MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3342af99da4de649883731204304827d019dcb215a150d090c7f6dfef7bf4b91. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3342af99da4de649883731204304827d019dcb215a150d090c7f6dfef7bf4b91
SHA3-384 hash: de7d0d86c5ae809cbfed3070479be272ea86961d9caa0ce3b74ee2621d86fed029eb556038d852c870a8de4e25887389
SHA1 hash: 06016f1406caef27dfb0d497ce6a66faa8e8480a
MD5 hash: 7b6c782117efe6572f9d1c224a3ad4ce
humanhash: magazine-black-eleven-king
File name:bla.dll
Download: download sample
Signature Quakbot
Create hunting rule
File size:761'344 bytes
First seen:2022-10-06 07:54:00 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 9fc5700f82859d524c68c279be8dc005 (11 x Quakbot)
ssdeep 12288:zxnt9hlMvNICAY0KEkAOl7G79/EXjGOyw3MW:tt9+JFEkAmGwj26M
Threatray 1'477 similar samples on MalwareBazaar
TLSH T19FF4AF33A2E14877D1621A7CDD3B636C94267D003B2CE94B7FE41D4D9F3A680366A297
TrID 47.6% (.EXE) Win32 Executable Delphi generic (14182/79/4)
15.1% (.EXE) Win32 Executable (generic) (4505/5/1)
10.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter ankit_anubhav
Tags:dll obama209 Quakbot

Intelligence

File Origin
# of uploads :
1
# of downloads :
239
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/317154/
Detection(s):
SecuriteInfo.com.Variant.Zusy.439412.14708.13417.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Launching a process
DNS request
Searching for synchronization primitives
Modifying an executable file
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
80%
Tags:
keylogger
Link:
https://www.filescan.io/uploads/633e899b0d3d21420ccaa77d/reports/2bd6e04f-b8a1-4723-a663-5c218a39ca3d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d49f821b-612a-47e4-8482-e9cf2a6ad7f3
Result
Threat name:
CryptOne, Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1084727
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected CryptOne packer
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 717285 Sample: bla.dll Startdate: 06/10/2022 Architecture: WINDOWS Score: 100 25 Malicious sample detected (through community Yara rule) 2->25 27 Multi AV Scanner detection for submitted file 2->27 29 Yara detected CryptOne packer 2->29 31 3 other signatures 2->31 8 loaddll32.exe 1 2->8         started        process3 signatures4 35 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->35 37 Writes to foreign memory regions 8->37 39 Allocates memory in foreign processes 8->39 41 2 other signatures 8->41 11 cmd.exe 1 8->11         started        13 wermgr.exe 8 1 8->13         started        16 conhost.exe 8->16         started        process5 file6 18 rundll32.exe 11->18         started        23 C:\Users\user\Desktop\bla.dll, PE32 13->23 dropped process7 signatures8 33 Contains functionality to detect sleep reduction / modifications 18->33 21 WerFault.exe 20 9 18->21         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3342af99da4de649883731204304827d019dcb215a150d090c7f6dfef7bf4b91/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-10-06 07:54:10 UTC
File Type:
PE (Dll)
Extracted files:
38
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gnbk7go2jxtetcbxgeqegbecpuaz3szblikq2cimp5w75557joiq._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
305a3a87057732de16ae881a69182e79a84d5c5054d038e1c1cab3de4518c25c
Quakbot
470754664a7e32f09d0ce3b5d17446aaaa9363f3d4d387fe272e2435851a351e
Quakbot
595161418d4eae727175da894f9b6f3ec849834b79bc0162106943044fa01135
Quakbot
7777f5f15907b512286ed4758a02048a6674ad1b3d5056b866c4c823807dc6fc
Quakbot
7d9d70bdc53de103086dfc901004cfa2dc93fb25fb5c40109b63ba071107e40a
Quakbot
95f6e67cb136c2e2b798835a017b80d0979cb526121bfb89d89977d2d69fee0a
Quakbot
9e51a1d3598dfbd7ad11f96be2947550e64fe2e1c3a31ebf4b3bc79b9e85f86b
Quakbot
cb786f48cda7665e5dd07e80672e0c5facb6b6300335561327b95e58029ea376
Quakbot
ee334c9cc092acc0ba59caa04044b54ffe56bbdae54c74a561f837584cc08b1c
Quakbot
efd8c729d110e2374f5b445d501162fb8d798611aff72608e8bf86efaf092486
Quakbot
+ 1'467 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot banker stealer trojan
Link:
https://tria.ge/reports/221006-jrjdysgfe6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Program crash
Qakbot/Qbot
Malware Config
C2 Extraction:
15.114.17.14:1442
56.9.100.20:53368
88.117.146.12:40265
200.215.143.195:52771
134.133.152.217:5132
227.189.195.57:42370
76.219.151.168:17454
17.1.24.235:65225
217.27.142.33:46036
13.16.220.0:0
156.36.22.250:12263
73.225.210.175:40922
19.138.81.187:38748
191.101.43.136:10968
145.20.244.169:39814
74.30.254.35:15530
138.94.26.23:49965
218.175.98.133:15428
181.245.40.43:1982
24.10.174.212:30807
253.219.195.173:1546
51.182.7.163:21304
191.68.117.56:28754
246.29.132.217:16625
149.181.112.217:33637
136.20.21.112:41199
80.65.15.199:35765
0.222.227.111:63041
209.240.1.52:53226
66.57.60.202:19263
204.187.37.185:59783
177.172.2.9:36791
98.78.50.99:11939
11.5.197.37:32044
75.234.214.212:7741
49.66.110.196:42474
97.107.137.246:58239
0.141.208.192:39992
185.156.9.78:29812
219.151.188.60:3622
28.86.80.9:6038
138.226.185.49:25801
99.128.65.72:12277
90.175.231.93:54035
198.125.102.127:36652
148.215.17.55:16834
211.255.222.125:38939
198.140.91.23:0
Unpacked files
SH256 hash:
d7acf348906ff2c99c0aece101ae5a584c976a807c6eb7eee9895211a3342b1e
MD5 hash:
d844605cc0854b06a1e14f41d0ec4f85
SHA1 hash:
ea3c6ddc54d03ab7feddef4e1d3fd198008b0a28
Link:
https://www.unpac.me/results/58d5fbb8-f7fd-49da-89c7-5ca04509670c/
SH256 hash:
37ee19eaf0a3e1dee88152c3ba0673c6994e14648e381aba725e40e94337da86
MD5 hash:
0237cae59e3d959378452902faa2ccf8
SHA1 hash:
66ef4362f632fa43ac9d00107c5563b073bf9b03
Detections:
Qakbot
Create hunting rule
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/58d5fbb8-f7fd-49da-89c7-5ca04509670c/
Parent samples :
efd8c729d110e2374f5b445d501162fb8d798611aff72608e8bf86efaf092486
7777f5f15907b512286ed4758a02048a6674ad1b3d5056b866c4c823807dc6fc
305a3a87057732de16ae881a69182e79a84d5c5054d038e1c1cab3de4518c25c
7d9d70bdc53de103086dfc901004cfa2dc93fb25fb5c40109b63ba071107e40a
3342af99da4de649883731204304827d019dcb215a150d090c7f6dfef7bf4b91
83cff7b2be5afc02e034ba8bd454b50796d17bca904256821511413d3e67dc43
a4fc56488ac87078bc117c3ece094d50807f307033f1ae2af582e2b8f36c329e
SH256 hash:
3342af99da4de649883731204304827d019dcb215a150d090c7f6dfef7bf4b91
MD5 hash:
7b6c782117efe6572f9d1c224a3ad4ce
SHA1 hash:
06016f1406caef27dfb0d497ce6a66faa8e8480a
Link:
https://www.unpac.me/results/58d5fbb8-f7fd-49da-89c7-5ca04509670c/
Malware family:
QBot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3342af99da4d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.86
Link:
https://yomi.yoroi.company/submissions/3342af99da4de649883731204304827d019dcb215a150d090c7f6dfef7bf4b91

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:QakBot
Create hunting rule
Author:kevoreilly
Description:QakBot Payload
Rule name:unpacked_qbot
Create hunting rule
Description:Detects unpacked or memory-dumped QBot samples
Rule name:win_qakbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.
Rule name:win_qakbot_malped
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/317154/

Comments