c26bbebbd97

SHA256
1d735649a27067b1397141a75e74e858c62457d05aa6be1d69b17d4e1835db49

SHA512
49042451af9bc8bc383bc9eff248447fda7c0437941a1e6f2a97276d9d9aee464045423e594084fb4865e997a7f5db82baf066244faf94e1e24f74a6cfc45083

Download Submit
memory/576-61-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download
memory/576-63-0x00000000751E1000-0x00000000751E3000-memory.dmp

Filesize
8KB

Download
memory/576-64-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/1028-78-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1308-59-0x0000000000770000-0x00000000007B3000-memory.dmp

Filesize
268KB

Download
memory/1308-60-0x0000000000820000-0x0000000000841000-memory.dmp

Filesize
132KB

Download
memory/1308-53-0x0000000076071000-0x0000000076073000-memory.dmp

Filesize
8KB

Download
memory/1308-55-0x0000000000820000-0x0000000000841000-memory.dmp

Filesize
132KB

Download
memory/1308-58-0x0000000000820000-0x0000000000841000-memory.dmp

Filesize
132KB

Download
memory/1308-56-0x0000000000820000-0x0000000000841000-memory.dmp

Filesize
132KB

Download
memory/1308-54-0x00000000006D0000-0x0000000000770000-memory.dmp

Filesize
640KB

Download
memory/1308-57-0x0000000000820000-0x0000000000841000-memory.dmp

Filesize
132KB

Download
memory/1608-69-0x00000000001A0000-0x0000000000240000-memory.dmp

Filesize
640KB

Download
memory/1608-74-0x00000000009F0000-0x0000000000A11000-memory.dmp

Filesize
132KB

Download
memory/2004-65-0x000007FEFC511000-0x000007FEFC513000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads