MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f3efd6c40d562ef37c921c7aa9e710c743638acc2d16580e1a560060142fc68. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Quakbot


Vendor detections: 11



SHA256 hash: 3f3efd6c40d562ef37c921c7aa9e710c743638acc2d16580e1a560060142fc68
SHA3-384 hash: 9dcb44b4f052bade25d97fbd55034275f9b381c9cb49496490f6689d3d1e9ca26a5343e2d56d9da636bfd6d36849abec
SHA1 hash: 4770851128972bb1955a36d13e97d444e988a861
MD5 hash: 2135477510d718180c3261dc1dbfa403
humanhash: mexico-fruit-cardinal-william
File name: humors.dat
Signature: Quakbot
File size: 1'404'928 bytes
First seen: 2022-10-10 13:42:27 UTC
Last seen: Never
File type: DLL dll
MIME type: application/x-dosexec
imphash: 785da9c54c1d786e59e79db4a3337c6b (2 x Quakbot)
ssdeep: 12288:XYKepSeIUqeXPwyITtxGvvVeHTe7ezGNTTYmRs867u0iROkDQStu8ahKFaXjGOyz:oLo2ftMzeaKYKu7u0i9UNj26Mn
Threatray: 1'508 similar samples on MalwareBazaar
TLSH: T1FE556C22BE9E8873C47B2A389D2B6358583A7D103A38585B6BF50D4CCF397407D6539B
TrID: 62.7% (.EXE) InstallShield setup (43053/19/16)
      14.5% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
      6.5% (.EXE) Win32 Executable (generic) (4505/5/1)
      4.3% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
      3.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
dhash icon: 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter: pr0xylife
Tags: dll obama211 Qakbot Quakbot

Intelligence


File Origin
# of uploads: 1
# of downloads: 227
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Suspicious
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a window
Launching a process
Searching for synchronization primitives
Modifying an executable file
Sending a custom TCP request
Unauthorized injection to a system process
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: greyware keylogger
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name: Win32.Backdoor.Quakbot
Status: Malicious
First seen: 2022-10-10 13:43:19 UTC
File Type: PE (Dll)
Extracted files: 140
AV detection: 17 of 26 (65.38%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:qakbot banker stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Program crash
Qakbot/Qbot
Malware Config
C2 Extraction:
221.44.158.12:15899
135.59.24.163:19546
94.7.79.144:54878
227.150.243.114:39154
215.194.96.116:37650
45.64.184.122:25478
85.137.184.169:59234
107.26.25.92:56712
226.156.21.185:57237
29.90.187.89:14834
206.16.38.205:59801
155.151.97.59:36109
47.219.184.104:36930
252.7.46.182:4067
140.243.25.205:24064
94.93.131.253:65187
28.236.43.99:25246
110.175.218.118:43672
159.220.92.54:39126
233.60.229.213:1774
40.238.73.215:25641
168.152.8.85:14726
51.27.237.220:643
38.179.148.136:10087
155.35.214.28:45472
174.73.95.203:57098
253.87.188.28:55082
146.111.123.235:53182
69.139.176.16:5091
174.247.113.60:16625
82.34.204.163:29554
38.149.44.210:27362
75.150.190.231:49453
233.28.178.189:51109
156.55.175.218:18225
226.245.201.147:56691
30.208.231.241:3060
242.154.104.135:0
62.228.78.206:44566
88.203.47.199:48997
23.115.133.62:57748
217.190.219.41:29447
236.129.127.216:10887
179.121.12.220:50554
156.164.32.211:21954
239.86.43.169:5793
139.44.244.27:5564
193.133.234.0:0
Unpacked files
SHA256 hash: 769cbbd802e51201b8664078043d34588593f237d7139fd67850adf2ed6be0c6
MD5 hash: 2ad3f0ad6b421e676420c38658e0f2ec
SHA1 hash: c73746053b23c98de7388d0a938fb569ebec200c

SHA256 hash: 5ef27986b7ef4f221c7c7ed2bb1cc50eeb304c2f41e4c5c6b3288f752dc6591e
MD5 hash: 0f5f61804e97020ee67ada4122431d8f
SHA1 hash: e94c460d44f1be5b4b05af538d1e2bc8c66f9dde
Detections: Qakbot win_qakbot_auto

SHA256 hash: 3f3efd6c40d562ef37c921c7aa9e710c743638acc2d16580e1a560060142fc68
MD5 hash: 2135477510d718180c3261dc1dbfa403
SHA1 hash: 4770851128972bb1955a36d13e97d444e988a861
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: meth_stackstrings
Author: Willi Ballenthin

Rule name: QakBot
Author: kevoreilly
Description: QakBot Payload

Rule name: unpacked_qbot
Description: Detects unpacked or memory-dumped QBot samples

Rule name: win_qakbot_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.qakbot.

Rule name: win_qakbot_malped
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.qakbot.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments