MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b3a17806d05211b9eec5ba1617aa508e874cd3f806fe0ef2ddd53f4b1a964ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Quakbot


Vendor detections: 10



SHA256 hash: 5b3a17806d05211b9eec5ba1617aa508e874cd3f806fe0ef2ddd53f4b1a964ea
SHA3-384 hash: fc5f2b5780ae1c540a4313a7b4aefe863df5abd27111e52ab930071c672a8a221aed2b4f16763891b783aeb7bc97ebc6
SHA1 hash: 910ec25290829c8c76a6290ba7d0329731187940
MD5 hash: 68fdf743bff4c9044bc81eb6fe4ee1e9
humanhash: one-emma-missouri-september
File name: 5b3a17806d05211b9eec5ba1617aa508e874cd3f806fe0ef2ddd53f4b1a964ea
Signature: Quakbot
File size: 977'865 bytes
First seen: 2022-03-01 11:07:46 UTC
Last seen: Never
File type: DLL dll
MIME type: application/x-dosexec
imphash: a2c4c1cc45cf157e67048505a3f85c3c (8 x Quakbot, 2 x Gozi)
ssdeep: 12288:Zg4d/lpygJCNLgUgYUypwKzpVCD2aep4Xl8I1JV5OwBi6fC8a/ZnFH08hXhQrVNP:ZdddhCN3tVwV1Twh/n/qVh
Threatray: 95 similar samples on MalwareBazaar
TLSH: T1F025F94286642A0DFD3DCEFB6F3AA3ED40664F70192AB256E350288951B81F1723DF57
dhash icon: 6edbb12b17172b96 (10 x Quakbot, 9 x Heodo, 7 x BazaLoader)
Reporter: JAMESWT_WT
Tags: dll Qakbot Quakbot THE FAITH SP Z O O

Intelligence


File Origin
# of uploads: 1
# of downloads: 149
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Searching for many windows
Sending a custom TCP request
Creating synchronization primitives
Launching a process
Modifying an executable file
Searching for synchronization primitives
Creating a process with a hidden window
Creating a window
Unauthorized injection to a system process
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: overlay packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Found malware configuration
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Schedule system process
Sigma detected: Suspicious Call by Ordinal
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph:
[Behavior graph image not reproduced. Behavior Graph ID: 580576; Sample: pkLWgSUnh2; Startdate: 01/03/2022; Architecture: WINDOWS; Score: 100]
Threat name: Win32.Trojan.KBot
Status: Malicious
First seen: 2022-02-26 15:55:49 UTC
File Type: PE (Dll)
Extracted files: 20
AV detection: 31 of 43 (72.09%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:qakbot botnet:tr campaign:1645451777 banker evasion stealer trojan
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Loads dropped DLL
Qakbot/Qbot
Suspicious use of NtCreateProcessExOtherParentProcess
Windows security bypass
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash: 5b3a17806d05211b9eec5ba1617aa508e874cd3f806fe0ef2ddd53f4b1a964ea
MD5 hash: 68fdf743bff4c9044bc81eb6fe4ee1e9
SHA1 hash: 910ec25290829c8c76a6290ba7d0329731187940
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments