MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ffe6cc4040d5b57a7d45764c361f671025a82261b5f653233687acd27c1a805. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry
Quakbot

Vendor detections: 13


SHA256 hash: 6ffe6cc4040d5b57a7d45764c361f671025a82261b5f653233687acd27c1a805
SHA3-384 hash: eb47b3c3955a99e4f45e1f4ff25dcf80f7bc3d41d4e679116f006e87d5b90caa4fa55c7d0e8e592822d8a49b8e2b556b
SHA1 hash: 35f03a5523febaa6999a24fccd4051fefc084681
MD5 hash: 3c0447ddd99de6f16b987819421fc039
humanhash: eighteen-ink-violet-oregon
File name: 6ffe6cc4040d5b57a7d45764c361f671025a82261b5f653233687acd27c1a805
Signature: Quakbot
File size: 833'682 bytes
First seen: 2022-05-12 14:54:25 UTC
Last seen: Never
File type: DLL dll
MIME type: application/x-dosexec
imphash: 2a66b42b84311cd61a2b1eea3a6a1d9b (3 x Quakbot)
ssdeep: 12288:Za/XnRl4R8v0u5snt7/JTRSrJ3exDKgu63BThvkIdIhOhs6j5sifQu8:MvsR4o9XSNuC63B1DMX6OiJ
Threatray: 1'056 similar samples on MalwareBazaar
TLSH: T1E7059E22F7F1443BC1B32A7D9D7B63A5882A7D012D78948A7BE40E4C4E356517A383B7
TrID: 47.6% (.EXE) Win32 Executable Delphi generic (14182/79/4)
      15.1% (.EXE) Win32 Executable (generic) (4505/5/1)
      10.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
      6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
      6.8% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter: pr0xylife
Tags: AA dll Qakbot Quakbot

Intelligence

File Origin
# of uploads: 1
# of downloads: 272
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a window
Launching a process
Modifying an executable file
Searching for synchronization primitives
Creating a process with a hidden window
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: control.exe greyware keylogger overlay packed update.exe
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: CryptOne, Qbot
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Found malware configuration
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Schedule system process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected CryptOne packer
Yara detected Qbot
Behaviour
Behavior Graph ID: 625380
Sample: DfhVQuL2bC
Startdate: 12/05/2022
Architecture: WINDOWS
Score: 100

Top-level signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected CryptOne packer; 4 other signatures

Process tree (as recovered from the behavior graph):
  loaddll32.exe
    signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 3 other signatures
    explorer.exe
      dropped: C:\Users\user\Desktop\DfhVQuL2bC.dll, PE32
      signatures: Uses cmd line tools excessively to alter registry or file data; Uses schtasks.exe or at.exe to add and modify task schedules
      schtasks.exe
        conhost.exe
    cmd.exe
      rundll32.exe
        signatures: Contains functionality to detect sleep reduction / modifications
        WerFault.exe
          network: 192.168.2.1 unknown unknown
        explorer.exe
    conhost.exe
  regsvr32.exe
    regsvr32.exe
      signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 3 other signatures
      explorer.exe
        signatures: Uses cmd line tools excessively to alter registry or file data
        reg.exe
          conhost.exe
        conhost.exe
        reg.exe
  regsvr32.exe
    regsvr32.exe
Threat name: Win32.Trojan.PinkSbot
Status: Malicious
First seen: 2022-05-12 14:55:08 UTC
File Type: PE (Dll)
Extracted files: 38
AV detection: 30 of 41 (73.17%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:qakbot botnet:aa campaign:1652357106 banker stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Program crash
Qakbot/Qbot
Malware Config
C2 Extraction:
24.55.67.176:443
148.0.57.85:443
39.44.86.21:995
103.139.243.207:990
181.208.248.227:443
172.115.177.204:2222
70.46.220.114:443
37.186.54.254:995
24.178.196.158:2222
91.177.173.10:995
176.67.56.94:443
39.44.66.76:995
86.97.8.200:443
86.132.13.91:2078
179.158.105.44:443
174.69.215.101:443
189.26.55.114:443
187.207.131.50:61202
86.98.78.177:993
217.164.119.236:1194
67.209.195.198:443
196.203.37.215:80
41.84.248.225:443
108.60.213.141:443
37.210.156.191:2222
103.107.113.84:443
176.45.216.134:995
120.150.218.241:995
182.191.92.203:995
86.195.158.178:2222
93.48.80.198:995
74.14.7.71:2222
82.152.39.39:443
47.23.89.60:993
92.132.172.197:2222
197.162.117.38:995
38.70.253.226:2222
185.249.85.200:443
102.65.16.245:443
37.34.253.233:443
32.221.224.140:995
45.241.145.155:993
41.228.22.180:443
75.99.168.194:443
86.190.159.132:443
148.64.96.100:443
202.134.152.2:2222
2.50.4.57:443
140.82.49.12:443
217.128.122.65:2222
80.11.74.81:2222
89.101.97.139:443
79.129.121.68:995
41.84.247.0:995
46.103.186.43:995
39.52.77.241:995
172.114.160.81:995
186.90.153.162:2222
90.120.65.153:2078
102.182.232.3:995
89.86.33.217:443
2.34.12.8:443
46.107.48.202:443
86.98.208.214:2222
72.76.94.99:443
76.70.9.169:2222
124.40.244.118:2222
203.122.46.130:443
183.82.103.213:443
201.1.202.82:32101
45.76.167.26:995
140.82.63.183:443
144.202.3.39:995
45.76.167.26:443
45.63.1.12:443
149.28.238.199:443
140.82.63.183:995
144.202.3.39:443
144.202.2.175:995
149.28.238.199:995
144.202.2.175:443
75.99.168.194:61201
45.63.1.12:995
85.107.161.25:443
173.22.32.101:443
103.246.242.202:443
197.89.20.113:443
83.110.93.158:443
1.161.66.82:443
118.172.251.136:443
175.145.235.37:443
217.164.119.236:2222
37.208.145.168:6883
201.42.3.27:32101
39.49.48.82:995
121.74.167.191:995
208.107.221.224:443
120.61.3.164:443
73.151.236.31:443
173.21.10.71:2222
45.46.53.140:2222
187.172.191.97:443
193.136.1.58:443
191.99.191.28:443
190.252.242.69:443
201.142.133.198:443
187.208.122.239:443
189.146.87.77:443
70.51.137.64:2222
47.156.191.217:443
201.172.23.68:2222
76.25.142.196:443
187.251.132.144:22
40.134.246.185:995
24.139.72.117:443
69.14.172.24:443
100.1.108.246:443
72.252.157.172:995
187.102.135.141:2222
72.252.157.172:990
94.36.195.102:2222
31.215.102.193:2078
186.105.98.35:443
109.12.111.14:443
82.41.63.217:443
191.251.134.129:443
173.174.216.62:443
84.241.8.23:32103
41.38.167.179:995
201.210.162.138:2222
118.161.15.217:995
182.182.255.93:995
5.32.41.45:443
63.143.92.99:995
121.7.223.59:2222
58.105.167.36:50000
67.165.206.193:993
128.106.123.187:443
103.157.122.130:21
101.50.67.212:995
106.51.48.170:50001
109.228.220.196:443
104.34.212.7:32103
181.222.130.143:993
24.152.219.253:995
111.125.245.118:995
39.53.165.129:995
197.205.106.232:443
103.139.243.207:993
116.30.161.215:995
Unpacked files
SHA256 hash: 196ef6483ca1b1dcaa7602c0c1d13da90480eef3f3f54bb80b5227a58519027f
MD5 hash: b935ccb1ea50ef7fb276471158cd0065
SHA1 hash: 2fddd061e9cfa43655abec2749e72312e457b97b

SHA256 hash: b0e2c4d0601f6e2f6ab13777d1ea9ab8ee5be71e579116c086f7df4f5fd8fb67
MD5 hash: 7be691f53d28443afa0ffc2ce378358b
SHA1 hash: 567ed2629c501ede8b69d0a463c007e90d8d8dcc

SHA256 hash: 6f357576bd8c1fc60e3061395cfa42849f658c78b6dc0bd770f4203a6a24e549
MD5 hash: f11ee8b593f0bb639dd0c7a246156605
SHA1 hash: c1790fbb4a046950be8bcdd86e82c1dc5fc552fc
Detections: win_qakbot_auto

SHA256 hash: f2bebbfeb45ba40cfa0f10e2c23247f770f148147594dd04d8c79a9be2a2e7f0
MD5 hash: bfa49d0374ddb3c72e62e591f50459bd
SHA1 hash: c75bcf44ab88200ed7b0f59f72faecde64a1b58e
Detections: win_qakbot_auto

SHA256 hash: ccd7385bc51821d659ca085161167fe083f03f0ece44517156b6a889d0199c5e
MD5 hash: 604c7efeb0df01554bf8f5c6edb43193
SHA1 hash: 4b223d4ebabf66df72c23544142f4abd4e926e4f
Detections: win_qakbot_auto

SHA256 hash: 034d0c683a77ed733a6094a7adfa800c08fb6c50fc1ae6f1ec8735a931c6b206
MD5 hash: 10f30bb41589bdda68d982fac5ffa209
SHA1 hash: d6c6e5f079eccb25c07d602fc4486880829f283a

SHA256 hash: 6ffe6cc4040d5b57a7d45764c361f671025a82261b5f653233687acd27c1a805
MD5 hash: 3c0447ddd99de6f16b987819421fc039
SHA1 hash: 35f03a5523febaa6999a24fccd4051fefc084681
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments