MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0686ffb62b3787e05388beb655b0d3ce446be054c36408fde8ccd3378ef36270. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0686ffb62b3787e05388beb655b0d3ce446be054c36408fde8ccd3378ef36270
SHA3-384 hash: d980747f41eb3d81ea541dab390e1c43f3925726d58a4d6e10bf1fce5462013103aa4ed3db90d9107649cdea9c62811a
SHA1 hash: 1b2bd9e3638e558bbb34d6cf87fc405ddfe5d5db
MD5 hash: 14b7e959c4a57ecf9b5fe3ba943d80ab
humanhash: potato-comet-sixteen-pip
File name:winced.dat
Download: download sample
Signature Quakbot
Create hunting rule
File size:482'816 bytes
First seen:2022-11-01 09:57:38 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 98f8695a2128119cca21bd86d814c319 (1 x Quakbot)
ssdeep 6144:rFdsFJ6i5gi6QFklGtnWf+ajAjM1ShS5p+ppsJv3DTIjF0HHGh/O98CbS3Om5djg:3KZklGtnyfgHCvQFyHM3Om52EtJkiI
Threatray 1'631 similar samples on MalwareBazaar
TLSH T1A6A4BF00B152C135F4BF047944B89A695A2C7E2007945CEFB3C4BA3E6AF47D1BA717A7
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter pr0xylife
Tags:1667208499 BB05 dll Qakbot Quakbot

Intelligence

File Origin
# of uploads :
1
# of downloads :
366
Origin country :
n/a
Vendor Threat Intelligence
Detection:
QakBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/326775/
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Launching a process
Searching for synchronization primitives
Modifying an executable file
Creating a window
Sending a custom TCP request
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug greyware hacktool
Link:
https://www.filescan.io/uploads/6360edaba5db8d309cbc2a47/reports/3d5db8c9-1891-4ddc-bf78-a981dcb40e89/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fa41ca33-149b-4f72-98bf-a7c363aa34af
Result
Threat name:
Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1102427
Signature
Allocates memory in foreign processes
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Execute DLL with spoofed extension
Snort IDS alert for network traffic
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 735088 Sample: winced.dat.dll Startdate: 01/11/2022 Architecture: WINDOWS Score: 88 37 Snort IDS alert for network traffic 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 Yara detected Qbot 2->41 43 Sigma detected: Execute DLL with spoofed extension 2->43 8 loaddll32.exe 1 2->8         started        process3 signatures4 53 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->53 55 Maps a DLL or memory area into another process 8->55 11 cmd.exe 1 8->11         started        13 regsvr32.exe 8->13         started        16 rundll32.exe 8->16         started        18 4 other processes 8->18 process5 file6 21 rundll32.exe 11->21         started        57 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 13->57 59 Writes to foreign memory regions 13->59 61 Allocates memory in foreign processes 13->61 24 wermgr.exe 13->24         started        63 Maps a DLL or memory area into another process 16->63 26 wermgr.exe 16->26         started        33 C:\Users\user\Desktop\winced.dat.dll, PE32 18->33 dropped 28 WerFault.exe 23 9 18->28         started        signatures7 process8 dnsIp9 45 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 21->45 47 Writes to foreign memory regions 21->47 49 Allocates memory in foreign processes 21->49 51 Maps a DLL or memory area into another process 21->51 31 wermgr.exe 21->31         started        35 192.168.2.1 unknown unknown 28->35 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0686ffb62b3787e05388beb655b0d3ce446be054c36408fde8ccd3378ef36270/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-11-01 09:58:09 UTC
File Type:
PE (Dll)
Extracted files:
3
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=a2dp7nrlg6d6au4ix23flmgtzzcgxycuynsar7piztjtpdxtmjya._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
24aec370771ad1208aeb54721067c9e3b139a368f13ab6b131dc7d6c13da5127
Quakbot
3673e67108d268144a56740412a8df09d18f7e1e3565738df4ee299ca89f9928
Quakbot
68497fe4d9c25c38e9419c4d617a62fedbbe272ef2623c6d61d6794fb047338a
Quakbot
aa8fbf0411339a0acce09cebab6aea8ed00ceaec76fd92f304ee41c09a9372a4
Quakbot
e248f7a1cbd369a2111834664fa805b489c8610e0d9b7fa506c3a1fc882dd331
Quakbot
e9e65452644cf71bddbd3a324c171117c3df219a642bca6083ee6796dc5365c2
Quakbot
eb1422db19c4a5da70b11693f04d300928be95e16aaeda321b6feca33331b21e
Quakbot
+ 1'621 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot botnet:bb05 campaign:1667208499 banker stealer trojan
Link:
https://tria.ge/reports/221101-lzgw7sbeaq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Qakbot/Qbot
Malware Config
C2 Extraction:
174.77.209.5:443
187.0.1.74:23795
24.206.27.39:443
1.156.220.169:30723
156.216.39.119:995
58.186.75.42:443
1.156.197.160:30467
187.1.1.190:4844
186.18.210.16:443
1.181.56.171:771
90.165.109.4:2222
187.0.1.186:39742
87.57.13.215:443
187.0.1.207:52344
227.26.3.227:1
98.207.190.55:443
187.0.1.197:7017
188.49.56.189:443
102.156.160.115:443
187.0.1.24:17751
70.51.139.148:2222
187.0.1.109:34115
14.164.18.210:443
187.0.1.97:30597
205.161.22.189:443
187.0.1.151:54711
196.217.63.248:443
187.0.1.160:45243
66.37.239.222:443
24.207.97.40:443
187.0.1.59:24056
68.62.199.70:443
45.230.169.132:993
Unpacked files
SH256 hash:
7fe3748859c1d1e26fdefa94348a1b0384371956d37dcb443cc41fe089ac0980
MD5 hash:
4422b69dfee21253d9a0d3ae931b2498
SHA1 hash:
d5849a933708338e68d64aa25e6ec03501db2737
Detections:
Qakbot
Create hunting rule
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/3ccf7881-4ed8-4ffc-b71e-7a310850f1be/
Parent samples :
68497fe4d9c25c38e9419c4d617a62fedbbe272ef2623c6d61d6794fb047338a
0686ffb62b3787e05388beb655b0d3ce446be054c36408fde8ccd3378ef36270
bd66c4bda4b8314636c017ea7743a3c731723f4128d0679e438ab6883f143a27
ef713bf53131e16f35b94accbe2544e5b5969a417a6d2a37d880913635ded18d
SH256 hash:
0686ffb62b3787e05388beb655b0d3ce446be054c36408fde8ccd3378ef36270
MD5 hash:
14b7e959c4a57ecf9b5fe3ba943d80ab
SHA1 hash:
1b2bd9e3638e558bbb34d6cf87fc405ddfe5d5db
Link:
https://www.unpac.me/results/3ccf7881-4ed8-4ffc-b71e-7a310850f1be/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0686ffb62b37/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0686ffb62b3787e05388beb655b0d3ce446be054c36408fde8ccd3378ef36270

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/326775/

Comments