MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d5fb11ff3bf85e88bcfc54d8018b8433e4d84d4480b650696b2e16fce9866e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 10

Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash:	8d5fb11ff3bf85e88bcfc54d8018b8433e4d84d4480b650696b2e16fce9866e0
SHA3-384 hash:	3f3f5c456c313f5efdbaf1bf590a89842652f4b375901863ff354fb5cf1d4fae2b7fc3bb1c1bf6c6d1358281c88ab316
SHA1 hash:	a55e58a81bf891b9bd1a38d2e52af9bdf3a80203
MD5 hash:	eb2070f0b08257402c6672a2ec59f011
humanhash:	high-pip-alaska-lion
File name:	bkxcwdhqvnjhyxojudrjmfxqg.exe
Download:	download sample
Signature	Quakbot Create hunting rule
File size:	588'304 bytes
First seen:	2020-07-28 06:57:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ea5e67a7a61f9956e4601b8f30e3621c (3 x Quakbot)
ssdeep	6144:OG5acc4UubGLev55w9A/tN52IMI2CrCQEy+23Pq/OaIU+BHoa8mSpPah8iTKp3hp:O2lXJvzUAnUIMIvsM/6OID9SM6FDac5+
Threatray	419 similar samples on MalwareBazaar
TLSH	44C49B20E5A439FEE4A5893F006C822DC7BBAE43E2E396C23742B54C543F155A9F5E71
Reporter	TrappmanRhett
Tags:	Quakbot

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

QakBot

Link:

https://www.capesandbox.com/analysis/33234/

Detection(s):

SecuriteInfo.com.Mal.EncPk-APV.7622.21500.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Creating a process with a hidden window

Creating a file in the Windows subdirectories

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

Launching a process

Creating a window

Unauthorized injection to a system process

Enabling autorun with Startup directory

Result

Threat name:

Qbot

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/399390

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to detect virtual machines (IN, VMware)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Sigma detected: QBot Process Creation

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses cmd line tools excessively to alter registry or file data

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected Qbot

Behaviour

Behavior Graph:

Download SVG

Detection:

qakbot

Link:

https://mwdb.cert.pl/sample/8d5fb11ff3bf85e88bcfc54d8018b8433e4d84d4480b650696b2e16fce9866e0/

Threat name:

Win32.Backdoor.Quakbot

Status:

Malicious

First seen:

2020-07-28 06:59:05 UTC

AV detection:

29 of 29 (100.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=rvp3ch7tx6c6rc6pyvgyagfyim7e3bgujafwkbuwwlqw7tuym3qa._file

Verdict:

malicious

Result

Malware family:

qakbot

Score:

10/10

Tags:

trojan banker stealer family:qakbot evasion

Link:

https://tria.ge/reports/200728-cvv95jaa1x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Runs ping.exe

Suspicious behavior: MapViewOfSection

Creates scheduled task(s)

Loads dropped DLL

Windows security modification

Executes dropped EXE

Turns off Windows Defender SpyNet reporting

Windows security bypass

Qakbot/Qbot

Malware Config

C2 Extraction:

108.227.161.27:995
173.187.103.35:443
117.216.185.86:443
24.43.22.220:443
72.190.101.70:443
207.255.161.8:2087
189.160.217.221:443
207.255.161.8:32102
24.226.137.154:443
66.222.88.126:995
108.58.9.238:995
1.40.42.4:443
47.152.210.233:443
72.45.14.185:443
82.127.193.151:2222
101.108.113.6:443
175.111.128.234:995
175.111.128.234:443
47.39.76.74:443
5.12.214.109:2222
24.218.181.15:443
216.201.162.158:995
108.21.107.203:443
107.2.148.99:443
189.236.218.181:443
120.57.74.208:443
75.110.250.89:443
211.24.72.253:443
207.255.161.8:443
50.104.186.71:443
100.38.123.22:443
96.18.240.158:443
173.187.170.190:443
100.40.48.96:443
71.80.66.107:443
67.197.97.144:443
69.28.222.54:443
95.77.223.148:443
47.136.224.60:443
47.202.98.230:443
184.180.157.203:2222
104.221.4.11:2222
70.173.46.139:443
213.67.45.195:2222
46.214.62.199:443
67.131.59.17:443
154.56.69.172:443
72.16.212.108:465
98.121.187.78:443
217.162.149.212:443
74.33.70.245:443
89.47.223.207:443
188.26.243.186:443
72.177.157.217:443
72.29.181.77:2078
203.106.195.139:443
98.114.185.3:443
71.187.170.235:443
71.185.60.227:443
68.204.164.222:443
76.170.77.99:443
37.41.53.184:443
140.82.21.191:443
68.46.142.48:443
98.16.204.189:995
50.244.112.10:443
27.212.0.173:995
62.121.123.57:443
103.76.160.110:443
117.199.4.78:443
63.230.11.201:2083
95.76.6.106:995
67.182.16.216:32103
186.144.174.237:443
47.41.3.40:443
74.75.216.202:443
188.212.133.31:443
31.5.21.66:443
84.117.176.32:443
178.222.29.131:995
81.133.234.36:2222
71.220.172.127:2222
50.29.166.232:995
24.55.152.50:995
75.183.171.155:3389
78.188.109.130:443
58.233.220.182:443
78.97.119.189:443
71.77.231.251:443
73.226.220.56:443
68.174.15.223:443
70.183.127.6:995
59.26.204.210:443
5.107.213.220:2222
173.79.220.156:443
70.174.3.241:443
203.33.139.134:443
71.79.144.56:443
76.187.8.160:443
187.155.66.12:443
117.216.224.103:443
96.56.237.174:32103
79.116.68.99:2222
98.243.187.85:443
75.142.59.167:443
80.14.209.42:2222
120.29.124.86:443
73.121.132.5:443
73.94.229.115:443
108.51.73.186:443
50.247.230.33:995
96.56.237.174:993
50.78.93.74:443
50.244.112.106:443
45.77.215.141:443
66.68.22.151:443
144.202.48.107:443
207.246.71.122:443
201.211.6.211:2078
96.35.170.82:2222
67.170.137.8:443
108.185.113.12:443
98.32.60.217:443
207.255.161.8:2078
86.126.97.183:2222
108.27.217.44:443
207.255.161.8:32103
49.191.130.142:443
137.99.224.198:443
80.184.91.6:443
47.232.26.181:443
72.36.59.46:2222
96.56.237.174:990
207.255.161.8:995
24.43.22.220:993
94.10.81.239:443
94.52.160.116:443
67.0.74.119:443
175.137.136.79:443
73.232.165.200:995
79.119.67.149:443
62.38.111.70:2222
108.58.9.238:993
216.110.249.252:2222
67.209.195.198:3389
84.247.55.190:443
96.37.137.42:443
94.176.220.76:2222
173.245.152.231:443
96.227.122.123:443

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8d5fb11ff3bf85e88bcfc54d8018b8433e4d84d4480b650696b2e16fce9866e0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	win_qakbot_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/33234/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample