MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 414b150d1512e748414e70c380278d819616a4c4c0c0f8a1679f0264685f3cd3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 414b150d1512e748414e70c380278d819616a4c4c0c0f8a1679f0264685f3cd3
SHA3-384 hash: 5dacd58acc408310f1444d473280305b50059434ee39ab420150d27ce1dc7e157f5f6331a9816ba3a70fc766bba660e1
SHA1 hash: 01a8b5d39a173801064d35b131dfc00c6a5fc91a
MD5 hash: 955bba82da675d1e00b736b6aa71010a
humanhash: robert-blossom-river-fish
File name:190.dat
Download: download sample
Signature Quakbot
Create hunting rule
File size:722'944 bytes
First seen:2022-06-21 18:24:55 UTC
Last seen:2022-06-21 18:24:56 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash c7f3e11e6f6fe8a9de8b31827060af69 (8 x Quakbot)
ssdeep 12288:pSHEVZKP1O+hamzhv1fm3F7SxZF0WGNY:eSi7NvEhseY
Threatray 1'262 similar samples on MalwareBazaar
TLSH T1DDF49F36B3E04837C1771A7C8D1BB66898297D113E3C988A7BE41D4C5F3A781376A297
TrID 47.6% (.EXE) Win32 Executable Delphi generic (14182/79/4)
15.1% (.EXE) Win32 Executable (generic) (4505/5/1)
10.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter pr0xylife
Tags:dll obama190 Qakbot Quakbot

Intelligence

File Origin
# of uploads :
2
# of downloads :
248
Origin country :
n/a
Vendor Threat Intelligence
Detection:
QakBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/282079/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Launching a process
Modifying an executable file
Creating a process with a hidden window
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware keylogger
Link:
https://www.filescan.io/uploads/62b20d3f08903778452dcc6d/reports/732dff00-0761-482a-b5a1-e321429cfbf7/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/32a720d3-172b-44d8-82e4-c5a400005a58
Result
Threat name:
CryptOne
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1017390
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Creates files in the system32 config directory
Encrypted powershell cmdline option found
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Schedule system process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected CryptOne packer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 649886 Sample: 190.dat Startdate: 21/06/2022 Architecture: WINDOWS Score: 100 66 Multi AV Scanner detection for submitted file 2->66 68 Yara detected CryptOne packer 2->68 70 Sigma detected: Schedule system process 2->70 72 2 other signatures 2->72 9 loaddll32.exe 1 2->9         started        12 powershell.exe 11 2->12         started        14 powershell.exe 8 2->14         started        process3 signatures4 74 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 9->74 76 Injects code into the Windows Explorer (explorer.exe) 9->76 78 Writes to foreign memory regions 9->78 82 2 other signatures 9->82 16 explorer.exe 8 1 9->16         started        20 cmd.exe 1 9->20         started        80 Creates files in the system32 config directory 12->80 22 regsvr32.exe 12->22         started        24 conhost.exe 12->24         started        26 regsvr32.exe 14->26         started        28 conhost.exe 14->28         started        process5 file6 50 C:\Users\user\Desktop\190.dll, PE32 16->50 dropped 64 Uses schtasks.exe or at.exe to add and modify task schedules 16->64 30 schtasks.exe 1 16->30         started        32 rundll32.exe 20->32         started        35 regsvr32.exe 22->35         started        37 regsvr32.exe 26->37         started        signatures7 process8 signatures9 39 conhost.exe 30->39         started        54 Contains functionality to detect sleep reduction / modifications 32->54 41 WerFault.exe 23 9 32->41         started        44 explorer.exe 32->44         started        56 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 35->56 58 Injects code into the Windows Explorer (explorer.exe) 35->58 60 Writes to foreign memory regions 35->60 62 2 other signatures 35->62 46 explorer.exe 8 2 35->46         started        process10 dnsIp11 52 192.168.2.1 unknown unknown 41->52 48 conhost.exe 46->48         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/414b150d1512e748414e70c380278d819616a4c4c0c0f8a1679f0264685f3cd3/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-06-21 18:25:09 UTC
File Type:
PE (Dll)
Extracted files:
38
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iffrkdivcltuqqkoodbyaj4nqglbnjgeydaprilht4bgi2c7htjq._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
05abcf4f0220a026d9d591722428fb8cd87053aa9b5be0ee1a6d6cda27e926ce
Quakbot
142d465bdbf028d9035d0bf496ff73147824535f88d1e66f7fe32c55a36301b8
Quakbot
1c5e20638c4e5892745a8bf2c9fed302d825be6bca58b46896f36116c637bc83
Quakbot
76209c7f60db832e93bdd6e68bcb2aaff914d2094f7db636e8aa19d4f43f40ea
Quakbot
7b7c1e7e308228cc4a38adaf8ca66952f12eab0ec27d594d7b59815e0950fa2f
Quakbot
877b074b2f8f46154fed79d0ee820d365148c40131ab76fe1d55d9b23204b5b1
Quakbot
a36c0298f193030753cdadef0a7f78afb02f25244d6ef552bd4afaa4550a8254
Quakbot
b674993c41ae982f26c752e411b4d3169f9b5e803df585261eb42b58dba91ded
Quakbot
ec8f7afb7234b7c5555907948439e5d48712c5ea66a5284bf46eb612cc70eca7
Quakbot
+ 1'252 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot botnet:obama190 campaign:1655819798 banker stealer trojan
Link:
https://tria.ge/reports/220621-w2l9tahfbm/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Program crash
Qakbot/Qbot
Malware Config
C2 Extraction:
100.38.242.113:995
173.21.10.71:2222
72.252.157.93:995
72.252.157.93:990
72.252.157.93:993
202.134.152.2:2222
45.241.205.91:993
90.120.209.197:2078
188.136.218.225:61202
41.228.22.180:443
76.25.142.196:443
24.178.196.158:2222
80.11.74.81:2222
69.14.172.24:443
63.143.92.99:995
83.110.94.105:443
38.70.253.226:2222
47.23.89.60:993
177.45.64.254:32101
104.34.212.7:32103
102.182.232.3:995
120.150.218.241:995
208.107.221.224:443
92.137.225.8:2222
88.251.195.142:443
24.139.72.117:443
2.34.12.8:443
24.55.67.176:443
94.59.252.166:2222
201.176.6.24:995
87.109.229.215:995
74.14.5.179:2222
86.132.14.70:2078
86.98.157.42:993
189.78.107.163:32101
108.60.213.141:443
217.128.122.65:2222
148.0.46.240:443
71.13.93.154:2222
91.177.173.10:995
81.250.191.49:2222
173.174.216.62:443
70.46.220.114:443
24.43.99.75:443
32.221.224.140:995
1.161.124.241:443
67.209.195.198:443
117.248.109.38:21
40.134.246.185:995
193.253.44.249:2222
111.125.245.116:995
5.32.41.45:443
37.34.253.233:443
179.158.105.44:443
182.191.92.203:995
172.115.177.204:2222
93.48.80.198:995
148.64.96.100:443
186.90.153.162:2222
67.165.206.193:993
191.250.120.152:443
210.246.4.69:995
39.41.59.177:995
121.7.223.45:2222
176.205.21.139:1194
196.203.37.215:80
39.52.59.14:995
31.215.70.37:443
175.145.235.37:443
197.89.11.167:443
1.161.124.241:995
84.241.8.23:32103
45.46.53.140:2222
174.69.215.101:443
81.193.30.90:443
47.156.131.10:443
187.250.202.2:443
187.208.115.219:443
187.172.164.12:443
109.12.111.14:443
201.172.23.68:2222
41.84.249.56:995
70.51.132.161:2222
162.252.222.118:443
191.34.121.84:443
113.53.152.11:443
86.195.158.178:2222
39.57.60.246:995
109.228.220.196:443
82.41.63.217:443
82.152.39.39:443
106.51.48.188:50001
103.246.242.202:443
94.36.193.176:2222
176.205.21.139:2222
41.38.167.179:995
98.50.191.202:443
190.252.242.69:443
89.101.97.139:443
185.56.243.146:443
186.105.113.65:443
39.49.69.116:995
39.44.30.209:995
68.204.15.28:443
47.157.227.70:443
187.251.132.144:22
31.35.28.29:443
148.252.128.73:443
42.103.128.35:2222
180.129.108.214:995
138.186.28.253:443
184.97.29.26:443
89.137.52.44:443
120.61.2.218:443
122.118.131.132:995
188.55.215.137:995
101.50.110.17:995
89.86.33.217:443
75.99.168.194:61201
103.91.182.114:2222
37.210.156.247:2222
58.105.167.36:50000
197.94.94.206:443
187.207.131.50:61202
76.70.9.169:2222
189.253.206.105:443
176.67.56.94:443
103.116.178.85:995
143.0.219.6:995
79.80.80.29:2222
37.186.58.115:995
96.37.113.36:993
78.101.194.193:6883
72.27.33.160:443
Unpacked files
SH256 hash:
aa4d244d4457c46e970df34318e43fa8aafd5010ab2af02e139ea8c1c1aa7ca3
MD5 hash:
4dc5296bbe08efa0ae068af09c275f60
SHA1 hash:
d64988cf117599c39e193a42d7081d626376fc40
Link:
https://www.unpac.me/results/effe82fa-957a-4c33-a19e-1a82377a0435/
SH256 hash:
1cfa8764c472987678175aa86d34aaf9b06bf1e7eb243b0e9abc2b512700c755
MD5 hash:
0a1b1909869db6a5d3521d757c39d5cf
SHA1 hash:
be04fbcfb11bff35332443d0e3d0d313b30548d5
Detections:
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/effe82fa-957a-4c33-a19e-1a82377a0435/
Parent samples :
414b150d1512e748414e70c380278d819616a4c4c0c0f8a1679f0264685f3cd3
b5ff7b3e2e573f000fc57ac50e27bccd05baecbe72022746f7e13ad755efa4fb
7043dc865d6c6de28e2ff6e5c7614586c739060dc6deeaa2e27a0e208ad084e2
9cfc5f8eecf8f5e91f6e7151f759f4708010139a2597b69a2d47ce24df97f74e
c0b483db178c827da049412903494593c97d8aab30035dd39b65c9618157726b
b66154c1bf3c8ec382e169b80d5fb6d9b3fa46ddc01d3bc4e7e249858b4db4ff
SH256 hash:
414b150d1512e748414e70c380278d819616a4c4c0c0f8a1679f0264685f3cd3
MD5 hash:
955bba82da675d1e00b736b6aa71010a
SHA1 hash:
01a8b5d39a173801064d35b131dfc00c6a5fc91a
Link:
https://www.unpac.me/results/effe82fa-957a-4c33-a19e-1a82377a0435/
Malware family:
QBot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/414b150d1512/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/414b150d1512e748414e70c380278d819616a4c4c0c0f8a1679f0264685f3cd3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:exploit_any_poppopret
Create hunting rule
Author:Jeff White [karttoon@gmail.com] @noottrak
Description:Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:QakBot
Create hunting rule
Author:kevoreilly
Description:QakBot Payload
Rule name:unpacked_qbot
Create hunting rule
Description:Detects unpacked or memory-dumped QBot samples
Rule name:win_qakbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/282079/

Comments