MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ffd782dc0ff611a67170546287213e7ff90f9eff32faa573493c0b1d28b980b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 11



SHA256 hash: 9ffd782dc0ff611a67170546287213e7ff90f9eff32faa573493c0b1d28b980b
SHA3-384 hash: 5d938342af0011dabae7d5f1a8b1a12d10f0af9948de69f94211b51ac8d9da184d8e36efaf532261d9d04b97ee40ffb6
SHA1 hash: 5f3774bf2d9de080b8687c73607a26bd83e5324f
MD5 hash: b8fbd8b16ad9ff30ceb83a845ef9c413
humanhash: kitten-nitrogen-hamper-burger
File name: grazed.ssd
Signature: Quakbot
File size: 650'752 bytes
First seen: 2022-10-20 16:05:55 UTC
Last seen: Never
File type: DLL
MIME type: application/x-dosexec
imphash: 455a025f83c14aacc1587c0423a2e12e (2 x Quakbot)
ssdeep: 12288:Z5zUU6VCu0L4yCLtaNExGapWYKv38Wy9XRHPh3M4B90U6Zt:fQhVCPnCoApOv3Z2hxM4BKZ
Threatray: 1'556 similar samples on MalwareBazaar
TLSH: T1A5D49F32F3A14837D072AAFE9D1F52AC582A7D162D38A44677D41E8C5F37291362B387
TrID: 47.6% (.EXE) Win32 Executable Delphi generic (14182/79/4)
      15.1% (.EXE) Win32 Executable (generic) (4505/5/1)
      10.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
      6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
      6.8% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter: pr0xylife
Tags: BB04 dll Qakbot Quakbot

Intelligence


File Origin
# of uploads: 1
# of downloads: 271
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Creating a window
Launching a process
Searching for synchronization primitives
Modifying an executable file
Unauthorized injection to a system process
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware keylogger packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name: Win32.Backdoor.Quakbot
Status: Malicious
First seen: 2022-10-20 17:12:50 UTC
File Type: PE (Dll)
Extracted files: 38
AV detection: 18 of 26 (69.23%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:qakbot botnet:bb04 campaign:1666265103 banker stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Program crash
Qakbot/Qbot
Malware Config
C2 Extraction:
102.156.82.38:995
152.170.17.136:443
216.131.22.236:995
70.173.248.13:443
14.246.151.175:443
160.179.32.101:995
118.175.242.26:995
186.188.80.202:443
41.69.181.145:443
156.220.14.160:993
201.68.209.47:32101
206.1.172.1:443
156.217.185.90:995
190.74.4.20:443
217.78.49.161:443
154.181.199.80:995
200.233.108.153:993
175.205.2.54:443
198.2.51.242:993
181.164.194.228:443
197.204.180.90:443
201.210.121.49:2222
144.202.15.58:443
41.228.249.243:995
200.155.61.245:995
45.230.169.132:995
197.206.119.7:443
193.3.19.137:443
41.105.5.123:443
103.156.237.170:443
73.96.24.39:443
201.210.119.28:993
136.232.184.134:995
105.105.0.165:443
190.193.180.228:443
190.204.101.210:2222
190.33.87.140:443
200.93.11.28:2222
181.56.171.3:995
181.168.145.94:443
94.36.5.31:443
5.163.177.234:443
167.58.254.85:443
191.84.67.34:443
41.99.101.231:443
206.1.233.138:443
58.186.75.42:443
206.1.181.103:443
181.141.3.126:443
187.143.131.190:2222
82.12.196.197:443
200.44.222.59:2222
105.99.146.94:443
187.198.16.39:443
197.2.227.65:443
201.171.199.216:443
105.108.252.186:443
186.213.214.13:2222
85.242.200.96:443
41.97.228.210:443
105.158.71.149:443
41.62.218.170:443
105.103.39.73:443
206.1.233.162:2087
190.203.116.63:2222
152.171.41.171:443
78.179.135.247:443
41.141.216.137:995
200.155.61.245:443
167.58.86.35:995
105.96.250.243:443
189.110.3.60:2222
41.100.121.175:443
41.143.221.72:443
41.111.121.4:995
160.177.88.185:443
41.100.94.61:443
72.88.245.71:443
41.101.153.206:443
41.103.68.151:443
177.152.65.142:443
42.116.54.220:443
181.197.41.173:443
160.177.145.229:443
179.105.126.196:995
2.152.181.194:995
125.26.173.239:443
31.166.182.166:443
196.65.219.83:443
220.134.54.185:2222
202.5.53.143:443
74.141.38.107:443
78.184.31.100:443
41.104.28.115:995
68.35.151.16:443
149.126.159.254:443
109.49.47.10:80
134.35.1.15:443
220.123.29.76:443
201.223.175.208:32100
190.33.241.216:443
201.205.130.251:995
216.131.22.236:443
75.157.229.63:443
163.182.177.80:443
201.212.173.78:443
186.93.143.86:2222
106.243.197.122:443
186.188.96.197:443
181.55.106.237:443
45.184.179.188:2222
88.229.17.133:443
104.237.6.167:443
102.185.146.113:995
186.144.129.196:443
186.48.244.74:443
190.24.54.187:995
186.177.93.18:2222
Unpacked files
SHA256 hash: f10306b8b7ba8c928241dfbf9edebe9dbe5ffbc632b5f88e34a190665eb50963
MD5 hash: 5af78e3222d76a987a0844475d919a00
SHA1 hash: b0fe9767a4adad339f92979ae12e31c04b752d5b
SHA256 hash: 412ae1a99dee245fd65653bf4df2814505151a7eed501bd7cbc8e3e6010fc45e
MD5 hash: 31f4a85d35411729cc18911146db8ea0
SHA1 hash: 5fd2583e01d839abf25e05404697e667b1d5cadd
Detections: Qakbot win_qakbot_auto
SHA256 hash: 9ffd782dc0ff611a67170546287213e7ff90f9eff32faa573493c0b1d28b980b
MD5 hash: b8fbd8b16ad9ff30ceb83a845ef9c413
SHA1 hash: 5f3774bf2d9de080b8687c73607a26bd83e5324f
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments