MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5467c27a047c728562781e46d7c10960617a7579c70ac487f371b8888b4e5ae9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 11

Intelligence 11 IOCs YARA 4 File information Comments

SHA256 hash:	5467c27a047c728562781e46d7c10960617a7579c70ac487f371b8888b4e5ae9
SHA3-384 hash:	2b9691048624fdbaea29411536a8bc41fe2a314c7e19d38056cc87f73616afc0128f4c84e03267ec789222eb48d437e0
SHA1 hash:	c38dfd229653231d3284ac4dfbda860c06ea6606
MD5 hash:	6357313411883e697906ed776e50333f
humanhash:	alpha-eleven-network-shade
File name:	templates117.png
Download:	download sample
Signature	Quakbot Create hunting rule
File size:	431'104 bytes
First seen:	2022-11-01 19:11:56 UTC
Last seen:	Never
File type:	dll
MIME type:	application/x-dosexec
imphash	0ee02506e28d6ab342866f0848f25556 (5 x Quakbot)
ssdeep	12288:Pkpde329VEdv++607q6YP4uo7N9SIegv8JowUShUPw:Pudy29ChzEoaQ0Uw
Threatray	1'646 similar samples on MalwareBazaar
TLSH	T1C094E182F4A37EE1E77BA43B0251725E079D2D618B82DF97A204037BBD546C12D378E6
TrID	29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 22.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 20.3% (.EXE) Win32 Executable (generic) (4505/5/1) 9.1% (.EXE) OS/2 Executable (generic) (2029/13) 9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	malwarelabnet
Tags:	BB05 dll Qakbot Quakbot

Intelligence

File Origin

# of uploads :

# of downloads :

343

Origin country :

n/a

Vendor Threat Intelligence

Detection:

QakBot

Link:

https://www.capesandbox.com/analysis/326879/

Detection(s):

SecuriteInfo.com.Win32.BotX-gen.12080.13506.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Сreating synchronization primitives

Launching a process

Searching for synchronization primitives

Modifying an executable file

Creating a window

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/63616f8458409ff7bc0c7a06/reports/c82e8c35-7faf-4cf9-a812-a0ec0cb4dd60/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Qakbot

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6b598d38-ac4b-45af-8b61-0089f490ac08

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5467c27a047c728562781e46d7c10960617a7579c70ac487f371b8888b4e5ae9/

Threat name:

Win32.Backdoor.Quakbot

Status:

Malicious

First seen:

2022-11-01 19:12:09 UTC

File Type:

PE (Dll)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=krt4e6qeprzikytydzdnpqijmbqxu5lzy4fmjb7tog4irc2olluq._file

Verdict:

malicious

Label(s):

qakbot

Quakbot

3673e67108d268144a56740412a8df09d18f7e1e3565738df4ee299ca89f9928

Quakbot

3ed0b69a6916fd0be742a0771f3f060396215617fd57c87ccda639b2f1da2086

Quakbot

512fddd922a0e305f67933c950018d0d58ea557b8ae8b301852673a4943f6253

Quakbot

592dc94d71effe762414d7d1ab10df18bf999340dd5851f0c132509d3f525dc2

Quakbot

68497fe4d9c25c38e9419c4d617a62fedbbe272ef2623c6d61d6794fb047338a

Quakbot

e9e65452644cf71bddbd3a324c171117c3df219a642bca6083ee6796dc5365c2

Quakbot

eb1422db19c4a5da70b11693f04d300928be95e16aaeda321b6feca33331b21e

Quakbot

+ 1'636 additional samples on MalwareBazaar

Result

Malware family:

qakbot

Score:

10/10

Tags:

family:qakbot botnet:bb05 campaign:1667294768 banker stealer trojan

Link:

https://tria.ge/reports/221101-xwgyksfbfn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Qakbot/Qbot

Malware Config

C2 Extraction:

136.232.184.134:995
1.65.20.175:53249
187.0.1.154:63263
50.68.204.71:995
74.92.243.113:50000
1.149.126.159:57345
187.0.1.182:17093
123.3.240.16:995
76.68.34.167:2222
172.219.147.156:3389
94.49.5.116:443
187.0.1.181:14507
206.1.223.234:2087
187.0.1.186:18828
131.23.1.187:1
23.233.254.195:443
76.125.91.160:443
187.0.1.90:42349
70.51.139.148:2222
187.0.1.76:47526
151.213.183.141:995
187.0.1.45:9057
152.170.17.136:443
92.185.204.18:2078
187.0.1.47:3813
105.103.103.142:443
66.37.239.222:2078
41.141.112.224:443
66.37.239.222:995

Unpacked files

SH256 hash:

09013e47e6bc555219ad40dbd0221518a9d4b586a310bfb2766f6630da374a95

MD5 hash:

7e22f073defc690049b689f4e4975515

SHA1 hash:

d53b103a13cae4f2d947c8d01324bf9c5a59645a

Detections:

Qakbot

win_qakbot_auto

Link:

https://www.unpac.me/results/c7d8ca12-6ec5-4e67-b189-4f9967d414ab/

SH256 hash:

5467c27a047c728562781e46d7c10960617a7579c70ac487f371b8888b4e5ae9

MD5 hash:

6357313411883e697906ed776e50333f

SHA1 hash:

c38dfd229653231d3284ac4dfbda860c06ea6606

Link:

https://www.unpac.me/results/c7d8ca12-6ec5-4e67-b189-4f9967d414ab/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5467c27a047c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5467c27a047c728562781e46d7c10960617a7579c70ac487f371b8888b4e5ae9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	QakBot Create hunting rule
Author:	kevoreilly
Description:	QakBot Payload

Rule name:	unpacked_qbot Create hunting rule
Description:	Detects unpacked or memory-dumped QBot samples

Rule name:	win_qakbot_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.qakbot.

Rule name:	win_qakbot_malped Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/326879/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample