MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b985e5b22bb8e8f23e53a501d795436ebc412e948ec935f6434c6737ebe38e6c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot
Vendor detections: 12



SHA256 hash: b985e5b22bb8e8f23e53a501d795436ebc412e948ec935f6434c6737ebe38e6c
SHA3-384 hash: 64deb9ddb0bf7cb2f916bc9887334369e14046246506c6e5d9112d413cd93fbb6df4452e53ff943dfebaa79d4faa8e9f
SHA1 hash: 242a6dd25950b4387713b5930cba32fc94a26d61
MD5 hash: 698f22704c0b6015fad6d7c7a8b4bc1d
humanhash: twelve-oranges-seventeen-quebec
File name: wangles.tmp
Signature: Quakbot
File size: 855'040 bytes
First seen: 2022-11-18 15:14:49 UTC
Last seen: Never
File type: DLL
MIME type: application/x-dosexec
imphash: 9d3467d46ceec8d78b0d336f023ce11c (1 x Quakbot)
ssdeep: 12288:T6F+DfZxL4+Dir8lkQ5z4hbrmKFX4GfOs5VBNYRbWAUWWvoYPiwBP:T6F+DRt4Tr8lkBhXp2QOU
Threatray: 1'801 similar samples on MalwareBazaar
TLSH: T11405AE28F900ADB3C11726778CE43A28965D2F162B15E7B76600B77B5A301F3DFA646C
TrID: 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
      13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
      6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter: abuse_ch
Tags: dll Quakbot tmp

Intelligence


File Origin
# of uploads: 1
# of downloads: 199
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Launching a process
Searching for synchronization primitives
Modifying an executable file
Creating a window
Unauthorized injection to a system process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware qakbot qbot
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 88 / 100
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Run temp file via regsvr32
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph:
Behavior Graph ID: 749326
Sample: wangles.tmp.dll
Start date: 18/11/2022
Architecture: WINDOWS
Score: 88

Sample-level signatures: Multi AV Scanner detection for submitted file; Yara detected Qbot; Sigma detected: Run temp file via regsvr32; 2 other signatures.
Sample-level network contacts: 71.31.101.183 (WINDSTREAMUS, United States); 190.100.149.122 (VTRBANDAANCHASACL, Chile); 96 other IPs or domains.

Process tree (signatures raised by each process in brackets):
loaddll32.exe (the sandbox's DLL-loading harness)  [Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Writes to foreign memory regions; Allocates memory in foreign processes; Maps a DLL or memory area into another process]
  cmd.exe
    rundll32.exe  [Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Writes to foreign memory regions; Allocates memory in foreign processes; Maps a DLL or memory area into another process]
      wermgr.exe
  regsvr32.exe  [Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Writes to foreign memory regions; Allocates memory in foreign processes]
    wermgr.exe
  rundll32.exe  [Maps a DLL or memory area into another process]
    wermgr.exe
  2 other processes
    network: 105.111.45.51:995 (ALGTEL-ASDZ, Algeria); oracle.com 138.1.33.162:443 from local port 49701 (ORACLE-BMC-31898US, United States); www.oracle.com
    dropped file: C:\Users\user\Desktop\wangles.tmp.dll (Unknown)
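The process tree shows the two loaders (regsvr32.exe and rundll32.exe) running the .tmp DLL and then each spawning wermgr.exe, the process they write memory into. wermgr.exe is normally started by svchost.exe (the Windows Error Reporting service), so its parent is the cheapest thing to check. The following is an added example in Python, not code from MalwareBazaar, the Sigma project or any sandbox vendor: it applies two checks taken from this entry to constructed process-creation records, the "Run temp file via regsvr32" hit (widened to rundll32.exe as well) and wermgr.exe having one of those loaders as its parent. The field names, rule names and sample records are assumptions made for the example, not the Sigma rule's own logic.

```python
"""Added example: toy detection logic for two behaviours reported in this
MalwareBazaar entry. Not code from MalwareBazaar, the Sigma project or any
sandbox vendor. Field names, rule names and the event records are assumptions."""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (Sysmon event 1 / Windows 4688 style)."""
    image: str          # full path of the new process
    command_line: str   # its command line
    parent_image: str   # full path of the parent process


# Loaders this entry shows running the .tmp DLL.
LOADERS = {"regsvr32.exe", "rundll32.exe"}

# A .tmp file, or .tmp.dll as the renamed sample, anywhere in the command line.
TMP_FILE = re.compile(r"\.tmp(?:\.dll)?\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Last path component, lower-cased, accepting / or \\ as separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def tmp_file_via_loader(ev: ProcessEvent) -> bool:
    """The page's 'Run temp file via regsvr32' hit, widened to rundll32."""
    return basename(ev.image) in LOADERS and bool(TMP_FILE.search(ev.command_line))


def wermgr_spawned_by_loader(ev: ProcessEvent) -> bool:
    """wermgr.exe is normally a child of svchost.exe (WerSvc); this entry shows
    regsvr32.exe / rundll32.exe starting it as the injection target."""
    return basename(ev.image) == "wermgr.exe" and basename(ev.parent_image) in LOADERS


RULES = (
    ("tmp_file_via_loader", tmp_file_via_loader),
    ("wermgr_spawned_by_loader", wermgr_spawned_by_loader),
)


def evaluate(events: List[ProcessEvent]) -> List[Tuple[str, ProcessEvent]]:
    """Return (rule_name, event) for every rule each event triggers."""
    return [(name, ev) for ev in events for name, rule in RULES if rule(ev)]


# CONSTRUCTED records mirroring the process tree above (not sandbox telemetry).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe",
                 r"regsvr32.exe C:\Users\user\AppData\Local\Temp\wangles.tmp",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r'rundll32.exe "C:\Users\user\Desktop\wangles.tmp.dll",#1',
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\wermgr.exe",
                 r"C:\Windows\System32\wermgr.exe",
                 r"C:\Windows\System32\regsvr32.exe"),
    # benign: the WER service launching wermgr.exe normally
    ProcessEvent(r"C:\Windows\System32\wermgr.exe",
                 r'C:\Windows\System32\wermgr.exe "-queuereporting"',
                 r"C:\Windows\System32\svchost.exe"),
    # benign: an installer registering a system DLL
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe",
                 r"regsvr32.exe /s C:\Windows\System32\shell32.dll",
                 r"C:\Windows\System32\msiexec.exe"),
]

if __name__ == "__main__":
    for name, ev in evaluate(SAMPLE_EVENTS):
        print(f"{name}: {ev.parent_image} -> {ev.command_line}")
```

On the constructed records the first two events trip the .tmp check and the third trips the parent check; the svchost.exe-spawned wermgr.exe and the shell32.dll registration produce nothing. In production the parent check should also tolerate WerFault.exe and svchost.exe as parents, and the .tmp check is a triage signal rather than a verdict, since installers do occasionally register DLLs from temporary paths.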
Threat name: Win32.Backdoor.Quakbot
Status: Malicious
First seen: 2022-11-17 17:45:00 UTC
File Type: PE (Dll)
AV detection: 23 of 40 (57.50%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:qakbot botnet:bb06 campaign:1668670510 banker stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Qakbot/Qbot
Malware Config
C2 Extraction:
86.225.214.138:2222
71.183.236.133:443
182.66.197.35:443
70.66.199.12:443
76.80.180.154:995
180.151.104.143:443
92.149.205.238:2222
83.110.223.247:443
183.87.31.34:443
105.103.50.1:990
103.141.50.117:995
105.103.50.1:465
105.103.50.1:22
86.130.9.167:2222
86.99.15.243:2222
90.104.22.28:2222
172.117.139.142:995
176.142.207.63:443
142.161.27.232:2222
71.247.10.63:50003
108.6.249.139:443
184.176.154.83:995
47.34.30.133:443
71.247.10.63:995
92.207.132.174:2222
89.129.109.27:2222
197.148.17.17:2078
105.111.45.51:995
12.172.173.82:21
87.202.101.164:50000
184.153.132.82:443
74.66.134.24:443
24.64.114.59:3389
73.155.10.79:443
136.232.184.134:995
105.184.161.242:443
2.14.241.33:2222
72.82.136.90:443
73.36.196.11:443
82.31.37.241:443
24.116.45.121:443
213.67.255.57:2222
90.221.5.105:443
66.191.69.18:995
175.205.2.54:443
64.121.161.102:443
41.35.196.18:995
73.230.28.7:443
176.151.15.101:443
24.64.114.59:2222
85.59.61.52:2222
157.231.42.190:443
27.110.134.202:995
49.175.72.56:443
12.172.173.82:2087
12.172.173.82:22
50.68.204.71:995
213.91.235.146:443
174.77.209.5:443
117.186.222.30:993
76.127.192.23:443
50.68.204.71:443
109.11.175.42:2222
199.83.165.233:443
45.248.169.101:443
174.0.224.214:443
151.30.53.233:443
12.172.173.82:443
181.118.183.116:443
174.45.15.123:443
77.126.81.208:443
92.106.70.62:2222
82.121.73.56:2222
173.239.94.212:443
187.199.224.16:32103
183.82.100.110:2222
190.100.149.122:995
41.62.227.225:443
75.99.125.238:2222
2.84.98.228:2222
188.24.223.55:443
79.37.204.67:443
24.228.132.224:2222
69.119.123.159:2222
47.176.30.75:443
174.104.184.149:443
58.247.115.126:995
12.172.173.82:993
102.157.69.217:995
186.52.227.51:995
98.147.155.235:443
173.32.181.236:443
172.90.139.138:2222
75.143.236.149:443
75.98.154.19:443
74.92.243.113:50000
12.172.173.82:995
58.186.75.42:443
105.103.50.1:32103
121.122.99.151:995
12.172.173.82:50001
24.49.232.96:443
85.74.158.150:2222
75.156.125.215:995
68.47.128.161:443
71.31.101.183:443
75.191.246.70:443
80.0.74.165:443
87.65.160.87:995
70.64.77.115:443
81.229.117.95:2222
47.41.154.250:443
174.60.47.98:443
186.88.53.160:2222
84.143.91.238:443
47.185.141.97:443
69.133.162.35:443
84.35.26.14:995
74.33.84.227:443
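The 119 ip:port pairs above are the endpoints carried in the sample's configuration; the addresses the behaviour graph saw contacted (71.31.101.183, 190.100.149.122 and 105.111.45.51:995) are all in this list. Before such a list goes into a blocklist it should be validated and de-duplicated, and the same host frequently appears on several ports (12.172.173.82 is listed on 21, 22, 443, 993, 995, 2087 and 50001), which argues for blocking those hosts outright rather than per tuple. The following is an added example in Python, not code from MalwareBazaar or the config extractor that produced the list; its input embeds a subset of the entries above plus three constructed lines (a duplicate, a private address and a non-numeric port) so each rejection path is exercised.

```python
"""Added example: normalise a Qakbot C2 extraction list into validated,
de-duplicated IOCs. Not code from MalwareBazaar or the config extractor."""
import ipaddress
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# A subset of the entries listed on this page, followed by three CONSTRUCTED
# lines (a duplicate, an RFC 1918 address and a non-numeric port) to exercise
# the validation paths.
SAMPLE_C2_TEXT = """\
86.225.214.138:2222
71.183.236.133:443
105.103.50.1:990
105.103.50.1:465
105.103.50.1:22
12.172.173.82:21
12.172.173.82:2087
12.172.173.82:22
12.172.173.82:443
12.172.173.82:993
12.172.173.82:995
12.172.173.82:50001
71.31.101.183:443
190.100.149.122:995
71.31.101.183:443
10.0.0.5:443
105.103.50.1:abc
"""

Endpoint = Tuple[str, int]


def parse_c2_list(text: str) -> Tuple[List[Endpoint], Dict[str, str]]:
    """Return (valid, rejected): valid is an ordered list of unique (ip, port)
    tuples, rejected maps each dropped line to the reason. IPv4 only, which is
    all this config carries; an IPv6 literal would need bracket parsing."""
    valid: List[Endpoint] = []
    seen = set()
    rejected: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        host, sep, port_s = line.rpartition(":")
        if not sep:
            rejected[line] = "no port"
            continue
        try:
            ip = ipaddress.IPv4Address(host)
        except ValueError:
            rejected[line] = "bad ip"
            continue
        if not ip.is_global:  # private, loopback, link-local, reserved
            rejected[line] = "non-global ip"
            continue
        if not port_s.isdigit() or not 1 <= int(port_s) <= 65535:
            rejected[line] = "bad port"
            continue
        key = (str(ip), int(port_s))
        if key in seen:
            rejected[line] = "duplicate"
            continue
        seen.add(key)
        valid.append(key)
    return valid, rejected


def port_histogram(entries: List[Endpoint]) -> Counter:
    """How many endpoints sit on each port (443, 995 and 2222 dominate here)."""
    return Counter(port for _, port in entries)


def hosts_with_multiple_ports(entries: List[Endpoint], minimum: int = 2) -> Dict[str, List[int]]:
    """Hosts listed on several ports; block these per host, not per tuple."""
    by_host = defaultdict(set)
    for ip, port in entries:
        by_host[ip].add(port)
    return {ip: sorted(ports) for ip, ports in by_host.items() if len(ports) >= minimum}


def to_blocklist(entries: List[Endpoint]) -> List[str]:
    """'ip:port' lines sorted numerically by address, for a deny list."""
    ordered = sorted(entries, key=lambda e: (ipaddress.IPv4Address(e[0]), e[1]))
    return [f"{ip}:{port}" for ip, port in ordered]


if __name__ == "__main__":
    ok, bad = parse_c2_list(SAMPLE_C2_TEXT)
    print(f"{len(ok)} endpoints, {len(bad)} rejected: {bad}")
    print(hosts_with_multiple_ports(ok))
    print("\n".join(to_blocklist(ok)))
```

The `is_global` check matters because extracted configs sometimes contain decoy or placeholder addresses; blocking 10.0.0.0/8 at the perimeter because a config listed it is a self-inflicted outage. Most of the hosts in a list like this are residential addresses used as proxies, so any block should carry an expiry and be re-derived from the next config rather than accumulate.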
Unpacked files
SHA256 hash: e63969a9f13c070988831fdaefa5cd9b83b3d2faa82ae8eb14fc1dce6d2c1bfc
MD5 hash: 1d1b2d7bec5abbef58298a48d867e9d3
SHA1 hash: d9ba8a210c6345a7c80f1a922712742f4df08fa8

SHA256 hash: 21aa5a09d063b3bc209460e5c78a7a33a74c31260917dcadfad7a3dfa11d77f9
MD5 hash: f97c037e94ef0b1f19dbfe12d0b6880c
SHA1 hash: 2973bd20a49c8ec4ca9d752299818056957d2937
Detections: Qakbot win_qakbot_auto

SHA256 hash: b985e5b22bb8e8f23e53a501d795436ebc412e948ec935f6434c6737ebe38e6c
MD5 hash: 698f22704c0b6015fad6d7c7a8b4bc1d
SHA1 hash: 242a6dd25950b4387713b5930cba32fc94a26d61
