MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2cb8f04d41fe34706ff61cba06788faaaca87494721fcf8e86d20b897890a3b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Quakbot


Vendor detections: 12



SHA256 hash: 2cb8f04d41fe34706ff61cba06788faaaca87494721fcf8e86d20b897890a3b1
SHA3-384 hash: 2c7ed04da15df36e149448f1efad0d1f5ff745ccd01aae9dc33d01a62614fdaa7675e5fca76fac9b1880b1eac8de6b75
SHA1 hash: 224e0ee45b5de31d75a8870c7936d85b311374c5
MD5 hash: cab39f756b7ab98d799939819a248b54
humanhash: spring-indigo-six-connecticut
File name: nissan.tmp
Signature: Quakbot
File size: 636'416 bytes
First seen: 2022-11-15 12:38:04 UTC
Last seen: 2022-11-15 14:49:05 UTC
File type: DLL
MIME type: application/x-dosexec
imphash 16a005db1a5d5224502118b798d4ad48 (6 x Quakbot)
ssdeep 12288:+Wd5j2OjX3bnp68a92ckM2MLt0tcETKvnp1Rau4Vvqs9sjW:+W5jHr7cV2xTOpkVvxo
Threatray 1'778 similar samples on MalwareBazaar
TLSH T154D4AE0AD9F54F8BDC375AB80EB7DC2819AF87B03306A47F260EA3553D0526853D2796
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter proxylife
Tags: 1668492308 BB06 dll Qakbot Quakbot

Intelligence


File Origin
# of uploads: 2
# of downloads: 229
Origin country: IE
Vendor Threat Intelligence
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating synchronization primitives
Launching a process
Sending a custom TCP request
Searching for synchronization primitives
Modifying an executable file
Creating a window
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Run temp file via regsvr32
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph:
Behavior Graph ID: 746463
Sample: nissan.tmp.dll
Startdate: 15/11/2022
Architecture: WINDOWS
Score: 88
Network contacts: 94.63.65.146 (VODAFONE-PT, Portugal); 123.3.240.16 (VOCUS-RETAIL-AU, Australia); 98 other IPs or domains
Sample-level signatures: Multi AV Scanner detection for submitted file; Yara detected Qbot; Sigma detected: Run temp file via regsvr32; 2 other signatures
Process tree (signatures in brackets):
  loaddll32.exe [Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Writes to foreign memory regions; Allocates memory in foreign processes; Maps a DLL or memory area into another process]
    rundll32.exe [Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Writes to foreign memory regions; Allocates memory in foreign processes]
      wermgr.exe (dropped: C:\Users\user\Desktop\nissan.tmp.dll, PE32)
    cmd.exe
      rundll32.exe [Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Writes to foreign memory regions; Allocates memory in foreign processes; Maps a DLL or memory area into another process]
        wermgr.exe
    regsvr32.exe [Maps a DLL or memory area into another process]
      wermgr.exe
    2 other processes
Threat name:
Win32.Backdoor.Quakbot
Status:
Malicious
First seen:
2022-11-15 12:39:07 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:qakbot botnet:bb06 campaign:1668492308 banker stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Qakbot/Qbot
Malware Config
C2 Extraction:
49.175.72.56:443
81.229.117.95:2222
47.41.154.250:443
69.133.162.35:443
84.35.26.14:995
68.47.128.161:443
156.217.219.147:995
87.65.160.87:995
174.101.111.4:443
82.127.174.33:2222
91.169.12.198:32100
24.28.121.122:443
157.231.42.190:995
90.89.95.158:2222
74.33.84.227:443
24.64.114.59:2222
80.13.179.151:2222
64.207.237.118:443
24.206.27.39:443
170.253.25.35:443
151.30.53.233:443
86.225.214.138:2222
76.80.180.154:995
24.142.218.202:443
67.10.175.47:2222
90.104.22.28:2222
105.103.27.80:32103
80.0.74.165:443
142.161.27.232:2222
108.6.249.139:443
47.34.30.133:443
92.207.132.174:2222
172.117.139.142:995
137.186.193.226:3389
184.153.132.82:443
74.66.134.24:443
105.184.161.242:443
94.63.65.146:443
70.64.77.115:443
92.189.214.236:2222
58.247.115.126:995
100.16.107.117:443
2.84.98.228:2222
109.11.175.42:2222
193.92.233.183:995
174.0.224.214:443
172.90.139.138:2222
102.157.73.215:995
82.31.37.241:443
58.162.223.233:443
81.129.134.53:443
91.165.188.74:50000
87.223.80.45:443
46.177.99.230:995
180.151.104.143:443
174.77.209.5:443
157.231.42.190:443
24.49.232.96:443
73.165.119.20:443
82.41.186.124:443
213.91.235.146:443
50.68.204.71:443
99.229.146.120:443
193.3.19.137:443
73.36.196.11:443
24.116.45.121:443
76.80.180.154:993
199.83.165.233:443
41.96.224.19:443
86.133.237.3:443
85.59.61.52:2222
98.30.233.14:443
98.145.23.67:443
24.49.232.96:995
27.110.134.202:995
173.239.94.212:443
50.68.204.71:995
176.142.207.63:443
75.99.125.238:2222
90.221.5.105:443
64.123.103.123:443
79.37.204.67:443
76.68.34.167:2222
84.209.52.11:443
78.69.251.252:2222
76.127.192.23:443
149.126.159.224:443
77.126.81.208:443
186.64.67.39:443
123.3.240.16:995
70.50.3.214:2222
190.24.45.24:995
92.106.70.62:2222
24.228.132.224:2222
84.113.121.103:443
75.143.236.149:443
170.249.59.153:443
75.98.154.19:443
74.92.243.113:50000
174.104.184.149:443
200.233.108.153:995
190.18.236.175:443
76.9.168.249:443
92.109.39.207:443
190.78.64.132:993
131.106.168.223:443
2.88.219.187:443
79.92.15.6:443
73.88.173.113:443
94.70.37.145:2222
70.121.198.103:2078
174.115.87.57:443
82.154.201.177:443
41.109.78.231:995
209.171.163.72:995
72.82.136.90:443
200.93.14.206:2222
Unpacked files
SHA256 hash:
fc93bb224d1fc600b8ca8b6cf7900901f855ff9dae4695d3b39e2989a6edd72b
MD5 hash:
97de71fb520f677e5ffedf2f08dfef83
SHA1 hash:
14abcf98fa79c74b1e1084729b9fb34a4ccf6a83
SHA256 hash:
55b540eb424578a0b932cbea767a6f0610c4e776391d8f57c4e146fce06001ea
MD5 hash:
3641e68f53c7d373aae745997a14e5bc
SHA1 hash:
29b53ed69c5f650a1f9cb84aaf5d08b2331f8a3e
Detections:
Qakbot win_qakbot_auto
SHA256 hash:
2cb8f04d41fe34706ff61cba06788faaaca87494721fcf8e86d20b897890a3b1
MD5 hash:
cab39f756b7ab98d799939819a248b54
SHA1 hash:
224e0ee45b5de31d75a8870c7936d85b311374c5
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:QakBot
Author:kevoreilly
Description:QakBot Payload
Rule name:unpacked_qbot
Description:Detects unpacked or memory-dumped QBot samples
Rule name:win_qakbot_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.
Rule name:win_qakbot_malped
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments