MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 512fddd922a0e305f67933c950018d0d58ea557b8ae8b301852673a4943f6253. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 512fddd922a0e305f67933c950018d0d58ea557b8ae8b301852673a4943f6253
SHA3-384 hash: 7fe01f6a4b7a087be493db0d3aa91d1876eecce8ba4f4434e691f02eaf80a8655c038444e18675e58d636a686e3bef98
SHA1 hash: 607888d9cd0a9af5ebaa2483ef87c2c465b4606a
MD5 hash: d4b2471bfe6e1f07768b6fb8c262d647
humanhash: california-one-four-video
File name:templates733.png
Download: download sample
Signature Quakbot
Create hunting rule
File size:431'104 bytes
First seen:2022-11-01 17:13:45 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 0ee02506e28d6ab342866f0848f25556 (5 x Quakbot)
ssdeep 12288:Pkpde329VEdv++607q6YP4uo7N9YIegv8JowUShUPw:Pudy29ChzEowQ0Uw
Threatray 1'637 similar samples on MalwareBazaar
TLSH T18E94E182F4A37EE1E77BA43B0251725E079D2D618B82DF97A204037BBD546C12D378E6
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4505/5/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter pr0xylife
Tags:1667294768 BB05 dll Quakbot

Intelligence

File Origin
# of uploads :
1
# of downloads :
335
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/326861/
Detection(s):
SecuriteInfo.com.Win32.BotX-gen.12080.13506.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Searching for synchronization primitives
Modifying an executable file
Creating a window
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/636153dea5db8d309cbc37eb/reports/675d294a-5daa-49ae-9c33-8d08cf630fe7/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8f74fd40-0451-46d1-9eeb-84d6229ea22c
Result
Threat name:
Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1102665
Signature
Allocates memory in foreign processes
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Execute DLL with spoofed extension
Sigma detected: Register DLL with spoofed extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 735326 Sample: templates733.png.dll Startdate: 01/11/2022 Architecture: WINDOWS Score: 84 39 Yara detected Qbot 2->39 41 Sigma detected: Register DLL with spoofed extension 2->41 43 Sigma detected: Execute DLL with spoofed extension 2->43 45 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->45 8 loaddll32.exe 1 2->8         started        process3 signatures4 55 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->55 57 Writes to foreign memory regions 8->57 59 Allocates memory in foreign processes 8->59 61 Maps a DLL or memory area into another process 8->61 11 cmd.exe 1 8->11         started        13 rundll32.exe 8->13         started        16 regsvr32.exe 8->16         started        18 2 other processes 8->18 process5 signatures6 20 rundll32.exe 11->20         started        63 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 13->63 65 Writes to foreign memory regions 13->65 67 Allocates memory in foreign processes 13->67 23 wermgr.exe 13->23         started        69 Maps a DLL or memory area into another process 16->69 25 wermgr.exe 8 14 16->25         started        process7 dnsIp8 47 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 20->47 49 Writes to foreign memory regions 20->49 51 Allocates memory in foreign processes 20->51 53 Maps a DLL or memory area into another process 20->53 29 wermgr.exe 20->29         started        33 49.175.72.56, 443, 49699, 49700 POWERVIS-AS-KRLGPOWERCOMMKR Korea Republic of 25->33 35 www.google.com 142.250.147.106, 443, 49698 GOOGLEUS United States 25->35 37 google.com 142.250.147.139, 443, 49697 GOOGLEUS United States 25->37 31 C:\Users\user\Desktop\templates733.png.dll, PE32 25->31 dropped file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/512fddd922a0e305f67933c950018d0d58ea557b8ae8b301852673a4943f6253/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-11-01 17:14:11 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kex53wjcudrql5tzgpevaamnbvmouvl3rlulgamfezz2jfb7mjjq._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
24aec370771ad1208aeb54721067c9e3b139a368f13ab6b131dc7d6c13da5127
Quakbot
3673e67108d268144a56740412a8df09d18f7e1e3565738df4ee299ca89f9928
Quakbot
592dc94d71effe762414d7d1ab10df18bf999340dd5851f0c132509d3f525dc2
Quakbot
68497fe4d9c25c38e9419c4d617a62fedbbe272ef2623c6d61d6794fb047338a
Quakbot
e9e65452644cf71bddbd3a324c171117c3df219a642bca6083ee6796dc5365c2
Quakbot
eb1422db19c4a5da70b11693f04d300928be95e16aaeda321b6feca33331b21e
Quakbot
+ 1'627 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot botnet:bb05 campaign:1667294768 banker stealer trojan
Link:
https://tria.ge/reports/221101-vrzlqaeegq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Qakbot/Qbot
Malware Config
C2 Extraction:
136.232.184.134:995
1.65.20.175:53249
187.0.1.154:63263
50.68.204.71:995
74.92.243.113:50000
1.149.126.159:57345
187.0.1.182:17093
123.3.240.16:995
76.68.34.167:2222
172.219.147.156:3389
94.49.5.116:443
187.0.1.181:14507
206.1.223.234:2087
187.0.1.186:18828
131.23.1.187:1
23.233.254.195:443
76.125.91.160:443
187.0.1.90:42349
70.51.139.148:2222
187.0.1.76:47526
151.213.183.141:995
187.0.1.45:9057
152.170.17.136:443
92.185.204.18:2078
187.0.1.47:3813
105.103.103.142:443
66.37.239.222:2078
41.141.112.224:443
66.37.239.222:995
Unpacked files
SH256 hash:
026285a1665fc27564ea0d6caa2343afa705940a8b5b1d62f6a4446566a55d48
MD5 hash:
9ce801efc2872c554f463f601a790090
SHA1 hash:
9ff0464edb0cc0b12e861b20dcbba91dc3c5bb84
Detections:
Qakbot
Create hunting rule
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/413793d2-0e5e-4e37-88f3-8f4a400fdd98/
SH256 hash:
512fddd922a0e305f67933c950018d0d58ea557b8ae8b301852673a4943f6253
MD5 hash:
d4b2471bfe6e1f07768b6fb8c262d647
SHA1 hash:
607888d9cd0a9af5ebaa2483ef87c2c465b4606a
Link:
https://www.unpac.me/results/413793d2-0e5e-4e37-88f3-8f4a400fdd98/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/512fddd922a0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/512fddd922a0e305f67933c950018d0d58ea557b8ae8b301852673a4943f6253

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:QakBot
Create hunting rule
Author:kevoreilly
Description:QakBot Payload
Rule name:unpacked_qbot
Create hunting rule
Description:Detects unpacked or memory-dumped QBot samples
Rule name:win_qakbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.
Rule name:win_qakbot_malped
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/326861/

Comments