MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 051eda78705b38dc1577ef8ea4e972990d32ca7b39b4981127b2e4221d110f2a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Quakbot


Vendor detections: 11



SHA256 hash: 051eda78705b38dc1577ef8ea4e972990d32ca7b39b4981127b2e4221d110f2a
SHA3-384 hash: 0e9806672cb7583a8749b9f5abf379e45db29bd11596df67a0c1dd3f13ef9c226a70044a23c8153000f682afd891f6e3
SHA1 hash: 18c143ba12246321416b77e67afac04825fca12f
MD5 hash: b5cd890b8ba5f31c3f7e457f40f5d728
humanhash: lamp-orange-mike-lion
File name: fearfully.dat
Signature: Quakbot
File size: 395'776 bytes
First seen: 2022-10-06 16:06:48 UTC
Last seen: Never
File type: DLL (dll)
MIME type: application/x-dosexec
imphash: 3c85ad0d25a101f6044357c668da2423 (4 x Quakbot)
ssdeep: 6144:XtgTFlqteWTBa5WsoUReNsyLK9+8WqniKS9jyA9yjHHXsBcfmL/p+LIORL6qYFYM:d8z4TU5WsoURzN9ftniPHlQEFYM
Threatray: 1'483 similar samples on MalwareBazaar
TLSH: T18D842C87ED54DFBBC6BD81B9AA5E069F821242167F4336EB621D4190B58374333E638C
TrID: 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
      13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
      6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter: pr0xylife
Tags: dll obama210 Qakbot Quakbot

Intelligence


File Origin
# of uploads: 1
# of downloads: 264
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Suspicious
Maliciousness:

Behaviour
Searching for the window
DNS request
Creating synchronization primitives
Launching a process
Searching for synchronization primitives
Modifying an executable file
Creating a window
Sending a custom TCP request
Unauthorized injection to a system process
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 96 / 100
Signature
Allocates memory in foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Execute DLL with spoofed extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph (ID: 717643; Sample: fearfully.dat.dll; Startdate: 06/10/2022; Architecture: WINDOWS; Score: 96). Root-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected Qbot; 3 other signatures. Process tree recovered from the graph:
loaddll32.exe (Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Maps a DLL or memory area into another process)
    -> cmd.exe -> rundll32.exe (Overwrites code with unconditional jumps; Writes to foreign memory regions; Allocates memory in foreign processes; Maps a DLL or memory area into another process) -> wermgr.exe
    -> rundll32.exe (Overwrites code with unconditional jumps; Writes to foreign memory regions; Allocates memory in foreign processes) -> wermgr.exe
    -> regsvr32.exe (Maps a DLL or memory area into another process) -> wermgr.exe
    -> 4 other processes (dropped C:\Users\user\Desktop\fearfully.dat.dll, PE32) -> WerFault.exe
Result
Malware family:
Score: 10/10
Tags: family:qakbot banker stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Qakbot/Qbot
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash: 1e4c3f0a0b28849831fbe177c3664479788753d0d68c1f5e7c490c622dbc622e
MD5 hash: 2dc152576ef9383da0b37061cdab4927
SHA1 hash: 54f013a3e8933b59cbcc842a9a4f8411100edc12
Detections: win_qakbot_auto
SHA256 hash: 051eda78705b38dc1577ef8ea4e972990d32ca7b39b4981127b2e4221d110f2a
MD5 hash: b5cd890b8ba5f31c3f7e457f40f5d728
SHA1 hash: 18c143ba12246321416b77e67afac04825fca12f
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: QakBot
Author: kevoreilly
Description: QakBot Payload
Rule name: unpacked_qbot
Description: Detects unpacked or memory-dumped QBot samples
Rule name: win_qakbot_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.qakbot.
Rule name: win_qakbot_malped
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.qakbot.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
