MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 68497fe4d9c25c38e9419c4d617a62fedbbe272ef2623c6d61d6794fb047338a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 10

Intelligence 10 IOCs YARA 5 File information Comments

SHA256 hash:	68497fe4d9c25c38e9419c4d617a62fedbbe272ef2623c6d61d6794fb047338a
SHA3-384 hash:	3bf07a264f79a6d5359498b29e85f05447ad6cd50c6440fdd9ff3d5df9756cda240709c9bcb4c218da7e389ca93e9917
SHA1 hash:	92fe338c650338d91546eff91ec5b272a9ac2565
MD5 hash:	4f65cf53d8d47db9b7af0b66ec131052
humanhash:	sierra-zebra-pasta-south
File name:	outstaying.dat
Download:	download sample
Signature	Quakbot Create hunting rule
File size:	431'616 bytes
First seen:	2022-10-31 17:17:21 UTC
Last seen:	2022-10-31 19:20:33 UTC
File type:	dll
MIME type:	application/x-dosexec
imphash	349aa9703287f50b7f5c5557524d68d5 (1 x Quakbot)
ssdeep	6144:MkbHJhzU/Gr+acU2gqnEIzGOEBPepzn6WX1LB5QpK1K0we5itwWUTDAO7V:dheLacnx5dFBOpawe5iFw1V
Threatray	1'626 similar samples on MalwareBazaar
TLSH	T15794CF00B191E036E4BF053649FD8A695A6CAD60075D98FBB3C87D7F5EB06D0B630A27
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	malwarelabnet
Tags:	BB05 dll Qakbot Quakbot

Intelligence

File Origin

# of uploads :

# of downloads :

431

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/326507/

Detection(s):

SecuriteInfo.com.Win32.BotX-gen.31042.14516.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Сreating synchronization primitives

Launching a process

DNS request

Searching for synchronization primitives

Modifying an executable file

Creating a window

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-debug greyware hacktool keylogger

Link:

https://www.filescan.io/uploads/6360034bce1f43143c2a3631/reports/7c59828c-3493-4876-92c1-5a595afe954d/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Qakbot

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e3dd9c27-2d07-4a97-b2c1-086e9e3a6758

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/68497fe4d9c25c38e9419c4d617a62fedbbe272ef2623c6d61d6794fb047338a/

Threat name:

Win32.Backdoor.Quakbot

Status:

Malicious

First seen:

2022-10-31 17:18:09 UTC

File Type:

PE (Dll)

Extracted files:

AV detection:

20 of 25 (80.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nbex7zgzyjodr2kbtrgwc6tc73n34jzo6jrdy3lb2z4u7mchgofa._file

Verdict:

malicious

Label(s):

qakbot

Quakbot

540033fa84f80fb1e31c73139d2a043790a980191c5c5e4416bcfa51d4394a4f

Quakbot

62b5cb0be9e42ed5628cf0bcbc7a159ac89668933c887796d2201e5eb4c2ca76

Quakbot

9bea9743ed86d925f88d75077ef37b3a4a6a652bbdd2f0e516efdfbb94fb5e06

Quakbot

aa8fbf0411339a0acce09cebab6aea8ed00ceaec76fd92f304ee41c09a9372a4

Quakbot

e248f7a1cbd369a2111834664fa805b489c8610e0d9b7fa506c3a1fc882dd331

Quakbot

e9e65452644cf71bddbd3a324c171117c3df219a642bca6083ee6796dc5365c2

Quakbot

+ 1'616 additional samples on MalwareBazaar

Result

Malware family:

qakbot

Score:

10/10

Tags:

family:qakbot botnet:bb05 campaign:1667208499 banker stealer trojan

Link:

https://tria.ge/reports/221031-vt9vgacddl/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Qakbot/Qbot

Malware Config

C2 Extraction:

174.77.209.5:443
187.0.1.74:23795
24.206.27.39:443
1.156.220.169:30723
156.216.39.119:995
58.186.75.42:443
1.156.197.160:30467
187.1.1.190:4844
186.18.210.16:443
1.181.56.171:771
90.165.109.4:2222
187.0.1.186:39742
87.57.13.215:443
187.0.1.207:52344
227.26.3.227:1
98.207.190.55:443
187.0.1.197:7017
188.49.56.189:443
102.156.160.115:443
187.0.1.24:17751
70.51.139.148:2222
187.0.1.109:34115
14.164.18.210:443
187.0.1.97:30597
205.161.22.189:443
187.0.1.151:54711
196.217.63.248:443
187.0.1.160:45243
66.37.239.222:443
24.207.97.40:443
187.0.1.59:24056
68.62.199.70:443
45.230.169.132:993

Unpacked files

SH256 hash:

51578348348c2ccfbd4e0bf1b1ef6176385e115d1e7c1cdb2dde89ed7c987fc1

MD5 hash:

e186167977962f61b5fa5394b318f458

SHA1 hash:

711e7459454c0929bddaad2748e8357e1e757b52

Link:

https://www.unpac.me/results/e77d808c-fad2-47c9-bf65-469e6ed5964f/

SH256 hash:

7fe3748859c1d1e26fdefa94348a1b0384371956d37dcb443cc41fe089ac0980

MD5 hash:

4422b69dfee21253d9a0d3ae931b2498

SHA1 hash:

d5849a933708338e68d64aa25e6ec03501db2737

Detections:

Qakbot

win_qakbot_auto

Link:

https://www.unpac.me/results/e77d808c-fad2-47c9-bf65-469e6ed5964f/

Parent samples :

68497fe4d9c25c38e9419c4d617a62fedbbe272ef2623c6d61d6794fb047338a
0686ffb62b3787e05388beb655b0d3ce446be054c36408fde8ccd3378ef36270
bd66c4bda4b8314636c017ea7743a3c731723f4128d0679e438ab6883f143a27
ef713bf53131e16f35b94accbe2544e5b5969a417a6d2a37d880913635ded18d

SH256 hash:

68497fe4d9c25c38e9419c4d617a62fedbbe272ef2623c6d61d6794fb047338a

MD5 hash:

4f65cf53d8d47db9b7af0b66ec131052

SHA1 hash:

92fe338c650338d91546eff91ec5b272a9ac2565

Link:

https://www.unpac.me/results/e77d808c-fad2-47c9-bf65-469e6ed5964f/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/68497fe4d9c2/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/68497fe4d9c25c38e9419c4d617a62fedbbe272ef2623c6d61d6794fb047338a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	QakBot Create hunting rule
Author:	kevoreilly
Description:	QakBot Payload

Rule name:	unpacked_qbot Create hunting rule
Description:	Detects unpacked or memory-dumped QBot samples

Rule name:	win_qakbot_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.qakbot.

Rule name:	win_qakbot_malped Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/326507/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample