MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 799b7a01e7941fa8baf90b3bc4c6397ca2974429b835949540b0b88162f4fc81. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Quakbot


Vendor detections: 15



SHA256 hash: 799b7a01e7941fa8baf90b3bc4c6397ca2974429b835949540b0b88162f4fc81
SHA3-384 hash: 2ee29a0a40f4f2ce5283fcf3dbdc891b56c6e6b44b89f4ae7ca9872518e060534dc4a6612a3fd8e3d4ea18cb8c45d9fb
SHA1 hash: 19434176868e295ae703d60e61751d9f755831bd
MD5 hash: 7f848e8045da39b62f447cfefcfbc4d0
humanhash: high-don-steak-carpet
File name: disprovable.dll
Signature Quakbot
File size: 712'192 bytes
First seen: 2023-11-28 09:16:19 UTC
Last seen: Never
File type: DLL dll
MIME type: application/x-dosexec
imphash 8f9af0fd00f491491f9ecd72ef59a9a6 (8 x Quakbot)
ssdeep 12288:nieL1vc1PdFjpmw5qS6xnGWPE/N285UT+QD1lNMA:i81IFnqnPEl5w9M
Threatray 1'113 similar samples on MalwareBazaar
TLSH T143E49E26B3D08477C272263C9C3B97A8A8357D112F29594B3FE81E4D5F396813A76393
TrID 52.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
16.8% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
7.5% (.EXE) OS/2 Executable (generic) (2029/13)
7.4% (.EXE) Generic Win/DOS Executable (2002/3)
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter martinbayard
Tags: dll qbot Quakbot

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 398
Origin country: BE
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a window
Launching a process
Searching for synchronization primitives
Modifying an executable file
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
control greyware hook keylogger lolbin replace
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
CryptOne, Qbot
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected CryptOne packer
Yara detected Qbot
Behaviour
Behavior Graph:
[Behavior graph image not reproduced] Behavior Graph ID: 1349164, Sample: disprovable.dll, Startdate: 28/11/2023, Architecture: WINDOWS, Score: 100. Process chain shown in the graph: loaddll32.exe and regsvr32.exe start wermgr.exe, cmd.exe and conhost.exe; wermgr.exe starts further regsvr32.exe instances, cmd.exe starts rundll32.exe, and rundll32.exe starts WerFault.exe. Files dropped: C:\Users\user\Desktop\disprovable.dll (PE32), C:\Users\...\sgrpzqkltiqkex.dll.-98556130 (PE32), C:\Users\user\AppData\...\sgrpzqkltiqkex.dll (PE32). Network contacts shown: 102.38.97.229 (South Africa), 190.44.40.48 (Chile), 187.150.143.159:443 (Mexico), 72.88.245.71:443 (United States) plus other IPs or domains.
Threat name:
Win32.Backdoor.Quakbot
Status:
Malicious
First seen:
2023-11-28 09:17:05 UTC
File Type:
PE (Dll)
Extracted files:
38
AV detection:
21 of 23 (91.30%)
Threat level:
5/5
Result
Malware family:
Score:
10/10
Tags:
family:qakbot botnet:obama207 campaign:1664363417 banker stealer trojan
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Qakbot/Qbot
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash:
bcf1ddb027e6146b19d0a9929daa3a6967ab76514d35cac3703bcd895f57ede0
MD5 hash:
21c5947375a9ca056bebb8d8518c396f
SHA1 hash:
288435c8261e1ca20cee3614260eb1eddfe3fd49
SHA256 hash:
799b7a01e7941fa8baf90b3bc4c6397ca2974429b835949540b0b88162f4fc81
MD5 hash:
7f848e8045da39b62f447cfefcfbc4d0
SHA1 hash:
19434176868e295ae703d60e61751d9f755831bd
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Borland
Author: malware-lu
Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: MAL_QakBot_ConfigExtraction_Feb23
Author: kevoreilly
Description: QakBot Config Extraction
Reference: https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar
Rule name: meth_get_eip
Author: Willi Ballenthin
Rule name: meth_stackstrings
Author: Willi Ballenthin
Rule name: QakBot
Author: kevoreilly
Description: QakBot Payload
Rule name: qakbot_api_hashing
Author: @Embee_Research
Reference: https://twitter.com/embee_research/status/1592067841154756610
Rule name: qakbot_string_decrypt
Author: Embee_Research @ Huntress
Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants
Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns
Rule name: unpacked_qbot
Description: Detects unpacked or memory-dumped QBot samples
Rule name: Windows_Trojan_Qbot_1ac22a26
Author: Elastic Security
Rule name: Windows_Trojan_Qbot_3074a8d4
Author: Elastic Security
Rule name: Windows_Trojan_Qbot_92c67a6d
Author: Elastic Security
Rule name: win_qakbot_api_hashing_oct_2022
Author: @Embee_Research
Reference: https://twitter.com/embee_research/status/1592067841154756610
Rule name: win_qakbot_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.qakbot.
Rule name: win_qakbot_malped
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.qakbot.
Rule name: win_qakbot_string_decrypt_nov_2022
Author: Embee_Research @ Huntress

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments