MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8cd4938ce7dfd35e7ca1942c5ffd650b50a1abf955e8817a9c5d810811c5d182. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 3

Intelligence 3 IOCs YARA 8 File information Comments

SHA256 hash:	8cd4938ce7dfd35e7ca1942c5ffd650b50a1abf955e8817a9c5d810811c5d182
SHA3-384 hash:	6afa36f2953c123c80197c894f1b44b6fb6c2aa3a4b16c34990cd98d601d1977979cbb7ac09453832b09866d053b07ff
SHA1 hash:	111447a21ec564a71463a406e509fc683ada6911
MD5 hash:	92b4aed4b0319b14861728a2d3e96ba3
humanhash:	west-oven-uncle-south
File name:	k2.zip
Download:	download sample
Signature	Quakbot Create hunting rule
File size:	472'930 bytes
First seen:	2022-11-04 11:50:39 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
Note:	This file is a password protected archive. The password is: BV1
ssdeep	12288:PR5RItjECZZsDCpXP6KCPpbYhpE/sjsWPt+YEusR:zm9ZsDWCPpbYhpjjl+Y1O
TLSH	T147A42336B2E609F4A3C70010B63A524E6CE995E96E7E7DC2E685134679CF7EDD903203
TrID	80.0% (.ZIP) ZIP compressed archive (4000/1) 20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter	proxylife
Tags:	1667543522 BB05 BV1 Quakbot zip

Intelligence

File Origin

# of uploads :

# of downloads :

112

Origin country :

File Archive Information

This file is a password protected archive. The password is: BV1

This file archive contains 7 file(s), sorted by their relevance:

File name:	hiring.png
File size:	55'589 bytes
SHA256 hash:	7e5e2b8a016f1443545b9d89b30796d2a578d7d695d3603e258cb1c4e44cc534
MD5 hash:	e4ab96ae6ac97c26bb333f367c72f7b5
MIME type:	image/png
Signature	Quakbot

File name:	sulkily.txt
File size:	61'360 bytes
SHA256 hash:	a163e0775bbf202641494187f3e7c253ea74a19dd7e7ab9f221d379a2b5dfe6d
MD5 hash:	bc6e0b6700b8e6f4015d2f2da5ebb0c0
MIME type:	text/plain
Signature	Quakbot

File name:	outright.dat
File size:	722'248 bytes
SHA256 hash:	907b3cc7168067b2e2c4db2318cc9fa2ebc58963571c92665b447c447b6cc3a1
MD5 hash:	e7eb785bdb9b7ebfe4c17caeb04fbb43
MIME type:	application/x-dosexec
Signature	Quakbot

File name:	wariness.txt
File size:	55'139 bytes
SHA256 hash:	7e4e456cb67e6073c4f84a7fa470d46c9b34371f4145e4fb35786f9cf7c7e912
MD5 hash:	dd0007562194e97e063a42e5b1b1fb58
MIME type:	text/plain
Signature	Quakbot

File name:	CB.lnk
File size:	1'237 bytes
SHA256 hash:	33a196d9b7f9ca87f251ed14c9daad367b4f2e34d80208ce32e0bcd5d53c8ed7
MD5 hash:	798f022ccb8780531956e2c40ec69b5c
MIME type:	application/octet-stream
Signature	Quakbot

File name:	injudicial.cmd
File size:	258 bytes
SHA256 hash:	6bd0c6d56d0d7032b5a3c4dbedeed93a4d384ebb2b3323ba5dda825b35337d04
MD5 hash:	c61100b92470ee7aa5f4116b4dcb47df
MIME type:	text/plain
Signature	Quakbot

File name:	eocene.bat
File size:	209 bytes
SHA256 hash:	db4ddfaf7812b4cd40a673250c60ca7d6ddffc62e128d351641479d162639529
MD5 hash:	0faaf789927f0498e1327b09625bc64a
MIME type:	text/plain
Signature	Quakbot

Vendor Threat Intelligence

Detection(s):

TwinWave.EvilDoc.PKillPWZipISOAllTheSmallThings.20221024.UNOFFICIAL

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8cd4938ce7dfd35e7ca1942c5ffd650b50a1abf955e8817a9c5d810811c5d182/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rtkjhdhh37jv47fbsqwf77lfbnikdk7zkxuic6u4lwaqqeof2gba._file

Result

Malware family:

qakbot

Score:

10/10

Tags:

family:qakbot botnet:bb05 campaign:1667543522 banker stealer trojan

Link:

https://tria.ge/reports/221104-qed22ahdgr/

Behaviour

Enumerates physical storage devices

Malware Config

C2 Extraction:

190.199.161.250:993
92.25.139.40:443
157.231.42.190:995
186.73.140.43:443
70.66.199.12:443
216.82.134.218:443
174.77.209.5:443
139.216.164.122:443
91.169.12.198:32100
139.5.239.14:443
50.37.149.215:443
74.92.243.113:995
74.92.243.113:50000
49.175.72.56:443
24.142.218.202:443
136.232.184.134:995
181.118.183.103:443
174.101.111.4:443
47.34.30.133:443
41.44.11.227:995
89.216.114.179:443
80.0.74.165:443
92.239.222.177:443
94.60.141.48:995
64.207.237.118:443
72.53.103.56:443
174.104.184.149:443
203.217.65.6:443
86.225.214.138:2222
45.49.137.80:443
76.68.34.167:2222
92.24.200.226:995
144.202.15.58:443
74.33.84.227:443
201.102.237.203:443
41.96.68.5:443
73.29.92.128:443
84.209.52.11:443
50.68.204.71:443
58.247.115.126:995
201.192.179.221:443
105.184.161.175:443
212.251.122.147:995
2.103.22.24:443
41.230.166.34:995
65.25.116.200:443
99.254.117.30:443
184.153.132.82:443
154.247.15.173:995
154.247.15.173:32103
154.247.15.173:993
193.3.19.137:443
142.115.159.36:2222
190.18.236.175:443
91.138.17.202:443
67.10.175.47:2222
84.113.121.103:443
157.231.42.190:443
73.165.119.20:443
190.24.45.24:995
187.199.171.252:32103
73.36.196.11:443
75.156.125.215:995
50.68.204.71:993
36.152.128.7:2078
24.69.87.61:443
58.162.223.233:443
94.63.65.146:443
75.99.125.238:2222
190.36.189.154:2222
50.68.204.71:995
24.4.239.157:443
174.0.224.214:443
24.206.27.39:443
136.244.25.165:443
24.64.114.59:2222
90.104.22.28:2222
84.35.26.14:995
197.204.243.188:443
175.205.2.54:443
184.162.156.115:2222
190.79.133.56:2222
24.64.114.59:3389
75.98.154.19:443
85.61.165.153:2222
200.233.108.153:995
70.181.149.227:443
85.59.61.52:2222
70.64.77.115:443
151.237.76.117:443
72.80.249.39:995
190.29.228.61:443
151.30.53.233:443
46.229.194.17:443
73.60.227.230:443
75.141.227.169:443
173.238.202.233:443
50.86.217.209:443
98.145.23.67:443
173.32.181.236:443
87.220.68.51:2222
187.135.153.221:2222
190.204.83.110:2222
58.186.75.42:443
206.1.199.69:2087
190.27.77.14:995
46.190.93.247:50000
91.165.188.74:50000
94.49.5.116:443
110.23.76.9:2222
174.58.146.57:443
190.74.248.136:443
73.88.173.113:443
190.203.11.218:443
24.232.88.41:443
27.33.237.105:443
173.209.185.159:443
86.157.12.148:443

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/8cd4938ce7dfd35e7ca1942c5ffd650b50a1abf955e8817a9c5d810811c5d182

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	PassProtected_ZIP_ISO_file Create hunting rule
Author:	_jc
Description:	Detects container formats commonly smuggled through password-protected zips

Rule name:	QakBot Create hunting rule
Author:	kevoreilly
Description:	QakBot Payload

Rule name:	unpacked_qbot Create hunting rule
Description:	Detects unpacked or memory-dumped QBot samples

Rule name:	win_qakbot_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.qakbot.

Rule name:	win_qakbot_malped Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Quakbot

zip 8cd4938ce7dfd35e7ca1942c5ffd650b50a1abf955e8817a9c5d810811c5d182

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2394725/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample