MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 131f545211db2b4cae7aea8303a9212f160708747364cd32cc1f3e8d739d288f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 131f545211db2b4cae7aea8303a9212f160708747364cd32cc1f3e8d739d288f
SHA3-384 hash: d2e37ba040842033dcc255468ad96cd63a51fe0c878008b79e554c4d0e37893f79736c43d43b0478eddc4c976eaefa3a
SHA1 hash: fcd7f3747819c0b57762365ee508866374a44205
MD5 hash: 360b52ee4f28aaf7a95a1b98342391ff
humanhash: oregon-bluebird-maryland-cold
File name:360b52ee_by_Libranalysis
Download: download sample
Signature Quakbot
Create hunting rule
File size:641'536 bytes
First seen:2021-05-21 17:01:09 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash a7aba6adb1ae5b75efafc0349b38a1d7 (3 x Quakbot)
ssdeep 12288:kX8ImE3HOu+F0vZuPxdqrUrVQIKrX1U95RcYPXjC:kXZXXOQxm8Ur+XrX2ZLC
Threatray 1'443 similar samples on MalwareBazaar
TLSH FDD4AF27F7A0883BC133377D9D5B96949C29BE813D2468462FE81E486F7D3813E16297
Reporter Libranalysis
Tags:Quakbot


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
1
# of downloads :
95
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Modifying an executable file
Creating a process with a hidden window
Creating a window
Sending a UDP request
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/787475
Signature
Allocates memory in foreign processes
Contain functionality to detect virtual machines
Contains functionality to detect sleep reduction / modifications
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Schedule system process
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 419873 Sample: 360b52ee_by_Libranalysis Startdate: 21/05/2021 Architecture: WINDOWS Score: 92 49 Malicious sample detected (through community Yara rule) 2->49 51 Sigma detected: Schedule system process 2->51 53 Machine Learning detection for sample 2->53 8 loaddll32.exe 1 2->8         started        11 regsvr32.exe 2->11         started        13 regsvr32.exe 2->13         started        process3 signatures4 55 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->55 57 Contain functionality to detect virtual machines 8->57 59 Injects code into the Windows Explorer (explorer.exe) 8->59 61 3 other signatures 8->61 15 explorer.exe 8 1 8->15         started        19 cmd.exe 1 8->19         started        21 regsvr32.exe 11->21         started        23 regsvr32.exe 13->23         started        process5 file6 41 C:\Users\...\360b52ee_by_Libranalysis.dll, PE32 15->41 dropped 45 Contain functionality to detect virtual machines 15->45 47 Uses schtasks.exe or at.exe to add and modify task schedules 15->47 25 schtasks.exe 1 15->25         started        27 rundll32.exe 19->27         started        30 WerFault.exe 17 9 21->30         started        32 WerFault.exe 9 23->32         started        signatures7 process8 signatures9 34 conhost.exe 25->34         started        63 Contains functionality to detect sleep reduction / modifications 27->63 36 WerFault.exe 23 9 27->36         started        39 explorer.exe 27->39         started        process10 dnsIp11 43 192.168.2.1 unknown unknown 36->43
Detection:
qbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/131f545211db2b4cae7aea8303a9212f160708747364cd32cc1f3e8d739d288f/
Threat name:
Win32.Trojan.PinkSbot
Create hunting rule
Status:
Malicious
First seen:
2021-05-21 17:02:10 UTC
AV detection:
19 of 47 (40.43%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
0970047184fffb5c2d100a43ab90579c687366bbde30ef84cba649d7343fcf53
Quakbot
187fdc2a885fb0b71873d85076ffaa4bbc4bb6af7e778b4152060c2075b3633b
Quakbot
31c42d854a77c7673a3438df6501c3a09ee530f6f4f23cc7bea891cec7bc096b
Quakbot
3b1ea4d5e223f8ca9efe521bae4ec7f126732bfe83ad538cf6a85f06266a0ecc
Quakbot
5e840de448a948691f5dcb9699a771e9b0cff4c87a279070aa049eb336afbc9f
Quakbot
5f884557aefcd5155269aefe3429153b8fb3bbf557f0b5f3cf7f0e31783ab0ef
Quakbot
61edd528387d4978fa0f61d68bb1456ab9d0081a13fc51084294b0851aa3293e
Quakbot
a5db44836af72db422a54739f7ce980d8379a3222dbfc837b18cde8e7b802455
Quakbot
d61e90fe268528db7a0eee66f064270a519b2843a59642923b137ec2b81fe5e2
Quakbot
e9264e5385d7462278cec0d25de584e2ef9d2b30824ca2172c07f9719f1053ef
Quakbot
+ 1'433 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot botnet:clinton22 campaign:1621605808 banker stealer trojan
Link:
https://tria.ge/reports/210521-1fxxd88han/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Loads dropped DLL
Qakbot/Qbot
Malware Config
C2 Extraction:
86.220.62.251:2222
189.210.115.207:443
68.204.7.158:443
105.198.236.99:443
172.78.43.46:443
72.252.201.69:443
50.244.112.106:443
45.63.107.192:443
197.45.110.165:995
24.122.166.173:443
47.22.148.6:443
72.240.200.181:2222
149.28.99.97:995
45.63.107.192:995
71.187.170.235:443
81.214.126.173:2222
81.97.154.100:443
75.67.192.125:443
73.25.124.140:2222
96.61.23.88:995
71.163.224.97:443
136.232.34.70:443
140.82.49.12:443
92.59.35.196:2222
24.139.72.117:443
68.186.192.69:443
207.246.116.237:2222
149.28.98.196:995
149.28.98.196:2222
45.77.117.108:995
45.77.115.208:443
45.32.211.207:8443
45.32.211.207:443
45.32.211.207:995
45.32.211.207:2222
144.202.38.185:443
207.246.77.75:443
207.246.77.75:995
207.246.77.75:2222
207.246.116.237:8443
207.246.77.75:8443
144.202.38.185:995
207.246.116.237:443
45.77.115.208:8443
207.246.116.237:995
45.77.117.108:443
149.28.101.90:8443
45.77.115.208:2222
45.77.117.108:8443
149.28.101.90:2222
45.77.115.208:995
149.28.101.90:995
149.28.101.90:443
149.28.98.196:443
45.77.117.108:2222
144.202.38.185:2222
216.201.162.158:443
184.185.103.157:443
71.41.184.10:3389
105.198.236.101:443
97.69.160.4:2222
24.179.77.148:443
95.77.223.148:443
115.133.243.6:443
27.223.92.142:995
144.139.47.206:443
75.118.1.141:443
76.25.142.196:443
73.151.236.31:443
222.153.124.130:995
173.21.10.71:2222
71.74.12.34:443
86.173.143.211:443
98.252.118.134:443
98.192.185.86:443
151.205.102.42:443
24.55.112.61:443
75.137.47.174:443
109.12.111.14:443
188.26.91.212:443
92.96.3.180:2078
67.165.206.193:993
50.29.166.232:995
47.196.213.73:443
86.248.16.253:2222
190.85.91.154:443
45.63.107.192:2222
149.28.99.97:2222
149.28.99.97:443
96.37.113.36:993
83.110.109.252:2222
24.229.150.54:995
45.46.53.140:2222
108.29.134.37:443
24.152.219.253:995
186.154.175.13:443
70.163.161.79:443
24.95.61.62:443
78.63.226.32:443
83.196.56.65:2222
195.6.1.154:2222
76.168.147.166:993
64.121.114.87:443
77.27.207.217:995
31.4.242.233:995
125.62.192.220:443
195.12.154.8:443
71.117.132.169:443
96.21.251.127:2222
71.199.192.62:443
70.168.130.172:995
82.12.157.95:995
209.210.187.52:995
209.210.187.52:443
67.6.12.4:443
189.222.59.177:443
174.104.22.30:443
142.117.191.18:2222
189.146.183.105:443
213.60.147.140:443
196.221.207.137:995
108.46.145.30:443
187.250.238.164:995
2.7.116.188:2222
195.43.173.70:443
106.250.150.98:443
45.67.231.247:443
83.110.103.152:443
83.110.9.71:2222
78.97.207.104:443
59.90.246.200:443
80.227.5.69:443
125.63.101.62:443
86.236.77.68:2222
109.106.69.138:2222
84.72.35.226:443
217.133.54.140:32100
197.161.154.132:443
89.137.211.239:995
74.222.204.82:995
122.148.156.131:995
156.223.110.23:443
144.139.166.18:443
202.185.166.181:443
76.94.200.148:995
71.63.120.101:443
196.151.252.84:443
202.188.138.162:443
74.68.144.202:443
69.58.147.82:2078
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/131f545211db2b4cae7aea8303a9212f160708747364cd32cc1f3e8d739d288f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-21 18:44:58 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
1) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
2) [F0002.002] Collection::Polling
4) [C0026.002] Data Micro-objective::XOR::Encode Data
6) [C0051] File System Micro-objective::Read File
7) [C0052] File System Micro-objective::Writes File
8) [C0007] Memory Micro-objective::Allocate Memory
9) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
10) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
11) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
12) [C0040] Process Micro-objective::Allocate Thread Local Storage
13) [C0017] Process Micro-objective::Create Process
14) [C0038] Process Micro-objective::Create Thread
15) [C0041] Process Micro-objective::Set Thread Local Storage Value
16) [C0018] Process Micro-objective::Terminate Process