MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e568648636c1fbb913e2ec44daa161127686b41adaaf076aa23534e85571e16. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2e568648636c1fbb913e2ec44daa161127686b41adaaf076aa23534e85571e16
SHA3-384 hash: d5b7dc22f0bb3079535ec3f21e57b73b97863a2fec525b1ca0ea6879c8a9cab71a0506fe881d124e3509250c0cc5b0ac
SHA1 hash: 6ead9880d493d016f4b454472b6a5c072c646220
MD5 hash: dd36a35ad1b505d254dd24f36a497bde
humanhash: butter-orange-two-foxtrot
File name:44686.6703287037.dat
Download: download sample
Signature Quakbot
Create hunting rule
File size:758'784 bytes
First seen:2022-05-05 14:10:34 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 1f323ccab9817929388091e1b9ddaddf (9 x Quakbot)
ssdeep 12288:b0tFRlN3qlI7Sq77ti3kKvKJPXWwvPiu0Q1acvZRz5Bt:bUzrOKfQUDZCw1RZRdBt
Threatray 1'020 similar samples on MalwareBazaar
TLSH T104F48E22A3D34836DD77163D8C5B93949825FD413D34DCFA2BE4EE6C8E39A403A1529B
TrID 59.1% (.EXE) InstallShield setup (43053/19/16)
19.4% (.EXE) Win32 Executable Delphi generic (14182/79/4)
6.1% (.EXE) Win32 Executable (generic) (4505/5/1)
4.1% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
2.8% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter pr0xylife
Tags:dll obama182 Qakbot Quakbot

Intelligence

File Origin
# of uploads :
1
# of downloads :
287
Origin country :
n/a
Vendor Threat Intelligence
Detection:
QakBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/268912/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Launching a process
Modifying an executable file
Searching for synchronization primitives
Creating a process with a hidden window
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe greyware hacktool keylogger packed remote.exe
Link:
https://www.filescan.io/uploads/6273db162b32b1c37c995731/reports/98990ace-81cf-462b-80aa-8279e8d99741/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d3805106-2aa0-49a9-a1b8-58919b00ed41
Result
Threat name:
CryptOne Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/988567
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Found malware configuration
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Schedule system process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected CryptOne packer
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 621067 Sample: 44686.6703287037.dat Startdate: 05/05/2022 Architecture: WINDOWS Score: 100 63 Found malware configuration 2->63 65 Yara detected CryptOne packer 2->65 67 Yara detected Qbot 2->67 69 2 other signatures 2->69 9 loaddll32.exe 1 2->9         started        12 regsvr32.exe 2->12         started        14 regsvr32.exe 2->14         started        process3 signatures4 71 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 9->71 73 Injects code into the Windows Explorer (explorer.exe) 9->73 75 Writes to foreign memory regions 9->75 77 2 other signatures 9->77 16 explorer.exe 8 1 9->16         started        20 cmd.exe 1 9->20         started        22 regsvr32.exe 12->22         started        24 regsvr32.exe 14->24         started        process5 file6 49 C:\Users\user\Desktop\44686.6703287037.dll, PE32 16->49 dropped 51 Uses cmd line tools excessively to alter registry or file data 16->51 53 Uses schtasks.exe or at.exe to add and modify task schedules 16->53 26 schtasks.exe 1 16->26         started        28 rundll32.exe 20->28         started        55 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 22->55 57 Injects code into the Windows Explorer (explorer.exe) 22->57 59 Writes to foreign memory regions 22->59 61 3 other signatures 22->61 31 explorer.exe 8 2 22->31         started        signatures7 process8 signatures9 33 conhost.exe 26->33         started        79 Maps a DLL or memory area into another process 28->79 81 Contains functionality to detect sleep reduction / modifications 28->81 35 WerFault.exe 23 9 28->35         started        37 explorer.exe 28->37         started        83 Uses cmd line tools excessively to alter registry or file data 31->83 39 reg.exe 1 1 31->39         started        41 reg.exe 1 1 31->41         started        43 conhost.exe 31->43         started        process10 process11 45 conhost.exe 39->45         started        47 conhost.exe 41->47         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2e568648636c1fbb913e2ec44daa161127686b41adaaf076aa23534e85571e16/
Threat name:
Win32.Trojan.BotX
Create hunting rule
Status:
Malicious
First seen:
2022-05-05 14:11:08 UTC
File Type:
PE (Dll)
Extracted files:
58
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fzlimsddnqp3xej6f3ce3kqwcetwq22bvwvpa5vkenju5bkxdyla._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
06cfccd728289970135c714172ed359fe1075af9f2852902998e3b49e75b2099
Quakbot
3b2eb2cd3cf0a65c1ff286c6c44bb06a30082a9d532832a28c9fca436d998f7e
Quakbot
532f5a32f685a1acdb7c0982bb4fd721852af1e9fb278bf5d0faa82a6741f3c8
Quakbot
67486db1b558b02235a0a8edaa7183ab707c3c8d12ec87231cd12445856e2398
Quakbot
790951787b259b98ea0f3b7face9c805643bd5e36b2d8a9d92d6d20a7107971b
Quakbot
b2836b4f7e90321048bbd5a6b6d61877efec98631d6357672fff9ff933f88253
Quakbot
c7c420b02b00e4a8abfb23baed70bfa3051821d5405f3183926768acd4517971
Quakbot
e941c28da1fca27de32514686e3c5dfa6fbc713764d16715bd285534bd983fd3
Quakbot
+ 1'010 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220505-rg9gdsahhl/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Program crash
Loads dropped DLL
Unpacked files
SH256 hash:
c5655c5f9a9aa83bc254d287d1859ae6708fc61c5565b4b6bdf1c609c5425c19
MD5 hash:
679840f58d00b06175547357f8c2985f
SHA1 hash:
d5c2de76e405e8993473a16da7a1a3d940e4e794
Link:
https://www.unpac.me/results/2408124f-e7bd-4db7-baa1-a7014fbec747/
SH256 hash:
931a012c14e0289cffd0ef48b433493e2b6d0fc4100e8e36ad1af9966e314286
MD5 hash:
aa20ad2e6405b98fc552282d089447e9
SHA1 hash:
a1b8f7721560ea8120e2da2e25d54ebd32b9c19b
Detections:
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/2408124f-e7bd-4db7-baa1-a7014fbec747/
Parent samples :
c7c420b02b00e4a8abfb23baed70bfa3051821d5405f3183926768acd4517971
b2836b4f7e90321048bbd5a6b6d61877efec98631d6357672fff9ff933f88253
e941c28da1fca27de32514686e3c5dfa6fbc713764d16715bd285534bd983fd3
2e568648636c1fbb913e2ec44daa161127686b41adaaf076aa23534e85571e16
b660a1f7a7d88cb931721e680c9911a28e83dbc6120eae3cd2875fad107206f4
454cab7d08e79574023d86735fbd87ea84a1e36af097e29fff4a54186269858a
1a5df6cc0523aa65780ac5565fe19fee7d2473ee8402857af04125bd36f449b2
c4e64cace2a3d08bcd96617d935bc90e204ba0b734c8b07f9a5039f2bbf80b49
44cfb6402b0f532e79f5ffde32fa0cdf402f880cca5d929c1f4cb03497690391
d762057dd5a76075f38baf15f8f453416cb5c446253a5aff0427f09a3755e302
3f177ea2417a396dcfb2bca475c0680848980f412a3efc8693a46a8cb8eeeaca
4655f8ceab36ab8e2e91e038b4fad864c5e08f8fdde8d9889aab4c447fdc5264
81e6b3957773675320a240ef080cf4a52e2fa72c66a60a716296b68121cefd06
SH256 hash:
2e568648636c1fbb913e2ec44daa161127686b41adaaf076aa23534e85571e16
MD5 hash:
dd36a35ad1b505d254dd24f36a497bde
SHA1 hash:
6ead9880d493d016f4b454472b6a5c072c646220
Link:
https://www.unpac.me/results/2408124f-e7bd-4db7-baa1-a7014fbec747/
Malware family:
CryptOne
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2e568648636c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2e568648636c1fbb913e2ec44daa161127686b41adaaf076aa23534e85571e16

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:QakBot
Create hunting rule
Author:kevoreilly
Description:QakBot Payload
Rule name:win_qakbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/268912/

Comments