MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5d1bdf66ece3473c16835516d9800652cce0b12ad592e8b4a9a1bf6ebffc0b3f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 11


Intelligence 11 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5d1bdf66ece3473c16835516d9800652cce0b12ad592e8b4a9a1bf6ebffc0b3f
SHA3-384 hash: dd8a63384a994e3b82b6c32db06e4b3026b7e4042dbb1dfb43c7c63826afc979b2183fc137621b03b78c6aa5702f11de
SHA1 hash: b2a47678e95ca49c1cb01d73468aae7366b19a66
MD5 hash: 7070bc1d67d097b988caaa7fd5b9aa5b
humanhash: minnesota-tennessee-paris-pennsylvania
File name:test.dll
Download: download sample
Signature Quakbot
Create hunting rule
File size:643'400 bytes
First seen:2022-10-28 12:43:20 UTC
Last seen:2022-10-28 14:21:47 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 34d094cea0fc040405cd0327eba81d57 (7 x Quakbot)
ssdeep 12288:8x8IFmbH8yS5XXUrIVcxxE/5IOT2LY/O9bBoY//x:R6y8bRZAyhI/LoO9bBoY/5
Threatray 1'621 similar samples on MalwareBazaar
TLSH T1D0D49E22B2E8C037D13256F99C3B46A85C7BFD0139299C096FD51F4D4E39A413B6A3A7
TrID 47.6% (.EXE) Win32 Executable Delphi generic (14182/79/4)
15.1% (.EXE) Win32 Executable (generic) (4505/5/1)
10.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter Anonymous
Tags:dll Quakbot

Intelligence

File Origin
# of uploads :
2
# of downloads :
284
Origin country :
n/a
Vendor Threat Intelligence
Detection:
QakBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/325524/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Qakbot.GP.MTB.6407.10593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Launching a process
Modifying an executable file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
apt greyware keylogger overlay packed
Link:
https://www.filescan.io/uploads/635bce93736e9d884f0d7430/reports/9ededf02-6698-4f69-9773-3154ec992d8b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e25fb3ee-892f-4ad8-96a8-6d55931f95e5
Result
Threat name:
Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1100365
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Machine Learning detection for sample
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 733026 Sample: test.dll Startdate: 28/10/2022 Architecture: WINDOWS Score: 72 25 Yara detected Qbot 2->25 27 Machine Learning detection for sample 2->27 8 loaddll32.exe 1 2->8         started        process3 signatures4 31 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->31 33 Writes to foreign memory regions 8->33 35 Allocates memory in foreign processes 8->35 37 2 other signatures 8->37 11 cmd.exe 1 8->11         started        13 wermgr.exe 8 1 8->13         started        16 conhost.exe 8->16         started        process5 file6 18 rundll32.exe 11->18         started        23 C:\Users\user\Desktop\test.dll, PE32 13->23 dropped process7 signatures8 29 Contains functionality to detect sleep reduction / modifications 18->29 21 WerFault.exe 23 9 18->21         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5d1bdf66ece3473c16835516d9800652cce0b12ad592e8b4a9a1bf6ebffc0b3f/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-10-28 13:14:04 UTC
File Type:
PE (Dll)
Extracted files:
40
AV detection:
25 of 42 (59.52%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lun56zxm4ndtyfudkulntaagklgobmjk2wjornfjug7w5p74bm7q._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
08a3ee112e83691b3fe016b8c35450901f188a789c0203e5fe453c1172109c03
Quakbot
540033fa84f80fb1e31c73139d2a043790a980191c5c5e4416bcfa51d4394a4f
Quakbot
62b5cb0be9e42ed5628cf0bcbc7a159ac89668933c887796d2201e5eb4c2ca76
Quakbot
9bea9743ed86d925f88d75077ef37b3a4a6a652bbdd2f0e516efdfbb94fb5e06
Quakbot
aa8fbf0411339a0acce09cebab6aea8ed00ceaec76fd92f304ee41c09a9372a4
Quakbot
dae5768e9a2f692512613af462d3ea8d96ce9f38eee1c06ddc52cde8dec2e0a2
Quakbot
e248f7a1cbd369a2111834664fa805b489c8610e0d9b7fa506c3a1fc882dd331
Quakbot
+ 1'611 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/221028-pygftsgagn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
ddf67c9f64ba9af9adbff29a69431bd3601ff8eb89dfbe23de2cafe7b2ca87dc
MD5 hash:
bd006fa935296e7e0d046a802d29b1cb
SHA1 hash:
27f1a9d1bd1c9b14fbc3c4d74a52495e8cc10059
Link:
https://www.unpac.me/results/41aa175c-4114-40d0-a770-d378efcef60a/
SH256 hash:
0dcd86692d92c058625ab343e472eef571514cc62d676288044ad26caa263fad
MD5 hash:
4fbebc9879ec1f95e759cb8b5d9fb89d
SHA1 hash:
3bef00c57f1e00b2e182f2f9955003568b6455dc
Detections:
Qakbot
Create hunting rule
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/41aa175c-4114-40d0-a770-d378efcef60a/
Parent samples :
9bea9743ed86d925f88d75077ef37b3a4a6a652bbdd2f0e516efdfbb94fb5e06
5d1bdf66ece3473c16835516d9800652cce0b12ad592e8b4a9a1bf6ebffc0b3f
49961eee6f4b22b2985586d4ccafdcf81f34c1a33aa1eb19430b0f6fe8c1e34f
SH256 hash:
5d1bdf66ece3473c16835516d9800652cce0b12ad592e8b4a9a1bf6ebffc0b3f
MD5 hash:
7070bc1d67d097b988caaa7fd5b9aa5b
SHA1 hash:
b2a47678e95ca49c1cb01d73468aae7366b19a66
Link:
https://www.unpac.me/results/41aa175c-4114-40d0-a770-d378efcef60a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/5d1bdf66ece3473c16835516d9800652cce0b12ad592e8b4a9a1bf6ebffc0b3f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_DustSquad_PE_Nov19_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detection Rule for APT DustSquad campaign Nov19
Reference:https://twitter.com/Rmy_Reserve/status/1197448735422238721
Rule name:APT_DustSquad_PE_Nov19_2
Create hunting rule
Author:Arkbird_SOLG
Description:Detection Rule for APT DustSquad campaign Nov19
Reference:https://twitter.com/Rmy_Reserve/status/1197448735422238721
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:QakBot
Create hunting rule
Author:kevoreilly
Description:QakBot Payload
Rule name:unpacked_qbot
Create hunting rule
Description:Detects unpacked or memory-dumped QBot samples
Rule name:win_qakbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.
Rule name:win_qakbot_malped
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/325524/

Comments