MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3603edd9bba069c5a26d1a88fae7ba22d7cdfc876f6d7524f4807878ba888fba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3603edd9bba069c5a26d1a88fae7ba22d7cdfc876f6d7524f4807878ba888fba
SHA3-384 hash: cbe73fe6dc415cfb165b44a355227c9d9ec95525729a012a9f0aeea827a188077ab6f9fa17682e5976b30acbaf632d8d
SHA1 hash: 6fefd43b0548c4fe564f6bd724cdaff3d5a52d8a
MD5 hash: dbd792f916c340ba9645e6f36528a489
humanhash: queen-table-delta-kitten
File name:2.dll
Download: download sample
Signature Quakbot
Create hunting rule
File size:1'261'033 bytes
First seen:2022-04-13 10:04:05 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash b6ae7dc3cef2f202348b0723e309755e (5 x Quakbot)
ssdeep 24576:mC4A6JgoHbipiJfTczv8ojLBV4+1fTp6yCQgi3n8u+bPK5azHuC:mj
Threatray 458 similar samples on MalwareBazaar
TLSH T1F345B0B875047DD6E66E067BDE96ACDD13B6363289C7A9CD4066BBC30963332EE01C05
Reporter JAMESWT_WT
Tags:dll Qakbot Quakbot

Intelligence

File Origin
# of uploads :
1
# of downloads :
337
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/263395/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.50119070.14661.7382.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for synchronization primitives
Launching a service
Creating a file
Sending a custom TCP request
DNS request
Launching a process
Сreating synchronization primitives
Creating a window
Sending a UDP request
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay
Link:
https://www.filescan.io/uploads/6256a056ffe27d5119c06180/reports/5c0984b3-d569-47da-a8bf-dc9b68783c75/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/05a17124-5a36-433a-acfd-262d9ec5870e
Result
Threat name:
Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/976089
Signature
Allocates memory in foreign processes
Found malware configuration
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Suspicious Call by Ordinal
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 608576 Sample: 2.dll Startdate: 13/04/2022 Architecture: WINDOWS Score: 88 32 Found malware configuration 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 Yara detected Qbot 2->36 38 Sigma detected: Suspicious Call by Ordinal 2->38 8 loaddll32.exe 1 2->8         started        process3 signatures4 40 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->40 42 Injects code into the Windows Explorer (explorer.exe) 8->42 44 Writes to foreign memory regions 8->44 46 2 other signatures 8->46 11 regsvr32.exe 8->11         started        14 cmd.exe 1 8->14         started        16 rundll32.exe 8->16         started        18 3 other processes 8->18 process5 signatures6 48 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 11->48 50 Injects code into the Windows Explorer (explorer.exe) 11->50 52 Writes to foreign memory regions 11->52 54 2 other signatures 11->54 20 explorer.exe 8 1 11->20         started        22 rundll32.exe 14->22         started        24 WerFault.exe 2 9 16->24         started        26 WerFault.exe 9 18->26         started        28 WerFault.exe 9 18->28         started        process7 process8 30 WerFault.exe 23 9 22->30         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3603edd9bba069c5a26d1a88fae7ba22d7cdfc876f6d7524f4807878ba888fba/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-04-13 10:05:09 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gyb63wn3ubu4litndkepvz52ell437ehn5wxkjhuqb4hrouir65a._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
223dc6a91cb23a998fac9b41861fedb015ea53092c6de46b64da81316315c558
Quakbot
509553272b0a639d2bcd41e5358be61f4caad435bcdac1cb02fa825034068009
Quakbot
6d8ef65670101ecf342152a34ae4b17784186759686c0e5eb631a9fa47315647
Quakbot
795dfd11462e52d90eff5777f2842e503bb352441e86877e1822708631fab34c
Quakbot
df8d431b3d7193b0d0d6667b269ef1b2431086343bf86a41c3a2a2488d9f1567
Quakbot
f2f87129d1786fd86f0ec659457aae0e186c023a19f63d207c17b28dc63ae2e9
Quakbot
f696d06d6579ee33cf8be2987f292370abe1b4b64a0d88631f5860f451e87320
Quakbot
f6e7187a8e0aa202fe89008b5a5cc5e99dc5c3aaede7213283cae41dc7cb3ebc
Quakbot
fe736c1118633748586090fdf6c8df78355d622b636b32792798f2ce00f66069
Quakbot
+ 448 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot botnet:aa campaign:1649660590 banker stealer trojan
Link:
https://tria.ge/reports/220413-l4g3rsecb9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Qakbot/Qbot
Malware Config
C2 Extraction:
41.228.22.180:443
47.23.89.62:995
176.67.56.94:443
103.107.113.120:443
148.64.96.100:443
47.180.172.159:443
181.118.183.98:443
140.82.49.12:443
103.87.95.133:2222
96.21.251.127:2222
197.167.62.14:993
46.107.48.202:443
24.43.99.75:443
172.115.177.204:2222
80.11.74.81:2222
66.98.42.102:443
75.99.168.194:61201
173.174.216.62:443
45.9.20.200:443
39.41.158.185:995
187.207.48.194:61202
41.84.237.10:995
93.48.80.198:995
105.226.83.196:995
144.202.2.175:443
45.76.167.26:995
144.202.3.39:443
144.202.3.39:995
140.82.63.183:443
45.63.1.12:995
140.82.63.183:995
144.202.2.175:995
45.63.1.12:443
149.28.238.199:443
45.76.167.26:443
149.28.238.199:995
47.180.172.159:50010
71.13.93.154:2222
86.98.33.141:443
31.35.28.29:443
113.11.89.165:995
175.145.235.37:443
117.248.109.38:21
94.59.138.62:2222
32.221.224.140:995
5.95.58.211:2087
81.215.196.174:443
176.88.238.122:995
94.59.138.62:1194
92.132.172.197:2222
70.46.220.114:443
78.87.206.213:995
197.89.108.252:443
39.44.144.159:995
176.205.119.81:2078
91.177.173.10:995
72.76.94.99:443
24.178.196.158:2222
1.161.71.109:995
172.114.160.81:995
173.21.10.71:2222
1.161.71.109:443
86.97.11.43:443
217.128.122.65:2222
86.98.33.141:995
203.122.46.130:443
89.211.181.64:2222
37.186.54.254:995
86.98.208.214:2222
83.110.75.97:2222
202.134.152.2:2222
120.150.218.241:995
45.46.53.140:2222
180.129.102.214:995
217.164.210.192:443
217.165.147.83:993
84.241.8.23:32103
180.183.128.80:2222
74.15.2.252:2222
76.70.9.169:2222
47.23.89.62:993
75.113.214.234:2222
208.107.221.224:443
76.169.147.192:32103
190.73.3.148:2222
76.69.155.202:2222
96.29.208.97:443
108.60.213.141:443
75.99.168.194:443
182.191.92.203:995
73.151.236.31:443
38.70.253.226:2222
39.52.75.201:995
121.74.167.191:995
201.211.64.196:2222
71.74.12.34:443
191.99.191.28:443
85.246.82.244:443
101.50.103.193:995
182.253.189.74:2222
67.209.195.198:443
90.120.65.153:2078
37.34.253.233:443
96.37.113.36:993
181.62.0.59:443
41.38.167.179:995
197.205.127.234:443
45.241.232.25:995
185.69.144.209:443
2.50.137.197:443
73.67.152.98:2222
76.25.142.196:443
125.168.47.127:2222
201.145.189.252:443
109.12.111.14:443
102.182.232.3:995
72.12.115.90:22
47.156.191.217:443
174.69.215.101:443
70.51.138.126:2222
186.105.121.166:443
179.158.105.44:443
94.36.195.250:2222
109.228.220.196:443
120.61.2.95:443
103.88.226.30:443
103.139.243.207:990
68.204.7.158:443
196.233.79.3:80
39.57.76.82:995
187.250.114.15:443
103.246.242.202:443
190.252.242.69:443
5.32.41.45:443
100.1.108.246:443
72.252.201.34:995
191.17.223.93:32101
40.134.246.185:995
187.102.135.142:2222
191.34.199.129:443
181.208.248.227:443
138.204.24.70:443
209.197.176.40:995
42.235.146.7:2222
82.152.39.39:443
41.230.62.211:993
31.48.166.122:2078
187.251.132.144:22
143.0.34.185:443
88.228.250.126:443
Unpacked files
SH256 hash:
3603edd9bba069c5a26d1a88fae7ba22d7cdfc876f6d7524f4807878ba888fba
MD5 hash:
dbd792f916c340ba9645e6f36528a489
SHA1 hash:
6fefd43b0548c4fe564f6bd724cdaff3d5a52d8a
Link:
https://www.unpac.me/results/51f70314-16ff-4f19-a6fb-52706c96d637/
Malware family:
QBot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/3603edd9bba0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Qakbot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/3603edd9bba069c5a26d1a88fae7ba22d7cdfc876f6d7524f4807878ba888fba

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:QakBot
Create hunting rule
Author:kevoreilly
Description:QakBot Payload
Rule name:win_qakbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/263395/

Comments