MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 42ad1e843f44a725a6666d3d27f10caaa2252a05e1bc0b9c3c315496728f9f25. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 12

Intelligence 12 IOCs YARA 6 File information Comments

SHA256 hash:	42ad1e843f44a725a6666d3d27f10caaa2252a05e1bc0b9c3c315496728f9f25
SHA3-384 hash:	ee0e3cd31321ef49bb476b222efa79f8194cb00430f0d3d4e5171399e2dc5f9d6b01cb6f9414c37a27df871005bfee05
SHA1 hash:	1ef32f07ffb2f1cf5198203b7d263fd74d50939b
MD5 hash:	069fbff5bbfa4dd3295442b26893c6bb
humanhash:	mirror-timing-illinois-mexico
File name:	pennyworth.db
Download:	download sample
Signature	Quakbot Create hunting rule
File size:	719'872 bytes
First seen:	2022-09-21 09:13:03 UTC
Last seen:	Never
File type:	dll
MIME type:	application/x-dosexec
imphash	cdfb2f2fcd0de6d94c4dff42d5af20df (1 x Quakbot)
ssdeep	12288:10cDgZApguXaZhjxA8DPG+WAHlKHnhMIEe5UT+QD1lNMABa:6w76Za8Gy8HnP5w9Mqa
TLSH	T1C3E49F32F2E05477D273263C9C3B52AD983A7D102F2998473BE81E4D5F396817A66393
TrID	47.6% (.EXE) Win32 Executable Delphi generic (14182/79/4) 15.1% (.EXE) Win32 Executable (generic) (4505/5/1) 10.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1) 6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23) 6.8% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter	pr0xylife
Tags:	BB dll Quakbot

Intelligence

File Origin

# of uploads :

# of downloads :

269

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/312016/

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a window

Launching a process

Searching for synchronization primitives

Modifying an executable file

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

greyware keylogger

Link:

https://www.filescan.io/uploads/632ad5e336ba812561a72668/reports/152f6149-6066-4c72-a46e-16e113765738/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Qakbot

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f34fd738-6a41-48dd-afb5-dcb0d51353da

Result

Threat name:

CryptOne, Qbot

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1074485

Signature

Allocates memory in foreign processes

Contains functionality to detect sleep reduction / modifications

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected CryptOne packer

Yara detected Qbot

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/42ad1e843f44a725a6666d3d27f10caaa2252a05e1bc0b9c3c315496728f9f25/

Threat name:

Win32.Backdoor.Quakbot

Status:

Malicious

First seen:

2022-09-20 19:52:10 UTC

File Type:

PE (Dll)

Extracted files:

AV detection:

23 of 26 (88.46%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ikwr5bb7istsljtgnu6sp4imvkrckkqf4g6axhb4gfkjm4upt4sq._file

Result

Malware family:

qakbot

Score:

10/10

Tags:

family:qakbot botnet:bb campaign:1663698873 banker stealer trojan

Link:

https://tria.ge/reports/220921-k6sfvabecr/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Program crash

Qakbot/Qbot

Malware Config

C2 Extraction:

173.218.180.91:443
134.35.13.43:443
197.94.84.128:443
70.51.132.197:2222
181.118.183.123:443
189.19.189.222:32101
41.111.1.60:995
70.49.33.200:2222
99.232.140.205:2222
139.228.33.176:2222
193.3.19.37:443
41.99.57.155:443
177.255.14.99:995
31.54.39.153:2078
191.97.234.238:995
105.159.30.48:443
217.165.146.41:993
119.82.111.158:443
66.181.164.43:443
88.245.168.200:2222
110.4.255.247:443
89.211.217.38:995
64.207.215.69:443
109.155.5.164:993
190.44.40.48:995
187.205.222.100:443
76.169.76.44:2222
72.88.245.71:443
197.204.243.167:443
68.53.110.74:995
41.69.103.179:995
68.224.229.42:443
100.1.5.250:995
194.166.205.204:995
88.232.207.24:443
14.183.63.12:443
89.211.223.138:2222
85.98.206.165:995
191.254.74.89:32101
72.66.96.129:995
176.42.245.2:995
186.154.92.181:443
88.231.221.198:995
102.38.97.229:995
45.51.148.111:993
87.243.113.104:995
84.38.133.191:443
123.240.131.1:443
180.180.131.95:443
191.84.204.214:995

Unpacked files

SH256 hash:

44562628f8c23fd65ab9039522005328b1fbc04d132d0808bf59a382e9584a4e

MD5 hash:

109bb106d14348ef570e797ffbcb26ab

SHA1 hash:

fa862fd967c140216e1a1b2b768fa5e8bfea1e70

Link:

https://www.unpac.me/results/087c1b6b-7645-4cfc-9a44-c2f438023022/

SH256 hash:

519ab2fa5f67c95ccd7238e347c3d27d86c4c1b255365cf015b9c3e3180d2715

MD5 hash:

9fa3ed8bed9633f1552c5579e110af65

SHA1 hash:

d92c3894847de03386212462999e02ed5176f2e3

Detections:

Qakbot

win_qakbot_auto

Link:

https://www.unpac.me/results/087c1b6b-7645-4cfc-9a44-c2f438023022/

Parent samples :

42ad1e843f44a725a6666d3d27f10caaa2252a05e1bc0b9c3c315496728f9f25
5e5c55c133d644de044f5bcb782b618fd188a1c6ca707298815ab23295fb43c1

SH256 hash:

42ad1e843f44a725a6666d3d27f10caaa2252a05e1bc0b9c3c315496728f9f25

MD5 hash:

069fbff5bbfa4dd3295442b26893c6bb

SHA1 hash:

1ef32f07ffb2f1cf5198203b7d263fd74d50939b

Link:

https://www.unpac.me/results/087c1b6b-7645-4cfc-9a44-c2f438023022/

Malware family:

QBot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/42ad1e843f44/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/42ad1e843f44a725a6666d3d27f10caaa2252a05e1bc0b9c3c315496728f9f25

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	QakBot Create hunting rule
Author:	kevoreilly
Description:	QakBot Payload

Rule name:	unpacked_qbot Create hunting rule
Description:	Detects unpacked or memory-dumped QBot samples

Rule name:	win_qakbot_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.qakbot.

Rule name:	win_qakbot_malped Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/312016/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample