MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 142d465bdbf028d9035d0bf496ff73147824535f88d1e66f7fe32c55a36301b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 142d465bdbf028d9035d0bf496ff73147824535f88d1e66f7fe32c55a36301b8
SHA3-384 hash: 0e13ddf826c01f1861f8b27b8ce718de9720a4581aa77deb27c14962e23ca19211965146e6aad33e9df6d9701e52314e
SHA1 hash: 863903621d8d1b6a174ea2a35001683b83fb7e8c
MD5 hash: c84b57f722d4402f1bedbd28d22b20f1
humanhash: zebra-pip-magnesium-nineteen
File name:q.png
Download: download sample
Signature Quakbot
Create hunting rule
File size:734'651 bytes
First seen:2022-06-21 17:12:48 UTC
Last seen:2022-06-21 17:48:54 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash c7f3e11e6f6fe8a9de8b31827060af69 (8 x Quakbot)
ssdeep 12288:0SHEVZKP1O+hamzhv1fm3R7yhZF0WGNYW:xSi7NvE9EeYW
Threatray 1'260 similar samples on MalwareBazaar
TLSH T16EF49E72B3E04837C1771A7C8D1BB66898297D113E3C988A7BF41D4C5F3A781366A297
TrID 47.6% (.EXE) Win32 Executable Delphi generic (14182/79/4)
15.1% (.EXE) Win32 Executable (generic) (4505/5/1)
10.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter pr0xylife
Tags:AA dll Qakbot Quakbot

Intelligence

File Origin
# of uploads :
2
# of downloads :
256
Origin country :
n/a
Vendor Threat Intelligence
Detection:
QakBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/282047/
Detection(s):
SecuriteInfo.com.W32.PinkSbot-IBC84B57F722D4.16986.7980.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Launching a process
Sending a custom TCP request
Modifying an executable file
Creating a process with a hidden window
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware keylogger overlay
Link:
https://www.filescan.io/uploads/62b1fc2208903778452da550/reports/bcc688b1-b0e9-4c97-b55f-4721985020da/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ad424f99-b575-4b5f-992d-56244087d9e3
Result
Threat name:
CryptOne
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1017325
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Creates files in the system32 config directory
Encrypted powershell cmdline option found
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected CryptOne packer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 649820 Sample: q.png Startdate: 21/06/2022 Architecture: WINDOWS Score: 100 61 Snort IDS alert for network traffic 2->61 63 Yara detected CryptOne packer 2->63 65 Sigma detected: Schedule system process 2->65 67 2 other signatures 2->67 9 loaddll32.exe 1 2->9         started        12 powershell.exe 11 2->12         started        14 powershell.exe 8 2->14         started        process3 signatures4 69 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 9->69 71 Injects code into the Windows Explorer (explorer.exe) 9->71 73 Writes to foreign memory regions 9->73 77 3 other signatures 9->77 16 explorer.exe 8 1 9->16         started        20 cmd.exe 1 9->20         started        75 Creates files in the system32 config directory 12->75 22 regsvr32.exe 12->22         started        24 conhost.exe 12->24         started        26 regsvr32.exe 14->26         started        28 conhost.exe 14->28         started        process5 file6 47 C:\Users\user\Desktop\q.dll, PE32 16->47 dropped 59 Uses schtasks.exe or at.exe to add and modify task schedules 16->59 30 schtasks.exe 1 16->30         started        32 rundll32.exe 20->32         started        35 regsvr32.exe 22->35         started        37 regsvr32.exe 26->37         started        signatures7 process8 signatures9 39 conhost.exe 30->39         started        49 Contains functionality to detect sleep reduction / modifications 32->49 41 WerFault.exe 23 9 32->41         started        51 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 35->51 53 Injects code into the Windows Explorer (explorer.exe) 35->53 55 Writes to foreign memory regions 35->55 57 2 other signatures 35->57 43 explorer.exe 8 2 35->43         started        process10 process11 45 conhost.exe 43->45         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/142d465bdbf028d9035d0bf496ff73147824535f88d1e66f7fe32c55a36301b8/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-06-21 17:13:08 UTC
File Type:
PE (Dll)
Extracted files:
38
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cqwumw636aunsa25bp2jn73tcr4ciu27rdi6m3374mwfli3dag4a._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
05abcf4f0220a026d9d591722428fb8cd87053aa9b5be0ee1a6d6cda27e926ce
Quakbot
1c5e20638c4e5892745a8bf2c9fed302d825be6bca58b46896f36116c637bc83
Quakbot
76209c7f60db832e93bdd6e68bcb2aaff914d2094f7db636e8aa19d4f43f40ea
Quakbot
7b7c1e7e308228cc4a38adaf8ca66952f12eab0ec27d594d7b59815e0950fa2f
Quakbot
877b074b2f8f46154fed79d0ee820d365148c40131ab76fe1d55d9b23204b5b1
Quakbot
a36c0298f193030753cdadef0a7f78afb02f25244d6ef552bd4afaa4550a8254
Quakbot
b674993c41ae982f26c752e411b4d3169f9b5e803df585261eb42b58dba91ded
Quakbot
ec8f7afb7234b7c5555907948439e5d48712c5ea66a5284bf46eb612cc70eca7
Quakbot
+ 1'250 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot botnet:aa campaign:1655814286 banker stealer trojan
Link:
https://tria.ge/reports/220621-vreasagbcm/
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in System32 directory
Loads dropped DLL
Qakbot/Qbot
Malware Config
C2 Extraction:
94.59.252.166:2222
201.176.6.24:995
87.109.229.215:995
74.14.5.179:2222
86.132.14.70:2078
86.98.157.42:993
189.78.107.163:32101
108.60.213.141:443
217.128.122.65:2222
148.0.46.240:443
71.13.93.154:2222
91.177.173.10:995
81.250.191.49:2222
173.174.216.62:443
70.46.220.114:443
24.43.99.75:443
32.221.224.140:995
1.161.124.241:443
67.209.195.198:443
117.248.109.38:21
40.134.246.185:995
193.253.44.249:2222
111.125.245.116:995
5.32.41.45:443
37.34.253.233:443
179.158.105.44:443
182.191.92.203:995
172.115.177.204:2222
93.48.80.198:995
148.64.96.100:443
186.90.153.162:2222
67.165.206.193:993
191.250.120.152:443
202.134.152.2:2222
100.38.242.113:995
41.228.22.180:443
45.241.205.91:993
90.120.209.197:2078
210.246.4.69:995
24.178.196.158:2222
80.11.74.81:2222
69.14.172.24:443
120.150.218.241:995
38.70.253.226:2222
47.23.89.60:993
177.45.64.254:32101
2.34.12.8:443
104.34.212.7:32103
88.251.195.142:443
92.137.225.8:2222
39.41.59.177:995
121.7.223.45:2222
176.205.21.139:1194
196.203.37.215:80
188.136.218.225:61202
39.52.59.14:995
31.215.70.37:443
83.110.94.105:443
175.145.235.37:443
208.107.221.224:443
197.89.11.167:443
1.161.124.241:995
84.241.8.23:32103
173.21.10.71:2222
76.25.142.196:443
45.46.53.140:2222
174.69.215.101:443
81.193.30.90:443
47.156.131.10:443
187.250.202.2:443
187.208.115.219:443
187.172.164.12:443
72.252.157.93:990
72.252.157.93:995
24.139.72.117:443
24.55.67.176:443
109.12.111.14:443
102.182.232.3:995
72.252.157.93:993
201.172.23.68:2222
41.84.249.56:995
70.51.132.161:2222
162.252.222.118:443
191.34.121.84:443
113.53.152.11:443
86.195.158.178:2222
39.57.60.246:995
109.228.220.196:443
82.41.63.217:443
82.152.39.39:443
106.51.48.188:50001
103.246.242.202:443
94.36.193.176:2222
176.205.21.139:2222
41.38.167.179:995
98.50.191.202:443
190.252.242.69:443
89.101.97.139:443
185.56.243.146:443
186.105.113.65:443
39.49.69.116:995
39.44.30.209:995
68.204.15.28:443
47.157.227.70:443
187.251.132.144:22
63.143.92.99:995
31.35.28.29:443
148.252.128.73:443
42.103.128.35:2222
180.129.108.214:995
138.186.28.253:443
184.97.29.26:443
89.137.52.44:443
120.61.2.218:443
122.118.131.132:995
188.55.215.137:995
101.50.110.17:995
89.86.33.217:443
75.99.168.194:61201
103.91.182.114:2222
37.210.156.247:2222
58.105.167.36:50000
197.94.94.206:443
187.207.131.50:61202
76.70.9.169:2222
189.253.206.105:443
176.67.56.94:443
103.116.178.85:995
143.0.219.6:995
79.80.80.29:2222
37.186.58.115:995
96.37.113.36:993
78.101.194.193:6883
72.27.33.160:443
208.101.82.0:443
Unpacked files
SH256 hash:
674b5e1d7f0951639847a498222aab467b3787167658cc018c8be738e6a6b74e
MD5 hash:
c0b9aa389d866497ee135a089617623a
SHA1 hash:
9133145783827c4c46209ef211c2b4ca587b98fe
Link:
https://www.unpac.me/results/9a9459ac-b66c-4b63-b456-e461de93dc82/
SH256 hash:
717230d2a493174a3282d15d93283642a08fed5bc02eadbf30daea1cac8fa55d
MD5 hash:
467b538d0a7c8a9a3ffa2e03c3681222
SHA1 hash:
c3a8515dcd97fbae4f066f9379724a7ce9c26f34
Detections:
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/9a9459ac-b66c-4b63-b456-e461de93dc82/
Parent samples :
a36c0298f193030753cdadef0a7f78afb02f25244d6ef552bd4afaa4550a8254
142d465bdbf028d9035d0bf496ff73147824535f88d1e66f7fe32c55a36301b8
733f62a7ae7143b691882913468a375a18fb8e5b778301db590e6a9184e92b9d
SH256 hash:
142d465bdbf028d9035d0bf496ff73147824535f88d1e66f7fe32c55a36301b8
MD5 hash:
c84b57f722d4402f1bedbd28d22b20f1
SHA1 hash:
863903621d8d1b6a174ea2a35001683b83fb7e8c
Link:
https://www.unpac.me/results/9a9459ac-b66c-4b63-b456-e461de93dc82/
Malware family:
QBot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/142d465bdbf0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/142d465bdbf028d9035d0bf496ff73147824535f88d1e66f7fe32c55a36301b8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:exploit_any_poppopret
Create hunting rule
Author:Jeff White [karttoon@gmail.com] @noottrak
Description:Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:QakBot
Create hunting rule
Author:kevoreilly
Description:QakBot Payload
Rule name:unpacked_qbot
Create hunting rule
Description:Detects unpacked or memory-dumped QBot samples
Rule name:win_qakbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/282047/

Comments