MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1965dc57456d4fc01b6ce0f242d80776fe08a16354e6177255cba618348355ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1965dc57456d4fc01b6ce0f242d80776fe08a16354e6177255cba618348355ac
SHA3-384 hash: 256d92d6085558220aafdef82eaffbfba6e0bebe8cfe5a2323a2264b075c41bf08606e2a4f4631f4449f2071b156e46b
SHA1 hash: 38cac8495ef43e51cdac1cb5e85d10137b365bee
MD5 hash: d89521adaf6418e6ebe43b1a1a9d2af9
humanhash: friend-missouri-twenty-jupiter
File name:pebbles.dat
Download: download sample
Signature Quakbot
Create hunting rule
File size:493'056 bytes
First seen:2022-10-03 15:16:17 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 8877a7b766af3aace7fcad8462a174cc (1 x Quakbot)
ssdeep 12288:Y2X+B4HKFVxT5jXAcOf35HI9H5RGqdIhr54f:L5EVl5DC4HDbd
Threatray 1'448 similar samples on MalwareBazaar
TLSH T1DBA48D0AB612C430D66910B12876BBE047ACBD325E751EDF73805F778A641F77A29F22
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter pr0xylife
Tags:BB dll Qakbot Quakbot

Intelligence

File Origin
# of uploads :
1
# of downloads :
281
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/316158/
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.13270.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Searching for synchronization primitives
Modifying an executable file
Creating a window
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/633afceed5955f6f49d5d10b/reports/6cecceab-2eee-46ec-8594-294e530b9a5a/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b63293ff-dfcc-45cb-ad85-2caec03cf710
Result
Threat name:
Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1082598
Signature
Allocates memory in foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Execute DLL with spoofed extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 715156 Sample: pebbles.dat.dll Startdate: 03/10/2022 Architecture: WINDOWS Score: 96 31 Malicious sample detected (through community Yara rule) 2->31 33 Multi AV Scanner detection for submitted file 2->33 35 Yara detected Qbot 2->35 37 3 other signatures 2->37 8 loaddll32.exe 1 2->8         started        process3 process4 10 rundll32.exe 8->10         started        13 cmd.exe 1 8->13         started        15 regsvr32.exe 8->15         started        17 3 other processes 8->17 signatures5 47 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 10->47 49 Writes to foreign memory regions 10->49 51 Allocates memory in foreign processes 10->51 19 wermgr.exe 8 1 10->19         started        22 rundll32.exe 13->22         started        53 Maps a DLL or memory area into another process 15->53 25 wermgr.exe 15->25         started        process6 file7 29 C:\Users\user\Desktop\pebbles.dat.dll, PE32 19->29 dropped 39 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 22->39 41 Writes to foreign memory regions 22->41 43 Allocates memory in foreign processes 22->43 45 Maps a DLL or memory area into another process 22->45 27 wermgr.exe 22->27         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1965dc57456d4fc01b6ce0f242d80776fe08a16354e6177255cba618348355ac/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-10-03 15:17:06 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dfs5yv2fnvh4ag3m4dzefwaho37arildkttbo4svzotbqnedkwwa._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
27fbfb86936343fc18bb61811401c96c052ecdff080da3bdb403545d55cf2b2a
Quakbot
42ad1e843f44a725a6666d3d27f10caaa2252a05e1bc0b9c3c315496728f9f25
Quakbot
5b54f57dbaa74fa589afb2d26d6c6b39e0c2930bd88fea3172556ce96b3eb959
Quakbot
5e5c55c133d644de044f5bcb782b618fd188a1c6ca707298815ab23295fb43c1
Quakbot
e3a2c056c730666fedabfed5e3cc2dee12d9c3ca36ac2d7c5289cfe29c125050
Quakbot
+ 1'438 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot banker stealer trojan
Link:
https://tria.ge/reports/221003-sn1y9scfap/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Qakbot/Qbot
Malware Config
C2 Extraction:
99.221.33.122:35602
29.202.180.222:51620
23.94.40.182:4331
34.19.16.166:1288
241.163.135.223:50051
32.107.156.85:19172
228.49.142.11:64889
196.202.140.31:7400
110.114.87.194:23019
217.188.119.28:9613
29.44.169.79:27952
169.83.63.109:46511
47.65.80.200:49855
50.140.194.100:14738
152.64.159.219:41214
12.255.117.222:36282
199.246.11.177:40851
81.180.116.241:1057
87.3.215.226:21496
247.44.83.206:32161
110.141.155.115:21355
126.7.15.81:38878
246.166.147.15:42079
71.118.48.68:16876
240.237.58.79:52135
228.135.88.101:8170
37.13.235.189:18671
187.156.210.204:4243
146.54.170.64:61188
240.132.30.162:19966
23.207.217.71:260
125.250.215.162:30167
242.193.131.8:56589
188.7.186.109:6729
80.147.52.103:32403
232.222.181.12:36938
165.107.195.136:37237
193.129.246.98:0
162.224.55.111:30915
17.105.54.14:63284
149.253.253.235:19955
148.219.182.10:5489
56.214.171.2:7637
171.182.161.115:60821
175.2.110.61:49611
99.130.91.79:29604
136.197.36.254:0
Unpacked files
SH256 hash:
45b06b4ea4f9e69bfd93baf5ed1da9059ce91a6faf0c27a586d1960d1f7c709d
MD5 hash:
0e77f14378f61ce84bebb92e0797fbd8
SHA1 hash:
431ebcc88a23fa53d806dfba3f511dc8ec513438
Detections:
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/4b654787-4272-4693-a488-d571149a74e5/
Parent samples :
1965dc57456d4fc01b6ce0f242d80776fe08a16354e6177255cba618348355ac
1abc2fb23f55378947bf528996b50ffed195a059d5f7b537271792704eb5cd4c
e91f4205e8fa14ac9acd4b6cf9a54e2fa8b3901e619e18b3fa22188ef1ddeaff
SH256 hash:
505958cb297c622978dc33faa8fc456744404f73ee200a2644c37cad9cc363c2
MD5 hash:
14c54900c418218660d84a42d1ea57ee
SHA1 hash:
1eb3dcea460688ecf9de6e418eefc78e5d3a9b8a
Link:
https://www.unpac.me/results/4b654787-4272-4693-a488-d571149a74e5/
SH256 hash:
1965dc57456d4fc01b6ce0f242d80776fe08a16354e6177255cba618348355ac
MD5 hash:
d89521adaf6418e6ebe43b1a1a9d2af9
SHA1 hash:
38cac8495ef43e51cdac1cb5e85d10137b365bee
Link:
https://www.unpac.me/results/4b654787-4272-4693-a488-d571149a74e5/
Malware family:
QBot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1965dc57456d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1965dc57456d4fc01b6ce0f242d80776fe08a16354e6177255cba618348355ac

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/316158/

Comments