MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 733f62a7ae7143b691882913468a375a18fb8e5b778301db590e6a9184e92b9d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 733f62a7ae7143b691882913468a375a18fb8e5b778301db590e6a9184e92b9d
SHA3-384 hash: a0658f988bdda0df3e66359d61deab117ed1a429481cd18f15b77370d10108b0a58fc7472e8d1995d9bd8ccc10b22660
SHA1 hash: 4ddce3004bbf7b8dbfc5e0132a9d161c617fa586
MD5 hash: 6e6f2af49ddd39291f7260dd31d26c49
humanhash: oklahoma-mango-blue-lemon
File name:W.dll
Download: download sample
Signature Quakbot
Create hunting rule
File size:757'430 bytes
First seen:2022-06-22 09:00:26 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash c7f3e11e6f6fe8a9de8b31827060af69 (8 x Quakbot)
ssdeep 12288:0SHEVZKP1O+hamzhv1fm3R7yhZF0WGNYW:xSi7NvE9EeYW
Threatray 1'266 similar samples on MalwareBazaar
TLSH T16BF49E72B3E04837C1771A7C8D1BB66898297D113E3C988A7BF41D4C5F3A781366A297
TrID 47.6% (.EXE) Win32 Executable Delphi generic (14182/79/4)
15.1% (.EXE) Win32 Executable (generic) (4505/5/1)
10.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter pr0xylife
Tags:AA dll Qakbot Quakbot

Intelligence

File Origin
# of uploads :
1
# of downloads :
248
Origin country :
n/a
Vendor Threat Intelligence
Detection:
QakBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/282252/
Detection(s):
SecuriteInfo.com.UDS.Trojan.Win32.Bsymem.gen.15883.2117.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching a service
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a file in the system32 subdirectories
Unauthorized injection to a recently created process
Modifying an executable file
Creating a process with a hidden window
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware keylogger overlay
Link:
https://www.filescan.io/uploads/62b2da981fcdba4e1a488e2a/reports/6558598c-68f8-4080-9515-374d8e688012/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1e32a6be-c1a8-4b80-9929-d1f478b9cb23
Result
Threat name:
CryptOne, Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1017765
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Creates files in the system32 config directory
Encrypted powershell cmdline option found
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Schedule system process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected CryptOne packer
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 650261 Sample: W.dll Startdate: 22/06/2022 Architecture: WINDOWS Score: 100 53 Yara detected CryptOne packer 2->53 55 Yara detected Qbot 2->55 57 Sigma detected: Schedule system process 2->57 59 2 other signatures 2->59 9 loaddll32.exe 1 2->9         started        12 powershell.exe 11 2->12         started        14 powershell.exe 8 2->14         started        process3 signatures4 71 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 9->71 73 Injects code into the Windows Explorer (explorer.exe) 9->73 75 Writes to foreign memory regions 9->75 79 3 other signatures 9->79 16 explorer.exe 8 1 9->16         started        20 cmd.exe 1 9->20         started        77 Creates files in the system32 config directory 12->77 22 regsvr32.exe 12->22         started        24 conhost.exe 12->24         started        26 regsvr32.exe 14->26         started        28 conhost.exe 14->28         started        process5 file6 49 C:\Users\user\Desktop\W.dll, PE32 16->49 dropped 51 Uses schtasks.exe or at.exe to add and modify task schedules 16->51 30 schtasks.exe 1 16->30         started        32 svchost.exe 1 16->32         started        34 rundll32.exe 20->34         started        37 regsvr32.exe 22->37         started        39 regsvr32.exe 26->39         started        signatures7 process8 signatures9 41 conhost.exe 30->41         started        61 Contains functionality to detect sleep reduction / modifications 34->61 43 WerFault.exe 23 9 34->43         started        63 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 37->63 65 Injects code into the Windows Explorer (explorer.exe) 37->65 67 Writes to foreign memory regions 37->67 69 2 other signatures 37->69 45 explorer.exe 8 2 37->45         started        process10 process11 47 conhost.exe 45->47         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/733f62a7ae7143b691882913468a375a18fb8e5b778301db590e6a9184e92b9d/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-06-22 09:01:09 UTC
File Type:
PE (Dll)
Extracted files:
38
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=om7wfj5oofb3nemifejuncrxlimpxds3o6bqdw2zbzvjdbhjfooq._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
142d465bdbf028d9035d0bf496ff73147824535f88d1e66f7fe32c55a36301b8
Quakbot
414b150d1512e748414e70c380278d819616a4c4c0c0f8a1679f0264685f3cd3
Quakbot
7043dc865d6c6de28e2ff6e5c7614586c739060dc6deeaa2e27a0e208ad084e2
Quakbot
76209c7f60db832e93bdd6e68bcb2aaff914d2094f7db636e8aa19d4f43f40ea
Quakbot
7b7c1e7e308228cc4a38adaf8ca66952f12eab0ec27d594d7b59815e0950fa2f
Quakbot
9cfc5f8eecf8f5e91f6e7151f759f4708010139a2597b69a2d47ce24df97f74e
Quakbot
a36c0298f193030753cdadef0a7f78afb02f25244d6ef552bd4afaa4550a8254
Quakbot
b5ff7b3e2e573f000fc57ac50e27bccd05baecbe72022746f7e13ad755efa4fb
Quakbot
c0b483db178c827da049412903494593c97d8aab30035dd39b65c9618157726b
Quakbot
+ 1'256 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot botnet:aa campaign:1655814286 banker stealer trojan
Link:
https://tria.ge/reports/220622-kywhjafbc8/
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in System32 directory
Loads dropped DLL
Qakbot/Qbot
Malware Config
C2 Extraction:
94.59.252.166:2222
201.176.6.24:995
87.109.229.215:995
74.14.5.179:2222
86.132.14.70:2078
86.98.157.42:993
189.78.107.163:32101
108.60.213.141:443
217.128.122.65:2222
148.0.46.240:443
71.13.93.154:2222
91.177.173.10:995
81.250.191.49:2222
173.174.216.62:443
70.46.220.114:443
24.43.99.75:443
32.221.224.140:995
1.161.124.241:443
67.209.195.198:443
117.248.109.38:21
40.134.246.185:995
193.253.44.249:2222
111.125.245.116:995
5.32.41.45:443
37.34.253.233:443
179.158.105.44:443
182.191.92.203:995
172.115.177.204:2222
93.48.80.198:995
148.64.96.100:443
186.90.153.162:2222
67.165.206.193:993
191.250.120.152:443
202.134.152.2:2222
100.38.242.113:995
41.228.22.180:443
45.241.205.91:993
90.120.209.197:2078
210.246.4.69:995
24.178.196.158:2222
80.11.74.81:2222
69.14.172.24:443
120.150.218.241:995
38.70.253.226:2222
47.23.89.60:993
177.45.64.254:32101
2.34.12.8:443
104.34.212.7:32103
88.251.195.142:443
92.137.225.8:2222
39.41.59.177:995
121.7.223.45:2222
176.205.21.139:1194
196.203.37.215:80
188.136.218.225:61202
39.52.59.14:995
31.215.70.37:443
83.110.94.105:443
175.145.235.37:443
208.107.221.224:443
197.89.11.167:443
1.161.124.241:995
84.241.8.23:32103
173.21.10.71:2222
76.25.142.196:443
45.46.53.140:2222
174.69.215.101:443
81.193.30.90:443
47.156.131.10:443
187.250.202.2:443
187.208.115.219:443
187.172.164.12:443
72.252.157.93:990
72.252.157.93:995
24.139.72.117:443
24.55.67.176:443
109.12.111.14:443
102.182.232.3:995
72.252.157.93:993
201.172.23.68:2222
41.84.249.56:995
70.51.132.161:2222
162.252.222.118:443
191.34.121.84:443
113.53.152.11:443
86.195.158.178:2222
39.57.60.246:995
109.228.220.196:443
82.41.63.217:443
82.152.39.39:443
106.51.48.188:50001
103.246.242.202:443
94.36.193.176:2222
176.205.21.139:2222
41.38.167.179:995
98.50.191.202:443
190.252.242.69:443
89.101.97.139:443
185.56.243.146:443
186.105.113.65:443
39.49.69.116:995
39.44.30.209:995
68.204.15.28:443
47.157.227.70:443
187.251.132.144:22
63.143.92.99:995
31.35.28.29:443
148.252.128.73:443
42.103.128.35:2222
180.129.108.214:995
138.186.28.253:443
184.97.29.26:443
89.137.52.44:443
120.61.2.218:443
122.118.131.132:995
188.55.215.137:995
101.50.110.17:995
89.86.33.217:443
75.99.168.194:61201
103.91.182.114:2222
37.210.156.247:2222
58.105.167.36:50000
197.94.94.206:443
187.207.131.50:61202
76.70.9.169:2222
189.253.206.105:443
176.67.56.94:443
103.116.178.85:995
143.0.219.6:995
79.80.80.29:2222
37.186.58.115:995
96.37.113.36:993
78.101.194.193:6883
72.27.33.160:443
208.101.82.0:443
Unpacked files
SH256 hash:
674b5e1d7f0951639847a498222aab467b3787167658cc018c8be738e6a6b74e
MD5 hash:
c0b9aa389d866497ee135a089617623a
SHA1 hash:
9133145783827c4c46209ef211c2b4ca587b98fe
Link:
https://www.unpac.me/results/3ec75e26-0f44-4dbe-8aae-e286bb99c7c9/
SH256 hash:
717230d2a493174a3282d15d93283642a08fed5bc02eadbf30daea1cac8fa55d
MD5 hash:
467b538d0a7c8a9a3ffa2e03c3681222
SHA1 hash:
c3a8515dcd97fbae4f066f9379724a7ce9c26f34
Detections:
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/3ec75e26-0f44-4dbe-8aae-e286bb99c7c9/
Parent samples :
a36c0298f193030753cdadef0a7f78afb02f25244d6ef552bd4afaa4550a8254
142d465bdbf028d9035d0bf496ff73147824535f88d1e66f7fe32c55a36301b8
733f62a7ae7143b691882913468a375a18fb8e5b778301db590e6a9184e92b9d
SH256 hash:
733f62a7ae7143b691882913468a375a18fb8e5b778301db590e6a9184e92b9d
MD5 hash:
6e6f2af49ddd39291f7260dd31d26c49
SHA1 hash:
4ddce3004bbf7b8dbfc5e0132a9d161c617fa586
Link:
https://www.unpac.me/results/3ec75e26-0f44-4dbe-8aae-e286bb99c7c9/
Malware family:
QBot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/733f62a7ae71/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/733f62a7ae7143b691882913468a375a18fb8e5b778301db590e6a9184e92b9d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:QakBot
Create hunting rule
Author:kevoreilly
Description:QakBot Payload
Rule name:unpacked_qbot
Create hunting rule
Description:Detects unpacked or memory-dumped QBot samples
Rule name:win_qakbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/282252/

Comments