MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ad3e870d4b1215487c056485dce91cd0bc68d429a00af03aa1b09bb5372b35d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6ad3e870d4b1215487c056485dce91cd0bc68d429a00af03aa1b09bb5372b35d
SHA3-384 hash: fd850a22c2bac0fc723ca6e072d11fb6f2610d0558fd500483df0cfb7c154b06d722bbf4e0a075081a71d6c1772f6c29
SHA1 hash: 3932f118a543cd9a13866fd8d74fdc5259bb105d
MD5 hash: 66007b94dbd35006090b61f6f9fe291a
humanhash: delaware-music-don-social
File name:6ad3e870d4b1215487c056485dce91cd0bc68d429a00af03aa1b09bb5372b35d
Download: download sample
Signature Quakbot
Create hunting rule
File size:1'118'104 bytes
First seen:2022-06-23 12:58:31 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 1e26e30a2a18779b13b95a18534c6e18 (9 x Quakbot, 1 x Gozi)
ssdeep 24576:5vf3ZKnZDyYxr6AVIY7wOM058KJWljhx:NQFnXz+jh
Threatray 1'276 similar samples on MalwareBazaar
TLSH T1A4358D32B2D1D837D4721A7C9D5BB2E998747E105E2CE44E7ED44F4C1E3AA813A352A3
TrID 47.6% (.EXE) Win32 Executable Delphi generic (14182/79/4)
15.1% (.EXE) Win32 Executable (generic) (4505/5/1)
10.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter pr0xylife
Tags:AA dll Qakbot Quakbot

Intelligence

File Origin
# of uploads :
1
# of downloads :
269
Origin country :
n/a
Vendor Threat Intelligence
Detection:
QakBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/282648/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Launching a process
Modifying an executable file
Searching for synchronization primitives
Creating a process with a hidden window
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware keylogger overlay packed qakbot
Link:
https://www.filescan.io/uploads/62b4639a1fcdba4e1a4db9df/reports/1f3dd2a3-b5d2-4047-8b40-3a0a06b606eb/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/36f9770f-7653-498c-963f-89237d25b621
Result
Threat name:
CryptOne, Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1018650
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Creates files in the system32 config directory
Encrypted powershell cmdline option found
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Schedule system process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected CryptOne packer
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 651146 Sample: yVOTuAlq9R Startdate: 23/06/2022 Architecture: WINDOWS Score: 100 64 Yara detected CryptOne packer 2->64 66 Yara detected Qbot 2->66 68 Sigma detected: Schedule system process 2->68 70 3 other signatures 2->70 9 loaddll32.exe 1 2->9         started        12 powershell.exe 11 2->12         started        14 powershell.exe 8 2->14         started        process3 signatures4 72 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 9->72 74 Injects code into the Windows Explorer (explorer.exe) 9->74 76 Writes to foreign memory regions 9->76 80 3 other signatures 9->80 16 explorer.exe 8 1 9->16         started        20 cmd.exe 1 9->20         started        78 Creates files in the system32 config directory 12->78 22 regsvr32.exe 12->22         started        24 conhost.exe 12->24         started        26 regsvr32.exe 14->26         started        28 conhost.exe 14->28         started        process5 file6 48 C:\Users\user\Desktop\yVOTuAlq9R.dll, PE32 16->48 dropped 62 Uses schtasks.exe or at.exe to add and modify task schedules 16->62 30 schtasks.exe 1 16->30         started        32 rundll32.exe 20->32         started        35 regsvr32.exe 22->35         started        37 regsvr32.exe 26->37         started        signatures7 process8 signatures9 39 conhost.exe 30->39         started        52 Contains functionality to detect sleep reduction / modifications 32->52 41 WerFault.exe 20 9 32->41         started        54 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 35->54 56 Injects code into the Windows Explorer (explorer.exe) 35->56 58 Writes to foreign memory regions 35->58 60 2 other signatures 35->60 44 explorer.exe 8 2 35->44         started        process10 dnsIp11 50 192.168.2.1 unknown unknown 41->50 46 conhost.exe 44->46         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6ad3e870d4b1215487c056485dce91cd0bc68d429a00af03aa1b09bb5372b35d/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-06-23 12:59:09 UTC
File Type:
PE (Dll)
Extracted files:
38
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nlj6q4guweqvjb6akzef3turzuf4ndkctiak6a5kdme3wu3swnoq._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
142d465bdbf028d9035d0bf496ff73147824535f88d1e66f7fe32c55a36301b8
Quakbot
414b150d1512e748414e70c380278d819616a4c4c0c0f8a1679f0264685f3cd3
Quakbot
7043dc865d6c6de28e2ff6e5c7614586c739060dc6deeaa2e27a0e208ad084e2
Quakbot
733f62a7ae7143b691882913468a375a18fb8e5b778301db590e6a9184e92b9d
Quakbot
9cfc5f8eecf8f5e91f6e7151f759f4708010139a2597b69a2d47ce24df97f74e
Quakbot
a36c0298f193030753cdadef0a7f78afb02f25244d6ef552bd4afaa4550a8254
Quakbot
b5ff7b3e2e573f000fc57ac50e27bccd05baecbe72022746f7e13ad755efa4fb
Quakbot
b66154c1bf3c8ec382e169b80d5fb6d9b3fa46ddc01d3bc4e7e249858b4db4ff
Quakbot
c0b483db178c827da049412903494593c97d8aab30035dd39b65c9618157726b
Quakbot
efaed060bf01cebf44bb659f76f5c8bf067c97c1f450b2f1281e8ee850cd89d4
Quakbot
+ 1'266 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot botnet:aa campaign:1655971687 banker stealer trojan
Link:
https://tria.ge/reports/220623-p724wsfgf2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Program crash
Qakbot/Qbot
Malware Config
C2 Extraction:
38.70.253.226:2222
47.23.89.60:993
120.150.218.241:995
117.248.109.38:21
37.34.253.233:443
86.132.14.70:2078
111.125.245.116:995
217.165.85.191:993
176.45.232.204:995
5.32.41.45:443
93.48.80.198:995
100.38.242.113:995
94.59.252.166:2222
74.14.5.179:2222
71.13.93.154:2222
193.253.44.249:2222
108.60.213.141:443
45.241.231.78:993
217.128.122.65:2222
40.134.246.185:995
1.161.124.241:443
70.46.220.114:443
24.43.99.75:443
32.221.224.140:995
80.11.74.81:2222
31.215.184.140:2222
39.49.85.29:995
67.209.195.198:443
186.90.153.162:2222
148.64.96.100:443
67.165.206.193:993
210.246.4.69:995
208.107.221.224:443
89.101.97.139:443
88.234.116.71:443
121.7.223.45:2222
104.34.212.7:32103
69.14.172.24:443
41.228.22.180:443
197.87.182.60:443
24.178.196.158:2222
1.161.124.241:995
189.78.107.163:32101
39.52.74.55:995
2.34.12.8:443
182.191.92.203:995
173.21.10.71:2222
39.41.2.45:995
90.114.10.16:2222
184.97.29.26:443
76.25.142.196:443
47.156.129.52:443
24.55.67.176:443
190.252.242.69:443
70.51.132.161:2222
72.252.157.93:995
90.120.209.197:2078
72.252.157.93:993
72.252.157.93:990
177.45.64.254:32101
24.139.72.117:443
187.250.202.2:443
94.36.193.176:2222
109.12.111.14:443
89.86.33.217:443
179.158.105.44:443
63.143.92.99:995
45.46.53.140:2222
31.215.67.68:2222
188.136.218.225:61202
187.208.115.219:443
31.215.184.140:1194
39.57.60.246:995
24.122.142.181:443
84.241.8.23:32103
191.250.120.152:443
202.134.152.2:2222
91.177.173.10:995
148.0.43.48:443
172.115.177.204:2222
81.193.30.90:443
68.204.15.28:443
197.94.94.206:443
87.109.229.215:995
102.182.232.3:995
196.203.37.215:80
81.250.191.49:2222
83.110.94.105:443
201.176.6.24:995
173.174.216.62:443
31.215.70.37:443
175.145.235.37:443
174.69.215.101:443
187.172.164.12:443
201.172.23.68:2222
41.84.249.56:995
191.34.121.84:443
113.53.152.11:443
86.195.158.178:2222
109.228.220.196:443
82.41.63.217:443
82.152.39.39:443
106.51.48.188:50001
103.246.242.202:443
41.38.167.179:995
98.50.191.202:443
185.56.243.146:443
191.112.28.64:443
39.44.30.209:995
47.157.227.70:443
187.251.132.144:22
31.35.28.29:443
148.252.133.168:443
42.103.132.91:2222
180.129.108.214:995
138.186.28.253:443
89.137.52.44:443
120.61.2.218:443
122.118.129.227:995
124.109.35.171:995
75.99.168.194:61201
103.91.182.114:2222
37.210.156.247:2222
58.105.167.36:50000
187.207.131.50:61202
76.70.9.169:2222
187.211.80.39:443
176.67.56.94:443
103.116.178.85:995
143.0.219.6:995
79.80.80.29:2222
Unpacked files
SH256 hash:
015131ccc2c290fc919b4c60dc88fde93c64f4a44d612c3be3129b749c4476ae
MD5 hash:
9e4e11ef19facc2ad6ea9ceefeb20831
SHA1 hash:
c7e074c6a63a0b21a48f773acd274c950b4ae19d
Link:
https://www.unpac.me/results/999174f3-fe32-4e02-8231-459a45ea11cc/
SH256 hash:
d55b8130b9aa6bc9184d678ff7a576d4fc93f5394534a6241b94dbe970a81f9b
MD5 hash:
0d4e57b378b5c45c4d27149fe95ceee5
SHA1 hash:
48e01796a8c8931e61d68b2321de62fc67f2bcc0
Detections:
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/999174f3-fe32-4e02-8231-459a45ea11cc/
Parent samples :
efaed060bf01cebf44bb659f76f5c8bf067c97c1f450b2f1281e8ee850cd89d4
6ad3e870d4b1215487c056485dce91cd0bc68d429a00af03aa1b09bb5372b35d
617c94a15fdfb071cfb9566bafa49d054f13e208a444719ab8ea64ed2140f06b
500f85201bcfc0ae49204bd31ed4f055cac1b0b7f8e74339907f5c14b8e711a8
f9ee4ae49d05d8ab9bf8374849a2d6dee7e3e376002f0db570580a08b4a2814b
5f93ae74628d8b5606a67aa9a07713b4cf248f0847dc1a290b93de522d52f064
75ec6322d3d4b67d672cb50f57ab7f879f1190b1dbb4f31e71d771a67c2e1186
e4d91ae2a7ac4f18830f212f9308fb2be1d5fd6a388df1707a9ebe6a0e89ca23
78bc13074087f93fcc8f11ae013995f9a366b6943330c3d02f0b50c4ae96c8a7
SH256 hash:
6ad3e870d4b1215487c056485dce91cd0bc68d429a00af03aa1b09bb5372b35d
MD5 hash:
66007b94dbd35006090b61f6f9fe291a
SHA1 hash:
3932f118a543cd9a13866fd8d74fdc5259bb105d
Link:
https://www.unpac.me/results/999174f3-fe32-4e02-8231-459a45ea11cc/
Malware family:
QBot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6ad3e870d4b1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6ad3e870d4b1215487c056485dce91cd0bc68d429a00af03aa1b09bb5372b35d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/282648/

Comments