MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8cc56be36e5dedb44e0441c05607bf8fa4e9fd1aa9b0a7e86418c38c026a7a45. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8cc56be36e5dedb44e0441c05607bf8fa4e9fd1aa9b0a7e86418c38c026a7a45
SHA3-384 hash: 73e1c9e6da9205e3ace3b3a16cb7a892ec3293398b37b37307f40c44f4b4bd773e320ede43c8b19c912a90b3eba20d0b
SHA1 hash: 2b201886a03c083b6116d10aa975800db7ab2c63
MD5 hash: 1e04017afdbac68a14c9bf83573d7732
humanhash: papa-oxygen-yankee-indigo
File name:saliency.dat
Download: download sample
Signature Quakbot
Create hunting rule
File size:561'152 bytes
First seen:2022-10-25 13:02:53 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash a207c1d2fbc58a15cbfda19bb6a789f0 (1 x Quakbot)
ssdeep 6144:MNNoyulCPqzAzdZAp0A0YEtPCAOYlUAkr99pY8pC6un/7CXQhd5tuolTvBY+YPFE:WICPFBdAO62kRBY6un/7CXQBxOFELZ
Threatray 1'574 similar samples on MalwareBazaar
TLSH T1ABC4CF16F262C139F5BE0879447C95240A2CB931176489FBF3C85B2E8EE56C1BB32B57
TrID 32.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.9% (.EXE) Win32 Executable (generic) (4505/5/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
Reporter pr0xylife
Tags:1666690935 BB04 dll Qakbot Quakbot

Intelligence

File Origin
# of uploads :
1
# of downloads :
241
Origin country :
n/a
Vendor Threat Intelligence
Detection:
QakBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/324028/
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Searching for synchronization primitives
Modifying an executable file
Creating a window
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/01a4278a-7be9-4053-b5e3-83209ec4d95d
Result
Threat name:
Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1097584
Signature
Allocates memory in foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Execute DLL with spoofed extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 730238 Sample: saliency.dat.dll Startdate: 25/10/2022 Architecture: WINDOWS Score: 88 34 Multi AV Scanner detection for submitted file 2->34 36 Yara detected Qbot 2->36 38 Sigma detected: Execute DLL with spoofed extension 2->38 40 2 other signatures 2->40 8 loaddll32.exe 1 2->8         started        process3 signatures4 50 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->50 52 Writes to foreign memory regions 8->52 54 Allocates memory in foreign processes 8->54 56 Maps a DLL or memory area into another process 8->56 11 cmd.exe 1 8->11         started        13 regsvr32.exe 8->13         started        16 rundll32.exe 8->16         started        18 4 other processes 8->18 process5 signatures6 20 rundll32.exe 11->20         started        58 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 13->58 60 Writes to foreign memory regions 13->60 62 Allocates memory in foreign processes 13->62 23 wermgr.exe 13->23         started        64 Maps a DLL or memory area into another process 16->64 25 wermgr.exe 16->25         started        27 WerFault.exe 23 9 18->27         started        process7 signatures8 42 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 20->42 44 Writes to foreign memory regions 20->44 46 Allocates memory in foreign processes 20->46 48 Maps a DLL or memory area into another process 20->48 29 wermgr.exe 8 1 20->29         started        process9 file10 32 C:\Users\user\Desktop\saliency.dat.dll, PE32 29->32 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8cc56be36e5dedb44e0441c05607bf8fa4e9fd1aa9b0a7e86418c38c026a7a45/
Threat name:
Win32.Trojan.Tedy
Create hunting rule
Status:
Malicious
First seen:
2022-10-25 13:16:27 UTC
File Type:
PE (Dll)
AV detection:
12 of 42 (28.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rtcwxy3olxw3itqeihafmb57r6sot7i2vgykp2deddbyyatkpjcq._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
290634e84d2e79107f8abf4b6943c6e900fc7efda85f3a1e83a9ac420d160d75
Quakbot
4df936e24707cbb9332c99488a20f5fa0f9e0ac5cc3a2ea4d509f3539ea79200
Quakbot
581a2c8b97a095950c90872335e30dff1355adc48781d39f5612ed44fb477c99
Quakbot
97bb01022eaa46e69d39cbddd770c5d5312b806d0b94836f96d026db1d54bf03
Quakbot
9ffd782dc0ff611a67170546287213e7ff90f9eff32faa573493c0b1d28b980b
Quakbot
+ 1'564 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot botnet:bb04 campaign:1666690935 banker stealer trojan
Link:
https://tria.ge/reports/221025-qaccmscgeq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Qakbot/Qbot
Malware Config
C2 Extraction:
181.164.194.228:443
24.116.45.121:443
190.74.248.136:443
24.206.27.39:443
27.110.134.202:995
2.88.206.121:443
71.199.168.185:443
200.233.108.153:995
198.2.51.242:993
172.117.139.142:995
70.115.104.126:443
144.202.15.58:443
190.24.45.24:995
24.9.220.167:443
58.247.115.126:995
193.3.19.137:443
45.230.169.132:995
68.62.199.70:443
43.241.159.238:443
113.162.196.232:443
156.217.60.239:995
197.204.70.167:443
201.68.209.47:32101
190.33.241.216:443
156.197.230.148:995
197.202.196.43:443
175.205.2.54:443
24.130.228.100:443
41.109.228.108:995
64.123.103.123:443
190.193.180.228:443
24.177.111.153:443
60.54.65.27:443
189.129.38.158:2222
206.1.164.250:443
190.36.189.34:993
173.49.74.62:443
41.99.110.44:443
190.203.51.133:2222
174.29.45.113:443
222.117.141.133:443
190.207.137.189:2222
208.78.220.120:443
105.111.81.57:443
105.158.78.171:443
24.207.97.117:443
88.240.75.201:443
105.154.214.130:995
41.104.155.245:443
41.98.242.254:443
196.70.146.120:443
90.165.109.4:2222
75.84.234.68:443
65.140.11.170:443
186.154.189.162:995
191.96.67.93:995
151.213.183.141:995
184.159.76.47:443
105.98.223.169:443
190.201.145.155:443
197.0.225.39:443
78.179.135.247:443
197.2.193.4:995
152.170.17.136:443
191.33.187.192:2222
41.101.193.38:443
105.156.0.235:995
98.207.190.55:443
41.47.249.185:443
186.18.210.16:443
196.207.146.151:443
118.174.207.134:995
47.14.229.4:443
41.234.116.241:993
190.37.112.223:2222
14.54.83.15:443
93.156.96.171:443
58.186.75.42:443
189.110.3.60:2222
167.58.254.85:443
186.18.77.99:443
41.107.78.169:443
102.159.194.141:443
149.126.159.224:443
201.208.58.92:2222
156.196.169.222:443
190.100.149.122:995
1.0.215.176:443
202.5.53.143:443
206.1.222.56:2087
102.156.162.83:443
220.134.54.185:2222
190.37.174.11:2222
176.241.48.177:443
190.29.228.61:443
41.101.183.90:443
94.36.5.31:443
102.184.30.42:443
102.187.63.127:995
190.33.87.140:443
187.198.16.39:443
62.46.231.64:443
42.116.54.220:443
197.244.204.128:443
190.203.106.109:2222
200.155.61.245:995
200.155.61.245:443
105.105.46.239:443
200.233.108.153:993
41.143.109.111:61202
91.171.72.214:32100
136.232.184.134:995
186.52.96.202:995
163.182.177.80:443
167.56.53.143:995
181.141.3.126:443
189.216.29.135:443
191.84.65.116:443
186.14.70.229:443
Unpacked files
SH256 hash:
ce7b529f9d23a7aae8a5e8d00a51be2f5ddf04341f11afa0d150eb392272414e
MD5 hash:
c35226f9bd4f4f658333749ba2f8fdd4
SHA1 hash:
8d0408a00a714ddfdd79e69384605b85184ea9a7
Link:
https://www.unpac.me/results/b2ac52bd-4b68-400a-97e5-c975e51b8845/
SH256 hash:
4dccdfe9ef2481ad01e02274336a7989d311b021af7115c6987cf6d911eed053
MD5 hash:
fd9b5527b6baffe16eb4c41746fdaa60
SHA1 hash:
3adf8847dbad925015ceaa0d16cbc20a6a44d199
Link:
https://www.unpac.me/results/b2ac52bd-4b68-400a-97e5-c975e51b8845/
SH256 hash:
acc7507de4452969e3cf4c299c3084bb1cd70f4a109940c3e33e27b64f0e6b1d
MD5 hash:
bd16a3fbdef3dcd8fb954f7afa106d1b
SHA1 hash:
38568e345fbafb10d8c52f6ad2dfd6fb49fa5529
Link:
https://www.unpac.me/results/b2ac52bd-4b68-400a-97e5-c975e51b8845/
SH256 hash:
2873f6f3b88de4b53a8e29d502d3d9d5f3062f049a8661090bc5695865c6ebef
MD5 hash:
37f364b06e3e87df5dce9822d293a0cb
SHA1 hash:
349f1e32b7e48d5dee3b4612c1a05802b925343f
Link:
https://www.unpac.me/results/b2ac52bd-4b68-400a-97e5-c975e51b8845/
SH256 hash:
15783893f5738f540a640aa2ee0a5b7fa1c05598cd6735addc4505a634c61e01
MD5 hash:
73522ae7e5b6fe21296d27ac62aad760
SHA1 hash:
0bf536705918c79461d1b7e4f823ef342087202b
Link:
https://www.unpac.me/results/b2ac52bd-4b68-400a-97e5-c975e51b8845/
SH256 hash:
a8a5f80b6482fd6b5bfc7609539b53f96f08ebb3e307d1273737fb6c3587b6e8
MD5 hash:
97fbe36cee2e2bdeaf65f67daa5aaaf6
SHA1 hash:
a314e4fa6dd36186727262d94ca25d0c1b2cac20
Link:
https://www.unpac.me/results/b2ac52bd-4b68-400a-97e5-c975e51b8845/
SH256 hash:
0ee89f3fd8d460878f5b3e0b943a8ddfa6622da256b1140470f16b21c2efa572
MD5 hash:
67623442dd3868f26a9ac1d2a5609763
SHA1 hash:
f693b716d655ca7015f7b7f800f4d62d0171b79e
Detections:
Qakbot
Create hunting rule
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/b2ac52bd-4b68-400a-97e5-c975e51b8845/
SH256 hash:
1bf5cf76245560fa33c23d0ab48d06552ca42f50a553a0f9fb21a77a12d7d81f
MD5 hash:
baf76d27c03294c495ea3ea289b6ef6e
SHA1 hash:
a103b7648482421c2bfb7ae3cf2c72040e3c6e4e
Link:
https://www.unpac.me/results/b2ac52bd-4b68-400a-97e5-c975e51b8845/
SH256 hash:
8cc56be36e5dedb44e0441c05607bf8fa4e9fd1aa9b0a7e86418c38c026a7a45
MD5 hash:
1e04017afdbac68a14c9bf83573d7732
SHA1 hash:
2b201886a03c083b6116d10aa975800db7ab2c63
Link:
https://www.unpac.me/results/b2ac52bd-4b68-400a-97e5-c975e51b8845/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8cc56be36e5dedb44e0441c05607bf8fa4e9fd1aa9b0a7e86418c38c026a7a45

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:QakBot
Create hunting rule
Author:kevoreilly
Description:QakBot Payload
Rule name:unpacked_qbot
Create hunting rule
Description:Detects unpacked or memory-dumped QBot samples
Rule name:win_qakbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.
Rule name:win_qakbot_malped
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/324028/

Comments