MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7d9d70bdc53de103086dfc901004cfa2dc93fb25fb5c40109b63ba071107e40a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7d9d70bdc53de103086dfc901004cfa2dc93fb25fb5c40109b63ba071107e40a
SHA3-384 hash: c5713abf283e2a2828f9a9cc913bf1f4f3fff555102b0674d4945b39196812feacc321db04f2ed89dffbc51a707d2f67
SHA1 hash: 2aa5538a31b7367ced7ce55dbf68c93490f7eff9
MD5 hash: 0d34c7cc649e41ed139210cff4f0f6b2
humanhash: earth-kentucky-iowa-rugby
File name:usurpers.dat
Download: download sample
Signature Quakbot
Create hunting rule
File size:761'344 bytes
First seen:2022-10-05 22:19:32 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 9fc5700f82859d524c68c279be8dc005 (11 x Quakbot)
ssdeep 12288:zxnt9hlMvNICAY0KEkAOl7G79zEXjGOyw3MW:tt9+JFEkAmG0j26M
Threatray 1'473 similar samples on MalwareBazaar
TLSH T164F4AF33A2E14877D1621A7CDD3B636C94267D003B2CE94B7FE41D4D9F3A680366A297
TrID 47.6% (.EXE) Win32 Executable Delphi generic (14182/79/4)
15.1% (.EXE) Win32 Executable (generic) (4505/5/1)
10.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter pr0xylife
Tags:dll obama209 Qakbot Quakbot

Intelligence

File Origin
# of uploads :
1
# of downloads :
294
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/317039/
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Launching a process
Searching for synchronization primitives
Modifying an executable file
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger
Link:
https://www.filescan.io/uploads/633e0317d089a0c15dd561a2/reports/13bb1976-801d-4b5d-bf8f-cb09074ef1b3/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3015efab-8647-4162-a49d-329acdbd5d49
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7d9d70bdc53de103086dfc901004cfa2dc93fb25fb5c40109b63ba071107e40a/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-10-05 22:20:12 UTC
File Type:
PE (Dll)
Extracted files:
38
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pwoxbpofhxqqgcdn7sibabgpulojh6zf7noeaee3mo5aoeih4qfa._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
305a3a87057732de16ae881a69182e79a84d5c5054d038e1c1cab3de4518c25c
Quakbot
470754664a7e32f09d0ce3b5d17446aaaa9363f3d4d387fe272e2435851a351e
Quakbot
595161418d4eae727175da894f9b6f3ec849834b79bc0162106943044fa01135
Quakbot
7777f5f15907b512286ed4758a02048a6674ad1b3d5056b866c4c823807dc6fc
Quakbot
9e51a1d3598dfbd7ad11f96be2947550e64fe2e1c3a31ebf4b3bc79b9e85f86b
Quakbot
ca28afeff6dbf19c01cfda321ebebaaee91861a29202d9a1c15809cb398326ed
Quakbot
cb786f48cda7665e5dd07e80672e0c5facb6b6300335561327b95e58029ea376
Quakbot
e59e68973ee13a5a7525e73e48d6837ab85c9c3b129fb8df9b9519c6b3eba472
Quakbot
ea28be72dc6fda30d9e33a1a805d3dd95b88904804cb806dc39b5129e1bbd3a2
Quakbot
efd8c729d110e2374f5b445d501162fb8d798611aff72608e8bf86efaf092486
Quakbot
+ 1'463 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot banker stealer trojan
Link:
https://tria.ge/reports/221005-183btsgahm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Program crash
Qakbot/Qbot
Malware Config
C2 Extraction:
156.36.22.250:12263
73.225.210.175:40922
19.138.81.187:38748
191.101.43.136:10968
145.20.244.169:39814
74.30.254.35:15530
138.94.26.23:49965
218.175.98.133:15428
181.245.40.43:1982
24.10.174.212:30807
253.219.195.173:1546
51.182.7.163:21304
191.68.117.56:28754
246.29.132.217:16625
149.181.112.217:33637
136.20.21.112:41199
80.65.15.199:35765
0.222.227.111:63041
209.240.1.52:53226
66.57.60.202:19263
204.187.37.185:59783
177.172.2.9:36791
98.78.50.99:11939
11.5.197.37:32044
75.234.214.212:7741
49.66.110.196:42474
97.107.137.246:58239
0.141.208.192:39992
185.156.9.78:29812
219.151.188.60:3622
28.86.80.9:6038
138.226.185.49:25801
99.128.65.72:12277
90.175.231.93:54035
198.125.102.127:36652
148.215.17.55:16834
211.255.222.125:38939
198.140.91.23:0
15.114.17.14:1442
56.9.100.20:53368
88.117.146.12:40265
200.215.143.195:52771
134.133.152.217:5132
227.189.195.57:42370
76.219.151.168:17454
17.1.24.235:65225
217.27.142.33:46036
13.16.220.0:0
Unpacked files
SH256 hash:
d7acf348906ff2c99c0aece101ae5a584c976a807c6eb7eee9895211a3342b1e
MD5 hash:
d844605cc0854b06a1e14f41d0ec4f85
SHA1 hash:
ea3c6ddc54d03ab7feddef4e1d3fd198008b0a28
Link:
https://www.unpac.me/results/9e0803b4-3ca5-4303-92c1-4e34c249e5b1/
SH256 hash:
37ee19eaf0a3e1dee88152c3ba0673c6994e14648e381aba725e40e94337da86
MD5 hash:
0237cae59e3d959378452902faa2ccf8
SHA1 hash:
66ef4362f632fa43ac9d00107c5563b073bf9b03
Detections:
Qakbot
Create hunting rule
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/9e0803b4-3ca5-4303-92c1-4e34c249e5b1/
Parent samples :
efd8c729d110e2374f5b445d501162fb8d798611aff72608e8bf86efaf092486
7777f5f15907b512286ed4758a02048a6674ad1b3d5056b866c4c823807dc6fc
305a3a87057732de16ae881a69182e79a84d5c5054d038e1c1cab3de4518c25c
7d9d70bdc53de103086dfc901004cfa2dc93fb25fb5c40109b63ba071107e40a
3342af99da4de649883731204304827d019dcb215a150d090c7f6dfef7bf4b91
83cff7b2be5afc02e034ba8bd454b50796d17bca904256821511413d3e67dc43
a4fc56488ac87078bc117c3ece094d50807f307033f1ae2af582e2b8f36c329e
SH256 hash:
7d9d70bdc53de103086dfc901004cfa2dc93fb25fb5c40109b63ba071107e40a
MD5 hash:
0d34c7cc649e41ed139210cff4f0f6b2
SHA1 hash:
2aa5538a31b7367ced7ce55dbf68c93490f7eff9
Link:
https://www.unpac.me/results/9e0803b4-3ca5-4303-92c1-4e34c249e5b1/
Malware family:
QBot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7d9d70bdc53d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.86
Link:
https://yomi.yoroi.company/submissions/7d9d70bdc53de103086dfc901004cfa2dc93fb25fb5c40109b63ba071107e40a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:QakBot
Create hunting rule
Author:kevoreilly
Description:QakBot Payload
Rule name:unpacked_qbot
Create hunting rule
Description:Detects unpacked or memory-dumped QBot samples
Rule name:win_qakbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.
Rule name:win_qakbot_malped
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/317039/

Comments