MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 83cff7b2be5afc02e034ba8bd454b50796d17bca904256821511413d3e67dc43. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 11

Intelligence 11 IOCs YARA 6 File information Comments

SHA256 hash:	83cff7b2be5afc02e034ba8bd454b50796d17bca904256821511413d3e67dc43
SHA3-384 hash:	c631ca3f5f392d3842edf6ac715097209f3033f4c98b07805eba898754e62ccb7bfe0a455c0aa7282e7d5a22e19e6c07
SHA1 hash:	09b5faabf2ae92a30658d562c292870f4757567c
MD5 hash:	a0b857e31c99bb56aec8e393304bfd9b
humanhash:	beer-sweet-virginia-sad
File name:	flash.dll
Download:	download sample
Signature	Quakbot Create hunting rule
File size:	761'344 bytes
First seen:	2022-10-06 13:52:04 UTC
Last seen:	Never
File type:	dll
MIME type:	application/x-dosexec
imphash	9fc5700f82859d524c68c279be8dc005 (11 x Quakbot)
ssdeep	12288:zxnt9hlMvNICAY0KEkAOl7G79bEXjGOyw3MW:tt9+JFEkAmGYj26M
Threatray	1'480 similar samples on MalwareBazaar
TLSH	T1A0F4AF33A2E14877D1621A7CDD3B636C94267D003B2CE94B7FE41D4D9F3A680366A297
TrID	47.6% (.EXE) Win32 Executable Delphi generic (14182/79/4) 15.1% (.EXE) Win32 Executable (generic) (4505/5/1) 10.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1) 6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23) 6.8% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter	Anonymous
Tags:	dll Quakbot

Intelligence

File Origin

# of uploads :

# of downloads :

221

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/317319/

Detection(s):

SecuriteInfo.com.Trojan.GenericKDZ.92637.14343.7164.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Launching a process

Searching for synchronization primitives

Modifying an executable file

DNS request

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

80%

Tags:

keylogger qakbot qbot zusy

Link:

https://www.filescan.io/uploads/633eddc00d3d21420ccaae62/reports/45d1c863-1b3f-4734-831d-dd014485cd4b/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Qakbot

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/19f7229c-d629-4325-ae67-aebab7801896

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/83cff7b2be5afc02e034ba8bd454b50796d17bca904256821511413d3e67dc43/

Threat name:

Win32.Backdoor.Quakbot

Status:

Malicious

First seen:

2022-10-06 13:53:11 UTC

File Type:

PE (Dll)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qph7pmv6ll6afybuxkf5ivfva6lnc66ksbbfnaqvcfat2pth3rbq._file

Verdict:

malicious

Label(s):

qakbot

Result

Malware family:

qakbot

Score:

10/10

Tags:

family:qakbot banker stealer trojan

Link:

https://tria.ge/reports/221006-q6y7aahee4/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Program crash

Qakbot/Qbot

Malware Config

C2 Extraction:

156.36.22.250:12263
73.225.210.175:40922
19.138.81.187:38748
191.101.43.136:10968
145.20.244.169:39814
74.30.254.35:15530
138.94.26.23:49965
218.175.98.133:15428
181.245.40.43:1982
24.10.174.212:30807
253.219.195.173:1546
51.182.7.163:21304
191.68.117.56:28754
246.29.132.217:16625
149.181.112.217:33637
136.20.21.112:41199
80.65.15.199:35765
0.222.227.111:63041
209.240.1.52:53226
66.57.60.202:19263
204.187.37.185:59783
177.172.2.9:36791
98.78.50.99:11939
11.5.197.37:32044
75.234.214.212:7741
49.66.110.196:42474
97.107.137.246:58239
0.141.208.192:39992
185.156.9.78:29812
219.151.188.60:3622
28.86.80.9:6038
138.226.185.49:25801
99.128.65.72:12277
90.175.231.93:54035
198.125.102.127:36652
148.215.17.55:16834
211.255.222.125:38939
198.140.91.23:0
15.114.17.14:1442
56.9.100.20:53368
88.117.146.12:40265
200.215.143.195:52771
134.133.152.217:5132
227.189.195.57:42370
76.219.151.168:17454
17.1.24.235:65225
217.27.142.33:46036
13.16.220.0:0

Unpacked files

SH256 hash:

d7acf348906ff2c99c0aece101ae5a584c976a807c6eb7eee9895211a3342b1e

MD5 hash:

d844605cc0854b06a1e14f41d0ec4f85

SHA1 hash:

ea3c6ddc54d03ab7feddef4e1d3fd198008b0a28

Link:

https://www.unpac.me/results/27b9f458-0065-4133-bd0a-8cf3bb06545e/

SH256 hash:

37ee19eaf0a3e1dee88152c3ba0673c6994e14648e381aba725e40e94337da86

MD5 hash:

0237cae59e3d959378452902faa2ccf8

SHA1 hash:

66ef4362f632fa43ac9d00107c5563b073bf9b03

Detections:

Qakbot

win_qakbot_auto

Link:

https://www.unpac.me/results/27b9f458-0065-4133-bd0a-8cf3bb06545e/

Parent samples :

efd8c729d110e2374f5b445d501162fb8d798611aff72608e8bf86efaf092486
7777f5f15907b512286ed4758a02048a6674ad1b3d5056b866c4c823807dc6fc
305a3a87057732de16ae881a69182e79a84d5c5054d038e1c1cab3de4518c25c
7d9d70bdc53de103086dfc901004cfa2dc93fb25fb5c40109b63ba071107e40a
3342af99da4de649883731204304827d019dcb215a150d090c7f6dfef7bf4b91
83cff7b2be5afc02e034ba8bd454b50796d17bca904256821511413d3e67dc43
a4fc56488ac87078bc117c3ece094d50807f307033f1ae2af582e2b8f36c329e

SH256 hash:

83cff7b2be5afc02e034ba8bd454b50796d17bca904256821511413d3e67dc43

MD5 hash:

a0b857e31c99bb56aec8e393304bfd9b

SHA1 hash:

09b5faabf2ae92a30658d562c292870f4757567c

Link:

https://www.unpac.me/results/27b9f458-0065-4133-bd0a-8cf3bb06545e/

Malware family:

QBot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/83cff7b2be5a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.26

Link:

https://yomi.yoroi.company/submissions/83cff7b2be5afc02e034ba8bd454b50796d17bca904256821511413d3e67dc43

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	QakBot Create hunting rule
Author:	kevoreilly
Description:	QakBot Payload

Rule name:	unpacked_qbot Create hunting rule
Description:	Detects unpacked or memory-dumped QBot samples

Rule name:	win_qakbot_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.qakbot.

Rule name:	win_qakbot_malped Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Quakbot

DLL dll 83cff7b2be5afc02e034ba8bd454b50796d17bca904256821511413d3e67dc43

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/317319/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample