MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c0c4314624497645c426ed6e9fbfd37042f7aceb51e60a894135ea4a42851c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3c0c4314624497645c426ed6e9fbfd37042f7aceb51e60a894135ea4a42851c0
SHA3-384 hash: 2e4947b36b6e1ce35888c4458dc16ff5e21c27db73421b8ad670cd915716705526026bfb2b54cd3158a49063c1f9d4e6
SHA1 hash: 3147e258e01223ce2bff0e0346e9d90ca53859d1
MD5 hash: a736ea84089591e4b6ed3b4051f393d0
humanhash: potato-low-yankee-hydrogen
File name:lemur.temp
Download: download sample
Signature Quakbot
Create hunting rule
File size:501'760 bytes
First seen:2022-11-21 12:34:40 UTC
Last seen:2022-11-21 14:48:14 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 810b9d64448e259ee668bca43f7cf520 (2 x Quakbot)
ssdeep 6144:GIZQLN2lkgFJUdgAPJgwEpPWD44TICMUFOvctTWzpbTNEh6BgFJ+twd737Kn:GSlkcAPJr4WhTUiwz4agFwid7e
Threatray 1'801 similar samples on MalwareBazaar
TLSH T10DB4E000FD939CB1D4AB443131A4B62B5F2C2A311B2CD7DBE7541B3BAE706917D2A16B
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter pr0xylife
Tags:1669024152 BB07 dll Qakbot Quakbot

Intelligence

File Origin
# of uploads :
2
# of downloads :
338
Origin country :
IE IE
Vendor Threat Intelligence
Detection:
QakBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/336755/
Detection(s):
SecuriteInfo.com.Win32.BotX-gen.15807.12051.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Searching for synchronization primitives
Modifying an executable file
Sending a custom TCP request
Creating a window
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/637b707aa0efd596b82f0842/reports/f74c7a8c-607c-4763-ac07-37c00e77e8c4/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/89d6c25f-7bca-4744-89e4-2746e84821d6
Result
Threat name:
Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1118093
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 750805 Sample: lemur.temp.dll Startdate: 21/11/2022 Architecture: WINDOWS Score: 84 33 89.115.196.99 VODAFONE-PTVodafonePortugalPT Portugal 2->33 35 94.63.65.146 VODAFONE-PTVodafonePortugalPT Portugal 2->35 37 98 other IPs or domains 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 Yara detected Qbot 2->41 43 C2 URLs / IPs found in malware configuration 2->43 45 2 other signatures 2->45 9 loaddll32.exe 1 2->9         started        signatures3 process4 signatures5 55 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 9->55 57 Maps a DLL or memory area into another process 9->57 12 cmd.exe 1 9->12         started        14 rundll32.exe 9->14         started        17 regsvr32.exe 9->17         started        19 2 other processes 9->19 process6 file7 22 rundll32.exe 12->22         started        59 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 14->59 61 Writes to foreign memory regions 14->61 63 Allocates memory in foreign processes 14->63 25 wermgr.exe 14->25         started        65 Maps a DLL or memory area into another process 17->65 27 wermgr.exe 17->27         started        31 C:\Users\user\Desktop\lemur.temp.dll, PE32 19->31 dropped signatures8 process9 signatures10 47 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 22->47 49 Writes to foreign memory regions 22->49 51 Allocates memory in foreign processes 22->51 53 Maps a DLL or memory area into another process 22->53 29 wermgr.exe 22->29         started        process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3c0c4314624497645c426ed6e9fbfd37042f7aceb51e60a894135ea4a42851c0/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-11-21 12:35:10 UTC
File Type:
PE (Dll)
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hqgegfdcislwixccn3lot675g4cc66wowupgbkeucnpkjjbikhaa._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
40d050f531b57ebeef82d047638bd11795b203ac9132ff9203d1096843f68e44
Quakbot
8ae878effceb1a76ba103550970b27662a0328c00bd0fb8b8d7e78750c0f3b65
Quakbot
8ca16991684f7384c12b6622b8d1bcd23bc27f186f499c2059770ddd3031f274
Quakbot
a4bd3e694fee912bc8871b3da9302e5608b2c69e6ca1ab99bd726ccc6923edc1
Quakbot
b985e5b22bb8e8f23e53a501d795436ebc412e948ec935f6434c6737ebe38e6c
Quakbot
e4525d4812d75697a4b6524258a3e0325e49fce605c1691ba9fb6c2cfd2620ce
Quakbot
+ 1'791 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot botnet:bb07 campaign:1669024152 banker stealer trojan
Link:
https://tria.ge/reports/221121-psckpaea61/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Qakbot/Qbot
Malware Config
C2 Extraction:
69.119.123.159:2222
197.148.17.17:2078
174.104.184.149:443
12.172.173.82:995
91.68.227.219:443
85.241.180.94:443
83.7.53.150:443
213.22.188.57:2222
71.46.234.170:443
190.75.150.58:2222
86.98.15.100:995
89.115.196.99:443
83.31.254.67:2222
46.162.109.183:443
2.84.98.228:2222
78.69.251.252:2222
12.172.173.82:465
75.143.236.149:443
47.229.96.60:443
80.121.8.212:995
74.92.243.113:50000
86.225.214.138:2222
183.82.100.110:2222
86.175.128.143:443
105.103.41.128:990
121.122.99.151:995
82.121.237.106:2222
83.248.199.56:443
81.156.198.115:2222
24.228.132.224:2222
87.243.146.59:443
174.112.25.29:2078
84.35.26.14:995
174.45.15.123:443
83.110.90.214:995
87.65.160.87:995
172.90.139.138:2222
71.247.10.63:2083
47.41.154.250:443
80.103.77.44:2222
92.11.189.236:2222
81.229.117.95:2222
91.169.12.198:32100
62.31.130.138:465
188.92.64.68:443
58.186.75.42:443
85.59.61.52:2222
94.63.65.146:443
80.13.179.151:2222
24.206.27.39:443
170.253.25.35:443
157.231.42.190:995
184.153.132.82:443
174.101.111.4:443
23.240.47.58:995
217.128.91.196:2222
62.35.67.88:443
184.155.91.69:443
86.176.144.202:2222
86.213.224.109:2222
90.104.22.28:2222
76.80.180.154:995
174.77.209.5:443
184.176.154.83:995
58.247.115.126:995
69.133.162.35:443
71.183.236.133:443
102.47.130.52:995
103.141.50.117:995
116.75.63.124:443
70.66.199.12:443
92.185.204.18:2078
130.43.107.232:995
92.24.200.226:995
81.111.108.123:443
98.145.23.67:443
197.0.235.159:443
92.137.74.174:2222
92.207.132.174:2222
12.172.173.82:50001
76.127.192.23:443
12.172.173.82:21
176.142.207.63:443
83.110.223.247:443
71.247.10.63:50003
108.6.249.139:443
24.69.87.61:443
90.89.95.158:2222
89.129.109.27:2222
91.254.215.167:443
71.247.10.63:995
47.34.30.133:443
86.130.9.140:2222
70.64.77.115:443
87.223.80.45:443
180.151.104.143:443
109.57.68.154:443
103.55.67.180:443
75.99.125.238:2222
50.68.204.71:995
73.36.196.11:443
105.184.161.242:443
187.199.224.16:32103
105.103.41.128:32103
75.156.125.215:995
170.249.59.153:443
2.91.187.6:995
87.202.101.164:50000
105.103.41.128:465
74.66.134.24:443
172.117.139.142:995
87.1.202.122:443
105.103.41.128:2078
12.172.173.82:990
86.171.75.63:443
12.172.173.82:2087
105.103.41.128:22
24.142.218.202:443
66.191.69.18:995
45.248.169.101:443
Unpacked files
SH256 hash:
fee7f9ff57604a53c3a6d457ab208e56f27b7a862e64c22a399b9466f513da40
MD5 hash:
5715f339f2a2ea9fcd6fbf33fd1b898b
SHA1 hash:
c4a43d3d2f2f085b921aca5d348425b0d40d91f3
Detections:
Qakbot
Create hunting rule
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/fc2b3288-8e6a-4fe8-ab3b-06c3684881cb/
SH256 hash:
3c0c4314624497645c426ed6e9fbfd37042f7aceb51e60a894135ea4a42851c0
MD5 hash:
a736ea84089591e4b6ed3b4051f393d0
SHA1 hash:
3147e258e01223ce2bff0e0346e9d90ca53859d1
Link:
https://www.unpac.me/results/fc2b3288-8e6a-4fe8-ab3b-06c3684881cb/
Malware family:
QBot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3c0c43146244/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3c0c4314624497645c426ed6e9fbfd37042f7aceb51e60a894135ea4a42851c0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:QakBot
Create hunting rule
Author:kevoreilly
Description:QakBot Payload
Rule name:unpacked_qbot
Create hunting rule
Description:Detects unpacked or memory-dumped QBot samples
Rule name:win_qakbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.
Rule name:win_qakbot_malped
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/336755/

Comments