MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 09a4b39c319f0ce6f3bf25a23be3cc6bd57d4597ec5b498b56f45a74ccee73c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	09a4b39c319f0ce6f3bf25a23be3cc6bd57d4597ec5b498b56f45a74ccee73c8
SHA3-384 hash:	7152c8b4fe4f73831b272f7e0c634baa79f04ce7b7659873d08ab137c8e10506a37019e9e414d0aacf1b58846f53cd05
SHA1 hash:	f9e98ee8e13f41dfacf58037a8249cc7e720d600
MD5 hash:	6c486935587324fc2bcb4a2bf54a1e9b
humanhash:	single-purple-avocado-beryllium
File name:	09a4b39c319f0ce6f3bf25a23be3cc6bd57d4597ec5b498b56f45a74ccee73c8
Download:	download sample
Signature	Quakbot Create hunting rule
File size:	686'576 bytes
First seen:	2022-07-09 07:12:28 UTC
Last seen:	2022-07-09 07:43:29 UTC
File type:	dll
MIME type:	application/x-dosexec
imphash	b3eb5f2cb0e5c330158023ae1978afd1 (12 x Quakbot)
ssdeep	12288:xHl4sryeYLd4LtvckUzl/Fcdjhv3r7UTGoChBQeH:tmYYLd4dsevnUGoMH
Threatray	1'397 similar samples on MalwareBazaar
TLSH	T152E49E26F7D08833D27316389C5B63A4A8357E50293868962FFC2E4C4F39B817A75797
TrID	47.6% (.EXE) Win32 Executable Delphi generic (14182/79/4) 15.1% (.EXE) Win32 Executable (generic) (4505/5/1) 10.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1) 6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23) 6.8% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	399998ecd4d46c0e (573 x Quakbot, 295 x GCleaner, 137 x ArkeiStealer)
Reporter	JAMESWT_WT
Tags:	dll Quakbot signed TOPFLIGHT GROUP LIMITED

Code Signing Certificate

Organisation:	TOPFLIGHT GROUP LIMITED
Issuer:	Sectigo Public Code Signing CA R36
Algorithm:	sha384WithRSAEncryption
Valid from:	2022-06-24T00:00:00Z
Valid to:	2023-06-24T23:59:59Z
Serial number:	5b1f9ec88d185631ab032dbfd5166c0d
Intelligence:	12 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:	This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:	SHA256
Thumbprint:	a46234c01e9f9904e500aefad4b5718d86aaec4e084b3d8ffbfe5724f8ddda45
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

319

Origin country :

n/a

Vendor Threat Intelligence

Detection:

QakBot

Link:

https://www.capesandbox.com/analysis/285776/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.49333993.5446.9397.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Searching for synchronization primitives

Searching for the window

Сreating synchronization primitives

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware keylogger overlay packed qakbot qbot

Link:

https://www.filescan.io/uploads/62c92abb11764e36f8260d07/reports/caa3ca3f-c637-41cc-9327-8ade6e3fe88c/overview

Malware family:

Qakbot

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/90cdbd12-9400-47b1-9467-3452b893333c

Result

Threat name:

CryptOne, Qbot

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1027696

Signature

Allocates memory in foreign processes

Contains functionality to detect sleep reduction / modifications

Creates files in the system32 config directory

Encrypted powershell cmdline option found

Injects code into the Windows Explorer (explorer.exe)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Sigma detected: Schedule system process

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected CryptOne packer

Yara detected Qbot

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/09a4b39c319f0ce6f3bf25a23be3cc6bd57d4597ec5b498b56f45a74ccee73c8/

Threat name:

Win32.Backdoor.Quakbot

Status:

Malicious

First seen:

2022-07-09 02:24:54 UTC

File Type:

PE (Dll)

Extracted files:

AV detection:

22 of 39 (56.41%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bgslhhbrt4gon457ewrdxy6mnpkx2rmx5rnutc2w6rnhjthoopea._file

Verdict:

malicious

Label(s):

qakbot

Quakbot

1beb6f15f403fe31392012b506ce1bb38424482d3e8123f0f80ae439484fffe7

Quakbot

357b994cf1840ccd15970656a2c42d5fa3491be76e08d063c9e7ca4b9c334da6

Quakbot

42bc9b623f70e46d6aab4910d8c75221aecf89a00756a61b21f952eea13a446c

Quakbot

5d62cbd1c137333a510d67a26d86ef27a0230a421f25516cfcb6df49cc91c953

Quakbot

5fe5acb2467c0b99e0bc07c7c661af29ab23da9388e356b0c6fb64037debe7a4

Quakbot

7d436b6200af103cb2fba472e95972dfb5475feb65d485720d0c547ca00c2547

Quakbot

dcd14c38adfeaf976dbf3aacce00d5e664e007fd3ad4b3d4f6d603be8ae4d92d

Quakbot

e022362a9fde5b81a08295892822bc21ece364fa7e1adef735ca1c9a7e50cd64

Quakbot

+ 1'387 additional samples on MalwareBazaar

Result

Malware family:

qakbot

Score:

10/10

Tags:

family:qakbot botnet:obama199 campaign:1657265474 banker stealer trojan

Link:

https://tria.ge/reports/220709-h13nhscfhm/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Program crash

Qakbot/Qbot

Malware Config

C2 Extraction:

121.7.223.45:2222
67.209.195.198:443
148.64.96.100:443
92.132.132.81:2222
217.128.122.65:2222
47.180.172.159:443
173.174.216.62:443
70.46.220.114:443
32.221.224.140:995
69.14.172.24:443
117.248.109.38:21
94.59.15.180:2222
38.70.253.226:2222
217.165.157.202:995
41.228.22.180:443
67.165.206.193:993
172.115.177.204:2222
186.90.153.162:2222
47.23.89.60:993
120.150.218.241:995
93.48.80.198:995
89.211.209.234:2222
197.89.12.70:443
208.107.221.224:443
24.178.196.158:2222
66.230.104.103:443
118.161.14.242:995
24.158.23.166:995
100.38.242.113:995
37.208.132.76:50010
63.143.92.99:995
182.191.92.203:995
86.97.246.166:1194
74.14.5.179:2222
40.134.246.185:995
111.125.245.116:995
173.21.10.71:2222
76.25.142.196:443
142.186.49.224:2222
118.161.14.242:443
174.69.215.101:443
187.172.164.12:443
129.208.151.177:995
70.51.137.244:2222
190.252.242.69:443
24.55.67.176:443
103.246.242.202:443
89.101.97.139:443
47.156.129.52:443
72.252.157.93:993
72.252.157.93:990
72.252.157.93:995
177.94.65.26:32101
24.139.72.117:443
82.41.63.217:443
179.158.105.44:443
81.132.186.218:2078
201.172.20.167:2222
37.186.58.99:995
37.34.253.233:443
125.25.133.223:443
45.241.254.69:993
39.49.41.221:995
196.203.37.215:80
88.240.59.52:443
39.44.60.200:995
86.97.10.37:443
86.98.157.114:993
109.12.111.14:443
81.193.30.90:443
39.52.59.221:995
39.41.16.210:995
106.51.48.188:50001
86.97.209.138:2222
104.34.212.7:32103
86.213.75.30:2078
45.46.53.140:2222
39.57.56.11:995
84.241.8.23:32103
2.178.166.220:61202
24.43.99.75:443
101.50.67.155:995
41.13.224.28:443
108.56.213.219:995
189.253.167.141:443
5.32.41.45:443
120.61.1.141:443
177.189.180.214:32101
94.36.193.176:2222
39.53.124.57:995
80.11.74.81:2222
41.84.224.109:443
103.116.178.85:995
209.15.76.228:443
184.97.29.26:443
102.65.66.66:443
39.52.221.9:995
191.112.26.57:443
210.246.4.69:995

Unpacked files

SH256 hash:

5e94cede21e0eddc69f19bc51e8380c736a045569722b4232eb55267fcb1cdc8

MD5 hash:

51fe4005c165e728b9e2ec0c6951f037

SHA1 hash:

974ed236d4f644bda67df9a359c5867704a7de59

Link:

https://www.unpac.me/results/13e0dfff-f0d5-4d2e-b8b0-baaf0c83a07e/

SH256 hash:

50d778ca9ec1749e645423deff1642c8c8513cd5a2090114b34078bcbfa14b8f

MD5 hash:

85f4770f6bfd7717f612c330974773e2

SHA1 hash:

5462429ecf47cd3f7d54efdb96e1e8ed38ffe094

Detections:

win_qakbot_auto

Link:

https://www.unpac.me/results/13e0dfff-f0d5-4d2e-b8b0-baaf0c83a07e/

Parent samples :

1beb6f15f403fe31392012b506ce1bb38424482d3e8123f0f80ae439484fffe7
08f07f31eeba10e1139b287914bc0909cf64e40d51c84a8158365577f2126b4b
18fd119493272ee301e6f57417f64a89a9f4aa976ab8b940d12dea133ed9400e
5d62cbd1c137333a510d67a26d86ef27a0230a421f25516cfcb6df49cc91c953
357b994cf1840ccd15970656a2c42d5fa3491be76e08d063c9e7ca4b9c334da6
9e861f282623eca8634fb8e0486661f06f96b5f0d0ca5ee48ddc4bfa9b86cb36
4700092298655bf5ab6611727799d456e33dfecbe25f87d8391f73fe2c0480c3
d554cf5e1dd65dc5d013e04bce060bbe8029302c0da6d02fad3f58010c5a554b
595bc8cfd93e82a7e3b5f61f8087519f138c6c833a462ee3bde033e759e53045
09a4b39c319f0ce6f3bf25a23be3cc6bd57d4597ec5b498b56f45a74ccee73c8
80848c46e198bc29dad7f89e472b9766ea19a1d0e7def5c6535edc28f5699e36
42bc9b623f70e46d6aab4910d8c75221aecf89a00756a61b21f952eea13a446c

SH256 hash:

09a4b39c319f0ce6f3bf25a23be3cc6bd57d4597ec5b498b56f45a74ccee73c8

MD5 hash:

6c486935587324fc2bcb4a2bf54a1e9b

SHA1 hash:

f9e98ee8e13f41dfacf58037a8249cc7e720d600

Link:

https://www.unpac.me/results/13e0dfff-f0d5-4d2e-b8b0-baaf0c83a07e/

Malware family:

QBot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/09a4b39c319f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/09a4b39c319f0ce6f3bf25a23be3cc6bd57d4597ec5b498b56f45a74ccee73c8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/285776/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample