MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0695cd35445dc2f5b9bd2028e09db9449d61be3e1aab0a3047d822634afd2df1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 8

Intelligence 8 IOCs YARA 4 File information Comments

SHA256 hash:	0695cd35445dc2f5b9bd2028e09db9449d61be3e1aab0a3047d822634afd2df1
SHA3-384 hash:	8756b62765e7a54bd7551e84e7f6ee70759d0b53d2df54112008be24906595393435187780b26f5fa2deae7d15525bd9
SHA1 hash:	a55bcb89fe4d8df899065d9afbde01f324f507b7
MD5 hash:	c4e506aada22abb46a69e989d2273a2a
humanhash:	finch-mirror-winter-quebec
File name:	file
Download:	download sample
Signature	Quakbot Create hunting rule
File size:	351'208 bytes
First seen:	2021-04-29 01:16:15 UTC
Last seen:	2021-04-29 12:43:50 UTC
File type:	dll
MIME type:	application/x-dosexec
imphash	2f58585fc731a3646ea640dd58abbda7 (570 x Quakbot)
ssdeep	6144:2nQU+LqGvHr0nNK11G9DMEeZa8POyKmLUyaViFwRui:ZFrkNK11G9AEtMxQyOi6R
Threatray	2'334 similar samples on MalwareBazaar
TLSH	6874BF7DBB16DC23E2581BB062D35B581A53DAD63250210A1AF19F58ACE73A4BC37FC4
Reporter	Anonymous
Tags:	Qakbot Quakbot signed

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

QakBot

Link:

https://www.capesandbox.com/analysis/145985/

Detection(s):

Win.Packed.Qbot-9802444-0

Win.Malware.Ezuu-9802595-0

Win.Malware.Ezvd-9803869-0

Win.Malware.Ezuu-9805498-0

Win.Malware.Ezuu-9806579-0

Win.Malware.Ezuu-9810642-0

Win.Malware.Ezuu-9810692-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Changing a file

Sending a UDP request

Creating a file in the Windows subdirectories

Launching a process

Modifying an executable file

Creating a process with a hidden window

Creating a window

Creating a file

Unauthorized injection to a system process

Enabling autorun by creating a file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0695cd35445dc2f5b9bd2028e09db9449d61be3e1aab0a3047d822634afd2df1/

Threat name:

Win32.Trojan.QBot

Status:

Malicious

First seen:

2020-12-04 19:15:00 UTC

AV detection:

23 of 26 (88.46%)

Threat level:

5/5

Verdict:

malicious

Label(s):

qakbot

Result

Malware family:

qakbot

Score:

10/10

Tags:

family:qakbot botnet:abc106 campaign:1606896670 banker stealer trojan

Link:

https://tria.ge/reports/210429-1h7cscp9dx/

Behaviour

Checks SCSI registry key(s)

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Loads dropped DLL

Qakbot/Qbot

Malware Config

C2 Extraction:

203.106.195.67:443
58.152.9.133:443
67.61.157.208:443
211.24.72.253:443
82.10.43.130:2222
200.75.136.78:443
120.159.238.185:2222
196.151.252.84:443
105.198.236.101:443
197.161.154.132:443
79.172.26.240:443
41.233.153.21:993
103.102.100.78:2222
82.223.205.216:443
90.23.117.67:2222
81.214.126.173:2222
95.56.177.11:995
217.128.117.218:2222
185.163.221.77:2222
120.151.95.167:443
87.218.53.206:2222
94.49.188.240:443
2.90.33.130:443
70.124.29.226:443
81.150.181.168:2222
109.154.193.21:2222
120.150.218.241:995
96.40.175.33:443
5.2.188.253:443
86.125.209.126:443
89.137.211.239:443
189.252.72.41:995
109.209.94.165:2222
79.115.171.106:2222
61.1.205.150:443
68.46.142.48:995
69.11.247.242:443
123.136.59.45:443
87.27.110.90:2222
39.61.33.253:995
217.133.54.140:32100
181.129.155.10:443
27.223.92.142:995
175.137.119.141:443
197.51.82.115:995
197.45.110.165:995
174.62.13.151:443
71.10.43.79:443
75.136.26.147:443
156.205.103.107:995
189.150.40.192:2222
116.240.78.45:995
80.110.42.35:443
85.132.36.111:2222
144.202.38.185:443
41.97.178.190:443
68.224.121.148:993
78.101.145.96:61201
47.146.34.236:443
149.28.98.196:443
45.77.193.83:443
31.5.168.31:443
82.76.47.211:443
149.28.98.196:995
144.202.38.185:2222
24.95.61.62:443
149.28.98.196:2222
45.63.107.192:2222
149.28.99.97:2222
149.28.99.97:443
45.63.107.192:995
72.29.181.78:2222
144.202.38.185:995
37.21.231.245:995
41.227.82.102:443
182.161.6.57:3389
94.49.90.92:995
178.222.114.132:995
98.121.187.78:443
108.23.22.28:0
41.39.134.183:443
109.205.204.229:2222
120.150.34.178:443
95.77.223.148:443
176.45.233.94:995
50.244.112.10:995
173.173.1.164:443
108.30.125.94:443
78.187.125.116:2222
79.113.119.125:443
86.121.43.200:443
85.52.72.32:2222
31.5.21.66:995
189.231.3.63:443
105.103.33.188:443
218.227.162.13:443
95.76.27.6:443
91.104.44.226:995
81.97.154.100:443
47.44.217.98:443
37.209.255.10:443
161.142.217.62:443
85.204.189.105:443
68.15.109.125:443
37.211.86.156:443
156.220.32.217:995
90.101.117.122:2222
96.225.88.23:443
2.50.56.81:443
47.21.192.182:2222
93.146.133.102:2222
96.21.251.127:2222
184.98.97.227:995
58.179.21.147:995
72.36.59.46:2222
189.157.3.12:443
219.76.148.249:443
198.2.35.226:2222
86.98.59.208:443
47.22.148.6:443
197.86.204.38:443
120.150.60.189:995
45.118.65.34:443
110.142.205.182:443
37.210.133.63:995
94.98.242.243:443
45.32.162.253:443
83.110.150.100:443
140.82.27.132:443
45.32.165.134:443
39.36.30.92:995
94.176.40.234:443
73.244.83.199:443
2.88.67.161:995
86.98.34.84:995
65.131.47.74:995
181.208.249.141:443
200.110.188.218:443
151.33.226.156:443
73.51.245.231:995
37.210.131.246:443
71.220.164.199:443
172.87.157.235:443
47.24.47.218:443
195.97.101.40:443
184.21.136.237:995
118.70.55.146:443
103.76.160.110:443
2.89.183.206:443

Unpacked files

SH256 hash:

e306a7a3dda23d90ef95dc2b10b81d01a5c42de0760e2ef2d9018c0500b2820c

MD5 hash:

fc54b3ae29ef5eda2606f3fc7fffbbcd

SHA1 hash:

40b839a989f1f0099498a14686800d3fc1a86eda

Link:

https://www.unpac.me/results/3c5bc29e-caed-46e7-983a-e9a3a756a188/

SH256 hash:

0695cd35445dc2f5b9bd2028e09db9449d61be3e1aab0a3047d822634afd2df1

MD5 hash:

c4e506aada22abb46a69e989d2273a2a

SHA1 hash:

a55bcb89fe4d8df899065d9afbde01f324f507b7

Link:

https://www.unpac.me/results/3c5bc29e-caed-46e7-983a-e9a3a756a188/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

qbot

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0695cd35445dc2f5b9bd2028e09db9449d61be3e1aab0a3047d822634afd2df1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_QakBot Create hunting rule
Author:	ditekSHen
Description:	Detects variants of QakBot payload

Rule name:	QakBot Create hunting rule
Author:	kevoreilly
Description:	QakBot Payload

Rule name:	qbot_bin Create hunting rule
Author:	James_inthe_box
Description:	Qbot Qakbot
Reference:	https://app.any.run/tasks/b89d7454-403c-4c81-95db-7ecbba38eb02

Rule name:	Select_from_enumeration Create hunting rule
Author:	James_inthe_box
Description:	IP and port combo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malpedia

https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot

Cape

https://www.capesandbox.com/analysis/145985/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample