MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a6fa75896f4dca8e3ad9c5024037b10b61bd4a723819aaf0ea941f37a763411. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 12



SHA256 hash: 4a6fa75896f4dca8e3ad9c5024037b10b61bd4a723819aaf0ea941f37a763411
SHA3-384 hash: 10ce516f310577feda331cbf466ac2e55c5942823ff4b8efd1c26a7d3b810fbd297b068073da091eceac1e5b37103f68
SHA1 hash: cc8b2111b22a72a1d7831751c64ff9b107fc545d
MD5 hash: 278dcd5147c869e6940e6baba52bb931
humanhash: social-solar-floor-eighteen
File name: unwarmed.tmp
Signature: Quakbot
File size: 454'656 bytes
First seen: 2022-12-02 16:10:51 UTC
Last seen: 2022-12-02 17:36:30 UTC
File type: DLL
MIME type: application/x-dosexec
imphash: b05f1116650d8c60a001fe8a94295c2b (1 x Quakbot)
ssdeep: 12288:BWyGWZDZNFkHkmqnfsd5Ja46fDV3+QWc2:AOZuHk2JajfRO8
Threatray: 1'817 similar samples on MalwareBazaar
TLSH: T146A4CE47E0819FB3D4A9D93EC479A163DB692823FF63CB56120CC52579E309093EA72D
TrID: 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
      13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
      6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter: pr0xylife
Tags: dll obama225 Qakbot Quakbot

Intelligence


File Origin
Uploads: 2
Downloads: 207
Origin country: RU
Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:
Behaviour
Sending a custom TCP request
Verdict: No Threat
Threat level: 2/10
Confidence: 100%
Tags: greyware
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: spre.troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Gathers network related connection and port information
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Performs a network lookup / discovery via ARP
Performs a network lookup / discovery via net view
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Uses ipconfig to lookup or modify the Windows network settings
Uses netstat to query active network connections and open ports
Uses nslookup.exe to query domains
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph (rendered as an image on the original page; only the header and process chain are recoverable here): Behavior Graph ID 759358, sample unwarmed.tmp.dll, start date 02/12/2022, architecture Windows, score 100. Process chain: loaddll32.exe -> cmd.exe / rundll32.exe -> wermgr.exe -> nslookup.exe, net.exe, net1.exe, conhost.exe; several WerFault.exe crashes also observed. Dropped file: C:\Users\user\Desktop\unwarmed.tmp.dll (PE32).
Threat name: Win32.Backdoor.Quakbot
Status: Malicious
First seen: 2022-12-02 16:11:08 UTC
File Type: PE (Dll)
Extracted files: 1
AV detection: 20 of 26 (76.92%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:qakbot botnet:obama225 campaign:1669974461 banker stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Qakbot/Qbot
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash: 5b3dee41c9c883799ff239f900eac4d2eb4c87c5c064d6cc3430745ff7464b95
MD5 hash: 59b8c00935b647a5dde017ac98d655b5
SHA1 hash: 145d7516aff97586aedcee41f707cc11ee5087b6
Detections: Qakbot win_qakbot_auto
SHA256 hash: 4a6fa75896f4dca8e3ad9c5024037b10b61bd4a723819aaf0ea941f37a763411
MD5 hash: 278dcd5147c869e6940e6baba52bb931
SHA1 hash: cc8b2111b22a72a1d7831751c64ff9b107fc545d
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

File information


The table below shows additional information about this malware sample such as delivery method and external references.
