MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 765238af5901e400e41bd70e0f67e772f77ef290caf6bdf448bda970ebe62dfd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 6

Intelligence 6 IOCs YARA 10 File information Comments

SHA256 hash:	765238af5901e400e41bd70e0f67e772f77ef290caf6bdf448bda970ebe62dfd
SHA3-384 hash:	04ba142815eb07ebb7c0b6389b483d583a597746faac53f9514fd133578a49eb6a3aa1c933a5f35f52a789a59462f476
SHA1 hash:	d26d342727c05253ff74d772bb742e9884f953ad
MD5 hash:	f9552781ddf9912e504dea3924d95c29
humanhash:	avocado-tennessee-north-washington
File name:	Postcard#2542.iso
Download:	download sample
Signature	Quakbot Create hunting rule
File size:	931'840 bytes
First seen:	2022-09-30 10:37:37 UTC
Last seen:	Never
File type:	iso
MIME type:	application/x-iso9660-image
ssdeep	12288:+gzbVZi2QWig2MHuNyRncmIETn8cxvOBOYHHbwBOcIOrDgHHH:hzggrz6mJTnR+HHbwhDgHHH
TLSH	T1F415C007B2404172F465023026DDA691F76AAC34272059EB7BDD3B6D2F336D58B37AB8
TrID	99.4% (.NULL) null bytes (2048000/1) 0.2% (.ISO) ISO 9660 CD image (5100/59/2) 0.2% (.ATN) Photoshop Action (5007/6/1) 0.0% (.BIN/MACBIN) MacBinary 1 (1033/5) 0.0% (.ABR) Adobe PhotoShop Brush (1002/3)
Reporter	pr0xylife
Tags:	1664437404 BB iso Qakbot Quakbot

Intelligence

File Origin

# of uploads :

# of downloads :

322

Origin country :

n/a

File Archive Information

This file archive contains 11 file(s), sorted by their relevance:

File name:	croaks.db
File size:	608'256 bytes
SHA256 hash:	af1692ced38f5fda305b35be66774822900a0b9617102db4b3da5f7c97f70e3e
MD5 hash:	3dc3f269b9a89b2d7ea8249d4644a900
MIME type:	application/x-dosexec
Signature	Quakbot

File name:	107.bmp
File size:	200'110 bytes
SHA256 hash:	3ddfcc3e4bf4adb7a10e09b6dcf61f4b563bf97597e393c26de839bb309f81e5
MD5 hash:	62a1c3dbe11b7d91da9c1a27ffef2e5b
MIME type:	image/bmp
Signature	Quakbot

File name:	jesuits.png
File size:	63'202 bytes
SHA256 hash:	cc8a702f716896a266e0829b4b5859aba836503f993feea80f21412bcd5916ad
MD5 hash:	515ace72481bb19f78ec302f093ad298
MIME type:	image/png
Signature	Quakbot

File name:	reserved.txt
File size:	107'334 bytes
SHA256 hash:	1d25bfa712a5fc2f0ce29104a23737deec83df9fe77b9bc68872e4151389b4d5
MD5 hash:	5d1dec1c0a66a2b311d7acae810d1bed
MIME type:	text/plain
Signature	Quakbot

File name:	2
File size:	381 bytes
SHA256 hash:	4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df
MD5 hash:	1e4a89b11eae0fcf8bb5fdd5ec3b6f61
MIME type:	text/xml
Signature	Quakbot

File name:	106.bmp
File size:	54'654 bytes
SHA256 hash:	580ad649a048c18c6c418017b781aadca58bccd7c2a2d7db60b688df05ecff42
MD5 hash:	5312601767cf1abdb277492fd0e2f0c2
MIME type:	image/bmp
Signature	Quakbot

File name:	disbarredJudgeship.js
File size:	229 bytes
SHA256 hash:	15587d750be6981b98f00df933f19a7b02e221c0f5d38d8fcc75f9d83e15c22b
MD5 hash:	0c5fffec1e8aa036ac664972ee2a5e19
MIME type:	text/plain
Signature	Quakbot

File name:	firs.jpg
File size:	75'407 bytes
SHA256 hash:	bd4aeb32896976c25d35bbc49df4b0d195c8066bfaf88f5384cbba491b254583
MD5 hash:	c1702ce948a4c05f06c896648a1893a0
MIME type:	image/jpeg
Signature	Quakbot

File name:	flounderingCores.cmd
File size:	111 bytes
SHA256 hash:	8b95f14a04e8337f3c0d9c8b84b5cbab66e8ed71b3bb24277b72bec64fd8cf66
MD5 hash:	e284b60daf806c0709445f11c49f294e
MIME type:	text/x-msdos-batch
Signature	Quakbot

File name:	dishonors.gif
File size:	8'291 bytes
SHA256 hash:	c8ecc9e67deeefef6948cdc8ca81a23a1fbb903a2390cb3bfa0978b7e4927867
MD5 hash:	651f5ee1504abf413f6fe060b7de425b
MIME type:	image/gif
Signature	Quakbot

File name:	Postcards.lnk
File size:	1'269 bytes
SHA256 hash:	ec64aa131d20e762fdc61055121c872e96fd163aa40c6f477255f01a256f9b20
MD5 hash:	1d4df8edae1edefb8c15e76fca459b70
MIME type:	application/octet-stream
Signature	Quakbot

Vendor Threat Intelligence

Detection(s):

TwinWave.EvilLNK.Guinnesses.20220719.UNOFFICIAL

Verdict:

No Threat

Threat level:

10/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/6336c70d99fe0d0e18e809b4/reports/6febfc04-174e-476f-8f54-fda71ac1dc50/overview

Result

Verdict:

MALICIOUS

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/765238af5901e400e41bd70e0f67e772f77ef290caf6bdf448bda970ebe62dfd/

Threat name:

Win32.Infostealer.QBot

Status:

Malicious

First seen:

2022-09-30 10:38:24 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

6 of 41 (14.63%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ozjdrl2zahsabza324ha6z7hol3x54uqzl3l35cixwuxb27gfx6q._file

Result

Malware family:

qakbot

Score:

10/10

Tags:

family:qakbot botnet:bb campaign:1664437404 banker stealer trojan

Link:

https://tria.ge/reports/220930-mpdmgadcf9/

Behaviour

Enumerates physical storage devices

Malware Config

C2 Extraction:

113.180.55.111:443
58.186.75.42:443
105.184.56.118:995
196.206.133.114:995
80.253.189.55:443
193.3.19.137:443
41.104.80.233:443
49.205.197.13:443
186.81.122.168:443
216.238.83.82:443
216.238.83.82:995
39.44.5.104:995
196.207.146.151:443
216.238.108.61:995
139.84.167.18:995
139.84.167.18:443
216.238.108.61:443
149.28.38.16:995
134.35.12.30:443
131.100.40.13:995
102.189.184.12:995
103.173.121.17:443
102.190.190.242:995
85.86.242.245:443
73.252.27.208:995
41.99.57.148:443
197.120.66.183:995
186.90.144.235:2222
197.49.45.244:995
186.50.137.148:995
181.177.156.209:443
177.45.78.52:993
86.196.181.62:2222
197.203.50.195:443
89.187.169.77:443

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/765238af5901e400e41bd70e0f67e772f77ef290caf6bdf448bda970ebe62dfd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	EXE_in_LNK Create hunting rule
Author:	@bartblaze
Description:	Identifies executable artefacts in shortcut (LNK) files.

Rule name:	iso_lnk Create hunting rule
Author:	tdawg

Rule name:	Long_RelativePath_LNK Create hunting rule
Author:	@bartblaze
Description:	Identifies shortcut (LNK) file with a long relative path. Might be used in an attempt to hide the path.

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	QakBot Create hunting rule
Author:	kevoreilly
Description:	QakBot Payload

Rule name:	Script_in_LNK Create hunting rule
Author:	@bartblaze
Description:	Identifies scripting artefacts in shortcut (LNK) files.

Rule name:	unpacked_qbot Create hunting rule
Description:	Detects unpacked or memory-dumped QBot samples

Rule name:	win_qakbot_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.qakbot.

Rule name:	win_qakbot_malped Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample