MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 26a5c35034800e786a979358b4cd86cc15ddef9abdf711fd2d3cd38ba59ee4c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 13



SHA256 hash: 26a5c35034800e786a979358b4cd86cc15ddef9abdf711fd2d3cd38ba59ee4c2
SHA3-384 hash: 67e32bc1126f2ee827153f277602d7e16d7077af5ef2d92847ed68a6495c86c64e50062aa7d9b4b8a5c386fc997580c5
SHA1 hash: fd97b9875641a5eb8b95b716fb17d1d36ff81afd
MD5 hash: 4a1fbd71010494ad1cb579cd6c395c80
humanhash: spring-angel-bulldog-glucose
File name: 1.png
Signature: Quakbot
File size: 475'309 bytes
First seen: 2023-02-03 08:55:23 UTC
Last seen: 2023-02-03 10:35:14 UTC
File type: DLL
MIME type: application/x-dosexec
imphash: 1ccffc494b14223940b5ff7c5d6ed9fb (1 x Quakbot)
ssdeep: 6144:C3P9EKUug7ptz0KE05TG2mLsh0H7wiWsxhQsjdDKlos8Wno8Kdygm/K+VybKK:iEKU/I8kLFUi/sRJKYK+4bKK
Threatray: 1'921 similar samples on MalwareBazaar
TLSH: T15BA4F91D7A16F034D49A00BEBC18D1FE4468B930566D4893BBC2BB172CD52FA9CA2F57
TrID: 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
      13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
      6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter: 0xSnowl
Tags: dll Quakbot

Intelligence

File Origin
Uploads: 2
Downloads: 209
Origin country: TH
Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:
Verdict: No Threat
Threat level: 2/10
Confidence: 100%
Tags: greyware overlay

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 92 / 100
Signature
Allocates memory in foreign processes
DLL reload attack detected
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Execute DLL with spoofed extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph (ID 797717; graph image not reproduced): sample 1.png.dll, start date 03/02/2023, architecture WINDOWS, score 92. The graph shows loaddll32.exe starting rundll32.exe and cmd.exe; rundll32.exe drops PE32 DLLs under C:\Users\user\AppData\Local\ and spawns wermgr.exe, with several WerFault.exe crashes; wermgr.exe contacts 90.78.51.182:2222 (FranceTelecom-OrangeFR, France) and www.linkedin.com, and drops C:\Users\user\Desktop\1.png.dll. Signatures attached to these nodes: Multi AV Scanner detection, Yara detected Qbot, Sigma detected: Execute DLL with spoofed extension, sandbox detection, DLL reload attack, code overwritten with unconditional jumps, writes to foreign memory regions, allocates memory in foreign processes, maps a DLL or memory area into another process.
Threat name: Win32.Backdoor.Quakbot
Status: Malicious
First seen: 2023-02-03 08:56:08 UTC
File Type: PE (Dll)
Extracted files: 49
AV detection: 19 of 26 (73.08%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:qakbot botnet:bb12 campaign:1675352134 banker stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Loads dropped DLL
Qakbot/Qbot
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash: 39eb6cf12237089b0a3047f60ec12b66adb44fd3fe1f967cc18e7d12bbaf93ef
MD5 hash: 225ad5564c211314be7137d66b0715c8
SHA1 hash: 7808c6a9276a0ea65415fd37e6306b33c856673f
Detections: Qakbot win_qakbot_auto

SHA256 hash: 26a5c35034800e786a979358b4cd86cc15ddef9abdf711fd2d3cd38ba59ee4c2
MD5 hash: 4a1fbd71010494ad1cb579cd6c395c80
SHA1 hash: fd97b9875641a5eb8b95b716fb17d1d36ff81afd

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar and against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: QakBot
Author: kevoreilly
Description: QakBot Payload

Rule name: qakbot_api_hashing
Author: @Embee_Research
Reference: https://twitter.com/embee_research/status/1592067841154756610

Rule name: unpacked_qbot
Description: Detects unpacked or memory-dumped QBot samples

Rule name: win_qakbot_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.qakbot.

Rule name: win_qakbot_malped
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.qakbot.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other
