MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5d111ecc2ea0919b641b48a6e0d907466557ebec1a6f5369da93c44abeb16697. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Quakbot


Vendor detections: 10



SHA256 hash: 5d111ecc2ea0919b641b48a6e0d907466557ebec1a6f5369da93c44abeb16697
SHA3-384 hash: 79dbf032d0d0754c0d92ea612890d6565a8a1bd55ea00a6c011c6c600bf9c836fa40b0477377c64c6fe506ed520bec9c
SHA1 hash: 2396ccb7957476085eacb7bb6e3e5b99a7a873af
MD5 hash: d77ce1693c7809bb5a38a6d2235545ae
humanhash: bravo-utah-lion-echo
File name: 2d90000.dll
Download: download sample
Signature: Quakbot
File size: 172'032 bytes
First seen: 2022-12-20 09:59:34 UTC
Last seen: 2022-12-20 11:32:27 UTC
File type: DLL
MIME type: application/x-dosexec
imphash bb8f7c7fc8b521232817f0f359bdf0f2 (1 x Quakbot)
ssdeep 3072:BLsrdIkOMe0R0+68PxBG4AnJbhzr7TBfZ9ByO/yanCFJ:2Ij0y+6wxYdnJdzr7TBR9BN/Py
Threatray 1'862 similar samples on MalwareBazaar
TLSH T1ECF38E11D42383B2CA750038D1B95E2ACABEB31307A774D7BB585B6149149F3DA3A2F7
TrID 38.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
13.0% (.EXE) Win64 Executable (generic) (10523/12/4)
8.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter lasq88
Tags:dll Qakbot qbot Quakbot

Intelligence


File Origin
# of uploads: 2
# of downloads: 243
Origin country: PL
Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:

Behaviour
Searching for the window
Gathering data
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name: Win32.Trojan.QBot
Status: Malicious
First seen: 2022-12-20 10:00:07 UTC
File Type: PE (Dll)
Extracted files: 2
AV detection: 23 of 26 (88.46%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:qakbot botnet:obama230 campaign:1671447345 banker stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Program crash
Qakbot/Qbot
Malware Config
C2 Extraction:
108.162.6.34:443
45.152.16.14:443
87.65.160.87:995
109.220.196.24:2222
86.176.144.240:2222
73.36.196.11:443
70.66.199.12:443
2.99.47.198:2222
171.97.42.82:443
71.31.101.183:443
74.33.196.114:443
75.158.15.211:443
12.172.173.82:32101
45.248.169.101:443
174.104.184.149:443
90.66.229.185:2222
98.145.23.67:443
152.170.17.136:443
86.160.253.56:443
89.152.120.181:443
91.68.227.219:443
173.18.126.3:443
162.248.14.107:443
12.172.173.82:21
181.4.227.82:443
184.68.116.146:61202
184.176.154.83:995
92.207.132.174:2222
75.98.154.19:443
81.248.77.37:2222
142.161.27.232:2222
46.10.198.106:443
198.2.51.242:993
50.68.204.71:993
91.231.172.236:995
79.77.142.22:2222
24.142.218.202:443
80.44.148.126:2222
78.101.91.215:2222
69.133.162.35:443
197.0.243.240:443
184.68.116.146:2078
12.172.173.82:22
144.64.226.144:443
86.225.214.138:2222
93.156.97.50:443
90.104.22.28:2222
71.112.212.166:443
84.113.121.103:443
90.4.190.217:2222
174.58.146.57:443
81.111.108.123:443
90.27.44.76:2222
176.79.48.60:443
83.213.201.104:993
2.14.96.234:2222
24.71.120.191:443
121.121.100.148:995
172.90.139.138:2222
70.55.120.16:2222
75.99.125.234:2222
172.248.42.122:443
37.14.229.220:2222
83.7.52.202:443
85.241.180.94:443
90.206.194.248:443
31.53.29.141:2222
72.80.7.6:50003
74.92.243.113:50000
90.48.151.17:2222
176.142.207.63:443
178.153.5.54:443
74.66.134.24:443
46.162.109.183:443
12.172.173.82:993
64.237.240.3:443
65.20.175.208:443
69.119.123.159:2222
94.105.123.53:443
99.229.164.42:443
91.169.12.198:32100
184.153.132.82:443
81.229.117.95:2222
82.34.170.37:443
86.96.75.237:2222
27.109.19.90:2078
109.219.126.249:2222
91.165.188.74:50000
175.139.130.191:2222
76.20.42.45:443
12.172.173.82:50001
91.96.249.3:443
150.107.231.59:2222
12.172.173.82:995
128.127.21.57:443
184.68.116.146:2222
87.220.205.65:2222
184.68.116.146:3389
87.223.95.66:443
92.189.214.236:2222
73.29.92.128:443
86.183.251.169:2222
82.6.99.234:443
92.27.86.48:2222
174.112.22.106:2078
187.199.184.14:32103
199.83.165.233:443
37.15.128.31:2222
90.79.129.166:2222
136.244.25.165:443
93.147.134.85:443
202.187.239.67:995
75.143.236.149:443
67.235.138.14:443
84.35.26.14:995
147.148.234.231:2222
108.6.249.139:443
86.98.23.199:443
60.254.51.168:443
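The C2 Extraction list above is only useful once it is turned into something that runs against telemetry. Two details of this list matter for that: the endpoints are published as ip:port pairs, and several hosts appear on more than one port (12.172.173.82 on 21, 22, 993, 995, 32101 and 50001; 184.68.116.146 on 2078, 2222, 3389 and 61202), so a matcher that keys only on the exact ip:port pair will miss a known C2 host that is contacted on an unlisted port. The following script is an added example, not part of the MalwareBazaar page or of any vendor's tooling: it parses a subset of the C2 list copied from this entry, matches it against constructed Zeek conn.log-style lines (invented for this demonstration, not real network data), reports exact and IP-only hits separately, and emits Suricata rules for the endpoints. The conn.log column layout, the Suricata rule text and the sid range are assumptions made for the example.

```python
"""Match the Qakbot C2 endpoints from this MalwareBazaar entry against connection logs.

Added example; not part of the MalwareBazaar page. The C2 subset below is copied
from the entry's C2 Extraction list, the log lines are constructed for the demo,
and the Suricata sid range is an assumption.
"""
import ipaddress
from typing import NamedTuple

# Subset of the C2 Extraction list from the entry (host:port, as published).
C2_EXTRACTION = """
108.162.6.34:443
45.152.16.14:443
87.65.160.87:995
109.220.196.24:2222
12.172.173.82:32101
12.172.173.82:21
12.172.173.82:22
12.172.173.82:993
12.172.173.82:50001
184.68.116.146:61202
184.68.116.146:2078
184.68.116.146:2222
184.68.116.146:3389
198.2.51.242:993
72.80.7.6:50003
74.92.243.113:50000
"""


class Endpoint(NamedTuple):
    ip: str
    port: int


def parse_c2_list(text: str) -> set[Endpoint]:
    """Parse 'ip:port' lines; blank lines are skipped, a malformed address raises."""
    endpoints: set[Endpoint] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        host, sep, port = line.rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError(f"not an ip:port entry: {line!r}")
        ipaddress.IPv4Address(host)  # raises ValueError if the host is not an IPv4 address
        endpoints.add(Endpoint(host, int(port)))
    return endpoints


# Constructed conn.log-style lines (assumed column order:
# ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto). Not real traffic.
SAMPLE_CONN_LOG = """\
1671530400.1\tC1\t10.0.0.5\t51234\t108.162.6.34\t443\ttcp
1671530401.2\tC2\t10.0.0.5\t51235\t8.8.8.8\t53\tudp
1671530402.3\tC3\t10.0.0.7\t51300\t12.172.173.82\t50001\ttcp
1671530403.4\tC4\t10.0.0.7\t51301\t184.68.116.146\t2222\ttcp
1671530404.5\tC5\t10.0.0.9\t51400\t12.172.173.82\t8080\ttcp
"""


class Hit(NamedTuple):
    uid: str
    src: str
    dst: Endpoint
    exact: bool  # True for an ip:port match, False when only the IP is a listed C2 host


def match_conn_log(log_text: str, c2: set[Endpoint]) -> list[Hit]:
    """Return one Hit per connection whose destination is a listed C2 endpoint or host."""
    c2_ips = {e.ip for e in c2}
    hits: list[Hit] = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 7:
            continue
        uid, src, dst_ip, dst_port = fields[1], fields[2], fields[4], int(fields[5])
        dst = Endpoint(dst_ip, dst_port)
        if dst in c2:
            hits.append(Hit(uid, src, dst, True))
        elif dst_ip in c2_ips:
            # Same C2 host on an unlisted port: still worth an alert, flagged as IP-only.
            hits.append(Hit(uid, src, dst, False))
    return hits


def suricata_rules(c2: set[Endpoint], base_sid: int = 9000000) -> list[str]:
    """Emit one outbound Suricata rule per C2 endpoint (sid range is an assumption)."""
    return [
        f'alert tcp $HOME_NET any -> {ep.ip} {ep.port} '
        f'(msg:"Qakbot C2 {ep.ip}:{ep.port} (MalwareBazaar 5d111ecc)"; '
        f'flow:to_server; sid:{base_sid + i}; rev:1;)'
        for i, ep in enumerate(sorted(c2))
    ]


if __name__ == "__main__":
    c2 = parse_c2_list(C2_EXTRACTION)
    for hit in match_conn_log(SAMPLE_CONN_LOG, c2):
        print(hit)
    print("\n".join(suricata_rules(c2)))
```

With the constructed log, C1, C3 and C4 are exact ip:port matches and C5 is an IP-only hit (12.172.173.82 on port 8080, which is not in the list); C2 (DNS to 8.8.8.8) does not match. For production use, replace the subset with the full list from the entry, and treat the IP-only hits as lower confidence, since many of these endpoints are residential addresses that will be reassigned over time.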
Unpacked files
SHA256 hash: 5d111ecc2ea0919b641b48a6e0d907466557ebec1a6f5369da93c44abeb16697
MD5 hash: d77ce1693c7809bb5a38a6d2235545ae
SHA1 hash: 2396ccb7957476085eacb7bb6e3e5b99a7a873af
Detections: Qakbot win_qakbot_auto
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name:QakBot
Author:kevoreilly
Description:QakBot Payload
Rule name:qakbot_api_hashing
Author:@Embee_Research
Reference:https://twitter.com/embee_research/status/1592067841154756610
Rule name:unpacked_qbot
Description:Detects unpacked or memory-dumped QBot samples
Rule name:win_qakbot_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.
Rule name:win_qakbot_malped
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam
Signature: Quakbot
File type: DLL
SHA256 hash: 5d111ecc2ea0919b641b48a6e0d907466557ebec1a6f5369da93c44abeb16697 (this sample)

Comments