MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 80556052a05684ca0f8729c182aa3a48abb040fe5e358b6f67833b52dbd1c172. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 11


Intelligence 11 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 80556052a05684ca0f8729c182aa3a48abb040fe5e358b6f67833b52dbd1c172
SHA3-384 hash: 1b4a9888c7e986b6c6de5e9773f9e052d516cf9b27c48dd327dea24198c5df90de8daad5caf759cb3bda19809d43ca8e
SHA1 hash: e291ce3f2496a72851270c05ffb43017827453c3
MD5 hash: d2b373df1eb012c206269049e636d26f
humanhash: hotel-edward-colorado-don
File name:pots.dat
Download: download sample
Signature Quakbot
Create hunting rule
File size:1'465'856 bytes
First seen:2022-10-10 12:56:38 UTC
Last seen:2022-10-11 10:48:30 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 785da9c54c1d786e59e79db4a3337c6b (2 x Quakbot)
ssdeep 12288:YYKepSeIUqeXPwyITtxGvvVeHTe7ezGNTTYmRs867u0iROkDQSpu8ahK+UfxEeEK:BLo2ftMzeaKYKu7u0i9wofxEaz32w
Threatray 1'507 similar samples on MalwareBazaar
TLSH T1DA656C22BE9E8872C57B1A38AC3B6258543A7D203F34585B6BF50D0CCF36B817D5529B
TrID 62.7% (.EXE) InstallShield setup (43053/19/16)
14.5% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
6.5% (.EXE) Win32 Executable (generic) (4505/5/1)
4.3% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
3.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter pr0xylife
Tags:dll Qakbot Quakbot

Intelligence

File Origin
# of uploads :
6
# of downloads :
217
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/318408/
Detection(s):
SecuriteInfo.com.Win32.Malware-gen.31349.13882.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Launching a process
Searching for synchronization primitives
Modifying an executable file
Sending a custom TCP request
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware keylogger
Link:
https://www.filescan.io/uploads/634416a1b321c2e8ff63d2e9/reports/a589faac-ccf5-41cf-9556-5c66d30e1b91/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6bfec0e6-8c6e-4d97-a326-76b437f436c3
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1086907
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 719474 Sample: mattering.dat Startdate: 10/10/2022 Architecture: WINDOWS Score: 72 25 Multi AV Scanner detection for submitted file 2->25 27 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->27 8 loaddll32.exe 1 2->8         started        process3 signatures4 31 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->31 33 Writes to foreign memory regions 8->33 35 Allocates memory in foreign processes 8->35 37 Maps a DLL or memory area into another process 8->37 11 cmd.exe 1 8->11         started        13 wermgr.exe 8 1 8->13         started        16 conhost.exe 8->16         started        process5 file6 18 rundll32.exe 11->18         started        23 C:\Users\user\Desktop\mattering.dll, PE32 13->23 dropped process7 signatures8 29 Contains functionality to detect sleep reduction / modifications 18->29 21 WerFault.exe 23 9 18->21         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/80556052a05684ca0f8729c182aa3a48abb040fe5e358b6f67833b52dbd1c172/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-10-10 12:57:15 UTC
File Type:
PE (Dll)
Extracted files:
140
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qbkwauvak2cmud4hfhayfkr2jcv3aqh6ly2yw33hqm5vfw6ryfza._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
051eda78705b38dc1577ef8ea4e972990d32ca7b39b4981127b2e4221d110f2a
Quakbot
470754664a7e32f09d0ce3b5d17446aaaa9363f3d4d387fe272e2435851a351e
Quakbot
7777f5f15907b512286ed4758a02048a6674ad1b3d5056b866c4c823807dc6fc
Quakbot
95f6e67cb136c2e2b798835a017b80d0979cb526121bfb89d89977d2d69fee0a
Quakbot
efd8c729d110e2374f5b445d501162fb8d798611aff72608e8bf86efaf092486
Quakbot
fd18b58235e50379b775cc3cbabdc8df599e71f787b2d286281999c24ecc18f8
Quakbot
+ 1'497 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/221010-p6xg1sbgh9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
4bcbd9adb18fa1c775009fca9fb04ecb79dda76e2a2463ecc661717d8c613662
MD5 hash:
ce2de6bcb6741470ef434ca139df30e2
SHA1 hash:
d5c9828c793e6066919b8c88161bb9d80ecc5024
Link:
https://www.unpac.me/results/7052b468-455e-4ba9-91af-7c23d1c3f8a5/
SH256 hash:
0744dd3a470b3e8db9857517a58cdde40915a88b132a25cecc3642575f6c6471
MD5 hash:
ebf242b9e6021d2df4799311fb1b5f52
SHA1 hash:
658f746a33bd5ae75b139e57b0a84002dbaad6d3
Detections:
Qakbot
Create hunting rule
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/7052b468-455e-4ba9-91af-7c23d1c3f8a5/
SH256 hash:
80556052a05684ca0f8729c182aa3a48abb040fe5e358b6f67833b52dbd1c172
MD5 hash:
d2b373df1eb012c206269049e636d26f
SHA1 hash:
e291ce3f2496a72851270c05ffb43017827453c3
Link:
https://www.unpac.me/results/7052b468-455e-4ba9-91af-7c23d1c3f8a5/
Malware family:
CryptOne
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/80556052a056/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.86
Link:
https://yomi.yoroi.company/submissions/80556052a05684ca0f8729c182aa3a48abb040fe5e358b6f67833b52dbd1c172

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:QakBot
Create hunting rule
Author:kevoreilly
Description:QakBot Payload
Rule name:unpacked_qbot
Create hunting rule
Description:Detects unpacked or memory-dumped QBot samples
Rule name:win_qakbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.
Rule name:win_qakbot_malped
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/318408/

Comments