MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e4a3797638a62a4ec71a3bccc611dfbe13ff53cfed0e8167d4065e613fa755d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot
Vendor detections: 12

SHA256 hash: 5e4a3797638a62a4ec71a3bccc611dfbe13ff53cfed0e8167d4065e613fa755d
SHA3-384 hash: 4046d949d9ad9c8eb8b065a2b7f7d25411c9dde8b4598c189499f6d3ff2dff5ac2cb4e46529716d4feccfcb3bf9e0036
SHA1 hash: 4428e538eb667982ee18a8e2674cd4ae6fb3c324
MD5 hash: f80d3fc28af8382d17ca048c8036c8a9
humanhash: nine-sixteen-sink-magazine
File name: 47294.dat
Signature: Quakbot
File size: 424'448 bytes
First seen: 2022-06-27 15:32:36 UTC
Last seen: Never
File type: DLL
MIME type: application/x-dosexec
imphash: f141a6deaab9652cc7e298abde5708ad (8 x Quakbot)
ssdeep: 6144:iUpGOKUXcSjtM0vss2g2uJ8yBW8RCtswtoMfLYzY8EI4zADpxpKq:uODMSjtlX2VyWkUtoeLYk8EHMjpn
TLSH: T18E948ED0E137C0E0DC8D9FBC31283D795B6D262698ACEC7A5AB828545DF2347146CEDA
TrID: 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
      10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: pr0xylife
Tags: dll, FLY BETTER s.r.o., obama194, Qakbot, Quakbot, signed
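The imphash line above is what lets MalwareBazaar say this DLL shares an import table with 8 other Quakbot samples: it is an MD5 over the ordered list of imported "module.function" pairs, so binaries built from the same source with the same toolchain keep the same value even after re-signing or a new file hash. The Python below is an added example, not MalwareBazaar's or pefile's code. It reimplements the algorithm pefile uses (lower-case the module name, strip a trailing .dll/.ocx/.sys, join the pairs in import-table order with commas, MD5 the result) over a constructed import table that resembles a process-injecting loader; the table and the function names are assumptions for the example, and ordinal-only imports are simplified as noted in the code.

```python
import hashlib

# Module-name extensions the imphash algorithm strips before lower-casing.
_STRIP_EXT = (".dll", ".ocx", ".sys")


def normalise_module(name):
    """Lower-case a DLL name and drop a trailing .dll/.ocx/.sys, as pefile's get_imphash does."""
    name = name.lower()
    for ext in _STRIP_EXT:
        if name.endswith(ext):
            return name[: -len(ext)]
    return name


def imphash(imports):
    """
    imports: list of (module, function_name_or_None, ordinal_or_None) tuples in
    import-table order. Builds the comma-joined "module.function" string the
    imphash is defined over and returns its MD5 as 32 hex characters.

    Simplification (assumption for this example): an ordinal-only import is
    rendered as "ordN". pefile first maps ordinals of a few well-known DLLs
    (ws2_32, oleaut32, ...) back to names, so its value for such imports differs.
    """
    parts = []
    for module, func, ordinal in imports:
        if func is None:
            if ordinal is None:
                raise ValueError("an import needs a name or an ordinal")
            func = f"ord{ordinal}"
        parts.append(f"{normalise_module(module)}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


# Constructed import table resembling a process-injecting loader (not read from the sample).
INJECTOR_IMPORTS = [
    ("KERNEL32.dll", "VirtualAllocEx", None),
    ("KERNEL32.dll", "WriteProcessMemory", None),
    ("KERNEL32.dll", "CreateRemoteThread", None),
    ("KERNEL32.dll", "OpenProcess", None),
    ("ADVAPI32.dll", "AdjustTokenPrivileges", None),
    ("WS2_32.dll", None, 23),  # imported by ordinal only; becomes "ws2_32.ord23" here
]

# The same table as another build tool might emit it: case and extension differ, order does not.
INJECTOR_IMPORTS_RECASED = [
    ("kernel32.DLL", "virtualallocex", None),
    ("Kernel32.dll", "WriteProcessMemory", None),
    ("KERNEL32.DLL", "CREATEREMOTETHREAD", None),
    ("kernel32.dll", "OpenProcess", None),
    ("advapi32.dll", "adjusttokenprivileges", None),
    ("ws2_32.DLL", None, 23),
]

if __name__ == "__main__":
    print("imphash            :", imphash(INJECTOR_IMPORTS))
    print("recased, same value:", imphash(INJECTOR_IMPORTS_RECASED))
    print("reordered, differs :", imphash(list(reversed(INJECTOR_IMPORTS))))
```

The value is a pivot, not a verdict: a rebuilt loader that adds or reorders a single import gets a new imphash, and unrelated programs produced by the same compiler template can collide, so treat an imphash hit as a reason to pull the other 8 samples and compare, not as a detection on its own.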

Code Signing Certificate

Organisation: FLY BETTER s.r.o.
Issuer: Sectigo Public Code Signing CA R36
Algorithm: sha384WithRSAEncryption
Valid from: 2022-02-18T00:00:00Z
Valid to: 2023-02-18T23:59:59Z
Serial number: 24e4a2b3db6be1007b9ddc91995bc0c8
Intelligence: 7 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist: This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm: SHA256
Thumbprint: 005af6c8e9f06a2258c2df70785a5622c8d10d982fdc7f4dbe2f53af6e860359
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform
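An organisation name can be reused across certificates, so the thumbprint is the field to pivot on when checking a file against the CSCB. Note that it is SHA-256 over the DER-encoded certificate, whereas Windows tooling shows a SHA-1 thumbprint by default. The Python below is an added example, not code from MalwareBazaar or ReversingLabs: it walks the PKCS#7 SignedData blob that an Authenticode signature consists of (the bCertificate payload of the WIN_CERTIFICATE entry in the PE security directory, which osslsigncode's extract-signature command or pefile can dump to a file), collects every certificate the blob carries, hashes each one and compares against the thumbprint listed above. No real signed sample is embedded, so the blob it runs on is constructed by build_test_blob() from placeholder certificates that only have the outer Certificate SEQUENCE shape; the function names are assumptions for the example.

```python
import hashlib

SEQUENCE, SET, INTEGER, BIT_STRING, OID, UTF8STRING, CONTEXT_0 = 0x30, 0x31, 0x02, 0x03, 0x06, 0x0C, 0xA0
OID_SIGNED_DATA = bytes.fromhex("2A864886F70D010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2A864886F70D010701")         # 1.2.840.113549.1.7.1
OID_SHA384_RSA = bytes.fromhex("2A864886F70D01010C")   # sha384WithRSAEncryption

# Thumbprint from this page's certificate block (SHA-256 over the DER certificate).
CSCB = {"005af6c8e9f06a2258c2df70785a5622c8d10d982fdc7f4dbe2f53af6e860359"}


def der_read(buf, pos):
    """Decode the TLV header at buf[pos]; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):  # the blob is attacker-controlled input: bounds-check it
        raise ValueError("DER length runs past end of buffer")
    return tag, pos, pos + length


def der_children(buf, start, end):
    """Yield (tag, tlv_start, tlv_end, content_start) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, cstart, cend = der_read(buf, pos)
        yield tag, pos, cend, cstart
        pos = cend


def certificates_from_pkcs7(blob):
    """Return the DER bytes of every certificate carried in a PKCS#7 SignedData ContentInfo."""
    tag, s, e = der_read(blob, 0)  # ContentInfo ::= SEQUENCE { contentType, [0] content }
    if tag != SEQUENCE:
        raise ValueError("not a DER SEQUENCE")
    kids = list(der_children(blob, s, e))
    oid_tag, _, oid_end, oid_content = kids[0]
    if oid_tag != OID or blob[oid_content:oid_end] != OID_SIGNED_DATA:
        raise ValueError("contentType is not signedData")
    _, _, _, sd_content = kids[1]               # [0] EXPLICIT SignedData
    _, sd_s, sd_e = der_read(blob, sd_content)  # SignedData ::= SEQUENCE
    certs = []
    for tag, _, tlv_end, content in der_children(blob, sd_s, sd_e):
        if tag == CONTEXT_0:  # certificates [0] IMPLICIT SET OF Certificate
            for ctag, cs, ce, _ in der_children(blob, content, tlv_end):
                if ctag == SEQUENCE:
                    certs.append(blob[cs:ce])  # whole TLV, which is what the thumbprint covers
    return certs


def sha256_thumbprint(cert_der):
    return hashlib.sha256(cert_der).hexdigest()


def blocklisted_thumbprints(blob, blocklist=CSCB):
    """Thumbprints of any certificate in the signature blob that appears on the blocklist."""
    return [t for t in map(sha256_thumbprint, certificates_from_pkcs7(blob)) if t in blocklist]


# --- constructed input: a tiny DER encoder and placeholder certificates (not real X.509) ---
def der_encode(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def fake_certificate(subject):
    """Certificate-shaped SEQUENCE { tbs, signatureAlgorithm, signature }; contents are placeholders."""
    tbs = der_encode(SEQUENCE, der_encode(UTF8STRING, subject))
    alg = der_encode(SEQUENCE, der_encode(OID, OID_SHA384_RSA))
    sig = der_encode(BIT_STRING, bytes(9))
    return der_encode(SEQUENCE, tbs + alg + sig)


def build_test_blob(cert_ders):
    """ContentInfo { signedData, [0] SignedData { version, digestAlgs, encapContent, certs, signerInfos } }."""
    signed_data = der_encode(SEQUENCE,
        der_encode(INTEGER, b"\x01")
        + der_encode(SET, b"")
        + der_encode(SEQUENCE, der_encode(OID, OID_DATA))
        + der_encode(CONTEXT_0, b"".join(cert_ders))
        + der_encode(SET, b""))
    return der_encode(SEQUENCE, der_encode(OID, OID_SIGNED_DATA) + der_encode(CONTEXT_0, signed_data))


if __name__ == "__main__":
    blob = build_test_blob([fake_certificate(b"leaf (placeholder)"), fake_certificate(b"issuer (placeholder)")])
    for cert in certificates_from_pkcs7(blob):
        t = sha256_thumbprint(cert)
        print(t, "BLOCKLISTED" if t in CSCB else "not on CSCB")
```

Every certificate in the blob is hashed, not only the first, because the signer's chain and any timestamp countersigner's certificates ride along with the leaf and a CSCB hit on any of them is worth a look. The check says nothing about whether the signature is valid for the file; that still needs a proper Authenticode verification, which this parser does not attempt.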

Intelligence

File Origin
# of uploads: 1
# of downloads: 398
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
  Sending a custom TCP request
  Creating synchronization primitives
  Launching a process
  Modifying an executable file
  Searching for synchronization primitives
  Creating a process with a hidden window
  Creating a window
  Unauthorized injection to a system process
  Enabling autorun by creating a file
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware overlay packed
Result
Verdict: UNKNOWN
Details
  Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 76 / 100
Signature
  Allocates memory in foreign processes
  Injects code into the Windows Explorer (explorer.exe)
  Maps a DLL or memory area into another process
  Multi AV Scanner detection for submitted file
  Overwrites code with unconditional jumps - possibly settings hooks in foreign process
  Writes to foreign memory regions
  Yara detected Qbot
Behaviour
Behavior Graph (ID 653091; sample 47294.dat; start date 27/06/2022; architecture WINDOWS; score 76), flattened to a process tree:
  Sample-level signatures: Multi AV Scanner detection for submitted file; Yara detected Qbot
  loaddll32.exe
    signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 2 other signatures
    rundll32.exe
      signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions
      explorer.exe
        dropped: C:\Users\user\Desktop\47294.dll (PE32)
    rundll32.exe
      signatures: Allocates memory in foreign processes; Maps a DLL or memory area into another process
      explorer.exe
      backgroundTaskHost.exe
    cmd.exe
      rundll32.exe
        signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 2 other signatures
        explorer.exe
    3 other processes
      WerFault.exe
      explorer.exe
      WerFault.exe
Threat name: Win32.Backdoor.Quakbot
Status: Malicious
First seen: 2022-06-27 15:33:07 UTC
File Type: PE (Dll)
AV detection: 20 of 26 (76.92%)
Threat level: 5/5
Verdict: malicious
Label(s):
Result
Malware family:
Score: 10/10
Tags: family:qakbot botnet:obama194 campaign:1656313665 banker stealer trojan
Behaviour
  Creates scheduled task(s)
  Modifies data under HKEY_USERS
  Suspicious behavior: EnumeratesProcesses
  Suspicious behavior: MapViewOfSection
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  Program crash
  Drops file in System32 directory
  Loads dropped DLL
  Qakbot/Qbot
Malware Config
C2 Extraction:
70.46.220.114:443
32.221.224.140:995
67.209.195.198:443
186.90.153.162:2222
148.64.96.100:443
67.165.206.193:993
86.200.151.188:2222
80.11.74.81:2222
173.174.216.62:443
45.241.173.232:993
41.228.22.180:443
1.161.81.21:995
24.178.196.158:2222
37.34.253.233:443
93.48.80.198:995
129.208.158.180:995
120.150.218.241:995
38.70.253.226:2222
111.125.245.116:995
47.23.89.60:993
40.134.246.185:995
197.87.144.50:443
217.164.119.69:1194
86.97.10.91:443
39.44.30.209:995
74.14.5.179:2222
182.191.92.203:995
117.248.109.38:21
217.165.97.237:993
84.241.8.23:32103
1.161.81.21:443
24.43.99.75:443
94.59.15.180:2222
121.7.223.45:2222
217.128.122.65:2222
39.41.80.91:995
173.21.10.71:2222
174.69.215.101:443
208.107.221.224:443
45.46.53.140:2222
76.25.142.196:443
81.193.30.90:443
5.32.41.45:443
89.101.97.139:443
109.12.111.14:443
217.164.119.69:2222
69.14.172.24:443
162.252.222.118:443
120.61.2.5:443
90.120.209.197:2078
189.159.2.152:2222
191.112.29.39:443
189.78.107.163:32101
101.50.67.7:995
70.51.132.161:2222
179.158.105.44:443
39.57.60.246:995
184.97.29.26:443
63.143.92.99:995
72.252.157.93:995
190.252.242.69:443
177.45.64.254:32101
24.139.72.117:443
72.252.157.93:993
81.132.186.218:2078
24.55.67.176:443
104.34.212.7:32103
196.203.37.215:80
88.241.122.55:443
39.49.71.64:995
210.246.4.69:995
39.52.114.251:995
193.253.44.249:2222
47.156.129.52:443
72.252.157.93:990
100.38.242.113:995
71.13.93.154:2222
108.60.213.141:443
2.34.12.8:443
187.250.202.2:443
94.36.193.176:2222
89.86.33.217:443
31.215.67.68:2222
188.136.218.225:61202
187.208.115.219:443
191.250.120.152:443
49.128.172.7:2222
91.177.173.10:995
148.0.43.48:443
172.115.177.204:2222
68.204.15.28:443
197.94.94.206:443
87.109.229.215:995
105.247.171.130:995
81.250.191.49:2222
83.110.94.105:443
201.176.6.24:995
175.145.235.37:443
187.172.164.12:443
41.84.249.56:995
191.34.121.84:443
113.53.152.11:443
86.195.158.178:2222
109.228.220.196:443
82.41.63.217:443
82.152.39.39:443
106.51.48.188:50001
103.246.242.202:443
41.38.167.179:995
98.50.191.202:443
185.56.243.146:443
47.157.227.70:443
187.251.132.144:22
31.35.28.29:443
148.252.133.168:443
113.5.8.153:2222
180.129.108.214:995
138.186.28.253:443
89.137.52.44:443
122.118.129.227:995
75.99.168.194:61201
103.91.182.114:2222
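The C2 list above is the actionable part of this entry, and also the most perishable: the addresses are largely residential or otherwise compromised hosts the bot relays through, and several of them appear on more than one port (72.252.157.93 on 990, 993 and 995; 217.164.119.69 on 1194 and 2222; 1.161.81.21 on 443 and 995). The Python below is an added example, not code from MalwareBazaar or the reporter: it turns a handful of entries copied from the list into an IP-to-ports map and sweeps constructed firewall log lines, separating exact IP+port hits from IP-only hits that warrant review rather than an automatic verdict. The key=value log format, the internal addresses and the function names are assumptions for the example.

```python
import re
from collections import defaultdict

# Entries copied from the C2 extraction list above; in practice the full list
# comes from the page's IOC export or the MalwareBazaar API.
C2_LIST = """
70.46.220.114:443
32.221.224.140:995
186.90.153.162:2222
217.164.119.69:1194
217.164.119.69:2222
196.203.37.215:80
72.252.157.93:995
72.252.157.93:993
72.252.157.93:990
"""


def parse_c2_list(text):
    """Map each C2 IP to the set of ports the config lists for it (one host may use several)."""
    c2 = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ip, _, port = line.rpartition(":")
        c2[ip].add(int(port))
    return dict(c2)


# Constructed firewall log lines; the key=value layout is an assumption for this
# example, not any real product's format.
LOG_LINES = [
    "2022-06-28T09:14:02Z src=10.20.30.41 dst=70.46.220.114 dport=443 proto=tcp action=allow",
    "2022-06-28T09:14:05Z src=10.20.30.41 dst=142.250.74.78 dport=443 proto=tcp action=allow",
    "2022-06-28T09:15:11Z src=10.20.30.77 dst=72.252.157.93 dport=2222 proto=tcp action=deny",
    "2022-06-28T09:16:40Z src=10.20.30.41 dst=186.90.153.162 dport=2222 proto=tcp action=allow",
    "2022-06-28T09:17:03Z src=10.20.30.90 dst=196.203.37.215 dport=80 proto=tcp action=allow",
]

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def match_c2(log_lines, c2):
    """
    One hit per log line whose destination is a known C2 IP.
    'exact' means IP and port both come from the config; 'ip_only' means the
    host is on the list but the port is not, which on residential relays that
    also carry unrelated traffic is a lead to review, not a verdict.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        dst, dport = m["dst"], int(m["dport"])
        if dst not in c2:
            continue
        hits.append({
            "ts": m["ts"], "src": m["src"], "dst": dst, "dport": dport,
            "match": "exact" if dport in c2[dst] else "ip_only",
        })
    return hits


def hosts_to_review(hits):
    """Internal sources with at least one exact C2 hit, sorted for a ticket."""
    return sorted({h["src"] for h in hits if h["match"] == "exact"})


if __name__ == "__main__":
    c2 = parse_c2_list(C2_LIST)
    hits = match_c2(LOG_LINES, c2)
    for h in hits:
        print(h)
    print("hosts to review:", hosts_to_review(hits))
```

Scope the sweep to a window around the First seen date (2022-06-27); Qakbot configs rotate these relays, so an exact hit months later says little. Exact hits on the unusual ports (995, 993, 2222, 32101) are the strongest signal, since ordinary traffic to a residential address on those ports is rare.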
Please note that we are no longer able to provide a coverage score for Virus Total.
