MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49961eee6f4b22b2985586d4ccafdcf81f34c1a33aa1eb19430b0f6fe8c1e34f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 11

Intelligence 11 IOCs YARA 9 File information Comments

SHA256 hash:	49961eee6f4b22b2985586d4ccafdcf81f34c1a33aa1eb19430b0f6fe8c1e34f
SHA3-384 hash:	4d56e2c4b792c36b3c1fab1bfd7b8fa83f858431425cc10dcf01c656a69a9fb7b5477ed56a2ee53ed71b46c421244d04
SHA1 hash:	8b5bc7a2ebce7015b5c16f1c23491002292d9e90
MD5 hash:	5a3fc217a7b821a632c8e939b034c8c9
humanhash:	nine-table-cardinal-pasta
File name:	peasanthood.dat
Download:	download sample
Signature	Quakbot Create hunting rule
File size:	643'400 bytes
First seen:	2022-10-31 14:17:59 UTC
Last seen:	2022-10-31 16:12:25 UTC
File type:	dll
MIME type:	application/x-dosexec
imphash	34d094cea0fc040405cd0327eba81d57 (7 x Quakbot)
ssdeep	12288:8x8IFmbH8yS5XXUrIVcxxa/5IOT2LY/O9bBoY//w:R6y8bRZAchI/LoO9bBoY/4
Threatray	1'624 similar samples on MalwareBazaar
TLSH	T18CD49E22B2E8C037D13256F99C3B46A85C7BFD0139299C096FD51F4D4E39A413B6A3A7
TrID	47.6% (.EXE) Win32 Executable Delphi generic (14182/79/4) 15.1% (.EXE) Win32 Executable (generic) (4505/5/1) 10.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1) 6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23) 6.8% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter	malwarelabnet
Tags:	dll obama218 Qakbot Quakbot

Intelligence

File Origin

# of uploads :

# of downloads :

446

Origin country :

n/a

Vendor Threat Intelligence

Detection:

QakBot

Link:

https://www.capesandbox.com/analysis/326450/

Detection(s):

SecuriteInfo.com.Variant.Zusy.440708.32628.28507.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a window

Searching for synchronization primitives

Launching a process

Modifying an executable file

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

apt greyware keylogger overlay packed

Link:

https://www.filescan.io/uploads/635fd91e736e9d884f0db03c/reports/2a8c1331-edad-4231-ad20-44cc25a6851b/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/49961eee6f4b22b2985586d4ccafdcf81f34c1a33aa1eb19430b0f6fe8c1e34f/

Threat name:

Win32.Backdoor.Quakbot

Status:

Malicious

First seen:

2022-10-31 14:18:11 UTC

File Type:

PE (Dll)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jglb53tpjmrlfgcvq3kmzl647aptjqndhkq6wgkdbmhw72gb4nhq._file

Verdict:

malicious

Label(s):

qakbot

Quakbot

5d1bdf66ece3473c16835516d9800652cce0b12ad592e8b4a9a1bf6ebffc0b3f

Quakbot

62b5cb0be9e42ed5628cf0bcbc7a159ac89668933c887796d2201e5eb4c2ca76

Quakbot

9bea9743ed86d925f88d75077ef37b3a4a6a652bbdd2f0e516efdfbb94fb5e06

Quakbot

aa8fbf0411339a0acce09cebab6aea8ed00ceaec76fd92f304ee41c09a9372a4

Quakbot

e248f7a1cbd369a2111834664fa805b489c8610e0d9b7fa506c3a1fc882dd331

Quakbot

+ 1'614 additional samples on MalwareBazaar

Result

Malware family:

qakbot

Score:

10/10

Tags:

family:qakbot botnet:obama218 campaign:1666870886 banker stealer trojan

Link:

https://tria.ge/reports/221031-rl9yqacabp/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Program crash

Qakbot/Qbot

Malware Config

C2 Extraction:

24.206.27.39:443
1.102.156.146:8707
187.1.1.118:44751
172.117.139.142:995
1.181.118.183:31745
45.35.97.45:443
187.0.1.27:28294
58.247.115.126:995
1.24.9.220:42753
187.1.1.186:48208
112.141.184.246:995
201.223.169.238:32100
68.62.199.70:443
45.49.137.80:443
187.0.1.172:28709
102.159.236.29:443
183.242.1.187:1
186.48.161.130:995
191.33.187.192:2222
154.181.228.27:995
90.165.109.4:2222
187.0.1.24:53089
41.97.205.96:443
187.0.1.160:45207
91.171.72.214:32100
187.0.1.181:11298
24.177.111.153:443
184.159.76.47:443
187.0.1.105:39831
93.156.96.171:443

Unpacked files

SH256 hash:

ddf67c9f64ba9af9adbff29a69431bd3601ff8eb89dfbe23de2cafe7b2ca87dc

MD5 hash:

bd006fa935296e7e0d046a802d29b1cb

SHA1 hash:

27f1a9d1bd1c9b14fbc3c4d74a52495e8cc10059

Link:

https://www.unpac.me/results/d9d19e40-4b4e-4159-9361-d79cc0a2ccbd/

SH256 hash:

0dcd86692d92c058625ab343e472eef571514cc62d676288044ad26caa263fad

MD5 hash:

4fbebc9879ec1f95e759cb8b5d9fb89d

SHA1 hash:

3bef00c57f1e00b2e182f2f9955003568b6455dc

Detections:

Qakbot

win_qakbot_auto

Link:

https://www.unpac.me/results/d9d19e40-4b4e-4159-9361-d79cc0a2ccbd/

Parent samples :

9bea9743ed86d925f88d75077ef37b3a4a6a652bbdd2f0e516efdfbb94fb5e06
5d1bdf66ece3473c16835516d9800652cce0b12ad592e8b4a9a1bf6ebffc0b3f
49961eee6f4b22b2985586d4ccafdcf81f34c1a33aa1eb19430b0f6fe8c1e34f

SH256 hash:

49961eee6f4b22b2985586d4ccafdcf81f34c1a33aa1eb19430b0f6fe8c1e34f

MD5 hash:

5a3fc217a7b821a632c8e939b034c8c9

SHA1 hash:

8b5bc7a2ebce7015b5c16f1c23491002292d9e90

Link:

https://www.unpac.me/results/d9d19e40-4b4e-4159-9361-d79cc0a2ccbd/

Malware family:

CryptOne

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/49961eee6f4b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/49961eee6f4b22b2985586d4ccafdcf81f34c1a33aa1eb19430b0f6fe8c1e34f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	APT_DustSquad_PE_Nov19_1 Create hunting rule
Author:	Arkbird_SOLG
Description:	Detection Rule for APT DustSquad campaign Nov19
Reference:	https://twitter.com/Rmy_Reserve/status/1197448735422238721

Rule name:	APT_DustSquad_PE_Nov19_2 Create hunting rule
Author:	Arkbird_SOLG
Description:	Detection Rule for APT DustSquad campaign Nov19
Reference:	https://twitter.com/Rmy_Reserve/status/1197448735422238721

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	QakBot Create hunting rule
Author:	kevoreilly
Description:	QakBot Payload

Rule name:	unpacked_qbot Create hunting rule
Description:	Detects unpacked or memory-dumped QBot samples

Rule name:	win_qakbot_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.qakbot.

Rule name:	win_qakbot_malped Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/326450/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample