MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22c5d9c52f3e9e072e384cc2963a7a453225c2ed7f26f60d0fb043c77f0c4079. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 12

SHA256 hash: 22c5d9c52f3e9e072e384cc2963a7a453225c2ed7f26f60d0fb043c77f0c4079
SHA3-384 hash: 3a8b7387dfa438a8b7260e3ed5904a1849b4af6e55812ca9d7e2f01ae7e0dabe9b3da9c5b8b5060d5722cda239eb4d94
SHA1 hash: e75bed7e30fcbe1d4e1e8c4dcaf1f49484bb029b
MD5 hash: 11e4e853b7c06118060a98b9bd828daf
humanhash: kitten-asparagus-nevada-kilo
File name: DominationsFleshier.dll
Signature Quakbot
File size: 308'736 bytes
First seen: 2022-12-21 21:18:49 UTC
Last seen: 2022-12-21 22:27:48 UTC
File type: DLL
MIME type: application/x-dosexec
imphash: 6176e2a142653611ab9359df2fd44146 (1 x Quakbot)
ssdeep: 6144:gC+xTejJTnVWWZmzUTTxdGORwN6hta8SqKOnKs:vYTejJTVWWEzU5dG78dKTs
TLSH: T1A064AC257742E038F56E0539BC64E5F95A38F8304B2849CB77D1AF1B5EA52E09E72E03
TrID:
  29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
  20.3% (.EXE) Win32 Executable (generic) (4505/5/1)
  9.1% (.EXE) OS/2 Executable (generic) (2029/13)
  9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter: pr0xylife
Tags: 1671561386 BB11 dll Qakbot Quakbot

Intelligence

File Origin
Uploads: 2
Downloads: 217
Origin country: EG
Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Verdict: No Threat
Threat level: 2/10
Confidence: 100%
Tags: greyware packed

Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 80 / 100
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph (ID 771732): sample DominationsFleshier.dll, start date 21/12/2022, architecture WINDOWS, score 80.
Process chain: loaddll32.exe starts cmd.exe, two rundll32.exe instances and 5 other processes; cmd.exe starts a further rundll32.exe; each rundll32.exe starts wermgr.exe.
Signatures on the rundll32.exe processes: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Writes to foreign memory regions; Allocates memory in foreign processes; Maps a DLL or memory area into another process.
Sample-level signatures: Multi AV Scanner detection for submitted file; Yara detected Qbot; C2 URLs / IPs found in malware configuration; Machine Learning detection for sample.
Network: 71.31.101.183 (WINDSTREAMUS, United States), 216.36.153.248 (WCG-ASCA, Canada), 96 other IPs or domains; the wermgr.exe started from the cmd.exe chain contacts 31.48.67.240 (443, 49700, 49701; BT-UK-AS, United Kingdom), 70.51.136.204 (2222; BACOM, Canada) and 2 other IPs or domains.
Dropped file: C:\Users\user\...\DominationsFleshier.dll (PE32).
Threat name: Win32.Backdoor.Quakbot
Status: Malicious
First seen: 2022-12-20 22:34:08 UTC
File Type: PE (Dll)
Extracted files: 73
AV detection: 22 of 26 (84.62%)
Threat level: 5/5
Verdict: malicious
Label(s):

Result
Malware family:
Score: 10/10
Tags: family:qakbot botnet:bb11 campaign:1671561386 banker stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Qakbot/Qbot
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash: 68d12f4a1b7a28eec2dc849cc82b08a5e45bc6fff0195413ce90403a106739d2
MD5 hash: cfb44886b2dad562d827e4aeac5700c9
SHA1 hash: 5e4914c62bb7efe8bd5e07ca422223f2503edca6
Detections: Qakbot win_qakbot_auto

SHA256 hash: 80768aeba3b57f46bbb6c7e0667f2e356f1492c73deb1ed7e06646ef413e6153
MD5 hash: dcfac4af94881fee1b4986549462ec36
SHA1 hash: c3ef2098ea89158e75037d591625f9d81d7e71ef

SHA256 hash: 22c5d9c52f3e9e072e384cc2963a7a453225c2ed7f26f60d0fb043c77f0c4079
MD5 hash: 11e4e853b7c06118060a98b9bd828daf
SHA1 hash: e75bed7e30fcbe1d4e1e8c4dcaf1f49484bb029b
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

File information
The table below shows additional information about this malware sample such as delivery method and external references.

Comments