MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8cc8f32b2f44e84325e5153ec4fd60c31a35884220e7c36b753550356d6a25c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 7

SHA256 hash: 8cc8f32b2f44e84325e5153ec4fd60c31a35884220e7c36b753550356d6a25c8
SHA3-384 hash: c1e4ab9baf5bcdfdadfba82e5b9694bc4fbaa6efb6faa17274d2e39aec821a255de4e6299e2934626bb4deaf5aa34b01
SHA1 hash: e0d8a3ae6c0b8c12850b0f0bad35b776da2d2805
MD5 hash: 487fd75dc8715a0b3ffeb88cc504f730
humanhash: helium-kilo-mike-south
File name: X399.msi
Signature: Quakbot
File size: 1'059'328 bytes
First seen: 2022-05-03 10:23:00 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 24576:DnArxiyIXH33af9cZ4RfvGM431sAGaqqeNDi1TNParL2zp:DnArxir33afeCR3GM4lX9qqeN2ar6
Threatray: 563 similar samples on MalwareBazaar
TLSH: T1E1351219BE9B0B33D9034132409B97505F7A8C189B960B13E3A2734C3D76B7517EBADA
TrID: 89.6% (.MSI) Microsoft Windows Installer (454500/1/170)
      8.7% (.MSP) Windows Installer Patch (44509/10/5)
      1.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter: pr0xylife
Tags: AA GAIN AI LTD msi Qakbot Quakbot signed

Code Signing Certificate

Organisation: GAIN AI LTD
Issuer: Sectigo Public Code Signing CA R36
Algorithm: sha384WithRSAEncryption
Valid from: 2022-04-14T00:00:00Z
Valid to: 2023-04-14T23:59:59Z
Serial number: 623eae6a66d3a6ee80df9ccebe51181e
MalwareBazaar Blocklist: This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm: SHA256
Thumbprint: 21c4e9af43068d041e6aec84341ae89cabb9917792c4bc372eced059555bb845
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads: 1
# of downloads: 224
Origin country: n/a

Vendor Threat Intelligence
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Found malware configuration
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Schedule system process
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph: Behavior Graph ID 619486 (sample X399.msi, start date 03/05/2022, architecture WINDOWS, score 100). Process chain recovered from the graph: msiexec.exe drops C:\Users\user\AppData\Local\SetupTest\5.dll (PE32) and starts a child msiexec.exe, which starts regsvr32.exe; taskeng.exe also starts regsvr32.exe. regsvr32.exe overwrites code with unconditional jumps (possibly setting hooks in a foreign process), injects code into explorer.exe and writes to foreign memory regions; explorer.exe then starts schtasks.exe to add or modify task schedules.
Result
Malware family:
Score: 10/10
Tags: family:qakbot botnet:aa campaign:1651213569 banker evasion stealer trojan
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Enumerates connected drives
Loads dropped DLL
Blocklisted process makes network request
Qakbot/Qbot
Windows security bypass
Malware Config
C2 Extraction:
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments