MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0924d35df6c4c9d97df5da3bfd8ecf136979eaf9eef13e082a6337af5549d6e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot
Vendor detections: 9
SHA256 hash: 0924d35df6c4c9d97df5da3bfd8ecf136979eaf9eef13e082a6337af5549d6e0
SHA3-384 hash: 8cda5ed921a10f4c4a6d1aa108a7bf5a6bb4f0563a1614d9f95711153810d320c09889756f6218f2cb56678cd2ae0ef5
SHA1 hash: aade7c90bdc3cf1b16722611553c68a007ca9315
MD5 hash: b37487887b41e0b6879c952dbb19552b
humanhash: maine-single-colorado-xray
File name: 0x0002000000015588-266.dat
Signature: Quakbot
File size: 868'864 bytes
First seen: 2022-04-04 16:43:22 UTC
Last seen: Never
File type: DLL
MIME type: application/x-dosexec
imphash: fb812e15befde32b6180a6b0cd372f42 (7 x Quakbot)
ssdeep: 24576:Zp4qZZQsxzVxASLeM/3S6kk0lWhgDabO:Zp
Threatray: 406 similar samples on MalwareBazaar
TLSH: T16405BFB876047CE6E5AF427BDE96ACD913762A32C9C799CD8065B7C30963372EE01C05
Reporter: pr0xylife
Tags: dll obama173 Qakbot Quakbot

Intelligence


File Origin
# of uploads: 1
# of downloads: 242
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating synchronization primitives
Launching a process
Searching for synchronization primitives
Creating a window
Unauthorized injection to a system process
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 80 / 100
Signature
Allocates memory in foreign processes
Found malware configuration
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Suspicious Call by Ordinal
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph:
Threat name: Win32.Backdoor.Quakbot
Status: Malicious
First seen: 2022-04-04 16:44:07 UTC
File Type: PE (Dll)
AV detection: 21 of 42 (50.00%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:qakbot botnet:obama173 campaign:1648712096 banker stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Qakbot/Qbot
Malware Config
C2 Extraction:

Unpacked files
SHA256 hash: 0924d35df6c4c9d97df5da3bfd8ecf136979eaf9eef13e082a6337af5549d6e0
MD5 hash: b37487887b41e0b6879c952dbb19552b
SHA1 hash: aade7c90bdc3cf1b16722611553c68a007ca9315
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.