MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bcf7164f6f8a9b8c547be09d6c50782bd622876a392cc30235d952e77b9ed638. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Quakbot


Vendor detections: 10



SHA256 hash: bcf7164f6f8a9b8c547be09d6c50782bd622876a392cc30235d952e77b9ed638
SHA3-384 hash: f5c483f37aa7f5faa4edc93c2d2e71bef1ef4b821b43d0deff04e214665224b753857890d4bf2258119ae505b01f1fde
SHA1 hash: 9f4c39aeaaafc5e739eac207b18d95997b09d489
MD5 hash: 00be7b1382dad8a823f98ca18c5e49f8
humanhash: timing-eleven-sodium-gee
File name: shark.des
Signature: Quakbot
File size: 574'464 bytes
First seen: 2022-10-18 13:06:15 UTC
Last seen: Never
File type: DLL dll
MIME type: application/x-dosexec
imphash: 901da269fb08ee80540f12ffcb2dfc6d (1 x Quakbot)
ssdeep: 6144:ypIe6W8uc0KxlK9gpC1d88LKXvAOkuL9P5Qt6frqLwYzbn4NKToC2HD9qFmq:yptV8uc0KS9gpC1GIYv9PmgfKP1KJq
Threatray: 1'545 similar samples on MalwareBazaar
TLSH: T118C4CF00B151E07AF9BF157648B986695A2DBD300718DCDBA3C49E2F8FB12D2FA31527
TrID:
  29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
  20.3% (.EXE) Win32 Executable (generic) (4505/5/1)
  9.1% (.EXE) OS/2 Executable (generic) (2029/13)
  9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter: pr0xylife
Tags: BB03 dll Qakbot Quakbot

Intelligence


File Origin
# of uploads: 1
# of downloads: 294
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating synchronization primitives
Launching a process
Searching for synchronization primitives
Modifying an executable file
Unauthorized injection to a system process
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name: Win32.Backdoor.Quakbot
Status: Malicious
First seen: 2022-10-18 13:07:10 UTC
File Type: PE (Dll)
Extracted files: 4
AV detection: 17 of 26 (65.38%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:qakbot botnet:bb03 campaign:1666073717 banker stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Qakbot/Qbot
Malware Config
C2 Extraction:
190.199.99.171:993
41.69.192.245:443
167.58.254.85:443
206.1.172.1:443
5.163.177.234:443
134.35.0.103:443
105.96.221.136:443
41.101.100.7:443
186.177.93.18:2222
78.179.135.247:443
177.205.74.14:2222
102.47.218.41:443
102.156.149.226:443
41.250.48.206:443
41.107.58.251:443
187.198.16.39:443
193.201.187.64:443
41.102.134.89:443
102.159.77.134:995
105.159.49.123:995
197.200.236.69:443
154.247.82.36:443
37.37.80.2:3389
190.11.198.76:443
197.158.87.248:443
186.188.96.197:443
82.12.196.197:443
91.171.72.214:32100
72.88.245.71:443
84.220.94.231:443
151.251.50.117:443
105.154.56.232:995
41.107.116.19:443
159.192.204.135:443
177.152.65.142:443
176.45.35.243:443
104.233.202.195:443
149.126.159.254:443
181.56.171.3:995
200.93.11.28:2222
163.182.177.80:443
72.21.109.1:443
190.193.180.228:443
190.204.112.207:2222
41.97.56.102:443
206.1.208.223:2087
41.251.219.50:443
105.111.141.73:443
190.39.218.17:443
190.100.149.122:995
196.64.70.216:443
196.89.213.40:995
181.168.145.94:443
187.101.200.186:995
41.105.245.174:443
179.25.144.177:995
94.52.127.44:443
186.18.210.16:443
102.158.215.180:443
78.183.238.79:443
197.1.50.150:443
42.189.32.186:80
14.54.83.15:443
71.239.12.136:443
112.70.141.221:443
37.245.136.135:2222
88.232.10.69:443
41.98.250.65:443
82.205.9.34:443
196.64.239.75:443
37.8.68.1:443
197.1.248.244:443
197.2.139.7:443
79.45.134.162:22
182.183.211.163:995
154.246.14.94:443
144.86.17.168:443
182.185.29.69:995
160.177.47.116:6881
181.197.41.173:443
160.248.194.147:443
85.109.221.97:443
125.25.77.249:995
125.26.173.215:443
197.10.195.7:443
45.160.33.163:443
202.170.206.61:995
96.9.66.118:995
132.251.244.227:443
113.188.13.246:443
78.181.39.116:443
1.53.101.75:443
31.201.40.194:443
197.116.178.224:443
79.155.159.177:443
181.188.164.123:443
156.221.50.226:995
41.251.15.7:990
45.240.140.233:995
189.243.187.76:443
Unpacked files
SHA256 hash: 2579ad30d3880a20e176361b6d91825f8df022ba58184e29f8c4c38468b3ae9c
MD5 hash: 917faed14dce2b2ad1b9bfc18d4728ee
SHA1 hash: f5c83477b96158f0ba9013e4f57c2184f057bb44

SHA256 hash: e66a4cf1648270e007ed9a243a495b485863c6c187a0d16a56d8235227dfac12
MD5 hash: e7df81548706e642eb57a4ed01b2b651
SHA1 hash: d632bde754c12769befe5ec8ce37c3483eebff56

SHA256 hash: 1069fbc4345ed952418673eb2c179515630a003dd55f4838c6809de3891bb970
MD5 hash: 0ad4b9c3181bbc459422418983049967
SHA1 hash: 88c9a45484a44822d96bd18b5f05a1370ab4c3df

SHA256 hash: f75e07de7ba55398ddcf51f4fbfe7b57ec72167c74d2a9bfd25f37c6cf5924d1
MD5 hash: f7b2c04269b0c3d1cb88fa5bf673708d
SHA1 hash: 76095cd90d5e16ccf8174eee717fe4a3bd67441a

SHA256 hash: dc8eab671ba36bca023d3ee32918ddb577638baf32957e9b11bb11884044f75f
MD5 hash: fc0d594a1ed89f02dc308e8e13842ca2
SHA1 hash: 646655645f4786cc7e35a3d85fed106d2a298a11

SHA256 hash: 3510f7d19a0dc9d3ab5e24847905ebc61fe240ad11ba9bfde5bf20a9f14d4257
MD5 hash: 33947063618f6f1393bbd646b2d42154
SHA1 hash: 1df98a95d5f8a9de9f6f6aeaac319b01204424eb

SHA256 hash: 0808eb8fa7fbcceb048f55822d8ffe477c91cac78423a150dd21e210778eb1bc
MD5 hash: 68c6996610c944882c9440c1c94653ad
SHA1 hash: ef8ee77385664ef365ccdc3cb8fcfe365f0754f6

SHA256 hash: f45756a71535d4d8df36c84c622353df917a5dee57b447170fd8eb2996e4f526
MD5 hash: a527a73b675c5547fb8ae7e183fdd498
SHA1 hash: 15d2acbefedb48139044cddf93d322ee626b2119
Detections: Qakbot win_qakbot_auto

SHA256 hash: 23e1c355a82040cc1aefed12727d4aa4dba67505fb1ed87a2b25ecf3adaafdfe
MD5 hash: 7b6bf73e5c5847e840de70edfcc87b26
SHA1 hash: 1c7dc4e10c1f32e74621916182530bbf43b099fe

SHA256 hash: bcf7164f6f8a9b8c547be09d6c50782bd622876a392cc30235d952e77b9ed638
MD5 hash: 00be7b1382dad8a823f98ca18c5e49f8
SHA1 hash: 9f4c39aeaaafc5e739eac207b18d95997b09d489
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: QakBot
Author: kevoreilly
Description: QakBot Payload

Rule name: unpacked_qbot
Description: Detects unpacked or memory-dumped QBot samples

Rule name: win_qakbot_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.qakbot.

Rule name: win_qakbot_malped
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.qakbot.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments