MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 27a6ed6707d1f8ef9666b759c6af8aab9bea90f1d3eb7b1cad9e7ebeadb2998d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 27a6ed6707d1f8ef9666b759c6af8aab9bea90f1d3eb7b1cad9e7ebeadb2998d
SHA3-384 hash: df507659e058b7295518c3310e7c2c016402e037cfc92bc163ef069db7f970287b44cb90ec2433e7e968546e6ce40a4a
SHA1 hash: 2191a754a644ac9780b8e7e7eced53c9b92f5b48
MD5 hash: 7d0f6c345cdaf9e290551b220d53cd14
humanhash: skylark-green-freddie-wisconsin
File name:7d0f6c345cdaf9e290551b220d53cd14.dll
Download: download sample
Signature Quakbot
Create hunting rule
File size:492'470 bytes
First seen:2021-04-30 05:57:09 UTC
Last seen:2021-04-30 06:03:47 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash a7358e273420e00f3ba4c1e15be44db1 (1 x Quakbot)
ssdeep 6144:4jpCzcjuQ/9zoaV3EeVHq/Ca6VbrdRNMA:4jQojuS9zoadEYHq/CjtN
Threatray 1'352 similar samples on MalwareBazaar
TLSH 53A4BF7CEB62C967E2242FF462C35F541A13D9D17570650E42B11F2E3EA93E5383BA88
Reporter abuse_ch
Tags:dll Quakbot

Intelligence

File Origin
# of uploads :
2
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Detection:
QakBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/147185/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Launching a process
Modifying an executable file
Creating a process with a hidden window
Creating a window
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/704075
Signature
Allocates memory in foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has nameless sections
Sigma detected: Schedule REGSVR windows binary
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 400960 Sample: PZUypSNb95.dll Startdate: 30/04/2021 Architecture: WINDOWS Score: 96 66 Malicious sample detected (through community Yara rule) 2->66 68 Sigma detected: Schedule REGSVR windows binary 2->68 70 Multi AV Scanner detection for submitted file 2->70 72 2 other signatures 2->72 8 loaddll32.exe 1 2->8         started        11 regsvr32.exe 2->11         started        13 regsvr32.exe 2->13         started        process3 signatures4 74 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->74 76 Injects code into the Windows Explorer (explorer.exe) 8->76 78 Maps a DLL or memory area into another process 8->78 15 cmd.exe 1 8->15         started        17 regsvr32.exe 8->17         started        20 rundll32.exe 8->20         started        26 2 other processes 8->26 22 regsvr32.exe 11->22         started        24 regsvr32.exe 13->24         started        process5 file6 29 rundll32.exe 15->29         started        56 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 17->56 58 Injects code into the Windows Explorer (explorer.exe) 17->58 60 Writes to foreign memory regions 17->60 32 explorer.exe 17->32         started        62 Allocates memory in foreign processes 20->62 64 Maps a DLL or memory area into another process 20->64 34 explorer.exe 20->34         started        36 WerFault.exe 22->36         started        48 C:\Users\user\Desktop\PZUypSNb95.dll, PE32 26->48 dropped 38 iexplore.exe 146 26->38         started        41 schtasks.exe 26->41         started        signatures7 process8 dnsIp9 82 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 29->82 84 Injects code into the Windows Explorer (explorer.exe) 29->84 86 Writes to foreign memory regions 29->86 88 2 other signatures 29->88 43 explorer.exe 29->43         started        50 img.img-taboola.com 38->50 52 edge.gycpi.b.yahoodns.net 87.248.118.22, 443, 49727, 49728 YAHOO-DEBDE United Kingdom 38->52 54 10 other IPs or domains 38->54 46 conhost.exe 41->46         started        signatures10 process11 signatures12 80 Uses schtasks.exe or at.exe to add and modify task schedules 43->80
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/27a6ed6707d1f8ef9666b759c6af8aab9bea90f1d3eb7b1cad9e7ebeadb2998d/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-04-30 03:06:00 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=e6to2zyh2h4o7ftgw5m4nl4kvon6vehr2pvxwhfntz7l5lnstggq._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
1e4f2b520eeeea8aa56cb3b743830b2e189f74d2b2787eb1b719d9120e583eb2
Quakbot
1ffe1567aefbfe5709ae229d6a5619f8123611a90806cff57dc83db54f41216c
Quakbot
3cbc437b1cd10eb5946a5252fc1848e34b385d052de27d1052b0f428fc953c93
Quakbot
5ea8c6070ac6931bda4600b4f1de3df21808f6b9cc0fee056f13d125a5451532
Quakbot
602860ccf6ab94ba1e09e921d3239fb7396a93462aa613cb0302c59e37d6fc31
Quakbot
62a7a41745efc5a4314c5ec233c7e6381c8aaf55800361e1ea25bb982ce52d75
Quakbot
6a1ff8895e465dcb6f9f6f8cbc1e553244348114b4d90d860e6a329c2435f26c
Quakbot
9ac05dc49c732d74ff3bb6082296426a7d1640cafb26d2ba8ec9055367dbae13
Quakbot
d74d0b88dac0afd8f0b008964215fddc9a126e5337a26557c01b2574f1e70277
Quakbot
f47d4cc0fd011a1f8a74ced31d693742378f2ccb6b3d0b6b8d322cd31e62f897
Quakbot
+ 1'342 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot botnet:tr campaign:1618935072 banker stealer trojan
Link:
https://tria.ge/reports/210430-7kda8vrj1a/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Loads dropped DLL
Qakbot/Qbot
Malware Config
C2 Extraction:
140.82.49.12:443
190.85.91.154:443
96.37.113.36:993
71.41.184.10:3389
186.31.46.121:443
73.25.124.140:2222
109.12.111.14:443
24.229.150.54:995
45.32.211.207:443
45.77.117.108:443
45.77.117.108:8443
149.28.98.196:443
149.28.98.196:2222
144.202.38.185:443
144.202.38.185:995
45.32.211.207:995
207.246.116.237:995
149.28.99.97:995
45.63.107.192:2222
149.28.101.90:995
45.77.115.208:2222
45.32.211.207:8443
45.32.211.207:2222
45.77.115.208:443
207.246.116.237:443
45.77.117.108:2222
149.28.98.196:995
45.63.107.192:443
149.28.101.90:8443
24.152.219.253:995
149.28.101.90:443
149.28.101.90:2222
45.77.115.208:995
45.77.115.208:8443
207.246.77.75:8443
207.246.77.75:2222
207.246.116.237:2222
45.77.117.108:995
149.28.99.97:443
144.202.38.185:2222
207.246.77.75:995
207.246.77.75:443
207.246.116.237:8443
24.55.112.61:443
47.22.148.6:443
216.201.162.158:443
197.45.110.165:995
24.117.107.120:443
71.163.222.243:443
189.210.115.207:443
149.28.99.97:2222
45.63.107.192:995
151.205.102.42:443
75.118.1.141:443
105.198.236.101:443
72.252.201.69:443
67.8.103.21:443
136.232.34.70:443
75.67.192.125:443
72.240.200.181:2222
75.137.47.174:443
78.63.226.32:443
95.77.223.148:443
81.97.154.100:443
105.198.236.99:443
83.110.109.164:2222
50.29.166.232:995
115.133.243.6:443
27.223.92.142:995
45.46.53.140:2222
173.21.10.71:2222
71.74.12.34:443
98.252.118.134:443
76.25.142.196:443
24.226.156.153:443
47.196.192.184:443
67.165.206.193:993
73.151.236.31:443
98.192.185.86:443
24.139.72.117:443
94.59.106.186:2078
188.26.91.212:443
184.185.103.157:443
172.78.47.100:443
195.6.1.154:2222
86.190.41.156:443
108.14.4.202:443
24.43.22.219:993
86.220.62.251:2222
97.69.160.4:2222
90.65.236.181:2222
71.187.170.235:443
50.244.112.106:443
96.61.23.88:995
64.121.114.87:443
144.139.47.206:443
222.153.174.162:995
77.27.207.217:995
24.95.61.62:443
77.211.30.202:995
92.59.35.196:2222
125.62.192.220:443
195.12.154.8:443
68.186.192.69:443
75.136.40.155:443
71.117.132.169:443
96.21.251.127:2222
71.199.192.62:443
70.168.130.172:995
83.196.56.65:2222
81.214.126.173:2222
82.12.157.95:995
209.210.187.52:995
209.210.187.52:443
67.6.12.4:443
189.222.59.177:443
174.104.22.30:443
142.117.191.18:2222
189.146.183.105:443
213.60.147.140:443
196.221.207.137:995
108.46.145.30:443
187.250.238.164:995
2.7.116.188:2222
195.43.173.70:443
106.250.150.98:443
45.67.231.247:443
83.110.103.152:443
83.110.9.71:2222
78.97.207.104:443
59.90.246.200:443
80.227.5.69:443
125.63.101.62:443
86.236.77.68:2222
109.106.69.138:2222
84.72.35.226:443
217.133.54.140:32100
197.161.154.132:443
89.137.211.239:995
74.222.204.82:995
122.148.156.131:995
156.223.110.23:443
144.139.166.18:443
202.185.166.181:443
76.94.200.148:995
71.63.120.101:443
196.151.252.84:443
202.188.138.162:443
74.68.144.202:443
69.58.147.82:2078
Unpacked files
SH256 hash:
a2bacde7210d88675564106406d9c2f3b738e2b1993737cb8bf621b78a9ebf56
MD5 hash:
618fc58d489e69f8301ac45ff32b3c08
SHA1 hash:
abb211a554367a3a097c89eb9bc590ef7c3f7099
Detections:
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/ee93ad97-34f0-4884-bd9c-25f8f7cad132/
Parent samples :
53bd776c525c7f8998d2504fdd2454819267d9f4eb5c1ca53b9388ce5dfcdcff
8ff3397c5cc8c866d6c1f492ccfe88f39b3b968757a3b3c9400d85f8ca0aba55
27a6ed6707d1f8ef9666b759c6af8aab9bea90f1d3eb7b1cad9e7ebeadb2998d
4920b2f647aa16bd4e806c88a1af679fbfec0c6790372ceb878efa787a5e55bb
5e317f119a35d4b03733b6bbe4976b0bfaa8d0aa9fd3e8469d18ce1b7c0a45ce
4a14a8b28709afd3003beb39044bbbfde5bdffdd1f9b24f836dbaa1d73ab617f
b8027c886bcb6e314a7b45492887a108bc894429d6765bd9de3d448066e1287d
023c1c23b7560d03076bec4c717a1cc690e3538541228de0adc40421493d974d
8cbf33bfda27eae17d2290c775ab58469dbbd8fd86748088cf4760ca6ef13f5c
6a58d842dd9202b1dbb4636a80c030fd73afdbe14a9187acd6cbff4b61c8302f
a19dbb7fd21b7e2cd51d0942874d33a9cbb1ec70acba3265a6147652c8f5518d
2f7d29be2d877a68803d29ca5ca64d84d5f0e49705c1ff84f0bd5dfc91fbced9
c8d67b97aa1aa6681877091479081aa89186e3e4bab25dc3adabebf58ecc40f8
SH256 hash:
27a6ed6707d1f8ef9666b759c6af8aab9bea90f1d3eb7b1cad9e7ebeadb2998d
MD5 hash:
7d0f6c345cdaf9e290551b220d53cd14
SHA1 hash:
2191a754a644ac9780b8e7e7eced53c9b92f5b48
Link:
https://www.unpac.me/results/ee93ad97-34f0-4884-bd9c-25f8f7cad132/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
qbot
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/27a6ed6707d1f8ef9666b759c6af8aab9bea90f1d3eb7b1cad9e7ebeadb2998d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:QakBot
Create hunting rule
Author:kevoreilly
Description:QakBot Payload
Rule name:win_qakbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Quakbot

DLL dll 27a6ed6707d1f8ef9666b759c6af8aab9bea90f1d3eb7b1cad9e7ebeadb2998d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1144316/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/147185/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-30 05:59:57 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0026.002] Data Micro-objective::XOR::Encode Data