MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3519642ddbd1b2a6654701ba0f6a624feaa52c198d93c9586e6b7ec1f0ac68ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3519642ddbd1b2a6654701ba0f6a624feaa52c198d93c9586e6b7ec1f0ac68ca
SHA3-384 hash: 1e64c9183ac3a4ff89f0d326e9af94504f97f03097eb87fd488063052ef91ff8c0aaf8d42f3ee2099b5b311411963288
SHA1 hash: 73301699042a4ffa75585fa5caf49489fb1e3c50
MD5 hash: 9947ee8e85f10d9733fe3613bcc4571b
humanhash: lithium-speaker-william-fillet
File name:3519642ddbd1b2a6654701ba0f6a624feaa52c198d93c9586e6b7ec1f0ac68ca
Download: download sample
Signature Quakbot
Create hunting rule
File size:723'568 bytes
First seen:2022-05-26 11:26:13 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash df2c97204ed982b8b3e7393fd2a71059 (7 x Quakbot)
ssdeep 12288:LD25c7bMl3XyN6VqX1bFJf44pnlG2LniEE2DY04zyHHsPNasifQu8z:H8Aw3CowXrJf44pnw2Ln1RY04uHHsPNp
Threatray 1'130 similar samples on MalwareBazaar
TLSH T198F4AF22E3D04C77C1772A789C2B7768A839BE112D7899C72BE42D4C4F3568136362B7
TrID 47.6% (.EXE) Win32 Executable Delphi generic (14182/79/4)
15.1% (.EXE) Win32 Executable (generic) (4505/5/1)
10.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter j_dubp
Tags:dll qbot Quakbot

Intelligence

File Origin
# of uploads :
1
# of downloads :
360
Origin country :
n/a
Vendor Threat Intelligence
Detection:
QakBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/274733/
Detection(s):
Win.Malware.Qbot-9943460-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Launching a process
Modifying an executable file
Searching for synchronization primitives
Creating a process with a hidden window
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe greyware keylogger overlay packed
Link:
https://www.filescan.io/uploads/628f63e5054dcf0ecaf15229/reports/fffc810a-6d35-421b-a3e7-f5e077eb3e8d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a06ea90d-5aec-4729-9a30-0457a72140eb
Result
Threat name:
CryptOne, Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1001070
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Found malware configuration
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Schedule system process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected CryptOne packer
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 633561 Sample: aamkogwc.dll Startdate: 24/05/2022 Architecture: WINDOWS Score: 100 64 Found malware configuration 2->64 66 Yara detected CryptOne packer 2->66 68 Yara detected Qbot 2->68 70 2 other signatures 2->70 9 loaddll32.exe 1 2->9         started        12 regsvr32.exe 2->12         started        14 regsvr32.exe 2->14         started        process3 signatures4 72 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 9->72 74 Injects code into the Windows Explorer (explorer.exe) 9->74 76 Writes to foreign memory regions 9->76 78 3 other signatures 9->78 16 explorer.exe 8 1 9->16         started        20 cmd.exe 1 9->20         started        22 regsvr32.exe 12->22         started        24 regsvr32.exe 14->24         started        process5 file6 48 C:\Users\user\Desktop\aamkogwc.dll, PE32 16->48 dropped 52 Uses cmd line tools excessively to alter registry or file data 16->52 54 Uses schtasks.exe or at.exe to add and modify task schedules 16->54 26 schtasks.exe 1 16->26         started        28 rundll32.exe 20->28         started        56 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 22->56 58 Injects code into the Windows Explorer (explorer.exe) 22->58 60 Writes to foreign memory regions 22->60 62 3 other signatures 22->62 31 explorer.exe 8 2 22->31         started        signatures7 process8 signatures9 33 conhost.exe 26->33         started        80 Contains functionality to detect sleep reduction / modifications 28->80 35 WerFault.exe 20 9 28->35         started        82 Uses cmd line tools excessively to alter registry or file data 31->82 38 reg.exe 1 1 31->38         started        40 reg.exe 1 1 31->40         started        42 conhost.exe 31->42         started        process10 dnsIp11 50 192.168.2.1 unknown unknown 35->50 44 conhost.exe 38->44         started        46 conhost.exe 40->46         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3519642ddbd1b2a6654701ba0f6a624feaa52c198d93c9586e6b7ec1f0ac68ca/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-05-25 05:40:29 UTC
File Type:
PE (Dll)
Extracted files:
62
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gumwilo32gzkmzkhag5a62tcj7vkklazrwj4swdonn7md4fmndfa._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
1a5df6cc0523aa65780ac5565fe19fee7d2473ee8402857af04125bd36f449b2
Quakbot
3f177ea2417a396dcfb2bca475c0680848980f412a3efc8693a46a8cb8eeeaca
Quakbot
4655f8ceab36ab8e2e91e038b4fad864c5e08f8fdde8d9889aab4c447fdc5264
Quakbot
6ffe6cc4040d5b57a7d45764c361f671025a82261b5f653233687acd27c1a805
Quakbot
aff35e96af3100894ce8e080804e647ef3396e2d66ba04b393052545483d4d71
Quakbot
d2c969098c9a689728a5f5ac942fa4f75c88738d0367d471276ac4c470504ded
Quakbot
+ 1'120 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot botnet:aa campaign:1652710567 banker stealer trojan
Link:
https://tria.ge/reports/220526-nkd8wabaa6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Program crash
Loads dropped DLL
Qakbot/Qbot
Malware Config
C2 Extraction:
79.129.121.68:995
173.174.216.62:443
217.128.122.65:2222
187.16.64.194:2222
70.51.137.64:2222
186.90.153.162:2222
177.157.156.136:443
173.22.32.101:443
75.99.168.194:61201
197.164.163.81:993
86.98.208.214:2222
46.107.48.202:443
93.48.80.198:995
47.23.89.60:993
181.208.248.227:443
100.1.108.246:443
201.172.23.68:2222
90.120.65.153:2078
72.252.157.172:990
72.252.157.172:995
76.70.9.169:2222
92.132.172.197:2222
148.0.15.41:443
72.76.94.99:443
73.151.236.31:443
144.202.2.175:443
45.63.1.12:995
45.63.1.12:443
149.28.238.199:995
140.82.63.183:995
45.76.167.26:995
45.76.167.26:443
149.28.238.199:443
140.82.63.183:443
144.202.3.39:443
144.202.3.39:995
144.202.2.175:995
108.60.213.141:443
80.11.74.81:2222
201.1.202.82:32101
179.145.13.69:32101
189.26.55.114:443
172.115.177.204:2222
70.46.220.114:443
24.178.196.158:2222
103.246.242.202:443
176.67.56.94:443
111.125.245.118:995
146.66.139.14:443
24.139.72.117:443
91.177.173.10:995
39.49.31.161:995
197.89.12.59:443
124.40.244.118:2222
208.107.221.224:443
24.55.67.176:443
37.186.54.254:995
94.36.195.102:2222
196.203.37.215:80
40.134.246.185:995
67.209.195.198:443
140.82.49.12:443
187.207.131.50:61202
2.34.12.8:443
81.129.112.49:2078
174.69.215.101:443
74.14.7.71:2222
32.221.224.140:995
5.32.41.45:443
38.70.253.226:2222
39.44.66.76:995
203.122.46.130:443
84.241.8.23:32103
148.64.96.100:443
37.210.158.242:2222
179.158.105.44:443
172.114.160.81:995
2.50.4.57:443
182.191.92.203:995
120.150.218.241:995
117.248.109.38:21
41.228.22.180:443
75.99.168.194:443
37.34.253.233:443
69.14.172.24:443
103.107.113.82:443
76.23.237.163:995
109.12.111.14:443
89.86.33.217:443
120.61.2.22:443
1.161.100.47:443
1.161.100.47:995
46.103.186.43:995
39.52.7.77:995
43.248.68.33:2222
45.46.53.140:2222
173.21.10.71:2222
121.7.223.59:2222
96.37.113.36:993
200.109.56.159:2222
122.118.146.205:995
47.157.227.70:443
37.208.129.81:6883
189.146.41.43:443
102.182.232.3:995
67.165.206.193:993
76.25.142.196:443
41.84.232.77:995
106.51.48.170:50001
131.0.196.234:443
197.162.117.38:995
5.193.138.70:2222
191.99.191.28:443
186.105.116.20:443
39.44.223.101:995
109.228.220.196:443
183.82.103.213:443
78.172.99.29:443
102.65.62.196:443
103.73.101.14:995
188.50.2.220:995
103.139.242.57:990
85.246.82.244:443
187.149.227.152:443
201.142.133.198:443
187.208.122.239:443
187.213.18.52:22
190.252.242.69:443
63.143.92.99:995
68.204.7.158:443
82.152.39.39:443
31.215.102.193:2078
217.165.147.77:993
89.101.97.139:443
82.41.63.217:443
86.190.159.132:443
39.41.194.45:995
121.74.167.191:995
115.164.63.113:443
86.97.247.101:2222
217.164.119.236:1194
41.84.248.225:443
189.253.111.196:443
86.195.158.178:2222
86.97.8.200:443
83.110.88.196:443
118.172.251.136:443
41.38.167.179:995
58.105.167.36:50000
128.106.123.187:443
Unpacked files
SH256 hash:
967bdb64c01a904860bb4577c8716dbd79bf205dbbb6ea3950c08c7713b53613
MD5 hash:
249994002d28ecead0f912da22f6cba9
SHA1 hash:
cb102d215fd97f298b3f2df26837e7b28058f014
Detections:
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/720714a1-2690-4fb9-9aea-524ef32f5d1d/
Parent samples :
d2c969098c9a689728a5f5ac942fa4f75c88738d0367d471276ac4c470504ded
aff35e96af3100894ce8e080804e647ef3396e2d66ba04b393052545483d4d71
3519642ddbd1b2a6654701ba0f6a624feaa52c198d93c9586e6b7ec1f0ac68ca
SH256 hash:
0661d585a44783dbec3a92b9059f866bb4959f8607cdea334840501dbf312d09
MD5 hash:
1b04ec95b835fa766be7f23270abea02
SHA1 hash:
379bab458e36c4e78534b9e515e5f9e878be072b
Link:
https://www.unpac.me/results/720714a1-2690-4fb9-9aea-524ef32f5d1d/
SH256 hash:
3519642ddbd1b2a6654701ba0f6a624feaa52c198d93c9586e6b7ec1f0ac68ca
MD5 hash:
9947ee8e85f10d9733fe3613bcc4571b
SHA1 hash:
73301699042a4ffa75585fa5caf49489fb1e3c50
Link:
https://www.unpac.me/results/720714a1-2690-4fb9-9aea-524ef32f5d1d/
Malware family:
CryptOne
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3519642ddbd1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3519642ddbd1b2a6654701ba0f6a624feaa52c198d93c9586e6b7ec1f0ac68ca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:QakBot
Create hunting rule
Author:kevoreilly
Description:QakBot Payload
Rule name:win_qakbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/274733/

Comments