MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 617c94a15fdfb071cfb9566bafa49d054f13e208a444719ab8ea64ed2140f06b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 13

Intelligence 13 IOCs YARA 5 File information Comments

SHA256 hash:	617c94a15fdfb071cfb9566bafa49d054f13e208a444719ab8ea64ed2140f06b
SHA3-384 hash:	125605cac8692d286012a70d30d557f94557705c9a201247bbc9a8c6e980b99e652bc38218f95c3eb1833a1919bc8aa2
SHA1 hash:	89380bf0e099cc92b6aed5d0a31cb61a4e3686db
MD5 hash:	9666ad1d28537fc070d6fe0ea5c4f2ac
humanhash:	jersey-table-rugby-carolina
File name:	A.png
Download:	download sample
Signature	Quakbot Create hunting rule
File size:	1'088'611 bytes
First seen:	2022-06-23 13:02:57 UTC
Last seen:	Never
File type:	dll
MIME type:	application/x-dosexec
imphash	1e26e30a2a18779b13b95a18534c6e18 (9 x Quakbot, 1 x Gozi)
ssdeep	24576:5vf3ZKnZDyYxr6AVIY7wOM058KJWljhx:NQFnXz+jh
Threatray	1'278 similar samples on MalwareBazaar
TLSH	T1A4358D32B2D1D837D4721A7C9D5BB2E998747E105E2CE44E7ED44F4C1E3AA813A352A3
TrID	47.6% (.EXE) Win32 Executable Delphi generic (14182/79/4) 15.1% (.EXE) Win32 Executable (generic) (4505/5/1) 10.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1) 6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23) 6.8% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter	pr0xylife
Tags:	AA dll Qakbot Quakbot

Intelligence

File Origin

# of uploads :

# of downloads :

287

Origin country :

n/a

Vendor Threat Intelligence

Detection:

QakBot

Link:

https://www.capesandbox.com/analysis/282652/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Creating a file

Searching for synchronization primitives

Sending a custom TCP request

Moving a recently created file

Launching a service

DNS request

Launching a process

Creating a file in the system32 subdirectories

Modifying an executable file

Creating a process with a hidden window

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

greyware keylogger overlay packed

Link:

https://www.filescan.io/uploads/62b4648e924ee6692339233c/reports/3b0ca2d8-11d4-4038-9d90-9e7294b18ccd/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Qakbot

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/febd38a0-3e0b-4447-a8bc-fa87abecddfe

Result

Threat name:

CryptOne, Qbot

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1018652

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Contains functionality to detect sleep reduction / modifications

Creates files in the system32 config directory

Encrypted powershell cmdline option found

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Sigma detected: Schedule system process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected CryptOne packer

Yara detected Qbot

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/617c94a15fdfb071cfb9566bafa49d054f13e208a444719ab8ea64ed2140f06b/

Threat name:

Win32.Backdoor.Quakbot

Status:

Malicious

First seen:

2022-06-23 13:03:10 UTC

File Type:

PE (Dll)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mf6jjik736yhdt5zkzv27je5avhrhyqiurchdgvy5jso2ika6bvq._file

Verdict:

malicious

Label(s):

qakbot

Result

Malware family:

qakbot

Score:

10/10

Tags:

family:qakbot botnet:aa campaign:1655971687 banker stealer trojan

Link:

https://tria.ge/reports/220623-qaccmsdaep/

Behaviour

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Drops file in System32 directory

Loads dropped DLL

Qakbot/Qbot

Malware Config

C2 Extraction:

38.70.253.226:2222
47.23.89.60:993
120.150.218.241:995
117.248.109.38:21
37.34.253.233:443
86.132.14.70:2078
111.125.245.116:995
217.165.85.191:993
176.45.232.204:995
5.32.41.45:443
93.48.80.198:995
100.38.242.113:995
94.59.252.166:2222
74.14.5.179:2222
71.13.93.154:2222
193.253.44.249:2222
108.60.213.141:443
45.241.231.78:993
217.128.122.65:2222
40.134.246.185:995
1.161.124.241:443
70.46.220.114:443
24.43.99.75:443
32.221.224.140:995
80.11.74.81:2222
31.215.184.140:2222
39.49.85.29:995
67.209.195.198:443
186.90.153.162:2222
148.64.96.100:443
67.165.206.193:993
210.246.4.69:995
208.107.221.224:443
89.101.97.139:443
88.234.116.71:443
121.7.223.45:2222
104.34.212.7:32103
69.14.172.24:443
41.228.22.180:443
197.87.182.60:443
24.178.196.158:2222
1.161.124.241:995
189.78.107.163:32101
39.52.74.55:995
2.34.12.8:443
182.191.92.203:995
173.21.10.71:2222
39.41.2.45:995
90.114.10.16:2222
184.97.29.26:443
76.25.142.196:443
47.156.129.52:443
24.55.67.176:443
190.252.242.69:443
70.51.132.161:2222
72.252.157.93:995
90.120.209.197:2078
72.252.157.93:993
72.252.157.93:990
177.45.64.254:32101
24.139.72.117:443
187.250.202.2:443
94.36.193.176:2222
109.12.111.14:443
89.86.33.217:443
179.158.105.44:443
63.143.92.99:995
45.46.53.140:2222
31.215.67.68:2222
188.136.218.225:61202
187.208.115.219:443
31.215.184.140:1194
39.57.60.246:995
24.122.142.181:443
84.241.8.23:32103
191.250.120.152:443
202.134.152.2:2222
91.177.173.10:995
148.0.43.48:443
172.115.177.204:2222
81.193.30.90:443
68.204.15.28:443
197.94.94.206:443
87.109.229.215:995
102.182.232.3:995
196.203.37.215:80
81.250.191.49:2222
83.110.94.105:443
201.176.6.24:995
173.174.216.62:443
31.215.70.37:443
175.145.235.37:443
174.69.215.101:443
187.172.164.12:443
201.172.23.68:2222
41.84.249.56:995
191.34.121.84:443
113.53.152.11:443
86.195.158.178:2222
109.228.220.196:443
82.41.63.217:443
82.152.39.39:443
106.51.48.188:50001
103.246.242.202:443
41.38.167.179:995
98.50.191.202:443
185.56.243.146:443
191.112.28.64:443
39.44.30.209:995
47.157.227.70:443
187.251.132.144:22
31.35.28.29:443
148.252.133.168:443
42.103.132.91:2222
180.129.108.214:995
138.186.28.253:443
89.137.52.44:443
120.61.2.218:443
122.118.129.227:995
124.109.35.171:995
75.99.168.194:61201
103.91.182.114:2222
37.210.156.247:2222
58.105.167.36:50000
187.207.131.50:61202
76.70.9.169:2222
187.211.80.39:443
176.67.56.94:443
103.116.178.85:995
143.0.219.6:995
79.80.80.29:2222

Unpacked files

SH256 hash:

015131ccc2c290fc919b4c60dc88fde93c64f4a44d612c3be3129b749c4476ae

MD5 hash:

9e4e11ef19facc2ad6ea9ceefeb20831

SHA1 hash:

c7e074c6a63a0b21a48f773acd274c950b4ae19d

Link:

https://www.unpac.me/results/49e03d43-a0f5-47cc-a397-0ffee7f9d6ab/

SH256 hash:

d55b8130b9aa6bc9184d678ff7a576d4fc93f5394534a6241b94dbe970a81f9b

MD5 hash:

0d4e57b378b5c45c4d27149fe95ceee5

SHA1 hash:

48e01796a8c8931e61d68b2321de62fc67f2bcc0

Detections:

win_qakbot_auto

Link:

https://www.unpac.me/results/49e03d43-a0f5-47cc-a397-0ffee7f9d6ab/

Parent samples :

efaed060bf01cebf44bb659f76f5c8bf067c97c1f450b2f1281e8ee850cd89d4
6ad3e870d4b1215487c056485dce91cd0bc68d429a00af03aa1b09bb5372b35d
617c94a15fdfb071cfb9566bafa49d054f13e208a444719ab8ea64ed2140f06b
500f85201bcfc0ae49204bd31ed4f055cac1b0b7f8e74339907f5c14b8e711a8
f9ee4ae49d05d8ab9bf8374849a2d6dee7e3e376002f0db570580a08b4a2814b
5f93ae74628d8b5606a67aa9a07713b4cf248f0847dc1a290b93de522d52f064
75ec6322d3d4b67d672cb50f57ab7f879f1190b1dbb4f31e71d771a67c2e1186
e4d91ae2a7ac4f18830f212f9308fb2be1d5fd6a388df1707a9ebe6a0e89ca23
78bc13074087f93fcc8f11ae013995f9a366b6943330c3d02f0b50c4ae96c8a7

SH256 hash:

617c94a15fdfb071cfb9566bafa49d054f13e208a444719ab8ea64ed2140f06b

MD5 hash:

9666ad1d28537fc070d6fe0ea5c4f2ac

SHA1 hash:

89380bf0e099cc92b6aed5d0a31cb61a4e3686db

Link:

https://www.unpac.me/results/49e03d43-a0f5-47cc-a397-0ffee7f9d6ab/

Malware family:

QBot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/617c94a15fdf/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/617c94a15fdfb071cfb9566bafa49d054f13e208a444719ab8ea64ed2140f06b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	QakBot Create hunting rule
Author:	kevoreilly
Description:	QakBot Payload

Rule name:	unpacked_qbot Create hunting rule
Description:	Detects unpacked or memory-dumped QBot samples

Rule name:	win_qakbot_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/282652/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample