MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 595161418d4eae727175da894f9b6f3ec849834b79bc0162106943044fa01135. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 595161418d4eae727175da894f9b6f3ec849834b79bc0162106943044fa01135
SHA3-384 hash: b9c913c9752eaf1b41e8060f70b4c321872b611ea82153c95e298d9bc80bdd2a316997cfc4e0eb171ee78307e6df41d9
SHA1 hash: c45277d49f1ebf373b32df86ef591c6d6f27957f
MD5 hash: 152d7fed0cdad59736c8519f0d00a4fd
humanhash: earth-spring-violet-william
File name:qbot.dll
Download: download sample
Signature Quakbot
Create hunting rule
File size:783'088 bytes
First seen:2022-10-05 16:44:50 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 9fc5700f82859d524c68c279be8dc005 (11 x Quakbot)
ssdeep 12288:zxnt9hlMvNICAY0KEkAOl7G79Ph0TF38ME:tt9+JFEkAmGAB38M
Threatray 1'465 similar samples on MalwareBazaar
TLSH T156F4AF33A2D14877D1631A7CDD3B636C94267D003B2CE94B7BE41D4D9F3A6803A6A297
TrID 47.6% (.EXE) Win32 Executable Delphi generic (14182/79/4)
15.1% (.EXE) Win32 Executable (generic) (4505/5/1)
10.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter pr0xylife
Tags:BB dll Qakbot Quakbot

Intelligence

File Origin
# of uploads :
1
# of downloads :
326
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/316977/
Detection(s):
SecuriteInfo.com.Win32.Malware-gen.2448.5603.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Launching a process
Searching for synchronization primitives
Modifying an executable file
DNS request
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger overlay
Link:
https://www.filescan.io/uploads/633db49049c58ce767c63eb5/reports/eb906b4c-55be-4e40-83cc-3643fec8cfc9/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f721255f-e168-4961-964e-6524dab99a16
Result
Threat name:
CryptOne, Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1084296
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected CryptOne packer
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 716859 Sample: qbot.dll Startdate: 05/10/2022 Architecture: WINDOWS Score: 100 27 Malicious sample detected (through community Yara rule) 2->27 29 Multi AV Scanner detection for submitted file 2->29 31 Yara detected CryptOne packer 2->31 33 3 other signatures 2->33 8 loaddll32.exe 1 2->8         started        process3 signatures4 37 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->37 39 Writes to foreign memory regions 8->39 41 Allocates memory in foreign processes 8->41 43 2 other signatures 8->43 11 cmd.exe 1 8->11         started        13 wermgr.exe 8 1 8->13         started        16 conhost.exe 8->16         started        process5 file6 18 rundll32.exe 11->18         started        25 C:\Users\user\Desktop\qbot.dll, PE32 13->25 dropped 21 conhost.exe 16->21         started        process7 signatures8 35 Contains functionality to detect sleep reduction / modifications 18->35 23 WerFault.exe 23 9 18->23         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/595161418d4eae727175da894f9b6f3ec849834b79bc0162106943044fa01135/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-10-05 16:45:10 UTC
File Type:
PE (Dll)
Extracted files:
38
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lfiwcqmnj2xhe4lv3keu7g3ph3eeta2lpg6acyqqnfbqit5ace2q._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
27fbfb86936343fc18bb61811401c96c052ecdff080da3bdb403545d55cf2b2a
Quakbot
5b54f57dbaa74fa589afb2d26d6c6b39e0c2930bd88fea3172556ce96b3eb959
Quakbot
cb786f48cda7665e5dd07e80672e0c5facb6b6300335561327b95e58029ea376
Quakbot
e3a2c056c730666fedabfed5e3cc2dee12d9c3ca36ac2d7c5289cfe29c125050
Quakbot
e59e68973ee13a5a7525e73e48d6837ab85c9c3b129fb8df9b9519c6b3eba472
Quakbot
ea28be72dc6fda30d9e33a1a805d3dd95b88904804cb806dc39b5129e1bbd3a2
Quakbot
+ 1'455 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot banker stealer trojan
Link:
https://tria.ge/reports/221005-t9darsfbep/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Program crash
Qakbot/Qbot
Malware Config
C2 Extraction:
212.23.85.128:59073
89.115.21.41:31024
23.165.95.80:12178
176.226.92.22:9854
35.154.129.250:7200
173.250.166.209:61090
189.210.3.199:49760
197.245.4.245:57728
96.233.132.207:0
132.168.179.138:20766
26.255.76.168:3287
254.237.190.31:62182
132.152.138.73:10655
225.191.50.179:48231
230.231.229.10:5218
162.146.95.76:4069
210.171.138.163:28723
140.209.96.28:889
245.192.239.164:57833
36.194.73.27:12466
78.40.66.105:12805
75.123.208.239:20740
180.36.231.156:23458
0.32.140.49:55794
48.93.85.150:61088
61.42.19.37:48298
140.154.97.47:5036
161.111.113.177:16760
96.230.198.18:26683
73.74.2.126:52894
146.160.108.132:48359
126.30.91.173:59640
69.141.81.192:16753
225.73.134.162:51626
132.112.51.93:40962
223.99.222.199:19648
51.241.108.163:54485
190.147.59.247:15271
115.52.238.120:22318
52.31.146.86:16731
245.152.84.23:49643
94.77.21.13:22829
79.199.57.30:34908
231.98.184.102:35665
164.10.70.96:64351
8.34.249.39:4260
253.7.63.49:0
Unpacked files
SH256 hash:
d7acf348906ff2c99c0aece101ae5a584c976a807c6eb7eee9895211a3342b1e
MD5 hash:
d844605cc0854b06a1e14f41d0ec4f85
SHA1 hash:
ea3c6ddc54d03ab7feddef4e1d3fd198008b0a28
Link:
https://www.unpac.me/results/d939b23c-6b46-452f-9a8e-87a1b3429e59/
SH256 hash:
fb1ed7a6e4848ff0c7b38f473ddb3110cfa0a176186fd9031fa64a98e4575750
MD5 hash:
e48f86c83fbf8d5a7280163fe1df557d
SHA1 hash:
3209676ac230aea3973a4dae02465625075643c7
Detections:
Qakbot
Create hunting rule
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/d939b23c-6b46-452f-9a8e-87a1b3429e59/
Parent samples :
cb786f48cda7665e5dd07e80672e0c5facb6b6300335561327b95e58029ea376
595161418d4eae727175da894f9b6f3ec849834b79bc0162106943044fa01135
9e51a1d3598dfbd7ad11f96be2947550e64fe2e1c3a31ebf4b3bc79b9e85f86b
f62cb5e80fdc9b25cd30ee002a9af4deadf78d6f9bbef6df22cd4a37bc6c1cf9
SH256 hash:
595161418d4eae727175da894f9b6f3ec849834b79bc0162106943044fa01135
MD5 hash:
152d7fed0cdad59736c8519f0d00a4fd
SHA1 hash:
c45277d49f1ebf373b32df86ef591c6d6f27957f
Link:
https://www.unpac.me/results/d939b23c-6b46-452f-9a8e-87a1b3429e59/
Malware family:
QBot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/595161418d4e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.86
Link:
https://yomi.yoroi.company/submissions/595161418d4eae727175da894f9b6f3ec849834b79bc0162106943044fa01135

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:QakBot
Create hunting rule
Author:kevoreilly
Description:QakBot Payload
Rule name:unpacked_qbot
Create hunting rule
Description:Detects unpacked or memory-dumped QBot samples
Rule name:win_qakbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.
Rule name:win_qakbot_malped
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/316977/

Comments