MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 27d5472270d1f4e22dec38a609bd1ba13da98f0402da00854356a434dd35e9f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



QuakBot


Vendor detections: 9



SHA256 hash: 27d5472270d1f4e22dec38a609bd1ba13da98f0402da00854356a434dd35e9f7
SHA3-384 hash: 2934eb149050d511b7c31a234a6e74592c4d5b78cc26c6f024035f618351644b4b46ee4ed2dc5e05b99119ca6d5f66a1
SHA1 hash: ae3969dab2c9c3b759d92c9bfd60d484fc163758
MD5 hash: 4b624e71c119d8e98a9377510770358c
humanhash: cardinal-fruit-fanta-kitten
File name: 222222.png (the extension is misleading; the file type and MIME type below identify it as a Windows executable)
Signature: QuakBot
File size: 1'070'568 bytes
First seen: 2020-10-21 19:12:20 UTC
Last seen: 2020-10-21 20:09:22 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 82c23e1ee79c35a4b779a3040d232a07 (54 x QuakBot)
ssdeep: 3072:PU2P4gYgzuBeXRTZnDNNlJ06KEzGZV8uv793SVHrgCuo2zh2kB3dCrMOr3HhYvdj:PJ2gzwETZnl1Kj0sSwo2zzOxmvdVqC
Threatray: 701 similar samples on MalwareBazaar
TLSH: A035D0D0E3A07C09E9633AB18771C6710C797C6BC570EA9F147A3316E5B32416B92B6B
Reporter: Anonymous
Tags: Quakbot

Intelligence


File Origin
# of uploads: 2
# of downloads: 81
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching a process
Creating a window
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary contains a suspicious time stamp
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect virtual machines (IN, VMware)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph (ID 302322; sample 222222.png; start date 22/10/2020; architecture WINDOWS; score 100)
Root signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected Qbot; 4 other signatures
Process tree (three 222222.exe instances were started from the sample; only the first has children):
222222.exe
  Dropped: C:\Users\user\AppData\Roaming\...\cgudtvk.exe (PE32)
  Dropped: C:\Users\user\...\cgudtvk.exe:Zone.Identifier (ASCII)
  Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Contains functionality to detect virtual machines (IN, VMware); Contains functionality to compare user and computer (likely to detect sandboxes)
  -> cgudtvk.exe
       Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); 7 other signatures
       -> explorer.exe
            Signatures: Contains functionality to compare user and computer (likely to detect sandboxes)
       -> cgudtvk.exe
  -> schtasks.exe
       -> conhost.exe
  -> 222222.exe
Threat name: Win32.Backdoor.Quakbot
Status: Malicious
First seen: 2020-10-21 21:49:39 UTC
AV detection: 25 of 29 (86.21%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: trojan banker stealer family:qakbot
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Loads dropped DLL
Executes dropped EXE
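The vendor behaviour reports above describe one chain: the sample drops an executable under the user's AppData\Roaming tree, registers it with schtasks.exe, and the dropped copy starts an explorer.exe that it then injects into. The Python below is an added example, not code from the MalwareBazaar page or from any of the sandboxes quoted on it. It runs three process-creation heuristics over constructed events modelled on that tree; the PIDs, the parent of the first process, every command line, and the `Hypo` directory name under AppData\Roaming (the page truncates the real path to `...`) are placeholders, and two benign events are included as controls.

```python
import re

# Constructed process-creation events modelled on the sandbox process tree
# reproduced on this page: 222222.exe drops cgudtvk.exe under AppData\Roaming,
# starts schtasks.exe, and the dropped copy starts explorer.exe. These are NOT
# real sandbox records. PIDs, the parent of the first process, every command
# line, and the "Hypo" directory name (the page truncates the real path to
# "...") are placeholders. Two benign events are appended as controls.
DROPPED = r"C:\Users\user\AppData\Roaming\Hypo\cgudtvk.exe"
SAMPLE = r"C:\Users\user\Desktop\222222.exe"
EVENTS = [
    {"pid": 7, "image": SAMPLE, "parent": r"C:\Windows\explorer.exe",
     "cmdline": SAMPLE},
    {"pid": 15, "image": DROPPED, "parent": SAMPLE, "cmdline": DROPPED},
    {"pid": 18, "image": r"C:\Windows\System32\schtasks.exe", "parent": SAMPLE,
     "cmdline": f'schtasks.exe /Create /F /SC ONCE /TN hypo /TR "{DROPPED}"'},
    {"pid": 27, "image": r"C:\Windows\System32\conhost.exe",
     "parent": r"C:\Windows\System32\schtasks.exe", "cmdline": "conhost.exe"},
    {"pid": 22, "image": r"C:\Windows\explorer.exe", "parent": DROPPED,
     "cmdline": "explorer.exe"},
    # Controls: an ordinary user launch and a scheduled-task query from cmd.exe.
    {"pid": 40, "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
    {"pid": 41, "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "schtasks.exe /Query /TN hypo"},
]

APPDATA = re.compile(r"\\AppData\\(Roaming|Local)\\", re.I)
WINDIR = re.compile(r"^C:\\Windows\\", re.I)
TR_ARG = re.compile(r'/TR\s+"?([^"]+)"?', re.I)  # task action given to schtasks /TR


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def exec_from_appdata(ev):
    """'Executes dropped EXE': the image lives under the user's AppData tree."""
    return bool(APPDATA.search(ev["image"]))


def schtasks_persistence(ev):
    """'Creates scheduled task(s)': schtasks /Create whose task action points
    into AppData, or which is launched by a parent outside C:\\Windows."""
    if basename(ev["image"]) != "schtasks.exe":
        return False
    cmd = ev["cmdline"]
    if not re.search(r"/create\b", cmd, re.I):
        return False
    m = TR_ARG.search(cmd)
    target_in_appdata = bool(m and APPDATA.search(m.group(1)))
    parent_outside_windows = not WINDIR.match(ev["parent"])
    return target_in_appdata or parent_outside_windows


def explorer_with_odd_parent(ev):
    """'Injects code into explorer.exe': a fresh explorer.exe whose parent is
    not a Windows binary is the injection target being started."""
    return basename(ev["image"]) == "explorer.exe" and not WINDIR.match(ev["parent"])


RULES = {
    "exec_from_appdata": exec_from_appdata,
    "schtasks_persistence": schtasks_persistence,
    "explorer_with_odd_parent": explorer_with_odd_parent,
}


def hunt(events):
    """Return (rule name, pid) for every event that trips a rule."""
    return [(name, ev["pid"]) for ev in events
            for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for name, pid in hunt(EVENTS):
        print(f"{name}: pid {pid}")
```

The third rule is the noisiest in practice: installers and launchers that live outside C:\Windows also start explorer.exe, so in production it is worth requiring a second indicator from the same parent (such as the schtasks hit or a write to the parent's own image directory) before raising an alert.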
Qakbot/Qbot
Malware Config
C2 Extraction:
5.193.181.221:2078
50.104.68.223:443
82.210.157.185:443
81.98.133.106:443
134.0.196.46:995
24.27.82.216:2222
24.234.86.201:995
86.126.108.242:2222
188.26.132.214:443
68.225.60.77:443
100.1.239.189:443
72.204.242.138:20
2.7.65.32:2222
85.204.189.105:443
2.50.131.64:443
140.82.27.132:443
207.246.70.216:443
45.32.155.12:995
96.30.198.161:443
45.32.165.134:443
45.63.104.123:443
77.27.174.49:995
65.131.47.228:995
187.155.58.60:443
93.86.1.140:995
84.78.128.76:2222
73.228.1.246:443
80.14.209.42:2222
86.164.27.59:2222
134.228.24.29:443
76.167.240.21:443
72.28.255.159:995
146.200.250.36:2222
74.73.27.35:443
78.97.3.6:443
98.38.47.1:443
47.138.201.136:443
197.57.63.131:443
72.36.59.46:2222
24.55.66.125:443
141.158.47.123:443
72.204.242.138:32102
92.99.20.249:8443
117.199.10.174:443
189.231.212.189:443
217.165.96.127:990
74.75.237.11:443
79.112.18.199:443
203.198.96.200:443
47.28.131.209:443
72.16.56.171:443
108.46.145.30:443
31.215.98.218:443
81.133.234.36:2222
50.96.234.132:995
188.27.178.166:443
75.137.239.211:443
71.19.217.23:443
216.201.162.158:443
41.228.8.163:443
45.77.193.83:443
207.246.75.201:443
5.12.216.111:2222
114.43.133.96:443
24.231.54.185:2222
98.115.243.237:443
100.4.179.64:443
24.122.0.90:443
172.78.30.215:443
24.43.22.220:993
72.204.242.138:443
80.195.103.146:2222
68.190.152.98:443
86.121.121.14:2222
68.235.155.202:443
208.99.100.129:443
5.202.227.32:995
72.66.47.70:443
151.73.115.246:443
24.201.79.208:2078
108.5.33.110:443
71.221.92.98:443
45.32.154.10:443
199.247.22.145:443
80.240.26.178:443
108.31.15.10:995
174.101.35.214:443
86.176.25.92:2222
173.245.152.231:443
47.44.217.98:443
103.238.231.35:443
68.46.142.48:995
72.204.242.138:995
75.136.40.155:443
85.121.42.12:995
217.162.149.212:443
203.106.195.67:443
93.149.253.201:2222
68.14.210.246:22
71.187.170.235:443
72.241.205.69:443
72.214.55.195:995
50.244.112.10:995
89.32.218.148:443
144.139.47.206:443
212.54.116.210:443
59.26.204.144:443
24.205.42.241:443
41.225.231.43:443
5.14.124.35:443
45.32.155.12:2222
45.32.155.12:443
45.32.162.253:443
95.179.247.224:443
46.53.20.52:443
41.225.13.128:8443
199.247.16.80:443
71.163.222.203:443
41.98.120.105:443
86.125.47.110:443
78.97.110.47:443
213.31.203.109:2222
78.96.199.79:443
95.77.223.148:443
73.200.219.143:443
84.247.55.190:443
197.210.96.222:995
188.27.173.144:443
188.247.252.243:443
203.45.104.33:443
173.21.10.71:2222
73.90.4.146:443
81.97.154.100:443
24.28.183.107:995
31.5.21.66:443
95.76.27.6:443
108.30.125.94:443
5.13.84.191:443
67.6.55.77:443
69.47.26.41:443
65.102.136.20:995
74.222.204.82:443
24.40.173.134:443
36.77.151.211:443
173.173.1.164:443
74.195.88.59:995
69.123.116.167:2222
66.215.32.224:443
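The C2 list above is the configuration extracted from the unpacked sample, one `ip:port` pair per line, with several addresses repeated on different ports. The Python below is an added example, not code from the MalwareBazaar page or from abuse.ch: it parses a verbatim subset of that list (plus one constructed malformed line), validates each entry, deduplicates hosts, counts ports, and emits one Suricata alert per (address, port) pair. The `sid_base` value and the rule message are placeholders.

```python
import ipaddress
from collections import Counter

# Eleven endpoints copied verbatim from the C2 list above (chosen to include
# the addresses that recur on several ports), plus one constructed malformed
# line to exercise the validation path.
C2_TEXT = """\
5.193.181.221:2078
50.104.68.223:443
72.204.242.138:20
72.204.242.138:32102
72.204.242.138:443
72.204.242.138:995
45.32.155.12:995
45.32.155.12:2222
45.32.155.12:443
24.43.22.220:993
68.14.210.246:22
not-an-ip:443
"""


def parse_c2(text):
    """Split 'ip:port' lines into validated (ip, port) tuples; return the
    rejects separately so nothing is silently dropped."""
    endpoints, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        host, _, port = line.rpartition(":")
        try:
            ip = ipaddress.ip_address(host)
            p = int(port)
            if not 0 < p < 65536:
                raise ValueError(port)
        except ValueError:
            rejected.append(line)
            continue
        endpoints.append((str(ip), p))
    return endpoints, rejected


def summarize(endpoints):
    """Distinct hosts in address order, and how often each port is used."""
    hosts = sorted({ip for ip, _ in endpoints}, key=ipaddress.ip_address)
    ports = Counter(p for _, p in endpoints)
    return hosts, ports


def suricata_rules(endpoints, sid_base=9000000):
    """One alert per (address, port) pair. sid_base is a placeholder; pick a
    range that does not collide with the rule sets you already load."""
    return [
        f'alert tcp $HOME_NET any -> {ip} {port} '
        f'(msg:"Qakbot C2 endpoint from MalwareBazaar config"; '
        f'flow:to_server; sid:{sid_base + i}; rev:1;)'
        for i, (ip, port) in enumerate(endpoints)
    ]


if __name__ == "__main__":
    eps, bad = parse_c2(C2_TEXT)
    hosts, ports = summarize(eps)
    print(f"{len(eps)} endpoints on {len(hosts)} hosts; rejected: {bad}")
    print("ports:", dict(ports.most_common()))
    print("\n".join(suricata_rules(eps)))
```

Match on the (address, port) pair rather than the bare address: 72.204.242.138 appears on ports 20, 443, 995 and 32102 and 45.32.155.12 on 443, 995 and 2222, and blocking a residential address outright is rarely useful. Qakbot's first-tier C2 runs largely on infected hosts acting as proxies, so a list like this decays quickly; the First seen and Last seen timestamps on this entry bound how long the rules are worth keeping.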
Unpacked files
SHA256 hash: bf6f3e04249cf4a34f7556636c679ff1c78e2414fd37868eef6d100cb7282fae
MD5 hash: df598a3910b9f05031cdf890b7f46d13
SHA1 hash: 0cf9d9322c4f984cbf917b6e58afde58721f6ff7
Detections: win_qakbot_auto
Parent samples:
SHA256 hash: 73405dd30b629dd492f5494fdd459b97d341772e921a39a4a94324bbd52ec343
MD5 hash: f8c768fd4b494ca7a06b9d18013c0dd9
SHA1 hash: 31ae04187a650be6ae81a44dc27bbb4ba0e70366
Detections: win_qakbot_g0 win_qakbot_auto
SHA256 hash: 27d5472270d1f4e22dec38a609bd1ba13da98f0402da00854356a434dd35e9f7
MD5 hash: 4b624e71c119d8e98a9377510770358c
SHA1 hash: ae3969dab2c9c3b759d92c9bfd60d484fc163758
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  QuakBot
    Executable exe 27d5472270d1f4e22dec38a609bd1ba13da98f0402da00854356a434dd35e9f7 (this sample)

Delivery method: Distributed via e-mail attachment

Comments