MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ae4b557d53199a33e8273f5fbc5007fb4b981a0687640d0282023f58fe3838f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4ae4b557d53199a33e8273f5fbc5007fb4b981a0687640d0282023f58fe3838f
SHA3-384 hash: 2bf5000b0d54c56f9baa21e571c2c885326e8fba3545481b909e029327896b10bd2afec9d3d5116b96870f650492ec01
SHA1 hash: 263344a540fac232473e9f770c68b53cbd11fae4
MD5 hash: 38ad770f8403537ebf40f4c124a3336d
humanhash: montana-lithium-ohio-sad
File name:Knhfn.png
Download: download sample
Signature Quakbot
Create hunting rule
File size:771'465 bytes
First seen:2022-05-07 21:15:00 UTC
Last seen:2022-05-07 21:33:00 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 1f323ccab9817929388091e1b9ddaddf (9 x Quakbot)
ssdeep 12288:b0tFRlN3qlI7Sq77ti3kKvKJPXWwvPi/0Q1B0vZRzIBt:bUzrOKfQUDZC91UZRMBt
Threatray 1'035 similar samples on MalwareBazaar
TLSH T1BBF48E22A3D34836DD77163D8C5B93949825FD413D34DCFA2BE4EE6C8E39A403A1529B
TrID 59.1% (.EXE) InstallShield setup (43053/19/16)
19.4% (.EXE) Win32 Executable Delphi generic (14182/79/4)
6.1% (.EXE) Win32 Executable (generic) (4505/5/1)
4.1% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
2.8% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter pr0xylife
Tags:AA dll Qakbot Quakbot

Intelligence

File Origin
# of uploads :
2
# of downloads :
268
Origin country :
n/a
Vendor Threat Intelligence
Detection:
QakBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/269274/
Detection(s):
SecuriteInfo.com.Variant.Zusy.423190.22739.16174.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Launching a process
Modifying an executable file
Searching for synchronization primitives
Creating a process with a hidden window
Sending a custom TCP request
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe greyware hacktool kbot keylogger overlay packed qakbot qbot remote.exe zusy
Link:
https://www.filescan.io/uploads/6276e194be0219041a7d5075/reports/b21be207-ad69-41bf-9124-8d8765240aac/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/728f4d00-357b-414a-b156-9fc98dde0b42
Result
Threat name:
CryptOne Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/989554
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Found malware configuration
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Schedule system process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected CryptOne packer
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 622050 Sample: Knhfn.png Startdate: 07/05/2022 Architecture: WINDOWS Score: 100 63 Found malware configuration 2->63 65 Multi AV Scanner detection for submitted file 2->65 67 Yara detected CryptOne packer 2->67 69 3 other signatures 2->69 9 loaddll32.exe 1 2->9         started        12 regsvr32.exe 2->12         started        14 regsvr32.exe 2->14         started        process3 signatures4 71 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 9->71 73 Injects code into the Windows Explorer (explorer.exe) 9->73 75 Writes to foreign memory regions 9->75 77 3 other signatures 9->77 16 explorer.exe 8 1 9->16         started        20 cmd.exe 1 9->20         started        22 regsvr32.exe 12->22         started        24 regsvr32.exe 14->24         started        process5 file6 49 C:\Users\user\Desktop\Knhfn.dll, PE32 16->49 dropped 51 Uses cmd line tools excessively to alter registry or file data 16->51 53 Uses schtasks.exe or at.exe to add and modify task schedules 16->53 26 schtasks.exe 1 16->26         started        28 rundll32.exe 20->28         started        55 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 22->55 57 Injects code into the Windows Explorer (explorer.exe) 22->57 59 Writes to foreign memory regions 22->59 61 3 other signatures 22->61 31 explorer.exe 8 2 22->31         started        signatures7 process8 signatures9 33 conhost.exe 26->33         started        79 Contains functionality to detect sleep reduction / modifications 28->79 35 WerFault.exe 23 9 28->35         started        37 explorer.exe 28->37         started        81 Uses cmd line tools excessively to alter registry or file data 31->81 39 reg.exe 1 1 31->39         started        41 reg.exe 1 1 31->41         started        43 conhost.exe 31->43         started        process10 process11 45 conhost.exe 39->45         started        47 conhost.exe 41->47         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4ae4b557d53199a33e8273f5fbc5007fb4b981a0687640d0282023f58fe3838f/
Threat name:
Win32.Trojan.BotX
Create hunting rule
Status:
Malicious
First seen:
2022-05-07 15:26:04 UTC
File Type:
PE (Dll)
Extracted files:
58
AV detection:
21 of 39 (53.85%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jlslkv6vggm2gpucop27xriap62ltananb3ebubiear7ld7dqohq._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
2e568648636c1fbb913e2ec44daa161127686b41adaaf076aa23534e85571e16
Quakbot
b2836b4f7e90321048bbd5a6b6d61877efec98631d6357672fff9ff933f88253
Quakbot
b660a1f7a7d88cb931721e680c9911a28e83dbc6120eae3cd2875fad107206f4
Quakbot
c7c420b02b00e4a8abfb23baed70bfa3051821d5405f3183926768acd4517971
Quakbot
e941c28da1fca27de32514686e3c5dfa6fbc713764d16715bd285534bd983fd3
Quakbot
+ 1'025 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot botnet:aa campaign:1651732978 banker stealer trojan
Link:
https://tria.ge/reports/220507-z3v5wsege5/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Program crash
Qakbot/Qbot
Malware Config
C2 Extraction:
24.178.196.158:2222
91.177.173.10:995
181.208.248.227:443
103.107.113.120:443
80.11.74.81:2222
2.50.17.128:2222
148.0.57.85:443
179.179.162.9:993
37.186.54.254:995
120.150.218.241:995
176.67.56.94:443
108.60.213.141:443
208.107.221.224:443
113.53.151.59:443
58.105.167.36:50000
141.237.86.114:995
70.46.220.114:443
74.14.7.71:2222
172.115.177.204:2222
189.146.78.175:443
194.36.28.102:443
32.221.224.140:995
113.110.253.185:995
24.152.219.253:995
197.83.230.61:443
104.34.212.7:32103
47.23.89.62:993
38.70.253.226:2222
75.99.168.194:443
41.228.22.180:443
148.64.96.100:443
2.50.4.57:443
118.161.34.21:995
67.209.195.198:443
187.207.47.198:61202
140.82.49.12:443
203.122.46.130:443
217.128.122.65:2222
118.161.34.21:443
83.110.218.155:993
5.32.41.45:443
72.76.94.99:443
76.70.9.169:2222
2.34.12.8:443
92.132.172.197:2222
75.99.168.194:61201
46.107.48.202:443
103.139.243.207:990
103.87.95.133:2222
63.143.92.99:995
173.174.216.62:443
174.69.215.101:443
86.98.208.214:2222
76.25.142.196:443
45.63.1.12:443
144.202.3.39:443
144.202.3.39:995
149.28.238.199:443
45.76.167.26:995
149.28.238.199:995
140.82.63.183:995
144.202.2.175:995
45.63.1.12:995
140.82.63.183:443
144.202.2.175:443
45.76.167.26:443
173.21.10.71:2222
73.151.236.31:443
67.165.206.193:993
45.46.53.140:2222
191.99.191.28:443
180.129.20.164:995
85.246.82.244:443
149.135.101.20:443
31.35.28.29:443
187.208.0.99:443
201.142.133.198:443
82.41.63.217:443
201.172.23.68:2222
72.252.157.172:990
190.252.242.69:443
70.51.152.61:2222
90.120.65.153:2078
217.118.46.41:2222
72.252.157.172:995
39.33.170.57:995
177.102.2.175:32101
40.134.246.185:995
5.193.104.246:2222
100.1.108.246:443
24.139.72.117:443
24.55.67.176:443
187.102.135.141:2222
69.14.172.24:443
94.36.195.102:2222
89.101.97.139:443
47.156.191.217:443
179.158.105.44:443
2.191.231.178:443
37.34.253.233:443
109.12.111.14:443
41.215.148.115:995
103.157.122.130:21
93.48.80.198:995
86.195.158.178:2222
105.99.204.185:443
96.37.113.36:993
86.132.13.91:2078
183.82.103.213:443
196.203.37.215:80
89.86.33.217:443
186.64.67.8:443
67.69.166.79:2222
103.233.141.208:2222
121.74.167.191:995
190.36.233.41:2222
68.204.7.158:443
197.94.84.67:443
79.129.121.68:995
106.51.48.170:50001
72.66.116.235:995
82.152.39.39:443
72.12.115.78:22
103.139.243.207:993
89.137.52.44:443
103.246.242.202:443
191.34.199.46:443
120.61.0.220:443
98.50.191.202:443
96.45.66.216:61202
102.182.232.3:995
89.211.182.31:2222
84.241.8.23:32103
172.114.160.81:995
217.164.117.87:1194
45.9.20.200:443
47.23.89.62:995
187.172.191.97:443
24.43.99.75:443
103.88.226.30:443
182.191.92.203:995
39.44.144.64:995
45.241.254.110:993
39.57.56.19:995
121.7.223.59:2222
94.140.8.55:2222
172.114.160.81:443
39.49.69.112:995
102.65.23.65:443
103.116.178.85:995
Unpacked files
SH256 hash:
c5655c5f9a9aa83bc254d287d1859ae6708fc61c5565b4b6bdf1c609c5425c19
MD5 hash:
679840f58d00b06175547357f8c2985f
SHA1 hash:
d5c2de76e405e8993473a16da7a1a3d940e4e794
Link:
https://www.unpac.me/results/29a72f47-b73f-4876-8c7b-a88e4c68a249/
SH256 hash:
d3095f08ae2d3f9b31dd5696bd593e5de14b4ca665389f0d480ad12318af2682
MD5 hash:
e110303afe7c390d9130805818e3bf76
SHA1 hash:
83cd9be98486c753da2dfe8972123caf4b655785
Detections:
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/29a72f47-b73f-4876-8c7b-a88e4c68a249/
Parent samples :
4ae4b557d53199a33e8273f5fbc5007fb4b981a0687640d0282023f58fe3838f
1a5dbff80ba1a6061196db8b27033a38c154d1822f6de2f9affc0631bf8e82ee
d52343262162d81a5c2651aa871ae1315f4bd4f35ceecde414d4445664e4f9e4
f8f1e802ba50a82412132f70e3094abcdc99f3daf55355a6e8639f4d23e09196
cbd9a472f9588a205390a6ee56722f15aaefe8364bccfeccf7a8ca04b2ec07d1
SH256 hash:
4ae4b557d53199a33e8273f5fbc5007fb4b981a0687640d0282023f58fe3838f
MD5 hash:
38ad770f8403537ebf40f4c124a3336d
SHA1 hash:
263344a540fac232473e9f770c68b53cbd11fae4
Link:
https://www.unpac.me/results/29a72f47-b73f-4876-8c7b-a88e4c68a249/
Malware family:
CryptOne
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4ae4b557d531/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4ae4b557d53199a33e8273f5fbc5007fb4b981a0687640d0282023f58fe3838f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:QakBot
Create hunting rule
Author:kevoreilly
Description:QakBot Payload
Rule name:win_qakbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/269274/

Comments