MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8ff3397c5cc8c866d6c1f492ccfe88f39b3b968757a3b3c9400d85f8ca0aba55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8ff3397c5cc8c866d6c1f492ccfe88f39b3b968757a3b3c9400d85f8ca0aba55
SHA3-384 hash: 24025b25a6e004f32bd31a9d543dec631c2c910f5a671b04af631c75cb683f6202d2a99284161e14482e48258dede627
SHA1 hash: 0237b4a69d4fb58d7fc72cb78c7d94f1bb24beb9
MD5 hash: b955fcc1a2e23294929419e07c68d729
humanhash: alaska-east-enemy-carbon
File name:b955fcc1_by_Libranalysis
Download: download sample
Signature Quakbot
Create hunting rule
File size:479'266 bytes
First seen:2021-04-29 13:19:14 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash d4b10803acf444b49f2549bbf867a9f9 (7 x Quakbot)
ssdeep 6144:U0LcdcjuQ/9zoaV3EeVHq/Ca6VbrdRNXh:njuS9zoadEYHq/CjtNR
Threatray 1'350 similar samples on MalwareBazaar
TLSH D8A4BF7CFF668973E1142FF1A3C35F940A53A9D175A0610E42B11F6E3DA93D5383AA88
Reporter Libranalysis
Tags:Quakbot


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection:
QakBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/146715/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Launching a process
Modifying an executable file
Creating a process with a hidden window
Creating a window
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/702318
Signature
Allocates memory in foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has nameless sections
Sigma detected: Schedule REGSVR windows binary
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 400075 Sample: b955fcc1_by_Libranalysis Startdate: 29/04/2021 Architecture: WINDOWS Score: 96 43 Malicious sample detected (through community Yara rule) 2->43 45 Sigma detected: Schedule REGSVR windows binary 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 2 other signatures 2->49 8 loaddll32.exe 1 2->8         started        11 regsvr32.exe 2->11         started        13 regsvr32.exe 2->13         started        process3 signatures4 51 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->51 53 Injects code into the Windows Explorer (explorer.exe) 8->53 55 Maps a DLL or memory area into another process 8->55 15 cmd.exe 1 8->15         started        17 rundll32.exe 8->17         started        19 explorer.exe 8 1 8->19         started        22 regsvr32.exe 11->22         started        24 regsvr32.exe 13->24         started        process5 file6 26 rundll32.exe 15->26         started        29 explorer.exe 17->29         started        41 C:\Users\...\b955fcc1_by_Libranalysis.dll, PE32 19->41 dropped 31 schtasks.exe 1 19->31         started        33 WerFault.exe 20 9 22->33         started        35 WerFault.exe 9 24->35         started        process7 signatures8 57 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 26->57 59 Injects code into the Windows Explorer (explorer.exe) 26->59 61 Writes to foreign memory regions 26->61 65 2 other signatures 26->65 37 explorer.exe 26->37         started        63 Uses schtasks.exe or at.exe to add and modify task schedules 29->63 39 conhost.exe 31->39         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8ff3397c5cc8c866d6c1f492ccfe88f39b3b968757a3b3c9400d85f8ca0aba55/
Threat name:
Win32.Trojan.BankerX
Create hunting rule
Status:
Malicious
First seen:
2021-04-29 13:20:29 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=r7zts7c4zdegnvwb6sjmz7ui6ontxfuhk6r3hskabwc7rsqkxjkq._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
21b5c156bc1945d334b283fe0c926e3b39c39e15bdff9cc3cf31a60a7c0e1183
Quakbot
3a50ed28be3ab77b92f1bce16b8328baeff0eec46aed4c45e53de9d64fd66b4a
Quakbot
5cb0cbdd22a0b0ec98d2e50ead97ee81dc579c963efe124a24cd2584440c93b6
Quakbot
78b8df6b5b360e6237b84a915c210d40c10ac7959f7181db8b3c84da0c745682
Quakbot
98a062850c6a8381bfc18fc967506bf71721ae6c4301a1a2894dddbf49bfc01c
Quakbot
a3658ba64eb500732cdfa46722ec26afda720f75d12b3425bc3c164ec0e8ec5e
Quakbot
a7ea628bdfde1435a4b8a1562e43cd960fcd9a98e65dfd6a81cbd1603ba9be1e
Quakbot
d0fb60a27104386f56e8062cbe2bc245057122ec27c383c187429351a32f4a18
Quakbot
e0b62cc5d8460d9854b733f65a76ec9325aeebadb50e68ef1755b2cbe7ec9fe4
Quakbot
f552c46500aa9786ae47cfbe93ab789d28e4db26bc33cd7678fa2d2cfc6cc144
Quakbot
+ 1'340 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot botnet:tr campaign:1618935072 banker stealer trojan
Link:
https://tria.ge/reports/210429-93kdjrb9cs/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Loads dropped DLL
Qakbot/Qbot
Malware Config
C2 Extraction:
140.82.49.12:443
190.85.91.154:443
96.37.113.36:993
71.41.184.10:3389
186.31.46.121:443
73.25.124.140:2222
109.12.111.14:443
24.229.150.54:995
45.32.211.207:443
45.77.117.108:443
45.77.117.108:8443
149.28.98.196:443
149.28.98.196:2222
144.202.38.185:443
144.202.38.185:995
45.32.211.207:995
207.246.116.237:995
149.28.99.97:995
45.63.107.192:2222
149.28.101.90:995
45.77.115.208:2222
45.32.211.207:8443
45.32.211.207:2222
45.77.115.208:443
207.246.116.237:443
45.77.117.108:2222
149.28.98.196:995
45.63.107.192:443
149.28.101.90:8443
24.152.219.253:995
149.28.101.90:443
149.28.101.90:2222
45.77.115.208:995
45.77.115.208:8443
207.246.77.75:8443
207.246.77.75:2222
207.246.116.237:2222
45.77.117.108:995
149.28.99.97:443
144.202.38.185:2222
207.246.77.75:995
207.246.77.75:443
207.246.116.237:8443
24.55.112.61:443
47.22.148.6:443
216.201.162.158:443
197.45.110.165:995
24.117.107.120:443
71.163.222.243:443
189.210.115.207:443
149.28.99.97:2222
45.63.107.192:995
151.205.102.42:443
75.118.1.141:443
105.198.236.101:443
72.252.201.69:443
67.8.103.21:443
136.232.34.70:443
75.67.192.125:443
72.240.200.181:2222
75.137.47.174:443
78.63.226.32:443
95.77.223.148:443
81.97.154.100:443
105.198.236.99:443
83.110.109.164:2222
50.29.166.232:995
115.133.243.6:443
27.223.92.142:995
45.46.53.140:2222
173.21.10.71:2222
71.74.12.34:443
98.252.118.134:443
76.25.142.196:443
24.226.156.153:443
47.196.192.184:443
67.165.206.193:993
73.151.236.31:443
98.192.185.86:443
24.139.72.117:443
94.59.106.186:2078
188.26.91.212:443
184.185.103.157:443
172.78.47.100:443
195.6.1.154:2222
86.190.41.156:443
108.14.4.202:443
24.43.22.219:993
86.220.62.251:2222
97.69.160.4:2222
90.65.236.181:2222
71.187.170.235:443
50.244.112.106:443
96.61.23.88:995
64.121.114.87:443
144.139.47.206:443
222.153.174.162:995
77.27.207.217:995
24.95.61.62:443
77.211.30.202:995
92.59.35.196:2222
125.62.192.220:443
195.12.154.8:443
68.186.192.69:443
75.136.40.155:443
71.117.132.169:443
96.21.251.127:2222
71.199.192.62:443
70.168.130.172:995
83.196.56.65:2222
81.214.126.173:2222
82.12.157.95:995
209.210.187.52:995
209.210.187.52:443
67.6.12.4:443
189.222.59.177:443
174.104.22.30:443
142.117.191.18:2222
189.146.183.105:443
213.60.147.140:443
196.221.207.137:995
108.46.145.30:443
187.250.238.164:995
2.7.116.188:2222
195.43.173.70:443
106.250.150.98:443
45.67.231.247:443
83.110.103.152:443
83.110.9.71:2222
78.97.207.104:443
59.90.246.200:443
80.227.5.69:443
125.63.101.62:443
86.236.77.68:2222
109.106.69.138:2222
84.72.35.226:443
217.133.54.140:32100
197.161.154.132:443
89.137.211.239:995
74.222.204.82:995
122.148.156.131:995
156.223.110.23:443
144.139.166.18:443
202.185.166.181:443
76.94.200.148:995
71.63.120.101:443
196.151.252.84:443
202.188.138.162:443
74.68.144.202:443
69.58.147.82:2078
Unpacked files
SH256 hash:
a2bacde7210d88675564106406d9c2f3b738e2b1993737cb8bf621b78a9ebf56
MD5 hash:
618fc58d489e69f8301ac45ff32b3c08
SHA1 hash:
abb211a554367a3a097c89eb9bc590ef7c3f7099
Detections:
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/d89b3cde-0241-4899-814e-d12608e0f0e3/
Parent samples :
53bd776c525c7f8998d2504fdd2454819267d9f4eb5c1ca53b9388ce5dfcdcff
8ff3397c5cc8c866d6c1f492ccfe88f39b3b968757a3b3c9400d85f8ca0aba55
27a6ed6707d1f8ef9666b759c6af8aab9bea90f1d3eb7b1cad9e7ebeadb2998d
4920b2f647aa16bd4e806c88a1af679fbfec0c6790372ceb878efa787a5e55bb
5e317f119a35d4b03733b6bbe4976b0bfaa8d0aa9fd3e8469d18ce1b7c0a45ce
4a14a8b28709afd3003beb39044bbbfde5bdffdd1f9b24f836dbaa1d73ab617f
b8027c886bcb6e314a7b45492887a108bc894429d6765bd9de3d448066e1287d
023c1c23b7560d03076bec4c717a1cc690e3538541228de0adc40421493d974d
8cbf33bfda27eae17d2290c775ab58469dbbd8fd86748088cf4760ca6ef13f5c
6a58d842dd9202b1dbb4636a80c030fd73afdbe14a9187acd6cbff4b61c8302f
a19dbb7fd21b7e2cd51d0942874d33a9cbb1ec70acba3265a6147652c8f5518d
2f7d29be2d877a68803d29ca5ca64d84d5f0e49705c1ff84f0bd5dfc91fbced9
c8d67b97aa1aa6681877091479081aa89186e3e4bab25dc3adabebf58ecc40f8
SH256 hash:
8ff3397c5cc8c866d6c1f492ccfe88f39b3b968757a3b3c9400d85f8ca0aba55
MD5 hash:
b955fcc1a2e23294929419e07c68d729
SHA1 hash:
0237b4a69d4fb58d7fc72cb78c7d94f1bb24beb9
Link:
https://www.unpac.me/results/d89b3cde-0241-4899-814e-d12608e0f0e3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.14
Link:
https://yomi.yoroi.company/submissions/8ff3397c5cc8c866d6c1f492ccfe88f39b3b968757a3b3c9400d85f8ca0aba55

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:QakBot
Create hunting rule
Author:kevoreilly
Description:QakBot Payload
Rule name:win_qakbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/146715/

Comments