MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 934cb585f33fe11bcd0e99f4df40de07eec50aae0c6d036527fc03fe6d7d0fc8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 8

SHA256 hash: 934cb585f33fe11bcd0e99f4df40de07eec50aae0c6d036527fc03fe6d7d0fc8
SHA3-384 hash: 9996068f2492379e2ee2aa13f1ae1a2b6b5b31c961ebe946d9c95c4f134b56205a3750232e27048b624d77be22f01c5f
SHA1 hash: 99cd6d47275cf9ad6253ad467f8a6de991463cfc
MD5 hash: c6cd8c7383f3777a7a469585d93a9c1f
humanhash: tango-uranus-mexico-washington
File name: 44651,6679619213.dat
Signature: Quakbot
File size: 1'320'960 bytes
First seen: 2022-04-04 14:11:16 UTC
Last seen: 2022-04-04 15:00:03 UTC
File type: DLL dll
MIME type: application/x-dosexec
imphash: 6ad62ab4906f738172064a3cd9c7d297 (2 x Quakbot)
ssdeep: 24576:tUkL9eBzf0i6kU8J7j5fsOEhdp3Bb/aO2O2jIrRr3xLZcaDBftyYkfB5Nkr2nW7I:t/
Threatray: 398 similar samples on MalwareBazaar
TLSH: T19055BFB876047CD6E66F027BDE96ACDD13B626728AC7A5CD8065B7C30563372FE02805
Reporter: pr0xylife
Tags: biden57 dll Qakbot Quakbot

Intelligence


File Origin
# of uploads: 2
# of downloads: 246
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Launching a process
Searching for synchronization primitives
Creating a window
Unauthorized injection to a system process
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 92 / 100
Signature
Allocates memory in foreign processes
Found malware configuration
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Suspicious Call by Ordinal
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph (ID: 602603; Sample: 44651,6679619213.dat; Startdate: 04/04/2022; Architecture: WINDOWS; Score: 92):
Sample: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected Qbot; 2 other signatures. Started loaddll32.exe.
loaddll32.exe: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 2 other signatures. Started regsvr32.exe, cmd.exe, explorer.exe and 3 other processes.
regsvr32.exe: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 2 other signatures. Started explorer.exe.
cmd.exe: Started rundll32.exe, which started WerFault.exe.
Threat name: Win32.Backdoor.Quakbot
Status: Malicious
First seen: 2022-04-04 14:12:08 UTC
File Type: PE (Dll)
AV detection: 22 of 26 (84.62%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:qakbot botnet:biden57 campaign:1649058178 banker stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Qakbot/Qbot
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash: 934cb585f33fe11bcd0e99f4df40de07eec50aae0c6d036527fc03fe6d7d0fc8
MD5 hash: c6cd8c7383f3777a7a469585d93a9c1f
SHA1 hash: 99cd6d47275cf9ad6253ad467f8a6de991463cfc
Please note that we are no longer able to provide a coverage score for Virus Total.
