MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35eb1ecf8e097e0495bb8dcc1ebf6132d1a248574814f9459228c87ab8069ded. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 35eb1ecf8e097e0495bb8dcc1ebf6132d1a248574814f9459228c87ab8069ded
SHA3-384 hash: dd9c7638dfb0b59aadf3e09ed77074f15a2ad4398c8fe28f4d9aae33ed88de690527875623e6feb8bcc846b47d9f3032
SHA1 hash: 70b3ad23b8674c721041c53e8485db9e65ae51f1
MD5 hash: 365ecfc2421b3c920e7b35190687895d
humanhash: west-nitrogen-mirror-single
File name:35eb1ecf8e097e0495bb8dcc1ebf6132d1a248574814f9459228c87ab8069ded
Download: download sample
Signature Quakbot
Create hunting rule
File size:613'228 bytes
First seen:2022-05-23 10:48:59 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 47d3bd4563954296ee69a5d38fd7bc7a (3 x Quakbot)
ssdeep 12288:7D3bxhaDahCvVUcbQTku++L/KqYcY5oeoqi5w0sifQuy3:7Llh3CvVUegIc1qiJi
Threatray 1'111 similar samples on MalwareBazaar
TLSH T17BD49E23B7908837D26315389D5B77B4A836BE403E755CC62BE41E4C5F393813ABA297
TrID 47.6% (.EXE) Win32 Executable Delphi generic (14182/79/4)
15.1% (.EXE) Win32 Executable (generic) (4505/5/1)
10.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 399998ecd4d46c0e (572 x Quakbot, 293 x GCleaner, 137 x ArkeiStealer)
Reporter proxylife
Tags:AA dll Qakbot Quakbot VALENTINA SP Z O O

Intelligence

File Origin
# of uploads :
1
# of downloads :
304
Origin country :
n/a
Vendor Threat Intelligence
Detection:
QakBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/273604/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Launching a process
Modifying an executable file
Creating a process with a hidden window
Sending a custom TCP request
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe greyware keylogger overlay qbot
Link:
https://www.filescan.io/uploads/628b66ac054dcf0ecae2aa0f/reports/ecfd1bfe-1c0f-4b05-82f3-24402fcb6ff0/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f7239a43-5027-43c7-917d-c1490912abc5
Result
Threat name:
CryptOne, Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/999688
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Found malware configuration
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Schedule system process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected CryptOne packer
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 632184 Sample: Cpif21OsaW Startdate: 23/05/2022 Architecture: WINDOWS Score: 100 61 Found malware configuration 2->61 63 Multi AV Scanner detection for submitted file 2->63 65 Yara detected CryptOne packer 2->65 67 4 other signatures 2->67 9 loaddll32.exe 1 2->9         started        12 regsvr32.exe 2->12         started        14 regsvr32.exe 2->14         started        process3 signatures4 69 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 9->69 71 Injects code into the Windows Explorer (explorer.exe) 9->71 73 Writes to foreign memory regions 9->73 75 3 other signatures 9->75 16 explorer.exe 8 1 9->16         started        20 cmd.exe 1 9->20         started        22 regsvr32.exe 12->22         started        24 regsvr32.exe 14->24         started        process5 file6 47 C:\Users\user\Desktop\Cpif21OsaW.dll, PE32 16->47 dropped 49 Uses cmd line tools excessively to alter registry or file data 16->49 51 Uses schtasks.exe or at.exe to add and modify task schedules 16->51 26 schtasks.exe 1 16->26         started        28 rundll32.exe 20->28         started        53 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 22->53 55 Injects code into the Windows Explorer (explorer.exe) 22->55 57 Writes to foreign memory regions 22->57 59 3 other signatures 22->59 31 explorer.exe 8 2 22->31         started        signatures7 process8 signatures9 33 conhost.exe 26->33         started        77 Contains functionality to detect sleep reduction / modifications 28->77 35 WerFault.exe 23 9 28->35         started        79 Uses cmd line tools excessively to alter registry or file data 31->79 37 reg.exe 1 1 31->37         started        39 reg.exe 1 1 31->39         started        41 conhost.exe 31->41         started        process10 process11 43 conhost.exe 37->43         started        45 conhost.exe 39->45         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/35eb1ecf8e097e0495bb8dcc1ebf6132d1a248574814f9459228c87ab8069ded/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-05-23 10:50:10 UTC
File Type:
PE (Dll)
Extracted files:
38
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gxvr5t4obf7ajfn3rxgb5p3bgli2escxjakpsrmsfdehvoagtxwq._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
06cfccd728289970135c714172ed359fe1075af9f2852902998e3b49e75b2099
Quakbot
28b57b028cdb6556ee8d180ae990022f887f3194a749b1948c522e48d3e06fec
Quakbot
4ae4b557d53199a33e8273f5fbc5007fb4b981a0687640d0282023f58fe3838f
Quakbot
656cbbf5c06e2fdc9c1dbed574568a4e1502ea08733081c8aa89e752c53dfd0f
Quakbot
76209c7f60db832e93bdd6e68bcb2aaff914d2094f7db636e8aa19d4f43f40ea
Quakbot
aff35e96af3100894ce8e080804e647ef3396e2d66ba04b393052545483d4d71
Quakbot
d2c969098c9a689728a5f5ac942fa4f75c88738d0367d471276ac4c470504ded
Quakbot
f8f1e802ba50a82412132f70e3094abcdc99f3daf55355a6e8639f4d23e09196
Quakbot
+ 1'101 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot botnet:aa campaign:1653295661 banker stealer trojan
Link:
https://tria.ge/reports/220523-mwne9achh6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Program crash
Loads dropped DLL
Qakbot/Qbot
Malware Config
C2 Extraction:
2.50.4.57:443
24.178.196.158:2222
91.177.173.10:995
187.207.131.50:61202
81.129.112.49:2078
124.40.244.118:2222
176.67.56.94:443
140.82.49.12:443
86.97.11.30:443
108.60.213.141:443
84.241.8.23:32103
202.134.152.2:2222
39.44.66.76:995
39.44.62.55:995
197.87.182.35:443
67.209.195.198:443
182.191.92.203:995
39.52.77.102:995
103.116.178.85:995
2.34.12.8:443
217.165.109.187:993
148.64.96.100:443
197.94.85.72:443
121.7.223.59:2222
37.208.155.29:6883
37.34.253.233:443
82.152.39.39:443
90.120.65.153:2078
179.145.13.69:32101
45.241.222.104:993
1.161.122.145:443
75.99.168.194:443
37.186.54.254:995
175.145.235.37:443
93.48.80.198:995
75.99.168.194:61201
80.11.74.81:2222
183.82.103.213:443
47.23.89.60:993
39.41.249.181:995
173.174.216.62:443
78.101.84.56:2222
173.21.10.71:2222
74.14.5.179:2222
103.246.242.202:443
92.132.172.197:2222
217.128.122.65:2222
72.27.86.98:443
186.90.153.162:2222
120.150.218.241:995
78.180.86.123:443
172.114.160.81:995
148.0.15.41:443
69.14.172.24:443
32.221.224.140:995
70.46.220.114:443
46.107.48.202:443
2.50.137.155:443
86.98.208.214:2222
144.202.2.175:443
144.202.3.39:443
45.76.167.26:443
140.82.63.183:995
45.63.1.12:995
45.76.167.26:995
140.82.63.183:443
144.202.2.175:995
149.28.238.199:443
45.63.1.12:443
144.202.3.39:995
149.28.238.199:995
76.25.142.196:443
210.246.4.69:995
117.248.109.38:21
180.129.108.214:995
67.165.206.193:993
45.46.53.140:2222
73.151.236.31:443
174.69.215.101:443
85.246.82.244:443
208.107.221.224:443
82.41.63.217:443
79.80.80.29:2222
217.164.117.199:1194
196.203.37.215:80
41.228.22.180:443
41.84.238.50:995
111.125.245.118:995
120.61.2.124:443
38.70.253.226:2222
106.51.48.170:50001
187.172.219.103:443
89.137.52.44:443
109.12.111.14:443
76.70.9.169:2222
179.158.105.44:443
39.49.23.236:995
72.66.116.235:995
125.168.47.127:2222
172.115.177.204:2222
190.36.232.221:2222
190.252.242.69:443
187.208.122.239:443
101.50.67.212:995
72.76.94.99:443
181.208.248.227:443
47.156.131.10:443
70.51.138.133:2222
40.134.246.185:995
100.1.108.246:443
24.139.72.117:443
189.223.134.157:443
46.176.192.130:995
72.252.157.93:990
201.172.23.68:2222
72.252.157.93:995
189.253.111.196:443
200.148.9.225:32101
72.252.157.93:993
191.250.188.54:443
187.16.64.193:2222
102.182.232.3:995
186.105.119.233:443
24.55.67.176:443
79.129.121.68:995
86.195.158.178:2222
217.164.117.199:2222
125.24.193.41:443
118.161.37.101:995
89.86.33.217:443
47.157.227.70:443
103.107.113.83:443
41.38.167.179:995
113.89.6.31:995
41.84.233.96:443
203.122.46.130:443
197.165.163.159:995
67.69.166.79:2222
81.215.196.174:443
63.143.92.99:995
187.251.132.144:22
68.204.7.158:443
177.157.156.136:443
194.36.28.62:443
5.32.41.45:443
5.193.138.70:2222
173.22.32.101:443
94.36.195.102:2222
76.23.237.163:995
96.37.113.36:993
Unpacked files
SH256 hash:
9e31c836849a31be4cea0b17cda9745251d311aca709bc07019c6a667a38aa44
MD5 hash:
f5507bcd98d8593dba4ad3e47669af4c
SHA1 hash:
bfcdf0bab6ed19edaee42df410a6f015d6a658fb
Link:
https://www.unpac.me/results/b88ffce6-7c8b-4207-9b50-1da26e009d53/
SH256 hash:
985254c18178d7d1d50b51549b5365273db3a286a8c03955cd02f977080f0b97
MD5 hash:
019117f66e43de489b3ff56377f9907b
SHA1 hash:
4fc8cd21b51034e3ca5e21e7975769257ea591a5
Detections:
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/b88ffce6-7c8b-4207-9b50-1da26e009d53/
Parent samples :
35eb1ecf8e097e0495bb8dcc1ebf6132d1a248574814f9459228c87ab8069ded
22c107e74ac92a9269c28b9184cc718d772be469f590ad6c069ffcc53dc2cca3
69700dfbcbe60d5b9085ca551ca1fe25556b9e78db8bca5125380bf6aba6a690
ed67b3bed0f3b27b49bcd90d7786901ffc9e31e687aa2ddc5155e1fd319236b0
12ae550976ca06b70100dc99473e0accd3320bb5c21278efc278f079e3eecae0
f50cc756ef93c314d733c65425c5a4adb98413d8176867b5bbfcaa41fc05b07f
60c225589579f7667684deff14c30d16c2f14c7c98fbd25b8ab36af7dab019a7
SH256 hash:
35eb1ecf8e097e0495bb8dcc1ebf6132d1a248574814f9459228c87ab8069ded
MD5 hash:
365ecfc2421b3c920e7b35190687895d
SHA1 hash:
70b3ad23b8674c721041c53e8485db9e65ae51f1
Link:
https://www.unpac.me/results/b88ffce6-7c8b-4207-9b50-1da26e009d53/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/35eb1ecf8e097e0495bb8dcc1ebf6132d1a248574814f9459228c87ab8069ded

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:QakBot
Create hunting rule
Author:kevoreilly
Description:QakBot Payload
Rule name:win_qakbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/273604/

Comments