MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a92fe612cab618d0f12481ba7b62b46717a654275b460f5edbdba12b64ada6c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3a92fe612cab618d0f12481ba7b62b46717a654275b460f5edbdba12b64ada6c
SHA3-384 hash: dd62fd7404b030867c2edf127af47e1ab2762bf4ec4f4d717f970beaf9604b269be77980faf7dd72fe71a86fff987c15
SHA1 hash: 349c80462113b0fa9a99de4bd2550f0be20017c2
MD5 hash: 49e14e69a5252c4716601a233ed48809
humanhash: helium-delta-leopard-potato
File name:bb10.dll
Download: download sample
Signature Quakbot
Create hunting rule
File size:753'664 bytes
First seen:2022-12-12 22:21:05 UTC
Last seen:2022-12-12 23:30:13 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash f181b947d0531cbd123f4eb06366bb2b (5 x Quakbot)
ssdeep 12288:aeY5BmFRiqAoWyeDngR2wLBd4qClKqt8nwd8QxD68gvg8xEcmXXtFWs/:1go9WngRjClKqKJNyc2dFJ
TLSH T160F42602EDC55F6BC93EA17209DF89611AB6C8447F128A27B7AC1A263423754BFD371C
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter pr0xylife
Tags:1670829462 BB10 dll Qakbot Quakbot

Intelligence

File Origin
# of uploads :
2
# of downloads :
226
Origin country :
RU RU
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/345657/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.21477.1183.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6397a98b0c6473d1671ab275/reports/e1152de3-b571-48d4-9da5-93fe500fafda/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/2af0d270-1ec4-4a83-8928-3ecf8b0dd609
Result
Threat name:
Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1133102
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 765826 Sample: bb10.dll Startdate: 12/12/2022 Architecture: WINDOWS Score: 72 40 123.3.240.16 VOCUS-RETAIL-AUVocusRetailAU Australia 2->40 42 108.6.249.139 UUNETUS United States 2->42 44 96 other IPs or domains 2->44 54 Yara detected Qbot 2->54 56 C2 URLs / IPs found in malware configuration 2->56 58 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->58 9 loaddll32.exe 1 2->9         started        signatures3 process4 process5 11 rundll32.exe 9->11         started        14 rundll32.exe 9->14         started        16 cmd.exe 1 9->16         started        18 7 other processes 9->18 signatures6 60 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 11->60 62 Writes to foreign memory regions 11->62 64 Allocates memory in foreign processes 11->64 20 wermgr.exe 11->20         started        66 Maps a DLL or memory area into another process 14->66 24 wermgr.exe 14->24         started        26 rundll32.exe 16->26         started        28 WerFault.exe 18 9 18->28         started        30 WerFault.exe 2 9 18->30         started        32 WerFault.exe 9 18->32         started        34 WerFault.exe 18->34         started        process7 dnsIp8 46 60.254.51.168, 443, 49719 HATHWAY-NET-APHathwayIPOverCableInternetIN India 20->46 48 xfinity.com 20->48 50 www.xfinity.com 20->50 38 C:\Users\user\Desktop\bb10.dll, PE32 20->38 dropped 36 WerFault.exe 7 9 26->36         started        52 192.168.2.1 unknown unknown 28->52 file9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3a92fe612cab618d0f12481ba7b62b46717a654275b460f5edbdba12b64ada6c/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-12-12 22:22:07 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hkjp4yjmvnqy2dysjan2pnrlizyxuzkcow2gb5pnxw5bfnsk3jwa._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/221212-1979gach79/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
3a92fe612cab618d0f12481ba7b62b46717a654275b460f5edbdba12b64ada6c
MD5 hash:
49e14e69a5252c4716601a233ed48809
SHA1 hash:
349c80462113b0fa9a99de4bd2550f0be20017c2
Link:
https://www.unpac.me/results/63eef6bf-7203-45ad-bf64-0809661f8e3a/
Malware family:
QBot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3a92fe612cab/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3a92fe612cab618d0f12481ba7b62b46717a654275b460f5edbdba12b64ada6c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/345657/

Comments