MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8336fd87d8f73297e6cf420ad1d3cbb980c0d238b10e08da07edb5ae43585274. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8336fd87d8f73297e6cf420ad1d3cbb980c0d238b10e08da07edb5ae43585274
SHA3-384 hash: b32a51964bbad94e99a7ad9370f0b5538481c1bffd80b03636d459ed4b62f7bdbad0e1142e1127dfd3c1362b95b64508
SHA1 hash: de1fba1f84b4853aee34748f3f81bfc5edbb5b01
MD5 hash: e72ceac9cf33723774963b1b3c2a59e5
humanhash: finch-bakerloo-sink-social
File name:tittle.dat
Download: download sample
Signature Quakbot
Create hunting rule
File size:666'112 bytes
First seen:2022-10-03 22:18:01 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash c55a71db2a0604f1aa6e10d072ecdaf3 (6 x Quakbot)
ssdeep 12288:e04qh9jnmGxBGex5ikJdspJRtsdi21LcVUK:ayjn5PyVWdR1L/K
Threatray 1'453 similar samples on MalwareBazaar
TLSH T115E44B05B657C030DA6851B32869BBB592BCBC35D6780FDB77D04F26DA111EB3828F29
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4505/5/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter pr0xylife
Tags:dll obama208 Qakbot Quakbot

Intelligence

File Origin
# of uploads :
1
# of downloads :
264
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/316248/
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Searching for synchronization primitives
Modifying an executable file
Creating a window
Sending a custom TCP request
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/633b5f9d5c60ccc9fcff24b2/reports/c5a2e388-c2f0-49b1-b701-b66a4d3a55d1/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8c3fa96a-f3fe-43b0-b9b4-d91de0964c15
Result
Threat name:
Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1082842
Signature
Allocates memory in foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Execute DLL with spoofed extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 715399 Sample: tittle.dat.dll Startdate: 04/10/2022 Architecture: WINDOWS Score: 96 34 Malicious sample detected (through community Yara rule) 2->34 36 Multi AV Scanner detection for submitted file 2->36 38 Yara detected Qbot 2->38 40 3 other signatures 2->40 8 loaddll32.exe 1 2->8         started        process3 signatures4 50 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->50 52 Writes to foreign memory regions 8->52 54 Allocates memory in foreign processes 8->54 56 Maps a DLL or memory area into another process 8->56 11 rundll32.exe 8->11         started        14 cmd.exe 1 8->14         started        16 regsvr32.exe 8->16         started        18 4 other processes 8->18 process5 signatures6 58 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 11->58 60 Writes to foreign memory regions 11->60 62 Allocates memory in foreign processes 11->62 20 wermgr.exe 8 1 11->20         started        23 rundll32.exe 14->23         started        64 Maps a DLL or memory area into another process 16->64 26 wermgr.exe 16->26         started        28 WerFault.exe 23 9 18->28         started        process7 file8 32 C:\Users\user\Desktop\tittle.dat.dll, PE32 20->32 dropped 42 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 23->42 44 Writes to foreign memory regions 23->44 46 Allocates memory in foreign processes 23->46 48 Maps a DLL or memory area into another process 23->48 30 wermgr.exe 23->30         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8336fd87d8f73297e6cf420ad1d3cbb980c0d238b10e08da07edb5ae43585274/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-10-03 22:18:56 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
11 of 26 (42.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qm3p3b6y64zjpzwpiifndu6lxgamburyweharwqh5w224q2ykj2a._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
1965dc57456d4fc01b6ce0f242d80776fe08a16354e6177255cba618348355ac
Quakbot
1abc2fb23f55378947bf528996b50ffed195a059d5f7b537271792704eb5cd4c
Quakbot
27fbfb86936343fc18bb61811401c96c052ecdff080da3bdb403545d55cf2b2a
Quakbot
5b54f57dbaa74fa589afb2d26d6c6b39e0c2930bd88fea3172556ce96b3eb959
Quakbot
e3a2c056c730666fedabfed5e3cc2dee12d9c3ca36ac2d7c5289cfe29c125050
Quakbot
e91f4205e8fa14ac9acd4b6cf9a54e2fa8b3901e619e18b3fa22188ef1ddeaff
Quakbot
ee334c9cc092acc0ba59caa04044b54ffe56bbdae54c74a561f837584cc08b1c
Quakbot
+ 1'443 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot banker stealer trojan
Link:
https://tria.ge/reports/221003-17xpyshhc3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Qakbot/Qbot
Malware Config
C2 Extraction:
70.238.223.142:65113
108.212.133.125:43749
91.204.181.165:28980
227.138.255.213:57594
252.124.102.160:59802
84.56.235.30:702
40.12.38.164:4225
163.55.16.87:6230
235.167.221.218:44172
113.34.86.36:44766
3.198.145.208:34010
194.217.45.198:36220
198.194.188.181:22851
149.133.92.184:61270
135.120.183.211:3151
45.206.222.245:43045
246.179.112.12:64397
88.106.24.76:30867
140.20.244.190:8098
218.91.78.249:2943
110.89.234.27:52593
233.62.189.160:62061
93.214.137.155:32352
92.78.239.242:55631
19.141.217.252:49599
215.33.231.196:64020
102.27.14.119:35457
234.211.168.138:25561
247.37.222.37:38694
156.214.152.71:3158
253.253.176.112:1886
190.202.24.117:42564
26.158.22.4:63550
22.123.250.159:36265
121.252.196.62:49429
220.79.21.161:11114
76.149.82.36:432
170.22.170.33:0
78.116.204.249:27334
32.26.157.231:2190
18.196.211.168:48835
20.143.207.39:26614
129.117.41.161:7982
209.203.201.219:44632
174.59.186.115:33072
88.239.235.151:45186
130.10.116.149:14433
232.176.128.0:0
Unpacked files
SH256 hash:
e9e75c4c91a428c9cb60a7b0e643c6b3f94fe4323f2f7c891fc4313231c6eb85
MD5 hash:
1b1637b5fb51bc1749e7f29eb21df647
SHA1 hash:
66da543a11af21582612a9cbfc8198d346c5ab4b
Link:
https://www.unpac.me/results/0e204546-0bee-46af-a36d-f7dcae39969f/
SH256 hash:
397e13eb715eb52f54c25907dc843ba4815af82d58b359e641b1e0c42dfcaf94
MD5 hash:
ac2aa567c9e4d6b77cbc06bdb0c7f167
SHA1 hash:
539c21d58295b9b1bc89e96815b670e6fa8decda
Detections:
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/0e204546-0bee-46af-a36d-f7dcae39969f/
Parent samples :
8336fd87d8f73297e6cf420ad1d3cbb980c0d238b10e08da07edb5ae43585274
ca28afeff6dbf19c01cfda321ebebaaee91861a29202d9a1c15809cb398326ed
cfc6fef33754e68341ba3c91c6e1d569dda1466c15faeca93f80f2e587dbb079
SH256 hash:
2192eb51335f7c80293170d2e36262746361e7280f898faa20a46688db8d3037
MD5 hash:
7b9ae74a9438e8b592da317f61deb879
SHA1 hash:
78fbc9a739e8f2760aef800fe7ff61fb22af8d0e
Link:
https://www.unpac.me/results/0e204546-0bee-46af-a36d-f7dcae39969f/
SH256 hash:
8336fd87d8f73297e6cf420ad1d3cbb980c0d238b10e08da07edb5ae43585274
MD5 hash:
e72ceac9cf33723774963b1b3c2a59e5
SHA1 hash:
de1fba1f84b4853aee34748f3f81bfc5edbb5b01
Link:
https://www.unpac.me/results/0e204546-0bee-46af-a36d-f7dcae39969f/
Malware family:
QBot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8336fd87d8f7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8336fd87d8f73297e6cf420ad1d3cbb980c0d238b10e08da07edb5ae43585274

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:QakBot
Create hunting rule
Author:kevoreilly
Description:QakBot Payload
Rule name:unpacked_qbot
Create hunting rule
Description:Detects unpacked or memory-dumped QBot samples
Rule name:win_qakbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.
Rule name:win_qakbot_malped
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/316248/

Comments