MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b52efa55271c8749766de24a3b89105e809a4438a35fdc492e9c364ec274a7a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5b52efa55271c8749766de24a3b89105e809a4438a35fdc492e9c364ec274a7a
SHA3-384 hash: fbede7cc18ef77d74bd85226453fdba27787dfb1f1c39585cdfc4c87342d678d8327394a86839cce9b5e542090c45fc6
SHA1 hash: a4136e907c3b9c23c273d97ae04c85c6dc6c86c4
MD5 hash: 5c61fb20950f28d07ef3ad35c08dce85
humanhash: tennis-mars-magnesium-coffee
File name:anything191.dat
Download: download sample
Signature Quakbot
Create hunting rule
File size:313'344 bytes
First seen:2022-06-22 18:32:49 UTC
Last seen:2022-06-22 19:48:07 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash dd7b75a6f94279e63a335cf4cb78aa0d (6 x Quakbot)
ssdeep 6144:4C4+nvHZPFfggkC6RSGp0S7bnyPXtfa7znSisQevavClPs2Oj665rK4YbiIAp:4R+vHZNZkC6RSS7bGfa7zSEap8j6WrRh
Threatray 1'271 similar samples on MalwareBazaar
TLSH T17364BF8F9653B1E3E013CEF2D3972A7B250E1261091416DEF6E46BA06746B3F5E2609C
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4505/5/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter pr0xylife
Tags:dll Obama191 Qakbot Quakbot

Intelligence

File Origin
# of uploads :
2
# of downloads :
249
Origin country :
n/a
Vendor Threat Intelligence
Detection:
QakBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/282405/
Detection(s):
SecuriteInfo.com.Win32.Injector.ERVB.30665.8546.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Modifying an executable file
Searching for synchronization primitives
Creating a process with a hidden window
Creating a window
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/62b360a31fcdba4e1a4a20c6/reports/2f8be203-5edd-408a-8691-f606a801ab96/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/14874c7c-8b64-4282-a2e4-dd8abb932bf7
Result
Threat name:
Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1018185
Signature
Allocates memory in foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 650681 Sample: anything191.dat Startdate: 22/06/2022 Architecture: WINDOWS Score: 72 38 Yara detected Qbot 2->38 40 Machine Learning detection for sample 2->40 8 loaddll32.exe 1 2->8         started        process3 signatures4 42 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->42 44 Injects code into the Windows Explorer (explorer.exe) 8->44 46 Writes to foreign memory regions 8->46 48 2 other signatures 8->48 11 rundll32.exe 8->11         started        14 cmd.exe 1 8->14         started        16 rundll32.exe 8->16         started        18 3 other processes 8->18 process5 file6 58 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 11->58 60 Injects code into the Windows Explorer (explorer.exe) 11->60 62 Writes to foreign memory regions 11->62 21 explorer.exe 11->21         started        23 svchost.exe 1 11->23         started        25 rundll32.exe 14->25         started        64 Allocates memory in foreign processes 16->64 66 Maps a DLL or memory area into another process 16->66 28 explorer.exe 16->28         started        36 C:\Users\user\Desktop\anything191.dll, PE32 18->36 dropped 30 explorer.exe 18->30         started        32 explorer.exe 18->32         started        signatures7 process8 signatures9 50 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 25->50 52 Injects code into the Windows Explorer (explorer.exe) 25->52 54 Writes to foreign memory regions 25->54 56 2 other signatures 25->56 34 explorer.exe 25->34         started        process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5b52efa55271c8749766de24a3b89105e809a4438a35fdc492e9c364ec274a7a/
Threat name:
Win32.Infostealer.QBot
Create hunting rule
Status:
Malicious
First seen:
2022-06-22 18:33:06 UTC
File Type:
PE (Dll)
AV detection:
10 of 26 (38.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lnjo7jksohehjf3g3yskhoeraxuatjcdri273res5hbwj3bhjj5a._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
142d465bdbf028d9035d0bf496ff73147824535f88d1e66f7fe32c55a36301b8
Quakbot
24c073082ab88e2f95a7b60cc74f5b65f002c6960f5db61601de7ef7eee6980d
Quakbot
380fafae824b48724591be9bd4460fd3c1e77f4cb28c80b2c2c1ee76dc94bf7b
Quakbot
414b150d1512e748414e70c380278d819616a4c4c0c0f8a1679f0264685f3cd3
Quakbot
7043dc865d6c6de28e2ff6e5c7614586c739060dc6deeaa2e27a0e208ad084e2
Quakbot
733f62a7ae7143b691882913468a375a18fb8e5b778301db590e6a9184e92b9d
Quakbot
9cfc5f8eecf8f5e91f6e7151f759f4708010139a2597b69a2d47ce24df97f74e
Quakbot
a36c0298f193030753cdadef0a7f78afb02f25244d6ef552bd4afaa4550a8254
Quakbot
b5ff7b3e2e573f000fc57ac50e27bccd05baecbe72022746f7e13ad755efa4fb
Quakbot
c0b483db178c827da049412903494593c97d8aab30035dd39b65c9618157726b
Quakbot
+ 1'261 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot botnet:obama191 campaign:1655884897 banker stealer trojan
Link:
https://tria.ge/reports/220622-w66h9aabbp/
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Loads dropped DLL
Qakbot/Qbot
Malware Config
C2 Extraction:
189.78.107.163:32101
182.191.92.203:995
117.248.109.38:21
84.241.8.23:32103
74.14.5.179:2222
71.13.93.154:2222
193.253.44.249:2222
108.60.213.141:443
217.128.122.65:2222
39.41.89.221:995
70.51.132.161:2222
70.46.220.114:443
24.43.99.75:443
32.221.224.140:995
67.209.195.198:443
40.134.246.185:995
67.165.206.193:993
1.161.124.241:443
45.241.205.91:993
93.48.80.198:995
148.64.96.100:443
186.90.153.162:2222
100.38.242.113:995
80.11.74.81:2222
202.134.152.2:2222
210.246.4.69:995
41.228.22.180:443
104.34.212.7:32103
24.178.196.158:2222
78.176.146.141:443
39.49.9.134:995
38.70.253.226:2222
47.23.89.60:993
120.150.218.241:995
197.89.128.138:443
208.107.221.224:443
92.137.225.8:2222
1.161.124.241:995
2.34.12.8:443
176.205.21.139:2222
176.45.232.204:995
176.205.21.139:1194
5.32.41.45:443
94.59.252.166:2222
86.98.157.42:993
91.177.173.10:995
173.21.10.71:2222
69.14.172.24:443
45.46.53.140:2222
148.0.43.48:443
121.7.223.45:2222
172.115.177.204:2222
81.193.30.90:443
187.208.115.219:443
187.250.202.2:443
47.156.131.10:443
72.252.157.93:995
72.252.157.93:990
72.252.157.93:993
76.25.142.196:443
177.45.64.254:32101
24.139.72.117:443
24.55.67.176:443
109.12.111.14:443
68.204.15.28:443
179.158.105.44:443
197.94.94.206:443
90.120.209.197:2078
188.136.218.225:61202
87.109.229.215:995
63.143.92.99:995
102.182.232.3:995
86.132.14.70:2078
196.203.37.215:80
81.250.191.49:2222
111.125.245.116:995
37.34.253.233:443
191.250.120.152:443
83.110.94.105:443
201.176.6.24:995
173.174.216.62:443
39.52.59.14:995
31.215.70.37:443
175.145.235.37:443
174.69.215.101:443
187.172.164.12:443
201.172.23.68:2222
41.84.249.56:995
162.252.222.118:443
191.34.121.84:443
113.53.152.11:443
86.195.158.178:2222
39.57.60.246:995
109.228.220.196:443
82.41.63.217:443
82.152.39.39:443
106.51.48.188:50001
103.246.242.202:443
94.36.193.176:2222
41.38.167.179:995
98.50.191.202:443
190.252.242.69:443
89.101.97.139:443
185.56.243.146:443
186.105.113.65:443
39.44.30.209:995
47.157.227.70:443
187.251.132.144:22
31.35.28.29:443
148.252.133.168:443
42.103.128.35:2222
180.129.108.214:995
138.186.28.253:443
184.97.29.26:443
89.137.52.44:443
120.61.2.218:443
122.118.131.132:995
101.50.110.17:995
89.86.33.217:443
75.99.168.194:61201
103.91.182.114:2222
37.210.156.247:2222
58.105.167.36:50000
187.207.131.50:61202
76.70.9.169:2222
189.253.206.105:443
176.67.56.94:443
103.116.178.85:995
143.0.219.6:995
79.80.80.29:2222
37.186.58.115:995
96.37.113.36:993
37.208.128.172:6883
Unpacked files
SH256 hash:
f9a356c6f43db78e043ab533a9001d4cb1964ebf4b9f99bed1b53853f9c808ea
MD5 hash:
4ce5b8b2f5b3373d817445da60255a62
SHA1 hash:
df89096ff404430c3e55da9acdea17eb4cf9fb78
Detections:
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/efcde4ef-03be-4f53-942e-c2db67a80942/
Parent samples :
0d0529680e00980cb7df589e9dd9c1529aa80302958525b29833ee58b0054cf2
5b52efa55271c8749766de24a3b89105e809a4438a35fdc492e9c364ec274a7a
38a12269557615ff1a79f306e3d2de1aefc320522ff97de42d2020d0dbda95ae
SH256 hash:
5b52efa55271c8749766de24a3b89105e809a4438a35fdc492e9c364ec274a7a
MD5 hash:
5c61fb20950f28d07ef3ad35c08dce85
SHA1 hash:
a4136e907c3b9c23c273d97ae04c85c6dc6c86c4
Link:
https://www.unpac.me/results/efcde4ef-03be-4f53-942e-c2db67a80942/
Malware family:
QBot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5b52efa55271/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5b52efa55271c8749766de24a3b89105e809a4438a35fdc492e9c364ec274a7a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:QakBot
Create hunting rule
Author:kevoreilly
Description:QakBot Payload
Rule name:unpacked_qbot
Create hunting rule
Description:Detects unpacked or memory-dumped QBot samples
Rule name:win_qakbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/282405/

Comments