MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a38dfc9dc429b49449a95b7358b3c35f1245728df55adc72c57baa79b708bb3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 10

SHA256 hash: 0a38dfc9dc429b49449a95b7358b3c35f1245728df55adc72c57baa79b708bb3
SHA3-384 hash: b114856a81dfec04bda88439106f4ffa979e8a26df7c6bca488b995c14a22474477d5d5f256abb32732bcc5baa530cc1
SHA1 hash: 08433ea3bca201ba265b1439af18d14e4c46ffe5
MD5 hash: dd7828e62a338382e9f76ae4afe4b755
humanhash: item-football-florida-quebec
File name: 8746784935757.dat
Signature: Quakbot
File size: 523'264 bytes
First seen: 2022-03-22 12:22:51 UTC
Last seen: Never
File type: DLL
MIME type: application/x-dosexec
imphash: 9e45408bef939ba7b084556548e54b63 (2 x Quakbot)
ssdeep: 12288:l7kLQI89Rji0iEm2aY6XXQtVOlrFaMUm3HNNkpIdYdi:l7QxkjFOXKO5FaMzHNSpIt
Threatray: 329 similar samples on MalwareBazaar
TLSH: T1E7B4C0B53604BDE6E57F463BD9A59CDD137626228AC7D8CD90A077C30A733A1EE12C06
Reporter: pr0xylife
Tags: dll obama168 Qakbot Quakbot

Intelligence

File Origin
# of uploads: 1
# of downloads: 180
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating synchronization primitives
Launching a process
Searching for synchronization primitives
Creating a window
Unauthorized injection to a system process
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 92 / 100
Signature
Allocates memory in foreign processes
Found malware configuration
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Suspicious Call by Ordinal
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph (ID 594091; sample 8746784935757.dat; start date 22/03/2022; architecture WINDOWS; score 92)
Sample-level signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected Qbot; 2 other signatures
Process tree (signatures attached to each process in parentheses):
  loaddll32.exe (Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 2 other signatures)
    cmd.exe
      rundll32.exe (Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 2 other signatures)
        explorer.exe
    regsvr32.exe (Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions)
      explorer.exe
    rundll32.exe (Allocates memory in foreign processes; Maps a DLL or memory area into another process)
      explorer.exe
    3 other processes
Threat name: Win32.Backdoor.Quakbot
Status: Malicious
First seen: 2022-03-22 12:23:08 UTC
File Type: PE (Dll)
AV detection: 19 of 25 (76.00%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:qakbot botnet:obama168 campaign:1647853291 banker stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Qakbot/Qbot
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash: b9db59bce5b55ead7e9aa151251b298d607ff2e4b03fc418bb6e01d47bd1cb8a
MD5 hash: 8e745160200ff682e080a17be4bd86ff
SHA1 hash: f40ebd2f7b8953bfd9e6a9f91bbeaf9e69fb593f
SHA256 hash: 0a38dfc9dc429b49449a95b7358b3c35f1245728df55adc72c57baa79b708bb3
MD5 hash: dd7828e62a338382e9f76ae4afe4b755
SHA1 hash: 08433ea3bca201ba265b1439af18d14e4c46ffe5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information
The table below shows additional information about this malware sample such as delivery method and external references.