MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8ae878effceb1a76ba103550970b27662a0328c00bd0fb8b8d7e78750c0f3b65. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8ae878effceb1a76ba103550970b27662a0328c00bd0fb8b8d7e78750c0f3b65
SHA3-384 hash: 43be5da45227dc51fe0ac17730c5fdfa8e9221df22fb95a19500426d860d3e5db0a40c0559f886ca2b85c1ad5d793f97
SHA1 hash: 4979c852b6792a0cbbfdfc766864b5eafdd5716c
MD5 hash: 0e4a77bf82911bc17023408cca2edbda
humanhash: missouri-batman-jig-oklahoma
File name:revolution.tmp
Download: download sample
Signature Quakbot
Create hunting rule
File size:707'584 bytes
First seen:2022-11-17 16:06:07 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 8b0d4d20617bb1b305b5da35596be37f (2 x Quakbot)
ssdeep 12288:sjGfBlJYUWlaVxbYUGOpGPq1Tu/VxdZlUP9Xq4F/9:sjk7W8wWpD9u/VLM9Xq4n
TLSH T115E42806DD40F27EE9F80571461D08338E2A1CEF22678CA76675395679BF2A09CFE427
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f0f0ececc8f071b2 (3 x Quakbot, 1 x SystemBC, 1 x LummaStealer)
Reporter JAMESWT_WT
Tags:dll pw-SK16 Quakbot

Intelligence

File Origin
# of uploads :
1
# of downloads :
218
Origin country :
IT IT
Vendor Threat Intelligence
Detection:
QakBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/335444/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Krypt.9687.30535.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
Sending a custom TCP request
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/63765c276fda73cab64e3a19/reports/837ea5b4-81c1-4165-871c-ad07308dedc1/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/853a6690-2077-4eca-8f2c-a53708a882ce
Result
Threat name:
Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1115906
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Run temp file via regsvr32
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 748615 Sample: revolution.tmp.dll Startdate: 17/11/2022 Architecture: WINDOWS Score: 92 37 89.115.196.99 VODAFONE-PTVodafonePortugalPT Portugal 2->37 39 94.63.65.146 VODAFONE-PTVodafonePortugalPT Portugal 2->39 41 98 other IPs or domains 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 Yara detected Qbot 2->45 47 Sigma detected: Run temp file via regsvr32 2->47 49 3 other signatures 2->49 9 loaddll32.exe 1 2->9         started        signatures3 process4 signatures5 59 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 9->59 61 Maps a DLL or memory area into another process 9->61 12 cmd.exe 1 9->12         started        14 regsvr32.exe 9->14         started        17 rundll32.exe 9->17         started        19 4 other processes 9->19 process6 file7 22 rundll32.exe 12->22         started        63 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 14->63 65 Writes to foreign memory regions 14->65 67 Allocates memory in foreign processes 14->67 25 wermgr.exe 14->25         started        69 Maps a DLL or memory area into another process 17->69 27 wermgr.exe 17->27         started        35 C:\Users\user\Desktop\revolution.tmp.dll, PE32 19->35 dropped 29 WerFault.exe 23 9 19->29         started        31 WerFault.exe 19->31         started        signatures8 process9 signatures10 51 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 22->51 53 Writes to foreign memory regions 22->53 55 Allocates memory in foreign processes 22->55 57 Maps a DLL or memory area into another process 22->57 33 wermgr.exe 22->33         started        process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8ae878effceb1a76ba103550970b27662a0328c00bd0fb8b8d7e78750c0f3b65/
Threat name:
Win32.Trojan.KBot
Create hunting rule
Status:
Malicious
First seen:
2022-11-17 16:07:07 UTC
File Type:
PE (Dll)
Extracted files:
35
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rluhr3745mnhnoqqgvijoczhmyvagkgabpipxc4npz4hkdaphnsq._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot botnet:bb06 campaign:1668683197 banker stealer trojan
Link:
https://tria.ge/reports/221117-tkmg5seh37/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Qakbot/Qbot
Malware Config
C2 Extraction:
23.240.47.58:995
12.172.173.82:465
91.169.12.198:32100
94.63.65.146:443
80.13.179.151:2222
64.207.237.118:443
24.206.27.39:443
83.114.60.6:2222
86.171.75.63:443
86.195.32.149:2222
170.253.25.35:443
92.185.204.18:2078
157.231.42.190:995
170.249.59.153:443
174.101.111.4:443
116.74.163.152:443
76.80.180.154:995
180.151.104.143:443
86.130.9.167:2222
86.99.15.243:2222
90.104.22.28:2222
172.117.139.142:995
103.141.50.117:995
176.142.207.63:443
71.183.236.133:443
131.106.168.223:443
190.75.110.239:443
70.66.199.12:443
183.87.31.34:443
83.110.223.247:443
47.34.30.133:443
71.247.10.63:995
92.207.132.174:2222
89.129.109.27:2222
12.172.173.82:21
87.202.101.164:50000
2.99.47.198:2222
154.247.95.119:2078
197.148.17.17:2078
37.14.229.220:2222
78.247.21.20:443
112.141.184.246:995
142.161.27.232:2222
71.247.10.63:50003
108.6.249.139:443
92.239.81.124:443
184.176.154.83:995
184.153.132.82:443
74.66.134.24:443
24.64.114.59:3389
105.184.161.242:443
73.36.196.11:443
82.31.37.241:443
24.116.45.121:443
213.67.255.57:2222
200.93.14.206:2222
91.254.215.167:443
87.220.205.14:2222
92.27.86.48:2222
73.230.28.7:443
176.151.15.101:443
24.64.114.59:2222
86.165.15.180:2222
66.191.69.18:995
175.205.2.54:443
64.121.161.102:443
87.99.116.47:443
180.156.240.239:995
12.172.173.82:22
50.68.204.71:995
213.91.235.146:443
174.77.209.5:443
76.127.192.23:443
50.68.204.71:443
109.11.175.42:2222
199.83.165.233:443
91.68.227.219:443
45.248.169.101:443
85.59.61.52:2222
85.139.176.42:2222
82.34.170.37:443
157.231.42.190:443
76.20.42.45:443
27.110.134.202:995
89.115.196.99:443
83.11.84.105:2222
12.172.173.82:2087
12.172.173.82:443
181.118.183.116:443
174.45.15.123:443
77.126.81.208:443
92.106.70.62:2222
82.121.73.56:2222
173.239.94.212:443
187.199.224.16:32103
183.82.100.110:2222
186.188.2.193:443
41.62.227.225:443
75.99.125.238:2222
2.84.98.228:2222
82.121.237.106:2222
100.6.8.7:443
85.241.180.94:443
79.37.204.67:443
217.128.91.196:2222
58.247.115.126:995
12.172.173.82:993
98.147.155.235:443
102.157.69.217:995
212.251.122.147:995
92.137.74.174:2222
24.228.132.224:2222
69.119.123.159:2222
89.79.229.50:443
47.176.30.75:443
174.104.184.149:443
173.32.181.236:443
74.92.243.113:50000
12.172.173.82:995
58.186.75.42:443
Unpacked files
SH256 hash:
5e6ac6ac43c0e01704a152cf0e1a711057a9c4992ec61e80e6975b5baf9d4332
MD5 hash:
4dced709ea2d2602ec420ac391650fba
SHA1 hash:
8029bf4189ad06a7a22b36143db276ddc47623c4
Link:
https://www.unpac.me/results/45d77b6d-2d3e-4a81-ad56-efdfadc73897/
SH256 hash:
95c2cc28837a8e8c9717d9e68bd2441201197632b814915a1adf8f82183860b1
MD5 hash:
25b127c2c99e79180ba596fb23de442a
SHA1 hash:
e728b8971bf9a623274d4f1013c8c8687b61f97f
Detections:
Qakbot
Create hunting rule
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/45d77b6d-2d3e-4a81-ad56-efdfadc73897/
Parent samples :
8ca16991684f7384c12b6622b8d1bcd23bc27f186f499c2059770ddd3031f274
8ae878effceb1a76ba103550970b27662a0328c00bd0fb8b8d7e78750c0f3b65
SH256 hash:
8ae878effceb1a76ba103550970b27662a0328c00bd0fb8b8d7e78750c0f3b65
MD5 hash:
0e4a77bf82911bc17023408cca2edbda
SHA1 hash:
4979c852b6792a0cbbfdfc766864b5eafdd5716c
Link:
https://www.unpac.me/results/45d77b6d-2d3e-4a81-ad56-efdfadc73897/
Malware family:
QBot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8ae878effceb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/335444/

Comments