MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c4a299fff7559d71fd5701f86effb2ab630a69659ca6a38121e749b6f571bad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 14


Intelligence 14 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6c4a299fff7559d71fd5701f86effb2ab630a69659ca6a38121e749b6f571bad
SHA3-384 hash: 6d5aca8a5bff1031c299d6f245aa43538db0da20f64ad24bab8c23c1186cf89a779ea2322758a9505984e5d250bb0875
SHA1 hash: e42261322a53e22aac98fd6acddddd810023da52
MD5 hash: dfdfd1f1f8031cdfe64cad02a265a470
humanhash: mountain-butter-lemon-july
File name:Invoice.sm
Download: download sample
Signature Quakbot
Create hunting rule
File size:1'228'616 bytes
First seen:2022-12-15 14:51:59 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 2f0dd1c2521ecab5a25abd2f0e3ad58e (1 x Quakbot)
ssdeep 12288:6XIA7EqhgWv2KFy9s8E8SzsOA/KhwutLATdcuQ7rpPzXTwnk1cQ47gPtHckpPWU0:6YAdLxJ8y4yhp2cjThkjq6DZGkuDCdUs
Threatray 1'840 similar samples on MalwareBazaar
TLSH T1FB457D26B6808837C576193C9C1FB3E999357A111D7C88863BDC4F4ECE3A6923B35267
TrID 47.6% (.EXE) Win32 Executable Delphi generic (14182/79/4)
15.1% (.EXE) Win32 Executable (generic) (4505/5/1)
10.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter madjack_red
Tags:dll Quakbot

Intelligence

File Origin
# of uploads :
1
# of downloads :
190
Origin country :
GB GB
Vendor Threat Intelligence
Detection:
QakBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/346682/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware keylogger overlay packed
Link:
https://www.filescan.io/uploads/639b34934aee845f49e50bba/reports/bc90dcef-3008-41e8-9938-b10adb3334e7/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7e3dd6ee-918a-43fd-a463-3c89f2229f52
Result
Threat name:
Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1135080
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 767810 Sample: Invoice.sm.dll Startdate: 15/12/2022 Architecture: WINDOWS Score: 96 28 139.5.239.14 VNPL-ASVortexNetsolPrivateLimitedIN India 2->28 30 100.6.8.7 UUNETUS United States 2->30 32 98 other IPs or domains 2->32 34 Snort IDS alert for network traffic 2->34 36 Multi AV Scanner detection for submitted file 2->36 38 Yara detected Qbot 2->38 40 3 other signatures 2->40 9 loaddll32.exe 1 2->9         started        signatures3 process4 signatures5 44 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 9->44 46 Writes to foreign memory regions 9->46 48 Allocates memory in foreign processes 9->48 50 Maps a DLL or memory area into another process 9->50 12 rundll32.exe 9->12         started        15 cmd.exe 1 9->15         started        17 wermgr.exe 9 1 9->17         started        19 conhost.exe 9->19         started        process6 signatures7 52 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 12->52 54 Writes to foreign memory regions 12->54 56 Allocates memory in foreign processes 12->56 58 Maps a DLL or memory area into another process 12->58 21 wermgr.exe 12->21         started        23 rundll32.exe 15->23         started        process8 signatures9 42 Contains functionality to detect sleep reduction / modifications 23->42 26 WerFault.exe 24 9 23->26         started        process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6c4a299fff7559d71fd5701f86effb2ab630a69659ca6a38121e749b6f571bad/
Threat name:
Win32.Trojan.QBot
Create hunting rule
Status:
Malicious
First seen:
2022-12-15 14:52:08 UTC
File Type:
PE (Dll)
Extracted files:
38
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nrfcth77ovm5oh6voapyn373fk3dbjuwlhfguoasdz2jw32xdowq._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
141d3c8278c2704ca10cbe3570679cc7a016d0bc30e106129adb38938cd47296
Quakbot
1c5f7847fe79eb0848911fc0904b17f8c12d11527fefce2ff6506f8552733d27
Quakbot
329732f00e782c5c2512f83db2d07c4b26364298cde645f4fd7adca2f27c00bd
Quakbot
457482f12d66c77f8d15a55fa52fe75ce54ffb292bd96440dde97a5f769c1eb9
Quakbot
69d829b1dc15636a01b783fe04179165fd7f28bc11393782bbdbdfd77619e785
Quakbot
855e478e4b59dafee6a223500c4a6b5650fab00f05442bd8161375dfe9b51858
Quakbot
a62dcf9b94179a272e52607b21e873f1699ab02b68a371ef12b559bd8fafb59b
Quakbot
b7565343ecaa0338c92523af84078457c89f707de0b32a8769a935ab02b92bc5
Quakbot
c2818a0dde04b70ce0f01342df88b2d01c2ab0fced4e94fdc1254bf505325bf6
Quakbot
ce81b2ab0a243fe8e85a249b0f425007d858d7e9cc7e65af5d2f9e68efb5e5d0
Quakbot
+ 1'830 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot botnet:azd campaign:1670585125 banker stealer trojan
Link:
https://tria.ge/reports/221215-r8rqnafe7y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Program crash
Qakbot/Qbot
Malware Config
C2 Extraction:
172.90.139.138:2222
90.116.219.167:2222
173.239.94.212:443
91.169.12.198:32100
74.66.134.24:443
66.191.69.18:995
182.75.189.42:995
78.69.251.252:2222
98.145.23.67:443
103.71.21.107:443
197.94.219.133:443
91.68.227.219:443
12.172.173.82:993
86.176.83.127:2222
64.121.161.102:443
41.98.21.114:443
92.154.17.149:2222
151.65.67.211:443
89.129.109.27:2222
76.11.14.249:443
69.119.123.159:2222
70.66.199.12:443
12.172.173.82:990
183.82.100.110:2222
83.114.60.6:2222
92.189.214.236:2222
70.115.104.126:995
190.18.236.175:443
121.122.99.223:995
72.53.103.56:443
91.165.188.74:50000
12.172.173.82:995
156.220.229.249:993
86.96.75.237:2222
85.152.152.46:443
181.118.183.44:443
76.80.180.154:995
81.248.77.37:2222
90.66.229.185:2222
86.130.9.250:2222
172.117.139.142:995
12.172.173.82:465
75.143.236.149:443
81.229.117.95:2222
81.111.108.123:443
50.68.204.71:995
124.122.55.68:443
139.5.239.14:443
37.56.111.49:995
46.10.198.106:443
85.61.165.153:2222
90.104.22.28:2222
88.126.94.4:50000
90.89.95.158:2222
83.213.201.104:993
73.223.248.31:443
47.41.154.250:443
2.99.47.198:2222
190.199.169.127:993
83.92.85.93:443
184.68.116.146:2222
73.161.176.218:443
150.107.231.59:2222
98.178.242.28:443
213.67.255.57:2222
174.104.184.149:443
108.6.249.139:443
84.35.26.14:995
149.126.159.106:443
184.68.116.146:3389
37.14.229.220:2222
24.206.27.39:443
199.83.165.233:443
84.215.202.22:443
71.247.10.63:995
50.68.204.71:443
86.169.19.140:2222
76.20.42.45:443
70.55.120.16:2222
69.133.162.35:443
12.172.173.82:21
72.200.109.104:443
50.68.204.71:993
2.83.12.243:443
184.176.154.83:995
176.177.136.35:443
92.207.132.174:2222
174.77.209.5:443
142.161.27.232:2222
86.159.48.25:2222
100.6.8.7:443
184.153.132.82:443
27.109.19.90:2078
94.105.123.53:443
198.2.51.242:993
70.120.228.205:443
75.158.15.211:443
181.164.194.223:443
184.68.116.146:61202
184.68.116.146:2078
86.225.214.138:2222
78.213.14.206:443
176.142.207.63:443
73.36.196.11:443
197.26.142.159:443
176.151.15.101:443
87.65.160.87:995
92.24.200.226:995
87.221.197.110:2222
77.86.98.236:443
162.248.14.107:443
84.113.121.103:443
137.186.193.226:3389
92.8.190.211:2222
201.208.139.250:2222
12.172.173.82:22
75.98.154.19:443
24.142.218.202:443
70.77.116.233:443
Unpacked files
SH256 hash:
585e9f9ab71965b5a2d92fcaeadaa61712d80235f7f8e05c792e7440353f2b4c
MD5 hash:
9d2ace7ead5ef86c7af73830ab0f8b61
SHA1 hash:
8256d336d7567ab27f6ed7454dc1378a592c191d
Link:
https://www.unpac.me/results/2f63abd8-6798-4ec5-8522-1fc3a2902799/
SH256 hash:
bc72cff19873902cd96082feb4828d4f6e3dd1fd3d243067db3b7bad774462b7
MD5 hash:
8c58b99f34f579ee710b88d4318e572a
SHA1 hash:
2174ef54afed45660fc1808ae77bc8cfa1d02f6f
Detections:
Qakbot
Create hunting rule
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/2f63abd8-6798-4ec5-8522-1fc3a2902799/
Parent samples :
c2818a0dde04b70ce0f01342df88b2d01c2ab0fced4e94fdc1254bf505325bf6
6c4a299fff7559d71fd5701f86effb2ab630a69659ca6a38121e749b6f571bad
SH256 hash:
6c4a299fff7559d71fd5701f86effb2ab630a69659ca6a38121e749b6f571bad
MD5 hash:
dfdfd1f1f8031cdfe64cad02a265a470
SHA1 hash:
e42261322a53e22aac98fd6acddddd810023da52
Link:
https://www.unpac.me/results/2f63abd8-6798-4ec5-8522-1fc3a2902799/
Malware family:
QBot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6c4a299fff75/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Qakbot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/6c4a299fff7559d71fd5701f86effb2ab630a69659ca6a38121e749b6f571bad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:QakBot
Create hunting rule
Author:kevoreilly
Description:QakBot Payload
Rule name:qakbot_api_hashing
Create hunting rule
Author:@Embee_Research
Reference:https://twitter.com/embee_research/status/1592067841154756610
Rule name:unpacked_qbot
Create hunting rule
Description:Detects unpacked or memory-dumped QBot samples
Rule name:win_qakbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.
Rule name:win_qakbot_malped
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/346682/

Comments