MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 45f0b7dbf4fc33f560b353591c93af28472c6691f8f9f93eb01749bc0876350b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 10

Intelligence 10 IOCs YARA 9 File information Comments

SHA256 hash:	45f0b7dbf4fc33f560b353591c93af28472c6691f8f9f93eb01749bc0876350b
SHA3-384 hash:	96855edd167694b14bbbe79765e3bd4c2547c30f8e6ab2a15b8b1977591445bf925727876ec57bd36c4fb13ab742a2d0
SHA1 hash:	b2c75d59e18a19c31832bc6ff80e8acbc3a41e24
MD5 hash:	7af16fcfdb8a89e6fca437313be9e64d
humanhash:	blossom-speaker-harry-batman
File name:	gobbledygook.dat
Download:	download sample
Signature	Quakbot Create hunting rule
File size:	642'888 bytes
First seen:	2022-10-27 09:40:21 UTC
Last seen:	Never
File type:	dll
MIME type:	application/x-dosexec
imphash	34d094cea0fc040405cd0327eba81d57 (7 x Quakbot)
ssdeep	12288:cx8IFmbH8yS5XXUrIVcxxUnMnwldJOCP6HcD5q:x6y8bRZAWM6dMCSHc4
Threatray	1'591 similar samples on MalwareBazaar
TLSH	T132D49E22B2E8C437D13256F99C3B4298987BFD0139399C096FD51F4D4E35A813B6A3A7
TrID	47.6% (.EXE) Win32 Executable Delphi generic (14182/79/4) 15.1% (.EXE) Win32 Executable (generic) (4505/5/1) 10.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1) 6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23) 6.8% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter	pr0xylife
Tags:	1666776497 BB04 dll Qakbot Quakbot

Intelligence

File Origin

# of uploads :

# of downloads :

246

Origin country :

n/a

Vendor Threat Intelligence

Detection:

QakBot

Link:

https://www.capesandbox.com/analysis/324810/

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Searching for synchronization primitives

Launching a process

Modifying an executable file

Unauthorized injection to a system process

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Qakbot

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6414c2b9-7f9c-4eeb-be2a-0e83de77055c

Result

Threat name:

CryptOne, Qbot

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1099165

Signature

Allocates memory in foreign processes

Contains functionality to detect sleep reduction / modifications

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Sigma detected: Execute DLL with spoofed extension

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected CryptOne packer

Yara detected Qbot

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/45f0b7dbf4fc33f560b353591c93af28472c6691f8f9f93eb01749bc0876350b/

Threat name:

Win32.Backdoor.Quakbot

Status:

Malicious

First seen:

2022-10-27 09:52:02 UTC

File Type:

PE (Dll)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ixylpw7u7qz7kyftknmrze5pfbdsyzur7d47spvqc5e3ycdwgufq._file

Verdict:

malicious

Label(s):

qakbot

Quakbot

4df936e24707cbb9332c99488a20f5fa0f9e0ac5cc3a2ea4d509f3539ea79200

Quakbot

5c1eb12dc76bcbb34ad726ffb072076a24a1b5205ce81d3bf8b8b1ee268da336

Quakbot

97bb01022eaa46e69d39cbddd770c5d5312b806d0b94836f96d026db1d54bf03

Quakbot

c729f364bc952590a87aa014b4e4289716ca0f2b8be27965194ce58d174087f2

Quakbot

+ 1'581 additional samples on MalwareBazaar

Result

Malware family:

qakbot

Score:

10/10

Tags:

family:qakbot botnet:bb04 campaign:1666776497 banker stealer trojan

Link:

https://tria.ge/reports/221027-lnrl9sbgem/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Program crash

Qakbot/Qbot

Malware Config

C2 Extraction:

197.204.53.242:443
83.244.63.21:443
27.110.134.202:995
173.49.74.62:443
181.164.194.228:443
24.116.45.121:443
41.47.249.185:443
24.206.27.39:443
113.183.223.8:443
186.188.80.134:443
64.207.237.118:443
156.216.134.70:995
58.247.115.126:995
180.151.116.67:443
41.140.63.187:443
144.202.15.58:443
190.199.97.108:993
172.117.139.142:995
45.230.169.132:995
24.9.220.167:443
190.24.45.24:995
193.3.19.137:443
201.68.209.47:32101
68.62.199.70:443
167.58.254.85:443
156.197.230.148:995
175.205.2.54:443
200.233.108.153:995
105.106.60.149:443
102.159.110.79:995
2.88.206.121:443
190.193.180.228:443
216.131.22.236:995
190.37.174.11:2222
206.1.203.0:443
186.188.96.197:443
190.74.248.136:443
206.1.128.203:443
201.249.100.208:995
190.33.241.216:443
190.75.151.66:2222
198.2.51.242:993
90.165.109.4:2222
71.199.168.185:443
181.56.171.3:995
41.103.1.16:443
24.207.97.117:443
105.157.86.118:443
201.223.169.238:32100
47.14.229.4:443
70.60.142.214:2222
142.181.183.42:2222
41.62.165.152:443
41.97.205.96:443
41.97.14.60:443
151.213.183.141:995
75.84.234.68:443
186.18.210.16:443
41.96.204.196:443
64.123.103.123:443
186.48.174.77:995
152.170.17.136:443
160.176.151.70:995
78.179.135.247:443
191.33.187.192:2222
98.207.190.55:443
196.65.217.253:995
78.50.124.220:443
91.171.72.214:32100
186.154.189.162:995
101.109.44.197:995
97.92.4.205:8443
41.36.159.36:993
70.115.104.126:443
181.44.34.172:443
88.240.75.201:443
24.130.228.100:443
41.109.228.108:995
24.177.111.153:443
60.54.65.27:443
189.129.38.158:2222
190.203.51.133:2222
96.46.230.10:443
222.117.141.133:443
190.207.137.189:2222
208.78.220.120:443
105.108.223.181:443
41.104.155.245:443
65.140.11.170:443
184.159.76.47:443
105.98.223.169:443
197.0.225.39:443
41.101.193.38:443
105.155.151.29:995
196.207.146.151:443
190.37.112.223:2222
14.54.83.15:443
93.156.96.171:443
58.186.75.42:443
189.110.3.60:2222
186.18.77.99:443
41.107.78.169:443
149.126.159.224:443
156.196.169.222:443
190.100.149.122:995
1.0.215.176:443
202.5.53.143:443
206.1.199.156:2087
102.156.162.83:443
220.134.54.185:2222
88.132.109.147:443
190.29.228.61:443
41.101.183.90:443
94.36.5.31:443
102.184.30.42:443
102.187.63.127:995
190.33.87.140:443
187.198.16.39:443
62.46.231.64:443

Unpacked files

SH256 hash:

3ed35ab5af7db6f926b63a07324b8efda40bdbe0a0e820d2da46bb9e0aa44415

MD5 hash:

7cf07a35bc046cc2a8da53617684dbd7

SHA1 hash:

8bbf678217e1008a4e3f44e97aa5cf3076f34473

Link:

https://www.unpac.me/results/0f4673aa-61e6-4c27-8ee2-70ed3f624c6b/

SH256 hash:

fc64f51c1e1ff1c4ccd717ed7eb8298c70640864e3abba9f2ee1836fd8b1aa53

MD5 hash:

85c7e46bcb8b197c314d73162ca0c7fa

SHA1 hash:

42bd4a22e041f847afab962204b626b90c167d5f

Detections:

Qakbot

win_qakbot_auto

Link:

https://www.unpac.me/results/0f4673aa-61e6-4c27-8ee2-70ed3f624c6b/

Parent samples :

45f0b7dbf4fc33f560b353591c93af28472c6691f8f9f93eb01749bc0876350b
77f9342fe09395b0d5bec271006bb46fa1b92e998794116730875ce2ecd1350c
ea45b3a3a743820bde72418bd1699152d28735fddc9337d018cbc901480b7245

SH256 hash:

45f0b7dbf4fc33f560b353591c93af28472c6691f8f9f93eb01749bc0876350b

MD5 hash:

7af16fcfdb8a89e6fca437313be9e64d

SHA1 hash:

b2c75d59e18a19c31832bc6ff80e8acbc3a41e24

Link:

https://www.unpac.me/results/0f4673aa-61e6-4c27-8ee2-70ed3f624c6b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/45f0b7dbf4fc33f560b353591c93af28472c6691f8f9f93eb01749bc0876350b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	APT_DustSquad_PE_Nov19_1 Create hunting rule
Author:	Arkbird_SOLG
Description:	Detection Rule for APT DustSquad campaign Nov19
Reference:	https://twitter.com/Rmy_Reserve/status/1197448735422238721

Rule name:	APT_DustSquad_PE_Nov19_2 Create hunting rule
Author:	Arkbird_SOLG
Description:	Detection Rule for APT DustSquad campaign Nov19
Reference:	https://twitter.com/Rmy_Reserve/status/1197448735422238721

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	QakBot Create hunting rule
Author:	kevoreilly
Description:	QakBot Payload

Rule name:	unpacked_qbot Create hunting rule
Description:	Detects unpacked or memory-dumped QBot samples

Rule name:	win_qakbot_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.qakbot.

Rule name:	win_qakbot_malped Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/324810/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample