MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 972a961e826745cfd530e9d409a603ebfefd4cc687354868847cdbe785a91bc8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 972a961e826745cfd530e9d409a603ebfefd4cc687354868847cdbe785a91bc8
SHA3-384 hash: a988ba6d53839a7325cdb6ac06ce750de18f4a4ceff9d77092a209acf052c6277c09553ebd62acddc5bdde162a9b3c15
SHA1 hash: a9fae6689e38f490263f645c67b764ebda72f617
MD5 hash: 84f13b550a808dfe7ee533e627e644bf
humanhash: harry-november-bulldog-eight
File name:bucketfuls.dat
Download: download sample
Signature Quakbot
Create hunting rule
File size:430'080 bytes
First seen:2022-10-26 20:07:52 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 6c76a35d4f5abc25bb5aaed6aabd6340 (2 x Quakbot)
ssdeep 6144:eaoqvfUuG0D12UVh4whFLpxBiQdrwL4UsjewMJlEXk0DGKVjL3OehGubH+bhBrM+:eaTUuJV6YFbBiQdpeJnehGoidM6fr
Threatray 2'494 similar samples on MalwareBazaar
TLSH T1D694BE0FF8D2EF56D97E0436C6EA8052192F9A062F41CE2B232D133675136B46BB571E
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter pr0xylife
Tags:1666776460 BB04 dll Qakbot Quakbot

