MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d035d195cde1271261038e42c93a8437b40ebf14203c9477c17469f0f4f68ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 11

SHA256 hash: 6d035d195cde1271261038e42c93a8437b40ebf14203c9477c17469f0f4f68ef
SHA3-384 hash: 12731a0815a14cb643362b011717d888db9465b3cc0bad4acb76dcaad48629a0018f4c3e4fdd436339fe7de5134944af
SHA1 hash: b6d851a98e49eb61e5f5d255f7e4d68e9e313fd2
MD5 hash: da07ac5bb78b36d97132c73fdc1e2c20
humanhash: snake-sad-video-lake
File name: msoffice32.dll
Signature: Quakbot
File size: 608'248 bytes
First seen: 2022-11-14 18:25:25 UTC
Last seen: Never
File type: DLL dll
MIME type: application/x-dosexec
imphash: 446cda0346af9f8bf8adda69091d2673 (3 x Quakbot)
ssdeep: 12288:anbfdUgz1clr4FgZMsAZ68cUMwvLVh5VPnb7D:abfdUggAs8vMsL5dvD
Threatray: 1'760 similar samples on MalwareBazaar
TLSH: T173D46C06EDC9BF6BD86594BE89478062986BCC151B40CB13A30CD67334677780BDB7AE
TrID: 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
      10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: malwarelabnet
Tags: dll obama221 Qakbot Quakbot signed

Code Signing Certificate

Organisation: Everything Not Saved Will Be Lost Oy
Issuer: Sectigo Public Code Signing CA R36
Algorithm: sha384WithRSAEncryption
Valid from: 2021-11-11T00:00:00Z
Valid to: 2022-11-11T23:59:59Z
Serial number: e9250edfb5d6e66baa968898fe58d3d1
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: 7931064741c00a59d78c92ed7bac30d8d84910a0c9e59d0969976e72d9423a90
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads: 1
# of downloads: 207
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Suspicious
Maliciousness:
Behaviour:
Creating synchronization primitives
Launching a process
Searching for synchronization primitives
Modifying an executable file
Creating a window
Sending a custom TCP request
Unauthorized injection to a system process
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware overlay packed

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name: Win32.Backdoor.Quakbot
Status: Malicious
First seen: 2022-11-14 18:26:07 UTC
File Type: PE (Dll)
AV detection: 15 of 26 (57.69%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:qakbot botnet:obama221 campaign:1667915095 banker stealer trojan
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Qakbot/Qbot
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash: 54208f7086ef2c05d913f8c29dca2172db70d36dab0f3b9889c417a6134ce809
MD5 hash: 828ea0c9e1b288142d1020be7d72e99e
SHA1 hash: b59b961aedbdaad2c3f26fed87b165486dddd10b
SHA256 hash: 5e0c092683f3830dc594f978184f12100666edad36635e7334587a3059602502
MD5 hash: 444c4421416ca4620090e6b93780b287
SHA1 hash: a8203c9f21b15514b8d898a01c4765062650a58a
Detections: Qakbot win_qakbot_auto
SHA256 hash: 6d035d195cde1271261038e42c93a8437b40ebf14203c9477c17469f0f4f68ef
MD5 hash: da07ac5bb78b36d97132c73fdc1e2c20
SHA1 hash: b6d851a98e49eb61e5f5d255f7e4d68e9e313fd2
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments