MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1abc2fb23f55378947bf528996b50ffed195a059d5f7b537271792704eb5cd4c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1abc2fb23f55378947bf528996b50ffed195a059d5f7b537271792704eb5cd4c
SHA3-384 hash: 99420865e130d355d0de7ed233d78d7deb3aa67a88208f6b25bdbad8edfe5aefcc5a97f17c70866321ecdbe1de039031
SHA1 hash: 2596f834041095c888b45e61ca48df3d4ce3a99d
MD5 hash: f24a452723c7e5d1f85eab7f5ec7ecd9
humanhash: violet-washington-butter-oscar
File name:onanism.dat
Download: download sample
Signature Quakbot
Create hunting rule
File size:483'840 bytes
First seen:2022-10-03 15:58:42 UTC
Last seen:2022-10-03 16:42:34 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 2db63a3cf4d0f2034045aa22cff90795 (1 x Quakbot)
ssdeep 6144:icJ88bsBZpZKeiJb1pPMkKvHrdTcf7CsHW8kYTRapUQsJT8Td++seeAOA0Y:VJDoBZjFibAOTCs28k2gN/rea0Y
Threatray 1'449 similar samples on MalwareBazaar
TLSH T1ACA49E06B652C471CA6911B12C36BBE442ACAC358F741ADB37C01F7789A51F77E28F26
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter pr0xylife
Tags:dll Quakbot

Intelligence

File Origin
# of uploads :
2
# of downloads :
252
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/316168/
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Searching for synchronization primitives
Modifying an executable file
Creating a window
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/633b06c70d3d21420cca4844/reports/84b2c276-c439-4136-9c5e-6f26c1858b75/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2c492775-4954-45a2-a840-0aa839749b70
Result
Threat name:
Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1082623
Signature
Allocates memory in foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Execute DLL with spoofed extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 715180 Sample: onanism.dat.dll Startdate: 03/10/2022 Architecture: WINDOWS Score: 96 31 Malicious sample detected (through community Yara rule) 2->31 33 Multi AV Scanner detection for submitted file 2->33 35 Yara detected Qbot 2->35 37 3 other signatures 2->37 8 loaddll32.exe 1 2->8         started        process3 process4 10 rundll32.exe 8->10         started        13 cmd.exe 1 8->13         started        15 regsvr32.exe 8->15         started        17 3 other processes 8->17 signatures5 47 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 10->47 49 Writes to foreign memory regions 10->49 51 Allocates memory in foreign processes 10->51 19 wermgr.exe 8 1 10->19         started        22 rundll32.exe 13->22         started        53 Maps a DLL or memory area into another process 15->53 25 wermgr.exe 15->25         started        process6 file7 29 C:\Users\user\Desktop\onanism.dat.dll, PE32 19->29 dropped 39 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 22->39 41 Writes to foreign memory regions 22->41 43 Allocates memory in foreign processes 22->43 45 Maps a DLL or memory area into another process 22->45 27 wermgr.exe 22->27         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1abc2fb23f55378947bf528996b50ffed195a059d5f7b537271792704eb5cd4c/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-10-03 15:59:09 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dk6c7mr7ku3ysr57kkeznnip73izlicz2x33knzhc6jhatvvzvga._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
1965dc57456d4fc01b6ce0f242d80776fe08a16354e6177255cba618348355ac
Quakbot
27fbfb86936343fc18bb61811401c96c052ecdff080da3bdb403545d55cf2b2a
Quakbot
42ad1e843f44a725a6666d3d27f10caaa2252a05e1bc0b9c3c315496728f9f25
Quakbot
5b54f57dbaa74fa589afb2d26d6c6b39e0c2930bd88fea3172556ce96b3eb959
Quakbot
5e5c55c133d644de044f5bcb782b618fd188a1c6ca707298815ab23295fb43c1
Quakbot
e3a2c056c730666fedabfed5e3cc2dee12d9c3ca36ac2d7c5289cfe29c125050
Quakbot
+ 1'439 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot banker stealer trojan
Link:
https://tria.ge/reports/221003-te21msdgh9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Qakbot/Qbot
Malware Config
C2 Extraction:
99.221.33.122:35602
29.202.180.222:51620
23.94.40.182:4331
34.19.16.166:1288
241.163.135.223:50051
32.107.156.85:19172
228.49.142.11:64889
196.202.140.31:7400
110.114.87.194:23019
217.188.119.28:9613
29.44.169.79:27952
169.83.63.109:46511
47.65.80.200:49855
50.140.194.100:14738
152.64.159.219:41214
12.255.117.222:36282
199.246.11.177:40851
81.180.116.241:1057
87.3.215.226:21496
247.44.83.206:32161
110.141.155.115:21355
126.7.15.81:38878
246.166.147.15:42079
71.118.48.68:16876
240.237.58.79:52135
228.135.88.101:8170
37.13.235.189:18671
187.156.210.204:4243
146.54.170.64:61188
240.132.30.162:19966
23.207.217.71:260
125.250.215.162:30167
242.193.131.8:56589
188.7.186.109:6729
80.147.52.103:32403
232.222.181.12:36938
165.107.195.136:37237
193.129.246.98:0
162.224.55.111:30915
17.105.54.14:63284
149.253.253.235:19955
148.219.182.10:5489
56.214.171.2:7637
171.182.161.115:60821
175.2.110.61:49611
99.130.91.79:29604
136.197.36.254:0
Unpacked files
SH256 hash:
45b06b4ea4f9e69bfd93baf5ed1da9059ce91a6faf0c27a586d1960d1f7c709d
MD5 hash:
0e77f14378f61ce84bebb92e0797fbd8
SHA1 hash:
431ebcc88a23fa53d806dfba3f511dc8ec513438
Detections:
Qakbot
Create hunting rule
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/6591a458-3612-4408-be73-1f8ca7daf03f/
Parent samples :
1965dc57456d4fc01b6ce0f242d80776fe08a16354e6177255cba618348355ac
1abc2fb23f55378947bf528996b50ffed195a059d5f7b537271792704eb5cd4c
e91f4205e8fa14ac9acd4b6cf9a54e2fa8b3901e619e18b3fa22188ef1ddeaff
SH256 hash:
1abc2fb23f55378947bf528996b50ffed195a059d5f7b537271792704eb5cd4c
MD5 hash:
f24a452723c7e5d1f85eab7f5ec7ecd9
SHA1 hash:
2596f834041095c888b45e61ca48df3d4ce3a99d
Link:
https://www.unpac.me/results/6591a458-3612-4408-be73-1f8ca7daf03f/
Malware family:
QBot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1abc2fb23f55/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1abc2fb23f55378947bf528996b50ffed195a059d5f7b537271792704eb5cd4c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:QakBot
Create hunting rule
Author:kevoreilly
Description:QakBot Payload
Rule name:unpacked_qbot
Create hunting rule
Description:Detects unpacked or memory-dumped QBot samples
Rule name:win_qakbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.
Rule name:win_qakbot_malped
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Quakbot

zip fc600017ebd6e3866e6ac4b407962a5f1f9befe4a4b1966874d523fd4a984d31

Quakbot

DLL dll 1abc2fb23f55378947bf528996b50ffed195a059d5f7b537271792704eb5cd4c

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/316168/
  
Dropped by
SHA256 fc600017ebd6e3866e6ac4b407962a5f1f9befe4a4b1966874d523fd4a984d31
  
Dropped by
MD5 ce75bdf25dc3ffaf5b77f0a781fee3c1

Comments