MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a979befbb818957b361b695fa34543f521a654ac7567ef79a22bb382b1ee0b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Quakbot


Vendor detections: 11



SHA256 hash: 1a979befbb818957b361b695fa34543f521a654ac7567ef79a22bb382b1ee0b5
SHA3-384 hash: 8602d03899e73521fa9ecb1c7f992c0fb07e4c6e007895769e86755c46caa331d9eba34066abaeff1b9c9bdb5619ba7f
SHA1 hash: 427ad3b91f2ea33cc99c8c98780c7884655d373e
MD5 hash: 56ef1d9b70d6a6860868d521a8bb2865
humanhash: butter-glucose-magazine-hawaii
File name: grouts.tmp
Download: download sample
Signature: Quakbot
File size: 1'563'136 bytes
First seen: 2022-11-14 15:12:12 UTC
Last seen: 2022-11-14 16:43:50 UTC
File type: DLL dll
MIME type: application/x-dosexec
imphash 0e2a4a023bd87e533d8d58e97eeac211 (1 x Quakbot)
ssdeep 24576:M3VzebIGQvSeKV9TAwPZ8nPQQrrabMxNd6LE3Sl+:4JvgMQM3fd66Sw
Threatray 1'753 similar samples on MalwareBazaar
TLSH T15F758D32B6D284F7F476163C9C6BAF9998E979111D2C585A3FE40E0C0F3A6413E292D7
TrID 28.8% (.EXE) Win32 Executable (generic) (4505/5/1)
19.2% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
13.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
12.9% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE): [icon image]
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter pr0xylife
Tags:1668418916 BB06 dll Qakbot Quakbot

Intelligence


File Origin
# of uploads :
2
# of downloads :
231
Origin country :
US
Vendor Threat Intelligence
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a window
Searching for synchronization primitives
Launching a process
Modifying an executable file
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware hacktool keylogger
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name:
Win32.Trojan.QBot
Status:
Malicious
First seen:
2022-11-14 15:13:08 UTC
File Type:
PE (Dll)
Extracted files:
38
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:qakbot botnet:bb06 campaign:1668418916 banker stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Program crash
Qakbot/Qbot
Malware Config
C2 Extraction:
24.142.218.202:443
152.170.17.136:443
90.104.22.28:2222
24.64.114.59:61202
86.225.214.138:2222
92.27.86.48:2222
70.120.228.205:2083
24.206.27.39:443
27.99.45.237:2222
105.103.27.80:32103
170.253.25.35:443
24.64.114.59:2222
92.207.132.174:2222
86.133.237.3:443
172.117.139.142:995
108.6.249.139:443
92.239.81.124:443
86.129.13.128:2222
47.34.30.133:443
86.148.55.111:443
94.63.65.146:443
24.64.114.59:3389
184.153.132.82:443
74.66.134.24:443
83.11.84.105:2222
105.184.161.242:443
82.121.237.106:2222
112.141.184.246:995
91.165.188.74:50000
91.180.68.95:2222
188.4.196.132:995
88.171.156.150:50000
83.7.56.214:443
75.99.125.238:2222
105.103.27.80:990
62.35.67.88:443
105.103.27.80:2078
62.31.130.138:465
87.220.205.14:2222
193.3.19.137:443
73.36.196.11:443
24.116.45.121:443
2.84.98.228:2222
50.68.204.71:443
85.59.61.52:2222
58.247.115.126:995
180.151.104.143:443
212.251.122.147:995
100.16.107.117:443
24.49.232.96:443
174.77.209.5:443
157.231.42.190:443
73.165.119.20:443
213.91.235.146:443
87.223.88.205:443
90.221.5.105:443
50.68.204.71:995
79.37.204.67:443
98.145.23.67:443
86.171.75.63:443
76.68.34.167:2222
41.109.78.231:995
24.49.232.96:995
93.24.192.142:20
186.188.80.154:443
89.129.109.27:2222
213.67.255.57:2222
92.185.204.18:2078
92.137.74.174:2222
78.69.251.252:2222
190.24.45.24:995
92.106.70.62:2222
109.11.175.42:2222
24.28.121.122:443
78.253.154.211:50000
81.111.108.123:443
78.92.133.215:443
76.127.192.23:443
149.126.159.224:443
77.126.81.208:443
105.103.27.80:22
81.159.252.167:2222
94.60.141.48:995
75.143.236.149:443
110.4.255.247:443
170.249.59.153:443
75.98.154.19:443
173.239.94.212:443
176.142.207.63:443
87.202.101.164:50000
151.32.168.124:443
74.92.243.113:50000
31.190.68.212:443
85.74.158.150:2222
24.64.114.59:2078
69.133.162.35:443
84.35.26.14:995
174.104.184.149:443
136.232.184.134:995
68.47.128.161:443
50.68.204.71:993
87.65.160.87:995
200.233.108.153:995
206.1.223.209:2087
109.152.70.207:50000
174.45.15.123:443
81.229.117.95:2222
47.41.154.250:443
72.82.136.90:443
88.126.94.4:50000
89.240.102.164:995
190.18.236.175:443
175.205.2.54:443
82.127.174.33:2222
24.228.132.224:2222
174.101.111.4:443
91.169.12.198:32100
157.231.42.190:995
74.33.84.227:443
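The C2 list above is a set of plain ip:port pairs extracted from the sample's configuration, and the same IP appears on several ports (24.64.114.59 on 61202, 2222, 3389 and 2078; 105.103.27.80 on 32103, 990, 2078 and 22). The script below is an added example, not code from MalwareBazaar or from the sample: it parses a subset of the endpoints copied from the list above, validates each entry, matches them against constructed iptables-style firewall log lines (the log lines and the `FW-OUT` prefix are invented for illustration), and renders Suricata-style rules whose exact syntax is assumed rather than taken from the page.

```python
"""Match Qakbot C2 endpoints from this MalwareBazaar entry against firewall logs.

Added example, not code from MalwareBazaar or from the sample. C2_RAW is a
subset copied from the entry's "C2 Extraction" list; SAMPLE_LOG is constructed.
"""
from __future__ import annotations
import ipaddress
import re
from typing import Iterable

# Subset of the C2 endpoints listed above (ip:port), copied from the entry.
C2_RAW = """\
24.142.218.202:443
152.170.17.136:443
90.104.22.28:2222
24.64.114.59:61202
24.64.114.59:2222
24.64.114.59:3389
24.64.114.59:2078
105.103.27.80:32103
105.103.27.80:990
105.103.27.80:2078
105.103.27.80:22
93.24.192.142:20
50.68.204.71:443
50.68.204.71:995
50.68.204.71:993
"""

def parse_c2_list(text: str) -> set[tuple[str, int]]:
    """Parse 'ip:port' lines into (ip, port) tuples, validating both parts.

    A malformed line raises ValueError instead of being silently dropped, so a
    typo in a hand-copied IOC list is caught rather than becoming a blind spot.
    """
    endpoints: set[tuple[str, int]] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, sep, port = line.rpartition(":")
        if not sep:
            raise ValueError(f"no port in {line!r}")
        ip = ipaddress.ip_address(host)  # raises ValueError on junk
        p = int(port)
        if not 0 < p < 65536:
            raise ValueError(f"bad port in {line!r}")
        endpoints.add((str(ip), p))
    return endpoints

# Constructed iptables-style log lines; NOT real traffic from any host.
SAMPLE_LOG = """\
Nov 14 15:20:01 gw kernel: FW-OUT SRC=10.0.0.15 DST=24.142.218.202 PROTO=TCP SPT=51234 DPT=443
Nov 14 15:20:02 gw kernel: FW-OUT SRC=10.0.0.15 DST=24.64.114.59 PROTO=TCP SPT=51235 DPT=2222
Nov 14 15:20:03 gw kernel: FW-OUT SRC=10.0.0.22 DST=24.64.114.59 PROTO=TCP SPT=51236 DPT=8080
Nov 14 15:20:04 gw kernel: FW-OUT SRC=10.0.0.22 DST=93.184.216.34 PROTO=TCP SPT=51237 DPT=443
Nov 14 15:20:05 gw kernel: FW-OUT SRC=10.0.0.31 DST=105.103.27.80 PROTO=TCP SPT=51238 DPT=22
"""

LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)")

def find_c2_hits(log_lines: Iterable[str], c2: set[tuple[str, int]],
                 ip_only: bool = False) -> list[tuple[str, str, int]]:
    """Return (src, dst, dport) for each log line whose destination is a listed C2.

    ip_only=False requires the exact ip:port pair from the config. ip_only=True
    treats any port to a listed IP as a hit, which is the looser triage view:
    the entry lists the same IP on several ports, so the port alone is not a
    reliable discriminator.
    """
    c2_ips = {ip for ip, _ in c2}
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        dst, dpt = m["dst"], int(m["dpt"])
        if (dst, dpt) in c2 or (ip_only and dst in c2_ips):
            hits.append((m["src"], dst, dpt))
    return hits

def suricata_rules(c2: set[tuple[str, int]], sid_base: int = 9000001) -> list[str]:
    """Render one Suricata-style alert rule per endpoint (rule syntax is assumed)."""
    rules = []
    for i, (ip, port) in enumerate(sorted(c2)):
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"Qakbot BB06 C2 {ip}:{port}"; sid:{sid_base + i}; rev:1;)'
        )
    return rules

if __name__ == "__main__":
    c2 = parse_c2_list(C2_RAW)
    for src, dst, dpt in find_c2_hits(SAMPLE_LOG.splitlines(), c2):
        print(f"C2 hit: {src} -> {dst}:{dpt}")
    print("\n".join(suricata_rules(c2)[:3]))
```

Exact ip:port matching flags three of the five constructed lines; the third line (24.64.114.59 on port 8080) only surfaces with `ip_only=True`. Qakbot C2 endpoints of this kind are typically infected residential hosts acting as proxies, so expect the list to churn and re-pull the entry's C2 extraction rather than treating this subset as current.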
Unpacked files
SHA256 hash:
de357a9de0ea7bd70f893676c78e53cb15e93c945c2467bf3a51664fdfc14bfc
MD5 hash:
117abd21fc673285123acc5b924dcc8d
SHA1 hash:
565cb60fc7f3d675dd5c13f75c1124dd37ca8865
SHA256 hash:
6440ddf20cd76372a19f2eb71148a0548607ab41677a0a9b3dcee4bc8b7629d3
MD5 hash:
243330e1aca83f37aea2848f2e3fc21f
SHA1 hash:
7b08cdae0879b34f112907ce18aa7fa060a4ded3
Detections:
Qakbot win_qakbot_auto
SHA256 hash:
1a979befbb818957b361b695fa34543f521a654ac7567ef79a22bb382b1ee0b5
MD5 hash:
56ef1d9b70d6a6860868d521a8bb2865
SHA1 hash:
427ad3b91f2ea33cc99c8c98780c7884655d373e
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments