MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 085f0f3f25b1328d153a7c56125e1d8a4d43bc882fe3f250d742ea5247850c02. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 085f0f3f25b1328d153a7c56125e1d8a4d43bc882fe3f250d742ea5247850c02
SHA3-384 hash: 8d38da4b120d732f410bcd1ff092108b461436608e380e724ae73414e5968cc802003fcff0af50ea2af49476c11e3c1c
SHA1 hash: e6601cb30205c8e790ac4511f0d6362b80dbb9f5
MD5 hash: 09a815f48d8a5319d88f2b8b2e4b02ab
humanhash: four-thirteen-glucose-triple
File name:hindmost.temp
Download: download sample
Signature Quakbot
Create hunting rule
File size:1'055'704 bytes
First seen:2022-11-22 16:23:30 UTC
Last seen:2022-11-22 17:28:12 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 1726357b6fc2d768227af59ffbcbdfa8 (1 x Quakbot)
ssdeep 24576:AXYkbOvnDF9dnJEd+5F6bRGiJzN8gvd4rmwd2eZL/v2mWG2mWYY:XHnDF9dnJEd+5F6bR/JzN863q/v2mWGl
TLSH T156256BA296149435F86CECBD243DA6062829FCB11696B583F2C07DA3B4F35D138E7E47
TrID 45.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.4% (.EXE) Win64 Executable (generic) (10523/12/4)
9.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.6% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b671d4ccccd46e8c (1 x Quakbot)
Reporter pr0xylife
Tags:1669024152 BB07 dll FISH ACCOUNTING TRANSLATING LIMITED Qakbot Quakbot signed

Code Signing Certificate

Organisation:FISH ACCOUNTING & TRANSLATING LIMITED
Issuer:Sectigo Public Code Signing CA R36
Algorithm:sha384WithRSAEncryption
Valid from:2022-10-26T00:00:00Z
Valid to:2023-10-26T23:59:59Z
Serial number: 626735ed30e50e3e0553986d806bfc54
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: a1488004ec967faf6c66f55440bbde0de47065490f7c758f3ca1315bb0ef3b97
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
347
Origin country :
RU RU
Vendor Threat Intelligence
Detection:
QakBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/337299/
Detection(s):
SecuriteInfo.com.Win32.DangerousSig.15426.26845.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Launching a process
Searching for synchronization primitives
Modifying an executable file
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware keylogger overlay packed
Link:
https://www.filescan.io/uploads/637cf7a59c57db591d88be50/reports/1e634ed6-197b-49e8-a47b-5fbf4eaf3299/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4e162ffe-f59c-4db7-ba51-a23a7a35627f
Result
Threat name:
Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1119075
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 751792 Sample: hindmost.temp.dll Startdate: 22/11/2022 Architecture: WINDOWS Score: 72 33 89.115.196.99 VODAFONE-PTVodafonePortugalPT Portugal 2->33 35 94.63.65.146 VODAFONE-PTVodafonePortugalPT Portugal 2->35 37 98 other IPs or domains 2->37 39 Yara detected Qbot 2->39 41 C2 URLs / IPs found in malware configuration 2->41 43 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->43 9 loaddll32.exe 1 2->9         started        signatures3 process4 signatures5 53 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 9->53 55 Writes to foreign memory regions 9->55 57 Allocates memory in foreign processes 9->57 59 Maps a DLL or memory area into another process 9->59 12 rundll32.exe 9->12         started        15 cmd.exe 1 9->15         started        17 regsvr32.exe 9->17         started        19 4 other processes 9->19 process6 signatures7 61 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 12->61 63 Writes to foreign memory regions 12->63 65 Allocates memory in foreign processes 12->65 21 wermgr.exe 8 1 12->21         started        24 rundll32.exe 15->24         started        67 Maps a DLL or memory area into another process 17->67 27 wermgr.exe 17->27         started        process8 file9 31 C:\Users\user\Desktop\hindmost.temp.dll, PE32 21->31 dropped 45 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 24->45 47 Writes to foreign memory regions 24->47 49 Allocates memory in foreign processes 24->49 51 Maps a DLL or memory area into another process 24->51 29 wermgr.exe 24->29         started        signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/085f0f3f25b1328d153a7c56125e1d8a4d43bc882fe3f250d742ea5247850c02/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-11-22 16:24:10 UTC
File Type:
PE (Dll)
Extracted files:
26
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bbpq6pzfwezi2fj2prlbexq5rjguhpeif7r7eugxilvfer4fbqba._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot botnet:bb07 campaign:1669024152 banker stealer trojan
Link:
https://tria.ge/reports/221122-twcr3sdd6y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Qakbot/Qbot
Malware Config
C2 Extraction:
69.119.123.159:2222
197.148.17.17:2078
174.104.184.149:443
12.172.173.82:995
91.68.227.219:443
85.241.180.94:443
83.7.53.150:443
213.22.188.57:2222
71.46.234.170:443
190.75.150.58:2222
86.98.15.100:995
89.115.196.99:443
83.31.254.67:2222
46.162.109.183:443
2.84.98.228:2222
78.69.251.252:2222
12.172.173.82:465
75.143.236.149:443
47.229.96.60:443
80.121.8.212:995
74.92.243.113:50000
86.225.214.138:2222
183.82.100.110:2222
86.175.128.143:443
105.103.41.128:990
121.122.99.151:995
82.121.237.106:2222
83.248.199.56:443
81.156.198.115:2222
24.228.132.224:2222
87.243.146.59:443
174.112.25.29:2078
84.35.26.14:995
174.45.15.123:443
83.110.90.214:995
87.65.160.87:995
172.90.139.138:2222
71.247.10.63:2083
47.41.154.250:443
80.103.77.44:2222
92.11.189.236:2222
81.229.117.95:2222
91.169.12.198:32100
62.31.130.138:465
188.92.64.68:443
58.186.75.42:443
85.59.61.52:2222
94.63.65.146:443
80.13.179.151:2222
24.206.27.39:443
170.253.25.35:443
157.231.42.190:995
184.153.132.82:443
174.101.111.4:443
23.240.47.58:995
217.128.91.196:2222
62.35.67.88:443
184.155.91.69:443
86.176.144.202:2222
86.213.224.109:2222
90.104.22.28:2222
76.80.180.154:995
174.77.209.5:443
184.176.154.83:995
58.247.115.126:995
69.133.162.35:443
71.183.236.133:443
102.47.130.52:995
103.141.50.117:995
116.75.63.124:443
70.66.199.12:443
92.185.204.18:2078
130.43.107.232:995
92.24.200.226:995
81.111.108.123:443
98.145.23.67:443
197.0.235.159:443
92.137.74.174:2222
92.207.132.174:2222
12.172.173.82:50001
76.127.192.23:443
12.172.173.82:21
176.142.207.63:443
83.110.223.247:443
71.247.10.63:50003
108.6.249.139:443
24.69.87.61:443
90.89.95.158:2222
89.129.109.27:2222
91.254.215.167:443
71.247.10.63:995
47.34.30.133:443
86.130.9.140:2222
70.64.77.115:443
87.223.80.45:443
180.151.104.143:443
109.57.68.154:443
103.55.67.180:443
75.99.125.238:2222
50.68.204.71:995
73.36.196.11:443
105.184.161.242:443
187.199.224.16:32103
105.103.41.128:32103
75.156.125.215:995
170.249.59.153:443
2.91.187.6:995
87.202.101.164:50000
105.103.41.128:465
74.66.134.24:443
172.117.139.142:995
87.1.202.122:443
105.103.41.128:2078
12.172.173.82:990
86.171.75.63:443
12.172.173.82:2087
105.103.41.128:22
24.142.218.202:443
66.191.69.18:995
45.248.169.101:443
Unpacked files
SH256 hash:
b7bd1dee74653a2f1871f9a589f2e17697ddc014b55f7e158e296601f6e00eb0
MD5 hash:
742d7c33eed01381114e981abad801fb
SHA1 hash:
44f665c1408004ae67c7f4c50f80d61af6076d7c
Link:
https://www.unpac.me/results/9383daac-5a50-4b25-ad6d-6212a407fa6c/
SH256 hash:
01747eb0f7df63b9df7aeff2dc51e43264adc05b4c16f4908f38352405e31342
MD5 hash:
cf7dcbd42a3e3b61c697e93450f78585
SHA1 hash:
38b2ccbc8abdd59b5cb25acce730ce26c403c589
Detections:
Qakbot
Create hunting rule
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/9383daac-5a50-4b25-ad6d-6212a407fa6c/
SH256 hash:
085f0f3f25b1328d153a7c56125e1d8a4d43bc882fe3f250d742ea5247850c02
MD5 hash:
09a815f48d8a5319d88f2b8b2e4b02ab
SHA1 hash:
e6601cb30205c8e790ac4511f0d6362b80dbb9f5
Link:
https://www.unpac.me/results/9383daac-5a50-4b25-ad6d-6212a407fa6c/
Malware family:
QBot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/085f0f3f25b1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.87
Link:
https://yomi.yoroi.company/submissions/085f0f3f25b1328d153a7c56125e1d8a4d43bc882fe3f250d742ea5247850c02

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:QakBot
Create hunting rule
Author:kevoreilly
Description:QakBot Payload
Rule name:QbotStuff
Create hunting rule
Author:anonymous
Rule name:unpacked_qbot
Create hunting rule
Description:Detects unpacked or memory-dumped QBot samples
Rule name:win_qakbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.
Rule name:win_qakbot_malped
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/337299/

Comments