MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 380fafae824b48724591be9bd4460fd3c1e77f4cb28c80b2c2c1ee76dc94bf7b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 380fafae824b48724591be9bd4460fd3c1e77f4cb28c80b2c2c1ee76dc94bf7b
SHA3-384 hash: bf4572d6e16bbd1f4166fb7d8041c5e5be81b5a7b13e501d789a11795bd614df4bb209d1e59b0ca6e55a10bc331a74c0
SHA1 hash: f30ef06bbe7214b87b8dfec1605631dce027fddd
MD5 hash: 9c727630351e28ce3b02d5c6e48e3329
humanhash: sierra-salami-bluebird-blossom
File name:D.png
Download: download sample
Signature Quakbot
Create hunting rule
File size:324'348 bytes
First seen:2022-06-22 13:08:40 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash dd7b75a6f94279e63a335cf4cb78aa0d (6 x Quakbot)
ssdeep 6144:cruCrhNglVQOKprBwxiAa4n9Ky9bsNwQpwtXLpI/27hJtsNNx0C/f:Uu0h+ITrBoimn979bywQyXa2NrwNHn
Threatray 1'268 similar samples on MalwareBazaar
TLSH T19064D0848943E1E3D517CAB1F3627B37240D13924D0C169EE6E52AB8AFCA37745772AC
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4505/5/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter pr0xylife
Tags:AA dll Qakbot Quakbot

Intelligence

File Origin
# of uploads :
1
# of downloads :
275
Origin country :
n/a
Vendor Threat Intelligence
Detection:
QakBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/282300/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for synchronization primitives
Launching a process
Launching a service
Searching for the window
Creating a window
Creating a file
Unauthorized injection to a recently created process
Modifying an executable file
Creating a process with a hidden window
DNS request
Moving a recently created file
Creating a file in the system32 subdirectories
Creating a file in the Program Files subdirectories
Setting a global event handler for the keyboard
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/62b3148249d6271f1a76e94c/reports/92caae97-577d-4d80-a952-80c3eb864c1e/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7d44d857-5515-4c5e-bef9-31e38accf4e6
Result
Threat name:
Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1017902
Signature
Allocates memory in foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 650395 Sample: D.png Startdate: 22/06/2022 Architecture: WINDOWS Score: 72 36 Yara detected Qbot 2->36 38 Machine Learning detection for sample 2->38 8 loaddll32.exe 1 2->8         started        process3 signatures4 40 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->40 42 Injects code into the Windows Explorer (explorer.exe) 8->42 44 Writes to foreign memory regions 8->44 46 2 other signatures 8->46 11 regsvr32.exe 8->11         started        14 rundll32.exe 8->14         started        16 rundll32.exe 8->16         started        18 3 other processes 8->18 process5 signatures6 48 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 11->48 50 Injects code into the Windows Explorer (explorer.exe) 11->50 52 Writes to foreign memory regions 11->52 20 explorer.exe 11->20         started        54 Allocates memory in foreign processes 14->54 56 Maps a DLL or memory area into another process 14->56 22 explorer.exe 14->22         started        24 explorer.exe 8 1 16->24         started        27 rundll32.exe 18->27         started        30 explorer.exe 18->30         started        process7 file8 34 C:\Users\user\Desktop\D.dll, PE32 24->34 dropped 58 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 27->58 60 Injects code into the Windows Explorer (explorer.exe) 27->60 62 Maps a DLL or memory area into another process 27->62 32 explorer.exe 27->32         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/380fafae824b48724591be9bd4460fd3c1e77f4cb28c80b2c2c1ee76dc94bf7b/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-06-22 13:11:36 UTC
File Type:
PE (Dll)
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hah27lucjnehermrx2n5irqp2pa6o72mwkgibmwcyhxhnxeux55q._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
06cfccd728289970135c714172ed359fe1075af9f2852902998e3b49e75b2099
Quakbot
1c5e20638c4e5892745a8bf2c9fed302d825be6bca58b46896f36116c637bc83
Quakbot
55dff05b8bd54a21267a8320f44230b217188ad1134128f8a33c488937c0c407
Quakbot
7b7c1e7e308228cc4a38adaf8ca66952f12eab0ec27d594d7b59815e0950fa2f
Quakbot
b674993c41ae982f26c752e411b4d3169f9b5e803df585261eb42b58dba91ded
Quakbot
d521d0bac4c3686c76cb620df77379d0061b190704d9ac05ce34d32e8f5cdcc9
Quakbot
ec8f7afb7234b7c5555907948439e5d48712c5ea66a5284bf46eb612cc70eca7
Quakbot
+ 1'258 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot botnet:aa campaign:1655878426 banker stealer trojan
Link:
https://tria.ge/reports/220622-qdsh2ahhb3/
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in System32 directory
Loads dropped DLL
Qakbot/Qbot
Malware Config
C2 Extraction:
210.246.4.69:995
41.228.22.180:443
104.34.212.7:32103
24.178.196.158:2222
88.251.195.142:443
39.49.9.134:995
38.70.253.226:2222
47.23.89.60:993
120.150.218.241:995
197.89.128.138:443
208.107.221.224:443
92.137.225.8:2222
1.161.124.241:995
2.34.12.8:443
176.205.21.139:2222
176.45.232.204:995
176.205.21.139:1194
5.32.41.45:443
94.59.252.166:2222
189.78.107.163:32101
182.191.92.203:995
117.248.109.38:21
84.241.8.23:32103
74.14.5.179:2222
86.98.157.42:993
217.128.122.65:2222
71.13.93.154:2222
193.253.44.249:2222
91.177.173.10:995
108.60.213.141:443
40.134.246.185:995
39.41.89.221:995
70.51.132.161:2222
70.46.220.114:443
24.43.99.75:443
32.221.224.140:995
67.209.195.198:443
93.48.80.198:995
148.64.96.100:443
186.90.153.162:2222
67.165.206.193:993
202.134.152.2:2222
100.38.242.113:995
173.21.10.71:2222
69.14.172.24:443
45.46.53.140:2222
148.0.43.48:443
121.7.223.45:2222
172.115.177.204:2222
81.193.30.90:443
187.208.115.219:443
187.250.202.2:443
47.156.131.10:443
72.252.157.93:995
72.252.157.93:990
72.252.157.93:993
76.25.142.196:443
177.45.64.254:32101
24.139.72.117:443
24.55.67.176:443
109.12.111.14:443
68.204.15.28:443
179.158.105.44:443
197.94.94.206:443
90.120.209.197:2078
188.136.218.225:61202
87.109.229.215:995
63.143.92.99:995
102.182.232.3:995
86.132.14.70:2078
196.203.37.215:80
81.250.191.49:2222
111.125.245.116:995
37.34.253.233:443
191.250.120.152:443
45.241.205.91:993
80.11.74.81:2222
83.110.94.105:443
201.176.6.24:995
173.174.216.62:443
1.161.124.241:443
39.52.59.14:995
31.215.70.37:443
175.145.235.37:443
174.69.215.101:443
187.172.164.12:443
201.172.23.68:2222
41.84.249.56:995
162.252.222.118:443
191.34.121.84:443
113.53.152.11:443
86.195.158.178:2222
39.57.60.246:995
109.228.220.196:443
82.41.63.217:443
82.152.39.39:443
106.51.48.188:50001
103.246.242.202:443
94.36.193.176:2222
41.38.167.179:995
98.50.191.202:443
190.252.242.69:443
89.101.97.139:443
185.56.243.146:443
186.105.113.65:443
39.44.30.209:995
47.157.227.70:443
187.251.132.144:22
31.35.28.29:443
148.252.133.168:443
42.103.128.35:2222
180.129.108.214:995
138.186.28.253:443
184.97.29.26:443
89.137.52.44:443
120.61.2.218:443
122.118.131.132:995
101.50.110.17:995
89.86.33.217:443
75.99.168.194:61201
103.91.182.114:2222
37.210.156.247:2222
58.105.167.36:50000
187.207.131.50:61202
76.70.9.169:2222
189.253.206.105:443
176.67.56.94:443
103.116.178.85:995
143.0.219.6:995
79.80.80.29:2222
37.186.58.115:995
96.37.113.36:993
78.101.194.193:6883
Unpacked files
SH256 hash:
b4917a291844273ba5276e19178bf4b79960d96ddbfc4d3ebe8b8eec25bff632
MD5 hash:
7f19ac2a7a368d305ff9c1c5f36b320c
SHA1 hash:
cee1829b0d332e478cba58fed61c12b507e2ddc0
Detections:
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/669415d8-ad51-493a-acb6-dd4ac3056df3/
Parent samples :
24c073082ab88e2f95a7b60cc74f5b65f002c6960f5db61601de7ef7eee6980d
380fafae824b48724591be9bd4460fd3c1e77f4cb28c80b2c2c1ee76dc94bf7b
a8e30d0c9d9d7f17673d9c4fad1d5dddaf2afb69450e4b35301886e6d6abee4f
SH256 hash:
380fafae824b48724591be9bd4460fd3c1e77f4cb28c80b2c2c1ee76dc94bf7b
MD5 hash:
9c727630351e28ce3b02d5c6e48e3329
SHA1 hash:
f30ef06bbe7214b87b8dfec1605631dce027fddd
Link:
https://www.unpac.me/results/669415d8-ad51-493a-acb6-dd4ac3056df3/
Malware family:
QBot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/380fafae824b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/380fafae824b48724591be9bd4460fd3c1e77f4cb28c80b2c2c1ee76dc94bf7b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:QakBot
Create hunting rule
Author:kevoreilly
Description:QakBot Payload
Rule name:unpacked_qbot
Create hunting rule
Description:Detects unpacked or memory-dumped QBot samples
Rule name:win_qakbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/282300/

Comments