MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a4fc56488ac87078bc117c3ece094d50807f307033f1ae2af582e2b8f36c329e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 11

Intelligence 11 IOCs YARA 6 File information Comments

SHA256 hash:	a4fc56488ac87078bc117c3ece094d50807f307033f1ae2af582e2b8f36c329e
SHA3-384 hash:	b7f23778b1fa9f22b9295a898935b78fc11ba21b8363c78f4021424447db1dcb968e03044f8bc03c68297c3d47920343
SHA1 hash:	4230b0fe61a13dd54fb0f9fb3dc11be9f1caebf1
MD5 hash:	8f99b72b06e280c821da6768ce038cf0
humanhash:	aspen-double-wolfram-california
File name:	cherries.dll
Download:	download sample
Signature	Quakbot Create hunting rule
File size:	761'344 bytes
First seen:	2022-10-06 15:51:36 UTC
Last seen:	Never
File type:	dll
MIME type:	application/x-dosexec
imphash	9fc5700f82859d524c68c279be8dc005 (11 x Quakbot)
ssdeep	12288:zxnt9hlMvNICAY0KEkAOl7G79JEXjGOyw3MW:tt9+JFEkAmGyj26M
Threatray	1'482 similar samples on MalwareBazaar
TLSH	T10EF49F33A2E14877D1621A7CDD3B636C94267D003B2CE94B7FE41D4D9F3A680366A297
TrID	47.6% (.EXE) Win32 Executable Delphi generic (14182/79/4) 15.1% (.EXE) Win32 Executable (generic) (4505/5/1) 10.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1) 6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23) 6.8% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter	Anonymous
Tags:	dll Quakbot

Intelligence

File Origin

# of uploads :

# of downloads :

226

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/317362/

Detection(s):

SecuriteInfo.com.Trojan.GenericKDZ.92637.5315.12965.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a window

Launching a process

DNS request

Searching for synchronization primitives

Modifying an executable file

Sending a custom TCP request

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

keylogger

Link:

https://www.filescan.io/uploads/633ef9a20d3d21420ccab0aa/reports/a73585c3-8886-4767-8494-f3da9c400721/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Qakbot

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/eef9fe59-6bce-4b8e-aa9e-6fae9b526049

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a4fc56488ac87078bc117c3ece094d50807f307033f1ae2af582e2b8f36c329e/

Threat name:

Win32.Backdoor.Quakbot

Status:

Malicious

First seen:

2022-10-06 15:52:07 UTC

File Type:

PE (Dll)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ut6fmsekzbyhrparpq7m4cknkcah6mdqgpy24kxvqlrlr43mgkpa._file

Verdict:

malicious

Label(s):

qakbot

Quakbot

3342af99da4de649883731204304827d019dcb215a150d090c7f6dfef7bf4b91

Quakbot

470754664a7e32f09d0ce3b5d17446aaaa9363f3d4d387fe272e2435851a351e

Quakbot

7777f5f15907b512286ed4758a02048a6674ad1b3d5056b866c4c823807dc6fc

Quakbot

7d9d70bdc53de103086dfc901004cfa2dc93fb25fb5c40109b63ba071107e40a

Quakbot

83cff7b2be5afc02e034ba8bd454b50796d17bca904256821511413d3e67dc43

Quakbot

95f6e67cb136c2e2b798835a017b80d0979cb526121bfb89d89977d2d69fee0a

Quakbot

cb786f48cda7665e5dd07e80672e0c5facb6b6300335561327b95e58029ea376

Quakbot

efd8c729d110e2374f5b445d501162fb8d798611aff72608e8bf86efaf092486

Quakbot

+ 1'472 additional samples on MalwareBazaar

Result

Malware family:

qakbot

Score:

10/10

Tags:

family:qakbot banker stealer trojan

Link:

https://tria.ge/reports/221006-ta2t3shgg9/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Program crash

Qakbot/Qbot

Malware Config

C2 Extraction:

156.36.22.250:12263
73.225.210.175:40922
19.138.81.187:38748
191.101.43.136:10968
145.20.244.169:39814
74.30.254.35:15530
138.94.26.23:49965
218.175.98.133:15428
181.245.40.43:1982
24.10.174.212:30807
253.219.195.173:1546
51.182.7.163:21304
191.68.117.56:28754
246.29.132.217:16625
149.181.112.217:33637
136.20.21.112:41199
80.65.15.199:35765
0.222.227.111:63041
209.240.1.52:53226
66.57.60.202:19263
204.187.37.185:59783
177.172.2.9:36791
98.78.50.99:11939
11.5.197.37:32044
75.234.214.212:7741
49.66.110.196:42474
97.107.137.246:58239
0.141.208.192:39992
185.156.9.78:29812
219.151.188.60:3622
28.86.80.9:6038
138.226.185.49:25801
99.128.65.72:12277
90.175.231.93:54035
198.125.102.127:36652
148.215.17.55:16834
211.255.222.125:38939
198.140.91.23:0
15.114.17.14:1442
56.9.100.20:53368
88.117.146.12:40265
200.215.143.195:52771
134.133.152.217:5132
227.189.195.57:42370
76.219.151.168:17454
17.1.24.235:65225
217.27.142.33:46036
13.16.220.0:0

Unpacked files

SH256 hash:

d7acf348906ff2c99c0aece101ae5a584c976a807c6eb7eee9895211a3342b1e

MD5 hash:

d844605cc0854b06a1e14f41d0ec4f85

SHA1 hash:

ea3c6ddc54d03ab7feddef4e1d3fd198008b0a28

Link:

https://www.unpac.me/results/ce3eec83-2195-480b-9032-d7df0183faea/

SH256 hash:

37ee19eaf0a3e1dee88152c3ba0673c6994e14648e381aba725e40e94337da86

MD5 hash:

0237cae59e3d959378452902faa2ccf8

SHA1 hash:

66ef4362f632fa43ac9d00107c5563b073bf9b03

Detections:

Qakbot

win_qakbot_auto

Link:

https://www.unpac.me/results/ce3eec83-2195-480b-9032-d7df0183faea/

Parent samples :

efd8c729d110e2374f5b445d501162fb8d798611aff72608e8bf86efaf092486
7777f5f15907b512286ed4758a02048a6674ad1b3d5056b866c4c823807dc6fc
305a3a87057732de16ae881a69182e79a84d5c5054d038e1c1cab3de4518c25c
7d9d70bdc53de103086dfc901004cfa2dc93fb25fb5c40109b63ba071107e40a
3342af99da4de649883731204304827d019dcb215a150d090c7f6dfef7bf4b91
83cff7b2be5afc02e034ba8bd454b50796d17bca904256821511413d3e67dc43
a4fc56488ac87078bc117c3ece094d50807f307033f1ae2af582e2b8f36c329e

SH256 hash:

a4fc56488ac87078bc117c3ece094d50807f307033f1ae2af582e2b8f36c329e

MD5 hash:

8f99b72b06e280c821da6768ce038cf0

SHA1 hash:

4230b0fe61a13dd54fb0f9fb3dc11be9f1caebf1

Link:

https://www.unpac.me/results/ce3eec83-2195-480b-9032-d7df0183faea/

Malware family:

QBot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a4fc56488ac8/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.26

Link:

https://yomi.yoroi.company/submissions/a4fc56488ac87078bc117c3ece094d50807f307033f1ae2af582e2b8f36c329e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	QakBot Create hunting rule
Author:	kevoreilly
Description:	QakBot Payload

Rule name:	unpacked_qbot Create hunting rule
Description:	Detects unpacked or memory-dumped QBot samples

Rule name:	win_qakbot_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.qakbot.

Rule name:	win_qakbot_malped Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Quakbot

DLL dll a4fc56488ac87078bc117c3ece094d50807f307033f1ae2af582e2b8f36c329e

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/317362/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample