MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a4bd3e694fee912bc8871b3da9302e5608b2c69e6ca1ab99bd726ccc6923edc1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Quakbot


Vendor detections: 13



SHA256 hash: a4bd3e694fee912bc8871b3da9302e5608b2c69e6ca1ab99bd726ccc6923edc1
SHA3-384 hash: a83736ea96ea32ac747053832c3c8ce08a67a75f92cfb9f7a087e95b3b416256e6012d701bcdd18a25e534e9d6cc723d
SHA1 hash: b3e5ceb0bf9c3d10e626a448afb3d06f01d6b57c
MD5 hash: 7d3c7803b0c08b9c23a918fe9bf1ac6c
humanhash: golf-mexico-butter-arkansas
File name: kaleidoscope.tmp
Signature: Quakbot
File size: 541'184 bytes
First seen: 2022-11-18 06:26:09 UTC
Last seen: 2022-11-18 07:45:27 UTC
File type: DLL
MIME type: application/x-dosexec
imphash 56f8bdaa89cf74d2e96e7a455930a4fa (2 x Quakbot)
ssdeep 12288:Sx4YGJ7FVsr0DUESxof9TQGWCIQ1HvhL3iL/wXLK:Sx4Yk7A4DUESx69MuI4vhL3tX
Threatray 1'793 similar samples on MalwareBazaar
TLSH T1EDB4E115E482C637C8BE063060E797262E385A31472E49FB57C86E3E5EB13D06E37667
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter fabjer
Tags: dll Quakbot

Intelligence


File Origin
# of uploads :
2
# of downloads :
237
Origin country :
CH
Vendor Threat Intelligence
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Launching a process
Searching for synchronization primitives
Modifying an executable file
Creating a window
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed rat
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Run temp file via regsvr32
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph: [graph image not reproduced] Behavior Graph ID: 749032, Sample: kaleidoscope.tmp.dll, Startdate: 18/11/2022, Architecture: WINDOWS, Score: 96. Process tree shown: loaddll32.exe starts rundll32.exe, cmd.exe, regsvr32.exe and 3 other processes; rundll32.exe and regsvr32.exe each start wermgr.exe; dropped file C:\Users\user\Desktop\kaleidoscope.tmp.dll (PE32).
Threat name:
Win32.Backdoor.Quakbot
Status:
Malicious
First seen:
2022-11-18 06:27:08 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:qakbot botnet:bb06 campaign:1668610672 banker stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Qakbot/Qbot
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash:
3db95d11a75e75ff31a814f639ea5e0657623f17ead0f93c1271e2fdc68b4fea
MD5 hash:
6ad19bb96ced5c170e9e589405f5e815
SHA1 hash:
2d368ecd0cbbddcc0977612e3d11ccd9fe73aebc
SHA256 hash:
21cdde03d2f11c78415f453efca0cad868cd76fd1ebd83ac6697947e94828186
MD5 hash:
55f1e255a53d638162a74e9f162ced8c
SHA1 hash:
758d169115795d98502b6c2f9443923c818c6c9c
Detections:
Qakbot win_qakbot_auto
SHA256 hash:
a4bd3e694fee912bc8871b3da9302e5608b2c69e6ca1ab99bd726ccc6923edc1
MD5 hash:
7d3c7803b0c08b9c23a918fe9bf1ac6c
SHA1 hash:
b3e5ceb0bf9c3d10e626a448afb3d06f01d6b57c
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_peb_parsing
Author:Willi Ballenthin
Rule name:QakBot
Author:kevoreilly
Description:QakBot Payload
Rule name:unpacked_qbot
Description:Detects unpacked or memory-dumped QBot samples
Rule name:win_qakbot_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.
Rule name:win_qakbot_malped
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method
Distributed via e-mail link

Comments