Intelligence

File Origin
# of uploads :
1
# of downloads :
306
Origin country :
n/a
Vendor Threat Intelligence
Detection:
QakBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/324550/
Detection(s):
SecuriteInfo.com.Win32.BotX-gen.29835.28705.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Searching for synchronization primitives
Modifying an executable file
Creating a window
DNS request
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/968cb2ff-9ec5-4d39-8a50-df7148d28c9a
Result
Threat name:
Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1098765
Signature
Allocates memory in foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Execute DLL with spoofed extension
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 731416 Sample: bucketfuls.dat.dll Startdate: 26/10/2022 Architecture: WINDOWS Score: 84 32 Multi AV Scanner detection for submitted file 2->32 34 Yara detected Qbot 2->34 36 Sigma detected: Execute DLL with spoofed extension 2->36 38 Machine Learning detection for sample 2->38 8 loaddll32.exe 1 2->8         started        process3 signatures4 44 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->44 46 Writes to foreign memory regions 8->46 48 Allocates memory in foreign processes 8->48 50 Maps a DLL or memory area into another process 8->50 11 rundll32.exe 8->11         started        14 cmd.exe 1 8->14         started        16 regsvr32.exe 8->16         started        18 2 other processes 8->18 process5 file6 52 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 11->52 54 Writes to foreign memory regions 11->54 56 Allocates memory in foreign processes 11->56 21 wermgr.exe 11->21         started        23 rundll32.exe 14->23         started        58 Maps a DLL or memory area into another process 16->58 26 wermgr.exe 16->26         started        30 C:\Users\user\Desktop\bucketfuls.dat.dll, PE32 18->30 dropped signatures7 process8 signatures9 40 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 23->40 42 Maps a DLL or memory area into another process 23->42 28 wermgr.exe 23->28         started        process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/972a961e826745cfd530e9d409a603ebfefd4cc687354868847cdbe785a91bc8/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-10-26 20:08:11 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s4vjmhucm5c47vjq5hkatjqd5p7p2tggq42uq2eeptn6pbnjdpea._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
317698c755fd1abbff417ba0a6fc256477d92bd0fdff5660140a2b89cf40e70c
Quakbot
51e133bd180f565f1d599a03570832b342d85544416216872e7d4f89afb1707b
Quakbot
581a2c8b97a095950c90872335e30dff1355adc48781d39f5612ed44fb477c99
Quakbot
8cc56be36e5dedb44e0441c05607bf8fa4e9fd1aa9b0a7e86418c38c026a7a45
Quakbot
91bd47bc55fc258b74303067c506b578ecb57d0c709aea354d83c83391e3925d
Quakbot
9ffd782dc0ff611a67170546287213e7ff90f9eff32faa573493c0b1d28b980b
Quakbot
d6b12d0f6faa99633e194fa7594f631610b563f84b8afdb371ab218e2a70b3ee
Quakbot
d9b4a518eede4f5b24c1356a6458f5207d3f94393ff317dd3195b2ff6c7f2660
Quakbot
+ 2'484 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot botnet:bb04 campaign:1666776460 banker stealer trojan
Link:
https://tria.ge/reports/221026-ywjmvaghf6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Qakbot/Qbot
Malware Config
C2 Extraction:
197.204.53.242:443
83.244.63.21:443
27.110.134.202:995
173.49.74.62:443
181.164.194.228:443
24.116.45.121:443
41.47.249.185:443
24.206.27.39:443
113.183.223.8:443
186.188.80.134:443
64.207.237.118:443
156.216.134.70:995
58.247.115.126:995
180.151.116.67:443
41.140.63.187:443
144.202.15.58:443
190.199.97.108:993
172.117.139.142:995
45.230.169.132:995
24.9.220.167:443
190.24.45.24:995
193.3.19.137:443
201.68.209.47:32101
68.62.199.70:443
167.58.254.85:443
156.197.230.148:995
175.205.2.54:443
200.233.108.153:995
105.106.60.149:443
102.159.110.79:995
2.88.206.121:443
190.193.180.228:443
216.131.22.236:995
190.37.174.11:2222
206.1.203.0:443
186.188.96.197:443
190.74.248.136:443
206.1.128.203:443
201.249.100.208:995
190.33.241.216:443
190.75.151.66:2222
198.2.51.242:993
90.165.109.4:2222
71.199.168.185:443
181.56.171.3:995
41.103.1.16:443
24.207.97.117:443
105.157.86.118:443
201.223.169.238:32100
47.14.229.4:443
70.60.142.214:2222
142.181.183.42:2222
41.62.165.152:443
41.97.205.96:443
41.97.14.60:443
151.213.183.141:995
75.84.234.68:443
186.18.210.16:443
41.96.204.196:443
64.123.103.123:443
186.48.174.77:995
152.170.17.136:443
160.176.151.70:995
78.179.135.247:443
191.33.187.192:2222
98.207.190.55:443
196.65.217.253:995
78.50.124.220:443
91.171.72.214:32100
186.154.189.162:995
101.109.44.197:995
97.92.4.205:8443
41.36.159.36:993
70.115.104.126:443
181.44.34.172:443
88.240.75.201:443
24.130.228.100:443
41.109.228.108:995
24.177.111.153:443
60.54.65.27:443
189.129.38.158:2222
190.203.51.133:2222
96.46.230.10:443
222.117.141.133:443
190.207.137.189:2222
208.78.220.120:443
105.108.223.181:443
41.104.155.245:443
65.140.11.170:443
184.159.76.47:443
105.98.223.169:443
197.0.225.39:443
41.101.193.38:443
105.155.151.29:995
196.207.146.151:443
190.37.112.223:2222
14.54.83.15:443
93.156.96.171:443
58.186.75.42:443
189.110.3.60:2222
186.18.77.99:443
41.107.78.169:443
149.126.159.224:443
156.196.169.222:443
190.100.149.122:995
1.0.215.176:443
202.5.53.143:443
206.1.199.156:2087
102.156.162.83:443
220.134.54.185:2222
88.132.109.147:443
190.29.228.61:443
41.101.183.90:443
94.36.5.31:443
102.184.30.42:443
102.187.63.127:995
190.33.87.140:443
187.198.16.39:443
62.46.231.64:443
Unpacked files
SH256 hash:
8daf6b12eeaa7b0fb5ce0c9f601e54785948a11b70d990dc7ee8a75c93647a3e
MD5 hash:
3bf534e7271e76a98bb23b33563f0826
SHA1 hash:
442d97ddb750c8e50d14ab17a1c78c8317db48c2
Detections:
Qakbot
Create hunting rule
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/8fc776f5-4b3b-48c2-ae49-ae00439e1712/
SH256 hash:
972a961e826745cfd530e9d409a603ebfefd4cc687354868847cdbe785a91bc8
MD5 hash:
84f13b550a808dfe7ee533e627e644bf
SHA1 hash:
a9fae6689e38f490263f645c67b764ebda72f617
Link:
https://www.unpac.me/results/8fc776f5-4b3b-48c2-ae49-ae00439e1712/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/972a961e826745cfd530e9d409a603ebfefd4cc687354868847cdbe785a91bc8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/324550/

Comments