MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e65784e3a7c5257c84077c4cb3385efebe255dcb9158762ed15648ef2d8e697. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 7



SHA256 hash: 1e65784e3a7c5257c84077c4cb3385efebe255dcb9158762ed15648ef2d8e697
SHA3-384 hash: 3a94c7445c9c8e00ef3740160869e247c69adc768b3b3344d858ca6dbe74829ee592b252299875fd267078079b0c930c
SHA1 hash: a00c696c050131ed2b83154468fc2b80b550b985
MD5 hash: d39b3724920742864b1e3d0f3b01f39a
humanhash: autumn-oven-sixteen-floor
File name: ch1.ocx
Signature: Quakbot
File size: 452'732 bytes
First seen: 2022-02-28 18:57:41 UTC
Last seen: 2022-02-28 20:48:56 UTC
File type: DLL dll
MIME type: application/x-dosexec
ssdeep: 12288:qO4uLHNJbWW3kyGTuq5V8zS0dUktS0z09fGuDFDHM4R:qRuBZV0uE8z1dUt9OuDFDHM4R
Threatray: 92 similar samples on MalwareBazaar
TLSH: T1B6A4BFF875146DD6EB6F477BDA96ACEC037617228AC798CD80647BC305A3375EE02809
Reporter: k3dg3___
Tags: dll qbot Quakbot ta577 tr

Intelligence


File Origin
# of uploads: 2
# of downloads: 199
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:

Behaviour:
Searching for the window
Sending a custom TCP request
DNS request
Launching a process
Creating a window
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: overlay packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 88 / 100
Signature
Allocates memory in foreign processes
Found malware configuration
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Suspicious Call by Ordinal
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph (ID: 580098; Sample: ch1.ocx; Startdate: 28/02/2022; Architecture: WINDOWS; Score: 88). Process tree and attached signatures recovered from the graph:
  sample: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected Qbot; Sigma detected: Suspicious Call by Ordinal
    loaddll32.exe: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 2 other signatures
      cmd.exe
        rundll32.exe: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 2 other signatures
          explorer.exe
      rundll32.exe: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions
        explorer.exe
      regsvr32.exe: Allocates memory in foreign processes; Maps a DLL or memory area into another process
        explorer.exe
      explorer.exe
Threat name: Win32.Backdoor.Quakbot
Status: Malicious
First seen: 2022-02-28 18:58:10 UTC
File Type: PE (Dll)
AV detection: 20 of 28 (71.43%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:qakbot botnet:tr campaign:1646033426 banker stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Qakbot/Qbot
Malware Config
C2 Extraction:
121.7.223.188:2222
124.41.193.166:443
197.167.46.225:993
93.48.80.198:995
41.43.13.54:995
160.179.145.47:443
182.191.92.203:995
39.41.139.127:995
75.99.168.194:61201
193.253.44.249:2222
38.70.253.226:2222
176.110.96.225:443
41.228.22.180:443
5.88.12.21:443
173.21.10.71:2222
102.65.38.67:443
144.202.2.175:995
105.184.116.32:995
92.177.45.46:2078
78.191.34.56:995
41.84.247.27:995
89.137.52.44:443
180.233.150.134:995
190.189.33.6:32101
76.70.9.169:2222
120.150.218.241:995
220.129.52.36:443
67.209.195.198:443
217.128.122.65:2222
141.237.64.254:995
184.100.174.73:443
32.221.231.1:443
129.208.10.192:995
114.79.148.170:443
89.211.185.240:2222
121.74.187.191:995
84.241.8.23:32103
39.49.110.154:995
96.21.251.127:2222
149.135.101.20:443
2.50.41.69:61200
139.228.65.100:2222
45.46.53.140:2222
74.15.2.252:2222
136.143.11.232:443
209.210.95.228:32100
120.61.3.199:443
75.156.151.34:443
63.143.92.99:995
185.249.85.209:443
58.105.167.35:50000
31.215.84.57:2222
197.89.109.221:443
190.73.3.148:2222
144.202.2.175:443
176.67.56.94:443
66.230.104.103:443
175.137.153.178:443
47.180.172.159:443
71.74.12.34:443
75.99.168.194:443
103.139.242.30:990
140.82.49.12:443
47.180.172.159:50010
117.248.109.38:21
2.50.27.78:443
41.13.143.139:443
24.178.196.158:2222
39.52.38.109:995
128.106.122.206:443
167.86.202.26:443
180.183.100.147:2222
86.98.156.238:993
39.44.124.140:995
76.25.142.196:443
47.23.89.60:993
173.174.216.62:443
208.107.221.224:443
76.69.155.202:2222
73.151.236.31:443
189.253.111.123:995
82.41.63.217:443
109.12.111.14:443
89.101.97.139:443
86.198.170.170:2222
75.188.35.168:443
105.184.249.182:995
161.142.63.168:443
68.204.7.158:443
86.98.148.18:995
86.139.33.187:443
197.167.46.225:995
197.164.171.102:995
2.51.171.43:995
101.50.110.176:995
103.230.180.119:443
70.51.153.159:2222
189.146.51.56:443
76.169.147.192:32103
186.64.67.28:443
86.97.161.106:443
41.230.62.211:993
197.240.236.170:443
197.165.161.159:995
81.213.206.182:443
206.217.0.154:995
75.67.194.204:443
191.99.191.28:443
216.46.32.83:443
64.231.96.211:2222
70.57.207.83:443
186.69.101.54:443
72.252.201.34:990
201.103.17.10:443
40.134.247.125:995
47.156.191.217:443
100.1.108.246:443
47.158.25.67:443
67.165.206.193:993
72.252.201.34:993
39.52.196.53:995
72.252.201.34:995
208.101.87.135:443
190.206.211.182:443
31.35.28.29:443
69.14.172.24:443
70.45.27.254:443
69.144.42.24:443
78.101.152.231:61202
82.152.39.39:443
196.203.37.215:80
103.116.178.85:443
86.98.11.110:443
98.14.54.50:443
136.232.34.70:443
203.101.178.94:443
89.249.215.26:443
217.164.121.201:2222
111.125.245.118:995
1.161.108.147:995
1.161.108.147:443
41.84.224.185:443
103.87.95.131:2222
78.96.235.245:443
173.220.98.101:443
94.59.58.249:1194
190.200.231.217:61202
106.51.48.170:50001
Unpacked files
SHA256 hash: 2841642c39cbfc04de51f4524ccd7f94326cdb13de50b63df2a0ebf22daa30bd
MD5 hash: 2fc694183883feed52e0e37fd3b4eb9d
SHA1 hash: 7753785697a545d214b516e39e8d8947ec84f5a6
SHA256 hash: 1e65784e3a7c5257c84077c4cb3385efebe255dcb9158762ed15648ef2d8e697
MD5 hash: d39b3724920742864b1e3d0f3b01f39a
SHA1 hash: a00c696c050131ed2b83154468fc2b80b550b985
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Signature: Quakbot
File type: DLL dll
SHA256 hash: 1e65784e3a7c5257c84077c4cb3385efebe255dcb9158762ed15648ef2d8e697 (this sample)
Delivery method: Distributed via e-mail link

Comments