MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4367ef10c26ce4b66be5a31f39529d7eb0a167da0321be894e43d4ed577385cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 6


SHA256 hash: 4367ef10c26ce4b66be5a31f39529d7eb0a167da0321be894e43d4ed577385cf
SHA3-384 hash: f4abefd82a82defe42f4d61c5ec9b2a3949c2bc5da596ed0adafb47ed6d808c020e2fb76884de422356a7070fea8dcf1
SHA1 hash: 7bfea40e9a4a99c925d814fc6323947249f62ab3
MD5 hash: a57ffd6724b8b316f9d14d9940650274
humanhash: coffee-robert-river-harry
File name: Insurance#1880.iso
Signature: Quakbot
File size: 1'161'216 bytes
First seen: 2022-09-22 14:16:30 UTC
Last seen: Never
File type: iso
MIME type: application/x-iso9660-image
ssdeep: 24576:J0hmPu9hXDCXw1gnEjYNAeh4X668JA5w9Mqa:J046RDCA1gdKY
TLSH: T179358D23A3900373C1B31B3CAE3F57E5A72878703B38955526D9491C2B25961AB3B7F6
TrID: 99.4% (.NULL) null bytes (2048000/1)
      0.2% (.ISO) ISO 9660 CD image (5100/59/2)
      0.2% (.ATN) Photoshop Action (5007/6/1)
      0.0% (.BIN/MACBIN) MacBinary 1 (1033/5)
      0.0% (.ABR) Adobe PhotoShop Brush (1002/3)
Reporter: pr0xylife
Tags: 1663698873 BB iso Qakbot Quakbot

Intelligence

File Origin
# of uploads: 1
# of downloads: 265
Origin country: n/a

File Archive Information

This file archive contains 6 file(s), sorted by their relevance:

File name: nervousness.png
File size: 26'471 bytes
SHA256 hash: b8e86854c016771922e1ec327a2a63fcb63b03724d1512d1e1f18ee01baa66f1
MD5 hash: fb75930705f22e2a361e69c3174ea26b
MIME type: image/png
Signature: Quakbot

File name: streakingTarrying.js
File size: 192 bytes
SHA256 hash: c898f27577db87e72b0800ddab3f6040ea339ca6b7324b6916c7bbbd9ac9b4ca
MD5 hash: db4f3e89853e4bf12c70c8616c953bca
MIME type: text/plain
Signature: Quakbot

File name: torpors.db
File size: 869'888 bytes
SHA256 hash: 5e5c55c133d644de044f5bcb782b618fd188a1c6ca707298815ab23295fb43c1
MD5 hash: e22a4ef15b7c6c9eb884e445cefa2ef9
MIME type: application/x-dosexec
Signature: Quakbot

File name: enviousness.txt
File size: 196'872 bytes
SHA256 hash: cf55d4b55ff609768bcd5d1b800061084fc2a00ad3ffd078d841e88897a3eb4f
MD5 hash: 9bb6a1c50bc2a84ee83577d285a27b23
MIME type: text/plain
Signature: Quakbot

File name: reaganAsquith.cmd
File size: 159 bytes
SHA256 hash: 2cc507bd552eb571d9d6cf7e695a2a76ca822cfa989273831bd6053b3c5cccf6
MD5 hash: 0f4075cd1217c87056d9852270cec455
MIME type: text/x-msdos-batch
Signature: Quakbot

File name: Insurance.lnk
File size: 1'265 bytes
SHA256 hash: 035e1577eeeef4d4e1678c55d30622ca92bd31ec5f5df4199408d0e06ffc287c
MD5 hash: 764c1c3f104e10245efdbfcfb43fd50a
MIME type: application/octet-stream
Signature: Quakbot

Vendor Threat Intelligence

Result
Verdict: MALICIOUS
Threat name: Win32.Trojan.Fragtor
Status: Malicious
First seen: 2022-09-22 14:17:09 UTC
File Type: Binary (Archive)
Extracted files: 44
AV detection: 8 of 40 (20.00%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:qakbot botnet:bb campaign:1663698873 banker stealer trojan
Behaviour: Enumerates physical storage devices
Malware Config
C2 Extraction:
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: iso_lnk
Author: tdawg

Rule name: RansomwareTest4
Author: Daoyuan Wu
Description: Test Ransomware YARA rules

Rule name: RansomwareTest5
Author: Daoyuan Wu
Description: Test Ransomware YARA rules

Rule name: RansomwareTest6
Author: Daoyuan Wu
Description: Test Ransomware YARA rules

Rule name: RansomwareTest7
Author: Daoyuan Wu
Description: Test Ransomware YARA rules

File information

The table below shows additional information about this malware sample such as delivery method and external references.