MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b66154c1bf3c8ec382e169b80d5fb6d9b3fa46ddc01d3bc4e7e249858b4db4ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 13

Intelligence 13 IOCs YARA 5 File information Comments

SHA256 hash:	b66154c1bf3c8ec382e169b80d5fb6d9b3fa46ddc01d3bc4e7e249858b4db4ff
SHA3-384 hash:	e9ef75d145e3995dd2344d7d7a75a69b2589faac86a90ad5e129a4d0ac5803005b41875adf8ed2eac3b36c80642fc479
SHA1 hash:	510f5aa278ca95680283e4726cf7410568e4c301
MD5 hash:	a67c6ecac50fc0e8413b46534162e5be
humanhash:	mirror-mobile-virginia-fillet
File name:	191.dat
Download:	download sample
Signature	Quakbot Create hunting rule
File size:	1'556'480 bytes
First seen:	2022-06-22 13:59:15 UTC
Last seen:	Never
File type:	dll
MIME type:	application/x-dosexec
imphash	4284c161b06026d730cee3ab3bec413e (1 x Quakbot)
ssdeep	24576:J3u69EF8Cz9Z2ZYLSdjmA6E9SCOMmqw348ePlzkflMnzCJWljw:J9CN2PYoiMnz4+jw
Threatray	1'268 similar samples on MalwareBazaar
TLSH	T113757E31B2D18437E473163C9C6BB7ADA829BE112E38944B7BE45F4C1F366413A352A7
TrID	72.7% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 7.8% (.EXE) Win32 Executable (generic) (4505/5/1) 5.2% (.MZP) WinArchiver Mountable compressed Archive (3000/1) 3.6% (.EXE) Win16/32 Executable Delphi generic (2072/23) 3.5% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter	pr0xylife
Tags:	AA dll Qakbot Quakbot

Intelligence

File Origin

# of uploads :

# of downloads :

226

Origin country :

n/a

Vendor Threat Intelligence

Detection:

QakBot

Link:

https://www.capesandbox.com/analysis/282304/

Detection(s):

Win.Malware.Qakbot-9939298-1

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a window

Launching a process

Modifying an executable file

Searching for synchronization primitives

Creating a process with a hidden window

Unauthorized injection to a system process

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware keylogger packed qakbot

Link:

https://www.filescan.io/uploads/62b320a5e88d6da4ffbc7532/reports/46cc80e8-9b40-4297-9ea4-3cfe85e88fbb/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Qakbot

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/707086f6-b7f9-4f8f-b6a2-2b431fdfe7c8

Result

Threat name:

CryptOne, Qbot

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1017944

Signature

Allocates memory in foreign processes

Contains functionality to detect sleep reduction / modifications

Creates files in the system32 config directory

Encrypted powershell cmdline option found

Injects code into the Windows Explorer (explorer.exe)

Maps a DLL or memory area into another process

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Sigma detected: Schedule system process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected CryptOne packer

Yara detected Qbot

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b66154c1bf3c8ec382e169b80d5fb6d9b3fa46ddc01d3bc4e7e249858b4db4ff/

Threat name:

Win32.Backdoor.Quakbot

Status:

Malicious

First seen:

2022-06-22 14:00:12 UTC

File Type:

PE (Dll)

Extracted files:

AV detection:

18 of 26 (69.23%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wzqvjqn7hshmhaxbng4a2x5w3gz7urw5yaotxrhh4jeylc2nwt7q._file

Verdict:

malicious

Label(s):

qakbot

Result

Malware family:

qakbot

Score:

10/10

Tags:

family:qakbot botnet:obama190 campaign:1655819798 banker stealer trojan

Link:

https://tria.ge/reports/220622-rbjnsagcak/

Behaviour

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Drops file in System32 directory

Loads dropped DLL

Qakbot/Qbot

Malware Config

C2 Extraction:

100.38.242.113:995
173.21.10.71:2222
72.252.157.93:995
72.252.157.93:990
72.252.157.93:993
202.134.152.2:2222
45.241.205.91:993
90.120.209.197:2078
188.136.218.225:61202
41.228.22.180:443
76.25.142.196:443
24.178.196.158:2222
80.11.74.81:2222
69.14.172.24:443
63.143.92.99:995
83.110.94.105:443
38.70.253.226:2222
47.23.89.60:993
177.45.64.254:32101
104.34.212.7:32103
102.182.232.3:995
120.150.218.241:995
208.107.221.224:443
92.137.225.8:2222
88.251.195.142:443
24.139.72.117:443
2.34.12.8:443
24.55.67.176:443
94.59.252.166:2222
201.176.6.24:995
87.109.229.215:995
74.14.5.179:2222
86.132.14.70:2078
86.98.157.42:993
189.78.107.163:32101
108.60.213.141:443
217.128.122.65:2222
148.0.46.240:443
71.13.93.154:2222
91.177.173.10:995
81.250.191.49:2222
173.174.216.62:443
70.46.220.114:443
24.43.99.75:443
32.221.224.140:995
1.161.124.241:443
67.209.195.198:443
117.248.109.38:21
40.134.246.185:995
193.253.44.249:2222
111.125.245.116:995
5.32.41.45:443
37.34.253.233:443
179.158.105.44:443
182.191.92.203:995
172.115.177.204:2222
93.48.80.198:995
148.64.96.100:443
186.90.153.162:2222
67.165.206.193:993
191.250.120.152:443
210.246.4.69:995
39.41.59.177:995
121.7.223.45:2222
176.205.21.139:1194
196.203.37.215:80
39.52.59.14:995
31.215.70.37:443
175.145.235.37:443
197.89.11.167:443
1.161.124.241:995
84.241.8.23:32103
45.46.53.140:2222
174.69.215.101:443
81.193.30.90:443
47.156.131.10:443
187.250.202.2:443
187.208.115.219:443
187.172.164.12:443
109.12.111.14:443
201.172.23.68:2222
41.84.249.56:995
70.51.132.161:2222
162.252.222.118:443
191.34.121.84:443
113.53.152.11:443
86.195.158.178:2222
39.57.60.246:995
109.228.220.196:443
82.41.63.217:443
82.152.39.39:443
106.51.48.188:50001
103.246.242.202:443
94.36.193.176:2222
176.205.21.139:2222
41.38.167.179:995
98.50.191.202:443
190.252.242.69:443
89.101.97.139:443
185.56.243.146:443
186.105.113.65:443
39.49.69.116:995
39.44.30.209:995
68.204.15.28:443
47.157.227.70:443
187.251.132.144:22
31.35.28.29:443
148.252.128.73:443
42.103.128.35:2222
180.129.108.214:995
138.186.28.253:443
184.97.29.26:443
89.137.52.44:443
120.61.2.218:443
122.118.131.132:995
188.55.215.137:995
101.50.110.17:995
89.86.33.217:443
75.99.168.194:61201
103.91.182.114:2222
37.210.156.247:2222
58.105.167.36:50000
197.94.94.206:443
187.207.131.50:61202
76.70.9.169:2222
189.253.206.105:443
176.67.56.94:443
103.116.178.85:995
143.0.219.6:995
79.80.80.29:2222
37.186.58.115:995
96.37.113.36:993
78.101.194.193:6883
72.27.33.160:443

Unpacked files

SH256 hash:

7f1dcf6c9346d6da73d77e6a5ea430a48553d786141ee0edb038b9b4d97df702

MD5 hash:

2fe6395ae51724c8f3beba220b2346a8

SHA1 hash:

2c312c81dd84d3e5637037068006849fca15b019

Link:

https://www.unpac.me/results/2ba49f51-70d2-4bb6-a184-34dfb4f13f75/

SH256 hash:

1cfa8764c472987678175aa86d34aaf9b06bf1e7eb243b0e9abc2b512700c755

MD5 hash:

0a1b1909869db6a5d3521d757c39d5cf

SHA1 hash:

be04fbcfb11bff35332443d0e3d0d313b30548d5

Detections:

win_qakbot_auto

Link:

https://www.unpac.me/results/2ba49f51-70d2-4bb6-a184-34dfb4f13f75/

Parent samples :

414b150d1512e748414e70c380278d819616a4c4c0c0f8a1679f0264685f3cd3
b5ff7b3e2e573f000fc57ac50e27bccd05baecbe72022746f7e13ad755efa4fb
7043dc865d6c6de28e2ff6e5c7614586c739060dc6deeaa2e27a0e208ad084e2
9cfc5f8eecf8f5e91f6e7151f759f4708010139a2597b69a2d47ce24df97f74e
c0b483db178c827da049412903494593c97d8aab30035dd39b65c9618157726b
b66154c1bf3c8ec382e169b80d5fb6d9b3fa46ddc01d3bc4e7e249858b4db4ff

SH256 hash:

b66154c1bf3c8ec382e169b80d5fb6d9b3fa46ddc01d3bc4e7e249858b4db4ff

MD5 hash:

a67c6ecac50fc0e8413b46534162e5be

SHA1 hash:

510f5aa278ca95680283e4726cf7410568e4c301

Link:

https://www.unpac.me/results/2ba49f51-70d2-4bb6-a184-34dfb4f13f75/

Malware family:

QBot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b66154c1bf3c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b66154c1bf3c8ec382e169b80d5fb6d9b3fa46ddc01d3bc4e7e249858b4db4ff

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	QakBot Create hunting rule
Author:	kevoreilly
Description:	QakBot Payload

Rule name:	unpacked_qbot Create hunting rule
Description:	Detects unpacked or memory-dumped QBot samples

Rule name:	win_qakbot_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/282304/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample