MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a5df6cc0523aa65780ac5565fe19fee7d2473ee8402857af04125bd36f449b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1a5df6cc0523aa65780ac5565fe19fee7d2473ee8402857af04125bd36f449b2
SHA3-384 hash: 524218e6edc52700f57e9665b402bb23917836dd0d870e8ac6678fe19147138b3f73363175805d94f828b46da8ecd75b
SHA1 hash: 1173b6e2ee70b5aa5ae6ea389bc22264bc17dbbd
MD5 hash: dee6ba42dfe4a7e4df153a3e2d09afc0
humanhash: mountain-cup-rugby-bacon
File name:44687.1701525463.dat.exe
Download: download sample
Signature Quakbot
Create hunting rule
File size:574'464 bytes
First seen:2022-05-06 08:10:49 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 22b99fa302038e0141db17211e65b333 (5 x Quakbot)
ssdeep 12288:4QZcD4XyPsVAhrvjYhTZhzsKnaFiE/AbG0vZRz5B:jZtiP9pGzgKEiEQ1ZRdB
Threatray 1'029 similar samples on MalwareBazaar
TLSH T1E7C4A022F3D0883BD1731A7D8D57B764982ABE812D74AC8B2BE41E8C8F397817525357
TrID 47.6% (.EXE) Win32 Executable Delphi generic (14182/79/4)
15.1% (.EXE) Win32 Executable (generic) (4505/5/1)
10.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter madjack_red
Tags:dll Quakbot

Intelligence

File Origin
# of uploads :
1
# of downloads :
257
Origin country :
n/a
Vendor Threat Intelligence
Detection:
QakBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/269019/
Detection(s):
Win.Malware.Zusy-9910308-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Launching a process
Modifying an executable file
Searching for synchronization primitives
Creating a process with a hidden window
Sending a custom TCP request
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe keylogger packed
Link:
https://www.filescan.io/uploads/6274d827bd5c76586e15c79f/reports/a67dbcdd-81f7-40a0-a580-66d8e8ce21b3/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/674777f6-4ed8-43f3-9b6b-3b30f2f477c3
Result
Threat name:
CryptOne Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/988953
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Found malware configuration
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Execute DLL with spoofed extension
Sigma detected: Schedule system process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected CryptOne packer
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 621449 Sample: 44687.1701525463.dat.exe Startdate: 06/05/2022 Architecture: WINDOWS Score: 100 66 Found malware configuration 2->66 68 Multi AV Scanner detection for submitted file 2->68 70 Yara detected CryptOne packer 2->70 72 5 other signatures 2->72 9 loaddll32.exe 1 2->9         started        12 regsvr32.exe 2->12         started        14 regsvr32.exe 2->14         started        process3 signatures4 74 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 9->74 76 Injects code into the Windows Explorer (explorer.exe) 9->76 78 Writes to foreign memory regions 9->78 80 3 other signatures 9->80 16 explorer.exe 8 1 9->16         started        20 cmd.exe 1 9->20         started        22 regsvr32.exe 12->22         started        24 regsvr32.exe 14->24         started        process5 file6 50 C:\Users\user\...\44687.1701525463.dat.dll, PE32 16->50 dropped 54 Uses cmd line tools excessively to alter registry or file data 16->54 56 Uses schtasks.exe or at.exe to add and modify task schedules 16->56 26 schtasks.exe 1 16->26         started        28 rundll32.exe 20->28         started        58 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 22->58 60 Injects code into the Windows Explorer (explorer.exe) 22->60 62 Writes to foreign memory regions 22->62 64 3 other signatures 22->64 31 explorer.exe 8 2 22->31         started        signatures7 process8 signatures9 33 conhost.exe 26->33         started        82 Contains functionality to detect sleep reduction / modifications 28->82 35 WerFault.exe 20 9 28->35         started        38 explorer.exe 28->38         started        84 Uses cmd line tools excessively to alter registry or file data 31->84 40 reg.exe 1 1 31->40         started        42 reg.exe 1 1 31->42         started        44 conhost.exe 31->44         started        process10 dnsIp11 52 192.168.2.1 unknown unknown 35->52 46 conhost.exe 40->46         started        48 conhost.exe 42->48         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1a5df6cc0523aa65780ac5565fe19fee7d2473ee8402857af04125bd36f449b2/
Threat name:
Win32.Trojan.QBot
Create hunting rule
Status:
Malicious
First seen:
2022-05-06 08:11:09 UTC
File Type:
PE (Dll)
Extracted files:
38
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=djo7ntafeovgk6akyvlf7ym75z6si47oqqbik6xqies32nxujgza._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
06cfccd728289970135c714172ed359fe1075af9f2852902998e3b49e75b2099
Quakbot
2e568648636c1fbb913e2ec44daa161127686b41adaaf076aa23534e85571e16
Quakbot
b2836b4f7e90321048bbd5a6b6d61877efec98631d6357672fff9ff933f88253
Quakbot
b660a1f7a7d88cb931721e680c9911a28e83dbc6120eae3cd2875fad107206f4
Quakbot
c7c420b02b00e4a8abfb23baed70bfa3051821d5405f3183926768acd4517971
Quakbot
e941c28da1fca27de32514686e3c5dfa6fbc713764d16715bd285534bd983fd3
Quakbot
+ 1'019 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220506-j29nwsccgl/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Program crash
Loads dropped DLL
Unpacked files
SH256 hash:
527e9d61ddeff064647d956d52b1780e2d6bbf9a28f30efdc7c30f985629dc43
MD5 hash:
0472c872620ed002ca3f20878019e1ed
SHA1 hash:
f7ec5d5ab11beb372e72e0981100876d3c3d4597
Link:
https://www.unpac.me/results/c9c9c994-4219-468b-956a-6cf187d56a8c/
SH256 hash:
931a012c14e0289cffd0ef48b433493e2b6d0fc4100e8e36ad1af9966e314286
MD5 hash:
aa20ad2e6405b98fc552282d089447e9
SHA1 hash:
a1b8f7721560ea8120e2da2e25d54ebd32b9c19b
Detections:
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/c9c9c994-4219-468b-956a-6cf187d56a8c/
Parent samples :
c7c420b02b00e4a8abfb23baed70bfa3051821d5405f3183926768acd4517971
b2836b4f7e90321048bbd5a6b6d61877efec98631d6357672fff9ff933f88253
e941c28da1fca27de32514686e3c5dfa6fbc713764d16715bd285534bd983fd3
2e568648636c1fbb913e2ec44daa161127686b41adaaf076aa23534e85571e16
b660a1f7a7d88cb931721e680c9911a28e83dbc6120eae3cd2875fad107206f4
454cab7d08e79574023d86735fbd87ea84a1e36af097e29fff4a54186269858a
1a5df6cc0523aa65780ac5565fe19fee7d2473ee8402857af04125bd36f449b2
c4e64cace2a3d08bcd96617d935bc90e204ba0b734c8b07f9a5039f2bbf80b49
44cfb6402b0f532e79f5ffde32fa0cdf402f880cca5d929c1f4cb03497690391
d762057dd5a76075f38baf15f8f453416cb5c446253a5aff0427f09a3755e302
3f177ea2417a396dcfb2bca475c0680848980f412a3efc8693a46a8cb8eeeaca
4655f8ceab36ab8e2e91e038b4fad864c5e08f8fdde8d9889aab4c447fdc5264
81e6b3957773675320a240ef080cf4a52e2fa72c66a60a716296b68121cefd06
SH256 hash:
1a5df6cc0523aa65780ac5565fe19fee7d2473ee8402857af04125bd36f449b2
MD5 hash:
dee6ba42dfe4a7e4df153a3e2d09afc0
SHA1 hash:
1173b6e2ee70b5aa5ae6ea389bc22264bc17dbbd
Link:
https://www.unpac.me/results/c9c9c994-4219-468b-956a-6cf187d56a8c/
Malware family:
CryptOne
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1a5df6cc0523/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1a5df6cc0523aa65780ac5565fe19fee7d2473ee8402857af04125bd36f449b2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:QakBot
Create hunting rule
Author:kevoreilly
Description:QakBot Payload
Rule name:win_qakbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/269019/

Comments