MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 24aec370771ad1208aeb54721067c9e3b139a368f13ab6b131dc7d6c13da5127. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 12

Intelligence 12 IOCs YARA 6 File information Comments

SHA256 hash:	24aec370771ad1208aeb54721067c9e3b139a368f13ab6b131dc7d6c13da5127
SHA3-384 hash:	3f36921aaaeb8584337189a7b757d0fc3edca8a85a3d0bef7d6af244fa84d885e44ef1ac233146d4d422924a025f4b71
SHA1 hash:	f86d3de29123d9f56114c542f31f091ca4c8fbb6
MD5 hash:	c48d309b2f59581cf8b8c1fd1790ebdb
humanhash:	orange-bravo-mobile-fifteen
File name:	dour.dat
Download:	download sample
Signature	Quakbot Create hunting rule
File size:	1'632'072 bytes
First seen:	2022-10-31 12:15:35 UTC
Last seen:	Never
File type:	dll
MIME type:	application/x-dosexec
imphash	d7ce16ef29cd3ae5d899da15f45284cd (4 x Quakbot)
ssdeep	24576:hdOBKJGDcYOGm+FpvC04Rl3ZC499TlgxE29S3GPOk8YdSkQh:hs9dm+n60YZCZY3KR8Ydkh
Threatray	1'623 similar samples on MalwareBazaar
TLSH	T18E758E22F2D1C437E472177C9C7BA399982A7D512E28884B7FE54F4C4F3A6413E29297
TrID	28.8% (.EXE) Win32 Executable (generic) (4505/5/1) 19.2% (.MZP) WinArchiver Mountable compressed Archive (3000/1) 13.2% (.EXE) Win16/32 Executable Delphi generic (2072/23) 12.9% (.EXE) OS/2 Executable (generic) (2029/13) 12.8% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):
dhash icon	399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter	pr0xylife
Tags:	1667208557 BB05 dll Qakbot Quakbot

Intelligence

File Origin

# of uploads :

# of downloads :

463

Origin country :

n/a

Vendor Threat Intelligence

Detection:

QakBot

Link:

https://www.capesandbox.com/analysis/326402/

Detection(s):

SecuriteInfo.com.Win32.BotX-gen.12758.24308.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a window

Searching for synchronization primitives

Launching a process

Modifying an executable file

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

keylogger overlay packed

Link:

https://www.filescan.io/uploads/635fbc8558409ff7bc0c5f6a/reports/6f079cd0-1975-4186-bcf7-2171d7f53d0e/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Qakbot

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/61f9875d-74d7-48ca-b528-b0caf26586bf

Result

Threat name:

Qbot

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1101656

Signature

Allocates memory in foreign processes

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Sigma detected: Execute DLL with spoofed extension

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected Qbot

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/24aec370771ad1208aeb54721067c9e3b139a368f13ab6b131dc7d6c13da5127/

Threat name:

Win32.Backdoor.Quakbot

Status:

Malicious

First seen:

2022-10-31 12:16:18 UTC

File Type:

PE (Dll)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=esxmg4dxdlisbcxlkrzbaz6j4oytti3i6e5lnmjr3r6wye62ketq._file

Verdict:

malicious

Label(s):

qakbot

Quakbot

540033fa84f80fb1e31c73139d2a043790a980191c5c5e4416bcfa51d4394a4f

Quakbot

62b5cb0be9e42ed5628cf0bcbc7a159ac89668933c887796d2201e5eb4c2ca76

Quakbot

9bea9743ed86d925f88d75077ef37b3a4a6a652bbdd2f0e516efdfbb94fb5e06

Quakbot

aa8fbf0411339a0acce09cebab6aea8ed00ceaec76fd92f304ee41c09a9372a4

Quakbot

dae5768e9a2f692512613af462d3ea8d96ce9f38eee1c06ddc52cde8dec2e0a2

Quakbot

e248f7a1cbd369a2111834664fa805b489c8610e0d9b7fa506c3a1fc882dd331

Quakbot

+ 1'613 additional samples on MalwareBazaar

Result

Malware family:

qakbot

Score:

10/10

Tags:

family:qakbot botnet:bb05 campaign:1667208557 banker stealer trojan

Link:

https://tria.ge/reports/221031-pff3caahe2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Program crash

Qakbot/Qbot

Malware Config

C2 Extraction:

174.77.209.5:443
187.0.1.74:23795
24.206.27.39:443
1.156.220.169:30723
156.216.39.119:995
58.186.75.42:443
1.156.197.160:30467
187.1.1.190:4844
186.18.210.16:443
1.181.56.171:771
90.165.109.4:2222
187.0.1.186:39742
87.57.13.215:443
187.0.1.207:52344
227.26.3.227:1
98.207.190.55:443
187.0.1.197:7017
188.49.56.189:443
102.156.160.115:443
187.0.1.24:17751
70.51.139.148:2222
187.0.1.109:34115
14.164.18.210:443
187.0.1.97:30597
205.161.22.189:443
187.0.1.151:54711
196.217.63.248:443
187.0.1.160:45243
66.37.239.222:443
24.207.97.40:443
187.0.1.59:24056
68.62.199.70:443
45.230.169.132:993

Unpacked files

SH256 hash:

e14accb675e83df00fe0ecc95ea8e70ab873efb1cd5d321310aade8e804579f1

MD5 hash:

2ad9636507a1496ed71edc42ea7f1b66

SHA1 hash:

d7f2f6d3da2226d68a631257ff1024802fbc2054

Link:

https://www.unpac.me/results/182090d5-a667-4e49-9466-cd633a94c50f/

SH256 hash:

daa3557a9a632d9f897a8d7c1ef0e40a5715f0badc424f57f5ea50525fdd7122

MD5 hash:

66a0741f8f43b584e387459b367097c1

SHA1 hash:

3794e128ba8d8b29404d036423493a722d521b6b

Detections:

Qakbot

win_qakbot_auto

Link:

https://www.unpac.me/results/182090d5-a667-4e49-9466-cd633a94c50f/

Parent samples :

24aec370771ad1208aeb54721067c9e3b139a368f13ab6b131dc7d6c13da5127
e9e65452644cf71bddbd3a324c171117c3df219a642bca6083ee6796dc5365c2

SH256 hash:

24aec370771ad1208aeb54721067c9e3b139a368f13ab6b131dc7d6c13da5127

MD5 hash:

c48d309b2f59581cf8b8c1fd1790ebdb

SHA1 hash:

f86d3de29123d9f56114c542f31f091ca4c8fbb6

Link:

https://www.unpac.me/results/182090d5-a667-4e49-9466-cd633a94c50f/

Malware family:

CryptOne

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/24aec370771a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.37

Link:

https://yomi.yoroi.company/submissions/24aec370771ad1208aeb54721067c9e3b139a368f13ab6b131dc7d6c13da5127

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	QakBot Create hunting rule
Author:	kevoreilly
Description:	QakBot Payload

Rule name:	unpacked_qbot Create hunting rule
Description:	Detects unpacked or memory-dumped QBot samples

Rule name:	win_qakbot_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.qakbot.

Rule name:	win_qakbot_malped Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/326402/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample