MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 73e9c07b6422fb135f06e0660b24a08be7d5bfe5b77d2b9f0096f8d03af52876. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 13

Intelligence 13 IOCs YARA 1 File information Comments

SHA256 hash:	73e9c07b6422fb135f06e0660b24a08be7d5bfe5b77d2b9f0096f8d03af52876
SHA3-384 hash:	6264685f5ccb0d12c185ade2db065e3a3552e2ab220bba5d23cdffe3010232703d9318a93fbda6105170cf59430ae6e2
SHA1 hash:	7da9c4a62c742ff5a854ef4fbbaa11e3447e0c97
MD5 hash:	21fde02f02280fdad7cd446c8bf600c7
humanhash:	mobile-tennessee-black-dakota
File name:	73e9c07b6422fb135f06e0660b24a08be7d5bfe5b77d2b9f0096f8d03af52876
Download:	download sample
Signature	Quakbot Create hunting rule
File size:	612'680 bytes
First seen:	2022-09-08 13:40:06 UTC
Last seen:	Never
File type:	dll
MIME type:	application/x-dosexec
imphash	0d971731f29ea2e5723c4a2414a00dce (2 x Quakbot)
ssdeep	12288:czF6eBVYHBQ3DvlYuZ+wNTYyujPt5ABJXT+gb:Oo1HBuKuja1D4XTv
Threatray	1'348 similar samples on MalwareBazaar
TLSH	T12FD49E23E2E04837D377167C9D1B67ACA8367E512A38A8562BF41D486F3D2C0357A397
TrID	47.6% (.EXE) Win32 Executable Delphi generic (14182/79/4) 15.1% (.EXE) Win32 Executable (generic) (4505/5/1) 10.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1) 6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23) 6.8% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter	pr0xylife
Tags:	dll Qakbot Quakbot snow01

Intelligence

File Origin

# of uploads :

# of downloads :

293

Origin country :

n/a

Vendor Threat Intelligence

Detection:

QakBot

Link:

https://www.capesandbox.com/analysis/308787/

Detection(s):

SecuriteInfo.com.Variant.Zusy.436841.5149.30451.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Searching for synchronization primitives

Sending a custom TCP request

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

greyware keylogger overlay packed

Link:

https://www.filescan.io/uploads/6319f0c0d06d9bc4c7ac39fb/reports/f9988140-a18c-4cd9-a685-36abf497baf2/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Qakbot

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/07fe77bc-0ccc-4019-ab07-9e4a44ec8750

Result

Threat name:

CryptOne, Qbot

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1067155

Signature

Allocates memory in foreign processes

Contains functionality to detect sleep reduction / modifications

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected CryptOne packer

Yara detected Qbot

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/73e9c07b6422fb135f06e0660b24a08be7d5bfe5b77d2b9f0096f8d03af52876/

Threat name:

Win32.Backdoor.Quakbot

Status:

Malicious

First seen:

2022-09-07 02:35:54 UTC

File Type:

PE (Dll)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=opu4a63eel5rgxyg4btawjfarpt5lp7fw56sxhyas34naoxvfb3a._file

Verdict:

malicious

Label(s):

qakbot

Quakbot

4f13d35180b85261aa49bd280ae52c6ff501fcc224ecd8ff729697337e14ce14

Quakbot

5fe5acb2467c0b99e0bc07c7c661af29ab23da9388e356b0c6fb64037debe7a4

Quakbot

7d436b6200af103cb2fba472e95972dfb5475feb65d485720d0c547ca00c2547

Quakbot

a5a163e436995c01536396d65e775a72250b63e4c16ea59283e04fb609d248b1

Quakbot

c0ba083bff21c52e20f97ffb1d20ada082e328d6a4f5561c10f4944f9187d375

Quakbot

dcd14c38adfeaf976dbf3aacce00d5e664e007fd3ad4b3d4f6d603be8ae4d92d

Quakbot

e022362a9fde5b81a08295892822bc21ece364fa7e1adef735ca1c9a7e50cd64

Quakbot

+ 1'338 additional samples on MalwareBazaar

Result

Malware family:

qakbot

Score:

10/10

Tags:

family:qakbot botnet:snow01 campaign:1662453469 banker stealer trojan

Link:

https://tria.ge/reports/220908-qykc6aefg3/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Program crash

Qakbot/Qbot

Malware Config

C2 Extraction:

200.161.62.126:32101
217.165.68.122:993
99.232.140.205:2222
81.131.161.131:2078
89.211.179.14:2222
186.64.87.202:443
197.94.210.133:443
193.3.19.37:443
37.210.148.30:995
200.100.55.252:32101
70.51.153.182:2222
120.150.218.241:995
173.189.167.21:995
24.139.72.117:443
104.34.212.7:32103
47.23.89.61:995
24.55.67.176:443
172.115.177.204:2222
217.165.77.134:995
24.178.196.158:2222
67.209.195.198:443
111.125.245.116:995
39.49.67.4:995
78.101.202.75:50010
37.34.253.233:443
217.165.77.134:443
46.107.48.202:443
70.46.220.114:443
63.143.92.99:995
93.48.80.198:995
179.158.103.236:443
47.180.172.159:443
47.23.89.61:993
72.252.157.93:995
182.191.92.203:995
187.172.230.151:443
72.252.157.93:990
24.158.23.166:995
32.221.224.140:995
41.84.238.19:443
41.228.22.180:443
197.167.27.20:993
45.46.53.140:2222
47.156.129.52:443
148.64.96.100:443
63.143.92.99:443
173.21.10.71:2222
66.230.104.103:443
76.25.142.196:443
100.38.242.113:995
208.107.221.224:443
197.89.12.179:443
39.44.34.119:995
196.203.37.215:80
39.57.40.50:995
117.248.109.38:21
121.7.223.38:2222
85.104.122.231:443
118.172.249.102:443
1.161.70.129:443
39.52.28.146:995
188.136.218.20:61202
212.70.96.76:995
1.161.70.129:995
174.69.215.101:443
69.14.172.24:443
86.213.191.206:2078
176.45.233.14:995
82.41.63.217:443
67.69.166.79:2222
217.164.237.54:2222
217.164.121.130:1194
39.41.114.133:995
100.38.242.113:443
120.61.3.17:443
101.50.120.124:995
217.128.122.65:2222
217.128.122.65:443
88.227.46.238:443
223.229.136.61:443
72.252.157.93:993
76.185.151.214:443
2.34.12.8:443
157.51.47.233:50001

Unpacked files

SH256 hash:

363e8aeeef77851e1be86bdcc8af516314675528749f7f61d59e8f236a796347

MD5 hash:

5da12a670df36a42fc92eb6419c5493f

SHA1 hash:

cf80430d75a5a9694e542a6dae106869c720de06

Link:

https://www.unpac.me/results/e873648c-a862-46a2-aec5-8ac6c3b1fc15/

SH256 hash:

23d77f1405b6abc69458d6953c8376650ffeca26f7f95ef32db9a58271fd2bd3

MD5 hash:

3e86ac10b4e7d818e0f410130bb7f237

SHA1 hash:

8977a9178b40819a53df36bc37be64f1b1ae1105

Detections:

win_qakbot_auto

Link:

https://www.unpac.me/results/e873648c-a862-46a2-aec5-8ac6c3b1fc15/

Parent samples :

4f13d35180b85261aa49bd280ae52c6ff501fcc224ecd8ff729697337e14ce14
73e9c07b6422fb135f06e0660b24a08be7d5bfe5b77d2b9f0096f8d03af52876
e0accb4407df08ec103be2d05017a3f3b37459c0784f9feb4eaf50122bfcd80e

SH256 hash:

73e9c07b6422fb135f06e0660b24a08be7d5bfe5b77d2b9f0096f8d03af52876

MD5 hash:

21fde02f02280fdad7cd446c8bf600c7

SHA1 hash:

7da9c4a62c742ff5a854ef4fbbaa11e3447e0c97

Link:

https://www.unpac.me/results/e873648c-a862-46a2-aec5-8ac6c3b1fc15/

Malware family:

QBot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/73e9c07b6422/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/73e9c07b6422fb135f06e0660b24a08be7d5bfe5b77d2b9f0096f8d03af52876

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/308787/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample