MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f6ae770a5d56ed8a2cfe262e196363b5c80e58468c66ff36cdf9c75306c2c55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2f6ae770a5d56ed8a2cfe262e196363b5c80e58468c66ff36cdf9c75306c2c55
SHA3-384 hash: 07da7c40ce340a2a4acfc5203584053a91d141ec0f7b08ed8e4d33be88becb0a9393fe1878984bf02abec4f368809044
SHA1 hash: ee3ead69ec6801721cde4ca6480f30ecff948c08
MD5 hash: 179d4849f8d096122d05de3c7bebb4bd
humanhash: berlin-nebraska-mobile-magazine
File name:batteryacid.dat
Download: download sample
Signature Quakbot
Create hunting rule
File size:508'020 bytes
First seen:2023-06-06 21:38:43 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 8e0a1f2284a5f7dab96c697a66241e4a (1 x Quakbot)
ssdeep 12288:W5XwIjvPgzGgQChM5u/7hIYArytfqYsgzelZ7CPZUeQ58:njhhArytfqYsgalZWPRQ58
TLSH T1B9B4D011E782D0F2C0AA1076916B6A275AF94B311735D9F7B7B14E2E8F217D01A7E3C2
TrID 39.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.5% (.SCR) Windows screen saver (13097/50/3)
13.3% (.EXE) Win64 Executable (generic) (10523/12/4)
8.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter pr0xylife
Tags:1685959443 BB31 dll Qakbot Quakbot

Intelligence

File Origin
# of uploads :
1
# of downloads :
360
Origin country :
IE IE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/396268/
Detection(s):
SecuriteInfo.com.HEUR.Trojan-Banker.Win32.Qbot.gen.6425.18932.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed qbot
Link:
https://www.filescan.io/uploads/647fa7767798c0cc4acd5229/reports/8fe77d22-de33-463d-a141-92a98bda3184/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/2f6ae770a5d56ed8a2cfe262e196363b5c80e58468c66ff36cdf9c75306c2c55
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2034b7ba-5ac7-410f-a6eb-79adada59b4f
Result
Threat name:
Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1249863
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sample uses string decryption to hide its real strings
Sigma detected: Execute DLL with spoofed extension
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 882879 Sample: batteryacid.dat.dll Startdate: 06/06/2023 Architecture: WINDOWS Score: 100 32 89.115.200.234 VODAFONE-PTVodafonePortugalPT Portugal 2->32 34 123.3.240.16 VOCUS-RETAIL-AUVocusRetailAU Australia 2->34 36 96 other IPs or domains 2->36 44 Found malware configuration 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 Yara detected Qbot 2->48 50 3 other signatures 2->50 8 loaddll32.exe 1 2->8         started        signatures3 process4 process5 10 rundll32.exe 8->10         started        13 cmd.exe 1 8->13         started        15 rundll32.exe 8->15         started        17 8 other processes 8->17 signatures6 52 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 10->52 54 Writes to foreign memory regions 10->54 56 Allocates memory in foreign processes 10->56 58 Injects a PE file into a foreign processes 10->58 19 wermgr.exe 8 14 10->19         started        22 rundll32.exe 13->22         started        24 WerFault.exe 24 9 15->24         started        26 WerFault.exe 9 17->26         started        28 WerFault.exe 9 17->28         started        30 WerFault.exe 2 9 17->30         started        process7 dnsIp8 38 92.184.102.115, 2078 FranceTelecom-OrangeFR France 19->38 40 74.14.39.7, 2222, 49722, 49723 BACOMCA Canada 19->40 42 2 other IPs or domains 19->42
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2f6ae770a5d56ed8a2cfe262e196363b5c80e58468c66ff36cdf9c75306c2c55/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2023-06-06 18:20:00 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f5voo4ff2vxnriwp4jrodfrwhnoibzmenddg743m36ohkmdmfrkq._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/230606-1hlamagd3x/
Behaviour
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
56c5533fccf74c9347b30a1219ff5163fd41322db620c40b20d4498b748879b5
MD5 hash:
3a55be5e230de73c303065773b69f0d9
SHA1 hash:
643911ffb9ab33961d1e2df752fe6dab339944e0
Detections:
Qakbot
Create hunting rule
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/a1c6d007-0ce9-4bb0-9a67-9dfaf3b58754/
SH256 hash:
2f6ae770a5d56ed8a2cfe262e196363b5c80e58468c66ff36cdf9c75306c2c55
MD5 hash:
179d4849f8d096122d05de3c7bebb4bd
SHA1 hash:
ee3ead69ec6801721cde4ca6480f30ecff948c08
Link:
https://www.unpac.me/results/a1c6d007-0ce9-4bb0-9a67-9dfaf3b58754/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2f6ae770a5d56ed8a2cfe262e196363b5c80e58468c66ff36cdf9c75306c2c55

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/396268/

Comments