MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b2eb2cd3cf0a65c1ff286c6c44bb06a30082a9d532832a28c9fca436d998f7e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3b2eb2cd3cf0a65c1ff286c6c44bb06a30082a9d532832a28c9fca436d998f7e
SHA3-384 hash: 66698e8e450123af1d4dcd8370138c848ed2637059bbdc08cfe7cc6a2bc1db10320e6d2f0cb3bfadc045d5c32d6f1151
SHA1 hash: 718be8f702abb817a095da80978037c7012d6a1d
MD5 hash: 57a9bfe6f15e00c02403af50f684a464
humanhash: helium-wisconsin-indigo-november
File name:3b2eb2cd3cf0a65c1ff286c6c44bb06a30082a9d532832a28c9fca436d998f7e
Download: download sample
Signature Quakbot
Create hunting rule
File size:984'570 bytes
First seen:2022-03-01 11:07:40 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash a2c4c1cc45cf157e67048505a3f85c3c (8 x Quakbot, 2 x Gozi)
ssdeep 12288:Zg4d/lpygJCNLgUgYUypwKzpVCD2aep4Xl8I1JV5OwBi6fC8a/ZnFH08hXhQrVNP:ZdddhCN3tVwV1Twh/n/qVh
TLSH T12B25F94286642A0DFD3DCEFB6F3AA3ED40664F70192AB256E350288951B81F1723DF57
File icon (PE):PE icon
dhash icon 6edbb12b17172b96 (10 x Quakbot, 9 x Heodo, 7 x BazaLoader)
Reporter JAMESWT_WT
Tags:dll Qakbot Quakbot THE FAITH SP Z O O

Intelligence

File Origin
# of uploads :
1
# of downloads :
154
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/245724/
Detection(s):
Win.Packed.Lazy-9940222-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Searching for many windows
Сreating synchronization primitives
Launching a process
Modifying an executable file
Searching for synchronization primitives
Creating a process with a hidden window
Creating a window
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
kbot overlay packed qakbot qbot ursnif
Link:
https://www.filescan.io/uploads/621dfe95b94fb38cb42db676/reports/14fa3e75-8643-480e-9c9a-820c5de15d38/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/988e09d5-6346-4363-b6cd-7b8e3032e9db
Result
Threat name:
Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/948087
Signature
Allocates memory in foreign processes
Found malware configuration
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Suspicious Call by Ordinal
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 580577 Sample: YylP5Eu46P Startdate: 01/03/2022 Architecture: WINDOWS Score: 88 34 store-images.s-microsoft.com 2->34 36 Found malware configuration 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 Yara detected Qbot 2->40 42 Sigma detected: Suspicious Call by Ordinal 2->42 9 loaddll32.exe 1 2->9         started        signatures3 process4 process5 11 regsvr32.exe 9->11         started        14 cmd.exe 1 9->14         started        16 rundll32.exe 9->16         started        18 3 other processes 9->18 signatures6 52 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 11->52 54 Injects code into the Windows Explorer (explorer.exe) 11->54 56 Writes to foreign memory regions 11->56 20 explorer.exe 8 1 11->20         started        23 rundll32.exe 14->23         started        58 Allocates memory in foreign processes 16->58 60 Maps a DLL or memory area into another process 16->60 26 explorer.exe 16->26         started        process7 file8 32 C:\Users\user\Desktop\YylP5Eu46P.dll, PE32 20->32 dropped 44 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 23->44 46 Injects code into the Windows Explorer (explorer.exe) 23->46 48 Writes to foreign memory regions 23->48 50 2 other signatures 23->50 28 explorer.exe 23->28         started        30 BackgroundTransferHost.exe 13 23->30         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3b2eb2cd3cf0a65c1ff286c6c44bb06a30082a9d532832a28c9fca436d998f7e/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-02-25 04:30:00 UTC
File Type:
PE (Dll)
Extracted files:
20
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot botnet:tr campaign:1645451777 banker evasion stealer trojan
Link:
https://tria.ge/reports/220301-m8j9csbchn/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Loads dropped DLL
Qakbot/Qbot
Suspicious use of NtCreateProcessExOtherParentProcess
Windows security bypass
Malware Config
C2 Extraction:
31.35.28.29:443
105.186.167.230:995
72.252.201.34:990
40.134.247.125:995
186.64.87.194:443
2.50.41.69:61200
217.164.119.29:2222
161.142.53.137:443
74.15.2.252:2222
149.135.101.20:443
92.177.45.46:2078
190.73.3.148:2222
81.213.206.182:443
180.233.150.134:995
217.164.115.166:2222
144.202.2.175:443
105.184.116.32:995
47.180.172.159:50010
96.21.251.127:2222
140.82.49.12:443
176.67.56.94:443
66.230.104.103:443
206.217.0.154:995
47.180.172.159:443
75.99.168.194:443
24.178.196.158:2222
173.220.98.101:443
71.74.12.34:443
116.74.71.73:443
89.86.33.217:443
78.96.235.245:443
103.139.242.30:990
188.50.250.205:995
217.165.146.122:32101
173.174.216.62:443
78.101.202.183:6883
190.189.33.6:32101
47.23.89.60:993
70.45.27.254:443
102.65.38.67:443
89.101.97.139:443
69.14.172.24:443
136.143.11.232:443
103.142.10.177:443
38.70.253.226:2222
217.128.171.34:2222
197.165.161.159:995
82.152.39.39:443
111.125.245.116:995
130.164.206.70:443
39.44.136.96:995
144.202.2.175:995
75.99.168.194:61201
105.155.218.181:443
75.156.151.34:443
197.167.10.103:995
217.128.122.65:2222
102.47.31.216:995
124.41.193.166:443
67.209.195.198:443
32.221.231.1:443
182.191.92.203:995
78.101.82.120:2222
120.150.218.241:995
84.241.8.23:32103
103.87.95.131:2222
190.206.211.182:443
197.167.10.103:993
180.183.99.37:2222
39.52.203.68:995
190.189.33.6:443
39.52.121.208:995
41.36.82.58:3389
118.161.10.126:995
70.57.207.83:443
120.61.3.58:443
128.106.123.43:443
136.232.34.70:443
118.161.10.126:443
217.164.119.29:1194
89.137.52.44:443
175.137.153.178:443
208.107.221.224:443
86.98.150.158:995
39.41.254.161:995
76.25.142.196:443
45.46.53.140:2222
173.21.10.71:2222
47.23.89.60:995
73.151.236.31:443
189.146.51.56:443
67.165.206.193:993
109.12.111.14:443
75.188.35.168:443
86.198.170.170:2222
41.84.229.145:995
31.215.206.13:443
80.6.192.58:443
80.191.52.137:61202
103.230.180.119:443
197.92.132.79:443
86.98.55.231:995
5.237.251.118:995
41.230.62.211:993
5.89.175.136:443
86.98.11.110:443
84.241.8.23:2083
139.64.34.193:995
41.232.210.78:443
209.210.95.228:32100
70.51.137.204:2222
100.1.108.246:443
46.176.197.48:995
39.49.80.188:995
73.30.132.246:443
72.252.201.34:995
196.203.37.215:80
114.79.148.170:443
103.17.101.139:995
78.180.172.122:995
41.84.234.250:443
203.99.177.128:443
37.211.189.48:61202
108.4.67.252:443
201.40.225.216:443
200.104.16.99:993
181.98.246.214:443
217.165.109.191:993
197.89.21.163:443
188.210.148.245:443
185.113.58.135:443
39.53.116.250:995
39.52.21.207:993
72.66.116.235:995
184.149.30.83:2222
41.228.22.180:443
45.9.20.200:443
24.231.158.110:995
24.152.219.253:995
96.246.158.154:995
86.108.123.52:443
107.171.241.236:2222
5.48.205.15:443
103.116.178.85:443
182.176.180.73:443
102.132.145.147:443
47.180.172.159:993
177.205.182.145:443
24.53.49.240:443
Unpacked files
SH256 hash:
3b2eb2cd3cf0a65c1ff286c6c44bb06a30082a9d532832a28c9fca436d998f7e
MD5 hash:
57a9bfe6f15e00c02403af50f684a464
SHA1 hash:
718be8f702abb817a095da80978037c7012d6a1d
Link:
https://www.unpac.me/results/8f409b07-0ab4-49b5-b757-c2fccb12f6c6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3b2eb2cd3cf0a65c1ff286c6c44bb06a30082a9d532832a28c9fca436d998f7e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/245724/

Comments