MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd66c4bda4b8314636c017ea7743a3c731723f4128d0679e438ab6883f143a27. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 11

Intelligence 11 IOCs YARA 5 File information Comments

SHA256 hash:	bd66c4bda4b8314636c017ea7743a3c731723f4128d0679e438ab6883f143a27
SHA3-384 hash:	df26326b46ee29bce2f87f843eb1a29ce47fda8f3061bbc8dcb7aea2f536f2ef7065652ac353e3385ce67995f6ac1338
SHA1 hash:	cc4c78a9ec5fa2b074bec5cb2c85f529e154cd64
MD5 hash:	48e9e0f6f6ee5aed6446fe4f9aaac2bd
humanhash:	sixteen-hawaii-eighteen-september
File name:	weakly.dat
Download:	download sample
Signature	Quakbot Create hunting rule
File size:	495'104 bytes
First seen:	2022-11-02 10:33:44 UTC
Last seen:	Never
File type:	dll
MIME type:	application/x-dosexec
imphash	e7dcd6fa677aaf88189f9519be3de2ee (2 x Quakbot)
ssdeep	12288:mIQG2dEYsv2gJEXE1DMv9/rsGPDp7O8k4:9s0pMVtPD13
TLSH	T18EB4BE03B111E232F5BA047504BD46654B2CBD2107664CEBB3C47A7A5EF16D2BE32BA7
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	Uxtal
Tags:	dll Quakbot

Intelligence

File Origin

# of uploads :

# of downloads :

224

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/327094/

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Launching a process

Searching for synchronization primitives

Modifying an executable file

Creating a window

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug greyware hacktool kbot qakbot qbot zusy

Link:

https://www.filescan.io/uploads/6362479b58409ff7bc0c883d/reports/32a3637d-58a6-45bb-979f-6862436b2e58/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Qakbot

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/31256399-51ea-49be-8a7f-2d71c5ebb13c

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bd66c4bda4b8314636c017ea7743a3c731723f4128d0679e438ab6883f143a27/

Threat name:

Win32.Backdoor.Quakbot

Status:

Malicious

First seen:

2022-11-02 10:34:08 UTC

File Type:

PE (Dll)

Extracted files:

AV detection:

21 of 25 (84.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xvtmjpnexayumnwac7vhoq5dy4yxep2bfdigphsdrk3iqpyuhitq._file

Verdict:

malicious

Label(s):

qakbot

Result

Malware family:

qakbot

Score:

10/10

Tags:

family:qakbot botnet:bb05 campaign:1667208499 banker stealer trojan

Link:

https://tria.ge/reports/221102-ml4dqabhdk/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Qakbot/Qbot

Malware Config

C2 Extraction:

174.77.209.5:443
187.0.1.74:23795
24.206.27.39:443
1.156.220.169:30723
156.216.39.119:995
58.186.75.42:443
1.156.197.160:30467
187.1.1.190:4844
186.18.210.16:443
1.181.56.171:771
90.165.109.4:2222
187.0.1.186:39742
87.57.13.215:443
187.0.1.207:52344
227.26.3.227:1
98.207.190.55:443
187.0.1.197:7017
188.49.56.189:443
102.156.160.115:443
187.0.1.24:17751
70.51.139.148:2222
187.0.1.109:34115
14.164.18.210:443
187.0.1.97:30597
205.161.22.189:443
187.0.1.151:54711
196.217.63.248:443
187.0.1.160:45243
66.37.239.222:443
24.207.97.40:443
187.0.1.59:24056
68.62.199.70:443
45.230.169.132:993

Unpacked files

SH256 hash:

09e6b492b5d91162e02f5b997aa417ec05fefe26876f0ed1c39e64577210a906

MD5 hash:

41960c83b0ed8ab337951589275b1deb

SHA1 hash:

4c37a8e13aecc699540e6902652b8eccabd135e4

Link:

https://www.unpac.me/results/349fba93-a438-40f9-9d66-8418e5a91694/

SH256 hash:

35c4103b93186237af3695c53974487bdf40b62d99a32804599a6d335853f20c

MD5 hash:

ff1df3d1018171c7b0dccdec99cbaee6

SHA1 hash:

458324c68db5eb87c6a39902d23615f3ff5984e2

Link:

https://www.unpac.me/results/349fba93-a438-40f9-9d66-8418e5a91694/

SH256 hash:

5f642c234855d80af8b660e8b4cf9c5ea196e89b224959f6d425ef4048b2828e

MD5 hash:

3816190eb3ecc0f29cbdf2b076d1c475

SHA1 hash:

33a0a03f3729dc95d74aa51b960dc3bd12265ad4

Link:

https://www.unpac.me/results/349fba93-a438-40f9-9d66-8418e5a91694/

SH256 hash:

7fe3748859c1d1e26fdefa94348a1b0384371956d37dcb443cc41fe089ac0980

MD5 hash:

4422b69dfee21253d9a0d3ae931b2498

SHA1 hash:

d5849a933708338e68d64aa25e6ec03501db2737

Detections:

Qakbot

win_qakbot_auto

Link:

https://www.unpac.me/results/349fba93-a438-40f9-9d66-8418e5a91694/

Parent samples :

68497fe4d9c25c38e9419c4d617a62fedbbe272ef2623c6d61d6794fb047338a
0686ffb62b3787e05388beb655b0d3ce446be054c36408fde8ccd3378ef36270
bd66c4bda4b8314636c017ea7743a3c731723f4128d0679e438ab6883f143a27
ef713bf53131e16f35b94accbe2544e5b5969a417a6d2a37d880913635ded18d

SH256 hash:

bd66c4bda4b8314636c017ea7743a3c731723f4128d0679e438ab6883f143a27

MD5 hash:

48e9e0f6f6ee5aed6446fe4f9aaac2bd

SHA1 hash:

cc4c78a9ec5fa2b074bec5cb2c85f529e154cd64

Link:

https://www.unpac.me/results/349fba93-a438-40f9-9d66-8418e5a91694/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/bd66c4bda4b8/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bd66c4bda4b8314636c017ea7743a3c731723f4128d0679e438ab6883f143a27

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	QakBot Create hunting rule
Author:	kevoreilly
Description:	QakBot Payload

Rule name:	unpacked_qbot Create hunting rule
Description:	Detects unpacked or memory-dumped QBot samples

Rule name:	win_qakbot_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.qakbot.

Rule name:	win_qakbot_malped Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/327094/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample