MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 232ec42b51df281533c557d9013aa5bbeff130bc6e0cb8de7ef1cf965ed81eb1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 9

Intelligence 9 IOCs YARA 7 File information Comments

SHA256 hash:	232ec42b51df281533c557d9013aa5bbeff130bc6e0cb8de7ef1cf965ed81eb1
SHA3-384 hash:	592e29361c6844158266a10eb5b3000247533a2b4291a3ba25d2f9ce819b40e1552a7945b7253ea6b6685f2c46adedcb
SHA1 hash:	7fe4eb7f1ccc59763e352defc3298f0c208f171b
MD5 hash:	ddd09db61d8f6565ba41c20695ea3ac2
humanhash:	fruit-high-music-zulu
File name:	01.gif
Download:	download sample
Signature	Quakbot Create hunting rule
File size:	1'069'788 bytes
First seen:	2023-02-02 11:25:30 UTC
Last seen:	2023-02-02 12:54:20 UTC
File type:	dll
MIME type:	application/x-dosexec
imphash	42ed000be09992833541110261c2d8f2 (1 x Quakbot)
ssdeep	24576:aHjOfF1vLCeGI4e9GqEMAinTjc7c6LvWxGXaEA5:aAjDjt4cAAfc7bDWxGXw
TLSH	T1C035AFA2F2B14837C173263D9C2B9365982ABF113D286C467BF51E4C4F396817A352E7
TrID	47.6% (.EXE) Win32 Executable Delphi generic (14182/79/4) 15.1% (.EXE) Win32 Executable (generic) (4505/5/1) 10.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1) 6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23) 6.8% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter	pr0xylife
Tags:	1675326103 BB12 dll Qakbot Quakbot

Intelligence

File Origin

# of uploads :

# of downloads :

243

Origin country :

Vendor Threat Intelligence

Detection:

QakBot

Link:

https://www.capesandbox.com/analysis/359482/

Detection(s):

SecuriteInfo.com.W32.Qbot.CU.gen.Eldorado.12745.1892.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a file

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

80%

Tags:

keylogger overlay

Link:

https://www.filescan.io/uploads/63db9dce89bd67c10fdc3153/reports/6adeea0e-7001-4ea6-b808-7e57514f4fa8/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Qakbot

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/439aefe2-3316-425d-a711-1385ba880789

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/232ec42b51df281533c557d9013aa5bbeff130bc6e0cb8de7ef1cf965ed81eb1/

Threat name:

Win32.Backdoor.Quakbot

Status:

Malicious

First seen:

2023-02-02 11:26:10 UTC

File Type:

PE (Dll)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=emxmik2r34ubkm6fk7mqcovfxpx7cmf4nyglrxt66hhzmxwyd2yq._file

Result

Malware family:

qakbot

Score:

10/10

Tags:

family:qakbot botnet:bb12 campaign:1675326103 banker stealer trojan

Link:

https://tria.ge/reports/230202-njvt8sfh72/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Program crash

Loads dropped DLL

Qakbot/Qbot

Malware Config

C2 Extraction:

47.203.227.114:443
1.162.248.14:27393
187.1.1.90:26646
98.145.23.67:443
1.70.77.116:59649
187.0.1.74:8644
12.172.173.82:995
1.109.159.118:15368
187.1.1.182:46185
86.130.9.182:2222
1.217.128.91:50184
70.66.199.12:443
1.27.109.19:23048
209.1.1.184:39300
174.104.184.149:443
1.81.151.102:57345
187.1.1.47:8734
87.202.101.164:50000
1.73.165.119:5121
181.118.206.65:995
1.86.195.14:18440
187.1.1.81:58741
86.225.214.138:2222
1.172.90.139:35336
76.80.180.154:995
1.171.97.42:17153
187.0.1.103:37065
80.0.74.165:443
1.27.0.48:52481
174.58.146.57:443
1.84.215.202:5633
156.217.208.137:995
1.87.10.205:29953
92.154.17.149:2222
1.74.92.243:29123
187.1.1.69:30587
193.92.232.75:995
12.172.173.82:2087
1.75.143.236:38145
187.1.1.73:41392
59.28.84.65:443
1.58.247.115:32259
82.212.112.189:443

Unpacked files

SH256 hash:

ab7c797fd66f8d3e7e7affe2f6b616ead1202acf5de3ff94cda0114eeb82753e

MD5 hash:

2535ca579dcdc851397ce4b32feb0ab3

SHA1 hash:

fcd38e87f790e7d6fa1e76f367805c3ff89582d6

Link:

https://www.unpac.me/results/ec714cff-b87e-4874-a719-513cc651bdae/

SH256 hash:

fad6f6b51ee766825ff63d97f6379fd5a8c163c3f7a0185381758ac4cbe748c7

MD5 hash:

df43b9efa256a4411fe9b94663d32999

SHA1 hash:

152ee83d61596d3394e7dd3f9af9117758f2b443

Detections:

win_qakbot_auto

Link:

https://www.unpac.me/results/ec714cff-b87e-4874-a719-513cc651bdae/

SH256 hash:

232ec42b51df281533c557d9013aa5bbeff130bc6e0cb8de7ef1cf965ed81eb1

MD5 hash:

ddd09db61d8f6565ba41c20695ea3ac2

SHA1 hash:

7fe4eb7f1ccc59763e352defc3298f0c208f171b

Link:

https://www.unpac.me/results/ec714cff-b87e-4874-a719-513cc651bdae/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/232ec42b51df/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/232ec42b51df281533c557d9013aa5bbeff130bc6e0cb8de7ef1cf965ed81eb1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	QakBot Create hunting rule
Author:	kevoreilly
Description:	QakBot Payload

Rule name:	qakbot_api_hashing Create hunting rule
Author:	@Embee_Research
Reference:	https://twitter.com/embee_research/status/1592067841154756610

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	unpacked_qbot Create hunting rule
Description:	Detects unpacked or memory-dumped QBot samples

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/359482/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample