MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 692aa8adc305de52bc4c784fc272aaf943b4f8128162b712b24444342078c751. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Quakbot
Vendor detections: 11



SHA256 hash: 692aa8adc305de52bc4c784fc272aaf943b4f8128162b712b24444342078c751
SHA3-384 hash: 4f148562ad5b00eb311a4e7816067b86eedf09210309a68e5b9d689f6e1335e8f694f34dd234bba51a5236564916aa55
SHA1 hash: e384d4b120d6bc072e5517ecfe30e17cea8b901e
MD5 hash: 136b75b273e9889814978d89a2f304be
humanhash: aspen-ceiling-hawaii-fix
File name: 692aa8adc305de52bc4c784fc272aaf943b4f8128162b712b24444342078c751.bin
Signature: Quakbot
File size: 2'135'808 bytes
First seen: 2020-12-10 08:16:48 UTC
Last seen: 2020-12-10 10:00:22 UTC
File type: DLL
MIME type: application/x-dosexec
imphash: 12fe7152390442e22f7421c5c63d35c2 (2 x Quakbot)
ssdeep: 3072:MU5X9BrbGJ/V37wg4MuYXV8zPYkY35oOp:lzlqPL94MVtv5x
Threatray: 1'397 similar samples on MalwareBazaar
TLSH: E7A5B12E3C6BB77A6E5281746816A67CC7197F88F97B00A817C7674845E7CE23E1E0C4
Reporter: JAMESWT_WT
Tags: Kymijoen Projektipalvelut Oy, Qakbot, qbot, Quakbot, signed

Code Signing Certificate

Organisation: Kymijoen Projektipalvelut Oy
Issuer: Sectigo RSA Code Signing CA
Algorithm: sha256WithRSAEncryption
Valid from: Dec 3 00:00:00 2020 GMT
Valid to: Dec 3 23:59:59 2021 GMT
Serial number: 121FCA3CFA4BD011669F5CC4E053AA3F
MalwareBazaar Blocklist: This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm: SHA256
Thumbprint: 5B5B1808ED49AEED9D846A045EB32DBFE7307DF28EC8D1012B505A9A8DB9084D
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads: 2
# of downloads: 259
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: document-1431349499.xls
Verdict: Suspicious activity
Analysis date: 2020-12-09 14:27:40 UTC
Tags: macros
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour:
- Creating a window
- Sending a UDP request
- Creating a file in the Windows subdirectories
- Launching a process
- Modifying an executable file
- Creating a process with a hidden window
- Unauthorized injection to a system process
- Enabling autorun by creating a file
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 76 / 100
Signature:
- Injects code into the Windows Explorer (explorer.exe)
- Machine Learning detection for sample
- Maps a DLL or memory area into another process
- Multi AV Scanner detection for submitted file
- Overwrites code with unconditional jumps - possibly setting hooks in foreign process
- Uses schtasks.exe or at.exe to add and modify task schedules
- Yara detected Qbot
Behaviour
Behavior Graph: (rendered graph omitted; ID 329024, sample 830MP9mKCM.bin, start date 10/12/2020, architecture WINDOWS, score 76)
Process tree recovered from the graph text: loaddll32.exe and two regsvr32.exe instances start from the sample; loaddll32.exe (overwrites code with unconditional jumps, injects into explorer.exe, maps a DLL into another process) starts explorer.exe, which drops C:\Users\user\Desktop\830MP9mKCM.dll and starts schtasks.exe (with conhost.exe); each regsvr32.exe spawns a child regsvr32.exe that ends in WerFault.exe.
Threat name: Win32.Backdoor.Quakbot
Status: Malicious
First seen: 2020-12-10 02:38:48 UTC
File Type: PE (Dll)
Extracted files: 3
AV detection: 25 of 29 (86.21%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:qakbot botnet:tr02 campaign:1607427512 banker stealer trojan
Behaviour:
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Program crash
- Loads dropped DLL
- Qakbot/Qbot
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash: 29ee02530faeb4ff54f233ee9b43fb5c891a636341c84b45112c80cd7a252d41
MD5 hash: 264025c852853bc3875d51f8fc7dbd19
SHA1 hash: 3f634aea875dc90953159a482c5683a9d1e928f8

SHA256 hash: 692aa8adc305de52bc4c784fc272aaf943b4f8128162b712b24444342078c751
MD5 hash: 136b75b273e9889814978d89a2f304be
SHA1 hash: e384d4b120d6bc072e5517ecfe30e17cea8b901e
Please note that we are no longer able to provide a coverage score for Virus Total.
