MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88f2ca8f56c76d8689ec1738a23beb4ca30f43a3def3472de430f895805e7e48. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 88f2ca8f56c76d8689ec1738a23beb4ca30f43a3def3472de430f895805e7e48
SHA3-384 hash: 1158d0c2ab0aaa1b9c6890b32d7969826290d53c40cefc5891b56b243bce5c46cb8d5f2c1ed268cbeda4fe6a3ad4378a
SHA1 hash: f10b31c75c19b363e4dd4d3817283c41104cce1f
MD5 hash: 91105a07dc5a3720f818fb1785b3796e
humanhash: finch-lactose-asparagus-fruit
File name:arenosityAphelinus.dll
Download: download sample
Signature Quakbot
Create hunting rule
File size:2'838'016 bytes
First seen:2022-12-22 15:15:53 UTC
Last seen:2022-12-22 16:39:49 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash a9fb0b0e99013d422ebae64ca681fb39 (1 x Quakbot)
ssdeep 49152:BXBZurne7bL6zFE1cxkvYZz9YcJkyDcCSVZl:ljh6zFxxEgz/kygCS
TLSH T191D5231E75749135E9AD0C3F59B8C8B4462A7A704F1849CBB7C87F4F0E981E1A872E1B
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter pr0xylife
Tags:1671561386 BB11 dll Quakbot

Intelligence

File Origin
# of uploads :
2
# of downloads :
190
Origin country :
CA CA
Vendor Threat Intelligence
Detection:
QakBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/349081/
Detection(s):
SecuriteInfo.com.Win32.BotX-gen.2517.31848.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/63a474b5ee317220a547452d/reports/74c2e2fd-4baf-49b6-a24a-a83c73899590/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3616662b-ee09-440e-8d10-d53e02fdff16
Result
Threat name:
Qbot
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1139441
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Performs a network lookup / discovery via net view
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 772171 Sample: arenosityAphelinus.dll Startdate: 22/12/2022 Architecture: WINDOWS Score: 80 46 71.31.101.183 WINDSTREAMUS United States 2->46 48 216.36.153.248 WCG-ASCA Canada 2->48 50 96 other IPs or domains 2->50 56 Yara detected Qbot 2->56 58 C2 URLs / IPs found in malware configuration 2->58 60 Machine Learning detection for sample 2->60 62 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->62 10 loaddll32.exe 1 2->10         started        signatures3 process4 process5 12 rundll32.exe 10->12         started        15 cmd.exe 1 10->15         started        17 rundll32.exe 10->17         started        19 7 other processes 10->19 signatures6 74 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 12->74 76 Writes to foreign memory regions 12->76 78 Allocates memory in foreign processes 12->78 21 wermgr.exe 8 15 12->21         started        26 rundll32.exe 15->26         started        80 Maps a DLL or memory area into another process 17->80 28 wermgr.exe 17->28         started        30 WerFault.exe 24 9 19->30         started        32 WerFault.exe 9 19->32         started        34 WerFault.exe 2 9 19->34         started        36 WerFault.exe 19->36         started        process7 dnsIp8 52 76.68.151.148, 2222, 49712 BACOMCA Canada 21->52 44 C:\Users\user\...\arenosityAphelinus.dll, PE32 21->44 dropped 64 Performs a network lookup / discovery via net view 21->64 38 net.exe 21->38         started        66 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 26->66 68 Writes to foreign memory regions 26->68 70 Allocates memory in foreign processes 26->70 72 Maps a DLL or memory area into another process 26->72 40 wermgr.exe 26->40         started        54 192.168.2.1 unknown unknown 30->54 file9 signatures10 process11 process12 42 conhost.exe 38->42         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/88f2ca8f56c76d8689ec1738a23beb4ca30f43a3def3472de430f895805e7e48/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-12-22 15:16:09 UTC
File Type:
PE (Dll)
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rdzmvd2wy5wyncpmc44keo7ljsrq6q5d33zuolpegd4jlac6pzea._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot botnet:bb11 campaign:1671561386 banker stealer trojan
Link:
https://tria.ge/reports/221222-snfy4ahg9y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Qakbot/Qbot
Malware Config
C2 Extraction:
184.68.116.146:3389
92.189.214.236:2222
73.29.92.128:443
92.239.81.124:443
47.203.227.114:443
199.83.165.233:443
12.172.173.82:995
12.172.173.82:50001
136.244.25.165:443
37.15.128.31:2222
91.96.249.3:443
92.27.86.48:2222
75.156.125.215:995
93.147.134.85:443
86.176.246.195:2222
89.129.109.27:2222
70.55.120.16:2222
50.67.17.92:443
78.92.133.215:443
190.100.149.122:995
86.183.251.169:2222
184.68.116.146:2222
217.43.16.149:443
208.180.17.32:2222
75.143.236.149:443
70.64.77.115:443
76.184.95.190:993
73.161.176.218:443
84.35.26.14:995
67.235.138.14:443
206.166.209.170:2222
108.6.249.139:443
70.51.136.204:2222
67.253.226.137:995
201.137.206.40:443
176.44.121.220:995
31.48.67.240:443
80.103.77.44:2222
86.160.253.56:443
184.68.116.146:2078
76.80.180.154:995
181.118.183.50:443
173.178.151.233:443
72.80.7.6:995
109.220.196.24:2222
47.34.30.133:443
76.170.252.153:995
12.172.173.82:21
216.36.153.248:443
70.77.116.233:443
47.41.154.250:443
108.162.6.34:443
50.68.204.71:443
24.69.84.237:443
87.65.160.87:995
73.36.196.11:443
76.68.151.148:2222
89.203.252.238:443
81.131.210.167:443
96.255.66.51:995
12.172.173.82:465
95.23.15.84:2222
67.61.71.201:443
66.191.69.18:995
51.211.219.211:443
79.13.202.140:443
77.86.98.236:443
70.115.104.126:995
152.170.17.136:443
70.120.228.205:443
178.153.5.54:443
12.172.173.82:20
91.254.132.23:443
72.88.245.71:443
45.230.169.132:995
142.118.49.193:2222
65.95.85.172:2222
136.35.241.159:443
69.159.156.133:2222
92.8.187.85:2222
69.133.162.35:443
184.68.116.146:50010
86.130.9.250:2222
149.74.159.67:2222
176.133.4.230:995
46.10.198.106:443
2.14.96.234:2222
78.101.91.215:2222
92.154.45.81:2222
79.77.142.22:2222
12.172.173.82:22
12.172.173.82:32101
90.66.229.185:2222
86.225.214.138:2222
173.18.126.3:443
174.104.184.149:443
90.89.95.158:2222
162.248.14.107:443
190.249.241.149:443
78.18.42.55:443
184.68.116.146:61202
64.123.103.123:443
12.172.173.82:990
38.166.221.92:2087
184.176.154.83:995
92.207.132.174:2222
75.98.154.19:443
142.161.27.232:2222
84.113.121.103:443
90.104.22.28:2222
75.84.234.68:443
198.2.51.242:993
86.139.213.115:443
50.68.204.71:993
201.210.114.115:993
71.31.101.183:443
74.33.196.114:443
87.252.106.197:995
Unpacked files
SH256 hash:
f960fb70486e10932e28797b44f9f6f4dbae3334718c5ff5c01b70b8840194c5
MD5 hash:
bc0ff2f8934f7353b543ef558f80f726
SHA1 hash:
03251d75a48b73dd7c4b9a5de411ebf02dae63bc
Link:
https://www.unpac.me/results/a2c53ab5-f6f2-4b9e-8640-83cd816629f6/
SH256 hash:
68d12f4a1b7a28eec2dc849cc82b08a5e45bc6fff0195413ce90403a106739d2
MD5 hash:
cfb44886b2dad562d827e4aeac5700c9
SHA1 hash:
5e4914c62bb7efe8bd5e07ca422223f2503edca6
Detections:
Qakbot
Create hunting rule
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/a2c53ab5-f6f2-4b9e-8640-83cd816629f6/
Parent samples :
22c5d9c52f3e9e072e384cc2963a7a453225c2ed7f26f60d0fb043c77f0c4079
88f2ca8f56c76d8689ec1738a23beb4ca30f43a3def3472de430f895805e7e48
36398a8aa94465823750bf32568fa77ff9ffbc15b07ad6460d6d913b1b5bae78
012747575632a83c77d73b90450612446664d78c5a6a1af082c5da1485f6e9e1
SH256 hash:
88f2ca8f56c76d8689ec1738a23beb4ca30f43a3def3472de430f895805e7e48
MD5 hash:
91105a07dc5a3720f818fb1785b3796e
SHA1 hash:
f10b31c75c19b363e4dd4d3817283c41104cce1f
Link:
https://www.unpac.me/results/a2c53ab5-f6f2-4b9e-8640-83cd816629f6/
Malware family:
QBot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/88f2ca8f56c7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/88f2ca8f56c76d8689ec1738a23beb4ca30f43a3def3472de430f895805e7e48

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:QakBot
Create hunting rule
Author:kevoreilly
Description:QakBot Payload
Rule name:qakbot_api_hashing
Create hunting rule
Author:@Embee_Research
Reference:https://twitter.com/embee_research/status/1592067841154756610
Rule name:unpacked_qbot
Create hunting rule
Description:Detects unpacked or memory-dumped QBot samples
Rule name:win_qakbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.
Rule name:win_qakbot_malped
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/349081/

Comments