MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 487ab4ef431390163568f0a89f4e8279d14717d7a9ced1ba45e34ad280b6b0de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 11

SHA256 hash: 487ab4ef431390163568f0a89f4e8279d14717d7a9ced1ba45e34ad280b6b0de
SHA3-384 hash: d9b27812fa63428ef4f569f41bd5f6f9dbca07a1a0c68c0f80656f2315f712513df5c1b47a8fb3dfdacb26f5adcd164e
SHA1 hash: fddf8787c83f1eba44f564a3cf044b2cd4ba33a7
MD5 hash: af9177a9842ebb006bcce95446e82e95
humanhash: salami-dakota-harry-iowa
File name: 300123.gif
Signature: Quakbot
File size: 842'699 bytes
First seen: 2023-01-31 14:50:58 UTC
Last seen: 2023-01-31 16:32:18 UTC
File type: dll
MIME type: application/x-dosexec
imphash: bd00562f54da988c5e30d91b85fe5d10 (1 x Quakbot)
ssdeep: 24576:sikjPg+4QceLhb6fMYaq4RPaOFm0jAjX:Bk0YBq6tjqX
TLSH: T14005AF62F2B14C37C1B3263E9C1B5768A939BE1169389D473BF41E4C8F356903B252A7
TrID: 47.6% (.EXE) Win32 Executable Delphi generic (14182/79/4)
      15.1% (.EXE) Win32 Executable (generic) (4505/5/1)
      10.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
      6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
      6.8% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter: pr0xylife
Tags: 1675161160 BB12 dll Qakbot Quakbot

Intelligence

File Origin
# of uploads :
2
# of downloads :
249
Origin country :
US
Vendor Threat Intelligence
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating synchronization primitives
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
greyware keylogger overlay
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
CryptOne, Qbot
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
DLL reload attack detected
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected CryptOne packer
Yara detected Qbot
Behaviour
Behavior Graph:
Behavior Graph ID: 795236
Sample: 300123.gif.dll
Startdate: 31/01/2023
Architecture: WINDOWS
Score: 100

Signatures on the submitted sample:
  Multi AV Scanner detection for submitted file
  Yara detected CryptOne packer
  Yara detected Qbot
  2 other signatures

Process tree:
  loaddll32.exe (started by the sample)
    rundll32.exe (started)
      dropped: C:\Users\user\AppData\Local\...3146FC0.dll, PE32
      dropped: C:\Users\user\AppData\Local\...\7CC96055.dll, PE32
      signature: Overwrites code with unconditional jumps - possibly settings hooks in foreign process
      signature: Writes to foreign memory regions
      signature: Allocates memory in foreign processes
      signature: Maps a DLL or memory area into another process
      wermgr.exe (started)
        network: 84.108.200.161, 443, 49719, 49720 BEZEQ-INTERNATIONAL-ASBezeqintInternetBackboneIL Israel
        dropped: C:\Users\user\Desktop\300123.gif.dll, PE32
      wermgr.exe (started)
    cmd.exe (started)
      rundll32.exe (started)
        signature: DLL reload attack detected
        signature: Contains functionality to detect sleep reduction / modifications
        WerFault.exe (started)
    conhost.exe (started)
Threat name:
Win32.Backdoor.Quakbot
Status:
Malicious
First seen:
2023-01-31 14:51:07 UTC
File Type:
PE (Dll)
Extracted files:
40
AV detection:
20 of 26 (76.92%)
Threat level:
5/5
Result
Malware family:
Score:
10/10
Tags:
family:qakbot botnet:bb12 campaign:1675161160 banker stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Program crash
Loads dropped DLL
Qakbot/Qbot
Malware Config
C2 Extraction:
114.143.176.234:443
88.126.94.4:50000
103.252.7.228:443
87.10.205.117:443
82.15.58.109:2222
72.80.7.6:995
90.162.45.154:2222
47.34.30.133:443
50.68.204.71:993
112.141.184.246:995
73.165.119.20:443
91.169.12.198:32100
173.18.126.3:443
87.56.238.53:443
85.241.180.94:443
12.172.173.82:50001
92.154.17.149:2222
103.42.86.246:995
12.172.173.82:990
91.254.132.23:443
121.121.100.207:995
74.92.243.113:50000
69.119.123.159:2222
156.217.247.173:995
50.68.204.71:995
76.170.252.153:995
92.8.190.175:2222
69.159.158.183:2222
172.248.42.122:443
12.172.173.82:2087
197.148.17.17:2078
75.143.236.149:443
69.133.162.35:443
50.68.204.71:443
125.20.112.94:443
206.188.201.143:2222
92.27.86.48:2222
71.46.234.171:443
85.59.61.52:2222
12.172.173.82:995
71.112.212.166:443
27.0.48.233:443
130.43.172.217:2222
98.175.176.254:995
200.109.207.186:2222
103.141.50.151:995
107.146.12.26:2222
136.232.184.134:995
181.118.183.2:443
136.244.25.165:443
197.204.184.160:443
183.87.163.165:443
5.163.163.51:995
102.156.154.112:443
87.223.87.126:443
91.165.188.74:50000
89.115.196.99:443
87.221.197.113:2222
89.79.229.50:443
84.108.200.161:443
123.3.240.16:995
161.142.104.187:995
173.76.49.61:443
47.21.51.138:995
175.139.129.94:2222
58.247.115.126:995
60.254.51.168:443
184.153.132.82:443
116.75.63.184:443
70.66.199.12:443
162.248.14.107:443
75.98.154.19:443
202.142.98.62:995
93.24.192.142:20
202.142.98.62:443
78.193.176.97:443
87.202.101.164:50000
82.121.195.187:2222
88.169.33.180:2222
89.129.109.27:2222
85.7.61.22:2222
86.130.9.182:2222
24.228.132.224:2222
86.96.72.139:2222
24.9.220.167:443
91.231.173.199:995
217.128.91.196:2222
102.156.174.28:443
213.67.255.57:2222
176.202.38.188:443
98.145.23.67:443
217.128.200.114:2222
70.77.116.233:443
67.10.175.47:2222
74.33.196.114:443
31.53.29.161:2222
12.172.173.82:20
90.104.22.28:2222
27.0.48.205:443
103.212.19.254:995
86.195.14.72:2222
119.82.122.226:443
92.154.45.81:2222
151.65.168.222:443
2.98.146.106:995
213.31.90.183:2222
47.61.70.188:2078
27.109.19.90:2078
173.178.151.233:443
198.2.51.242:993
86.194.156.14:2222
76.80.180.154:995
174.104.184.149:443
12.172.173.82:465
12.172.173.82:32101
171.97.42.67:443
73.36.196.11:443
71.31.101.183:443
81.229.117.95:2222
Unpacked files
SHA256 hash:
30e050daa21feed5c78bc6f103f4c298083364db0869bd1e0c08b08857dc1535
MD5 hash:
2cdaef095dfb1e23e1d266b27fd6c8fc
SHA1 hash:
384a7a47053749cf5c1aa015e2ec9da965b665b8
SHA256 hash:
02120809d32490f2709efdedb885e6dc65243553bb2984869676046ae56fd5a0
MD5 hash:
3e3bc981a7fdbae10b40cd6683edacbb
SHA1 hash:
344b7adfdd716bfcc3fa349354b81d0532a2cbeb
Detections:
Qakbot win_qakbot_auto
SHA256 hash:
487ab4ef431390163568f0a89f4e8279d14717d7a9ced1ba45e34ad280b6b0de
MD5 hash:
af9177a9842ebb006bcce95446e82e95
SHA1 hash:
fddf8787c83f1eba44f564a3cf044b2cd4ba33a7
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: meth_stackstrings
Author: Willi Ballenthin

Rule name: QakBot
Author: kevoreilly
Description: QakBot Payload

Rule name: qakbot_api_hashing
Author: @Embee_Research
Reference: https://twitter.com/embee_research/status/1592067841154756610

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

Rule name: unpacked_qbot
Description: Detects unpacked or memory-dumped QBot samples

Rule name: win_qakbot_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.qakbot.

Rule name: win_qakbot_malped
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments