MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 01fd6e0c8393a5f4112ea19a26bedffb31d6a01f4d3fe5721ca20f479766208f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Quakbot
Vendor detections: 13
| SHA256 hash: | 01fd6e0c8393a5f4112ea19a26bedffb31d6a01f4d3fe5721ca20f479766208f |
|---|---|
| SHA3-384 hash: | 243cb791455d65dd428c984637ac72f4a5992406e2ddc5b5c3c73436234dd9c809c3dae3efb20762de426d128d4f7c43 |
| SHA1 hash: | 7a8c734481c95117009c57c8c81e077a2a5c5d96 |
| MD5 hash: | 747a50a101b528a155c8095f1aef0230 |
| humanhash: | three-red-rugby-oscar |
| File name: | arsenic.db |
| Download: | download sample |
| Signature | Quakbot |
| File size: | 869'888 bytes |
| First seen: | 2022-09-22 16:47:56 UTC |
| Last seen: | 2022-09-23 14:14:39 UTC |
| File type: |  dll |
| MIME type: | application/x-dosexec |
| imphash | 7c147222db065d3f126e0cde781f8035 (2 x Quakbot) |
| ssdeep | 12288:VByskGoWHwa0nZXKlhb/H9TT+iTojfQCA3kptT68JtQzB5UT+QD1lNMAFa:SnEjYNAeh4X668Jc5w9M+a |
| TLSH | T1AE058E22A2F044B7D1B32F3DAD3B92A598297D112E38A44B3BD41E4D4E396417A353F7 |
| TrID | 47.6% (.EXE) Win32 Executable Delphi generic (14182/79/4) 15.1% (.EXE) Win32 Executable (generic) (4505/5/1) 10.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1) 6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23) 6.8% (.EXE) OS/2 Executable (generic) (2029/13) |
| File icon (PE): |  |
| dhash icon | 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner) |
| Reporter |  pr0xylife |
| Tags: | 1663774884 dll Qakbot Quakbot |
Intelligence
File Origin
# of uploads :
5
# of downloads :
647
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Result
Verdict:
Suspicious
Maliciousness:
Behaviour
Сreating synchronization primitives
Creating a window
Launching a process
Searching for synchronization primitives
Modifying an executable file
Sending a custom TCP request
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
greyware keylogger
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Verdict:
Malicious
Result
Threat name:
CryptOne, Qbot
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected CryptOne packer
Yara detected Qbot
Behaviour
Behavior Graph:
Threat name:
Win32.Backdoor.Quakbot
Status:
Malicious
First seen:
2022-09-22 16:48:10 UTC
File Type:
PE (Dll)
Extracted files:
38
AV detection:
12 of 39 (30.77%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Label(s):
qakbot
Result
Malware family:
qakbot
Score:
10/10
Tags:
family:qakbot botnet:bb campaign:1663774884 banker stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Program crash
Qakbot/Qbot
Malware Config
C2 Extraction:
70.49.33.200:2222
181.118.183.123:443
99.232.140.205:2222
31.54.39.153:2078
173.218.180.91:443
193.3.19.37:443
134.35.8.88:443
41.97.152.42:443
70.51.132.197:2222
41.111.74.35:995
189.19.189.222:32101
105.156.139.150:443
217.165.68.59:993
119.82.111.158:443
111.125.157.230:443
125.25.129.70:443
197.94.84.128:443
177.255.14.99:995
187.205.222.100:443
190.44.40.48:995
139.228.33.176:2222
191.97.234.238:995
66.181.164.43:443
88.245.168.200:2222
110.4.255.247:443
89.211.217.38:995
109.155.5.164:993
76.169.76.44:2222
72.88.245.71:443
197.204.243.167:443
68.53.110.74:995
41.69.103.179:995
68.224.229.42:443
100.1.5.250:995
194.166.205.204:995
88.232.207.24:443
14.183.63.12:443
89.211.223.138:2222
85.98.206.165:995
191.254.74.89:32101
72.66.96.129:995
176.42.245.2:995
186.154.92.181:443
88.231.221.198:995
102.38.97.229:995
45.51.148.111:993
87.243.113.104:995
84.38.133.191:443
123.240.131.1:443
191.84.204.214:995
181.118.183.123:443
99.232.140.205:2222
31.54.39.153:2078
173.218.180.91:443
193.3.19.37:443
134.35.8.88:443
41.97.152.42:443
70.51.132.197:2222
41.111.74.35:995
189.19.189.222:32101
105.156.139.150:443
217.165.68.59:993
119.82.111.158:443
111.125.157.230:443
125.25.129.70:443
197.94.84.128:443
177.255.14.99:995
187.205.222.100:443
190.44.40.48:995
139.228.33.176:2222
191.97.234.238:995
66.181.164.43:443
88.245.168.200:2222
110.4.255.247:443
89.211.217.38:995
109.155.5.164:993
76.169.76.44:2222
72.88.245.71:443
197.204.243.167:443
68.53.110.74:995
41.69.103.179:995
68.224.229.42:443
100.1.5.250:995
194.166.205.204:995
88.232.207.24:443
14.183.63.12:443
89.211.223.138:2222
85.98.206.165:995
191.254.74.89:32101
72.66.96.129:995
176.42.245.2:995
186.154.92.181:443
88.231.221.198:995
102.38.97.229:995
45.51.148.111:993
87.243.113.104:995
84.38.133.191:443
123.240.131.1:443
191.84.204.214:995
Unpacked files
SH256 hash:
c6cbe60796b9f65e14373ab724f4e706f9b9ac84930f0905ec84368ffa3792dc
MD5 hash:
8cfb82b210656fa8c052ab5083384a35
SHA1 hash:
c8c762c6341027a6a412bc4abc834f51ca0611d4
SH256 hash:
babffc91fddfe19b8fc8dc2702b6e540ee71bc756fc79963e6112629ea58fc04
MD5 hash:
ef435ce7bff4e87f1e445c13367cc04f
SHA1 hash:
fbffb228f83a3f6fd847ce2ebcf1a576d077cff3
Detections:
Qakbot
win_qakbot_auto
SH256 hash:
01fd6e0c8393a5f4112ea19a26bedffb31d6a01f4d3fe5721ca20f479766208f
MD5 hash:
747a50a101b528a155c8095f1aef0230
SHA1 hash:
7a8c734481c95117009c57c8c81e077a2a5c5d96
Malware family:
QBot
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.86
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | meth_get_eip |
|---|---|
| Author: | Willi Ballenthin |
| Rule name: | meth_stackstrings |
|---|---|
| Author: | Willi Ballenthin |
| Rule name: | QakBot |
|---|---|
| Author: | kevoreilly |
| Description: | QakBot Payload |
| Rule name: | RansomwareTest4 |
|---|---|
| Author: | Daoyuan Wu |
| Description: | Test Ransomware YARA rules |
| Rule name: | RansomwareTest5 |
|---|---|
| Author: | Daoyuan Wu |
| Description: | Test Ransomware YARA rules |
| Rule name: | RansomwareTest6 |
|---|---|
| Author: | Daoyuan Wu |
| Description: | Test Ransomware YARA rules |
| Rule name: | RansomwareTest7 |
|---|---|
| Author: | Daoyuan Wu |
| Description: | Test Ransomware YARA rules |
| Rule name: | unpacked_qbot |
|---|---|
| Description: | Detects unpacked or memory-dumped QBot samples |
| Rule name: | win_qakbot_auto |
|---|---|
| Author: | Felix Bilstein - yara-signator at cocacoding dot com |
| Description: | Detects win.qakbot. |
| Rule name: | win_qakbot_malped |
|---|---|
| Author: | Felix Bilstein - yara-signator at cocacoding dot com |
| Description: | Detects win.qakbot. |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.