MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 beafeae4fa11d40d69987a45a5c654f67dbc3793f1088746771e61a2256b88e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 12

SHA256 hash: beafeae4fa11d40d69987a45a5c654f67dbc3793f1088746771e61a2256b88e3
SHA3-384 hash: db668bbdb8ea526a984534b435855006661de69f89d5014e05cc691a7fa2337d9764401bd375a45663b3c9d4478e5b75
SHA1 hash: 5a2c582c6f22ec387e2d800bd5aa85d676599932
MD5 hash: 1096fd31db8e76378bea0602fae2754b
humanhash: crazy-avocado-high-mobile
File name: april.temp
Signature: Quakbot
File size: 380'928 bytes
First seen: 2022-11-18 14:19:46 UTC
Last seen: Never
File type: DLL dll
MIME type: application/x-dosexec
imphash: b121f840f8c504d34a3856981e588e27 (4 x Quakbot)
ssdeep: 6144:l1eKK1u77wiWjvM9gaYhWawPSxipTR9K1/XNeDA+sqKD9oqHs9Dz/RJhKXuz:mKzMD2gaSWcxITi/XNZ+s7pohvRJhr
Threatray: 2'127 similar samples on MalwareBazaar
TLSH: T14D84F1A2FDE97F00C062947B429BD6B7B18B099C130BD7D74248E732F1119A55F62B2D
TrID:
  29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
  20.3% (.EXE) Win32 Executable (generic) (4505/5/1)
  9.1% (.EXE) OS/2 Executable (generic) (2029/13)
  9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter: mikegmcg
Tags: dll qbot Quakbot

Intelligence


File Origin
# of uploads: 1
# of downloads: 295
Origin country: CA
Vendor Threat Intelligence
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating synchronization primitives
Launching a process
Searching for synchronization primitives
Modifying an executable file
Sending a custom TCP request
Creating a window
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
greyware
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph:
[Behavior graph rendered as an image on the original page; recoverable details: Behavior Graph ID 749275, sample april.temp.dll, start date 18/11/2022, architecture WINDOWS, score 80. Process chain: loaddll32.exe starts cmd.exe, rundll32.exe, regsvr32.exe and 2 other processes; cmd.exe starts rundll32.exe; rundll32.exe and regsvr32.exe each start wermgr.exe. Dropped file: C:\Users\user\Desktop\april.temp.dll (PE32). Network: 71.31.101.183 (WINDSTREAMUS, United States), 94.63.65.146 (VODAFONE-PT, Portugal) and 98 other IPs or domains. Signatures on the graph: Multi AV Scanner detection for submitted file; Yara detected Qbot; C2 URLs / IPs found in malware configuration; Tries to detect sandboxes and other dynamic analysis tools; Overwrites code with unconditional jumps - possibly setting hooks in foreign process; Maps a DLL or memory area into another process; Writes to foreign memory regions; Allocates memory in foreign processes.]
Threat name:
Win32.Trojan.KBot
Status:
Malicious
First seen:
2022-11-18 14:20:11 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
16 of 26 (61.54%)
Threat level:
5/5
Result
Malware family:
Score:
10/10
Tags:
family:qakbot botnet:bb06 campaign:1668752705 banker stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Qakbot/Qbot
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash:
4678418bd4023942c0d4e143a4493da784d288bd961d92f7aac6b01341643571
MD5 hash:
c844ce939af39bce280abb33ac01ef76
SHA1 hash:
1eb6fe87165f243b2a4cf97e4bfca6abd92b2b5a
Detections:
Qakbot win_qakbot_auto
SHA256 hash:
beafeae4fa11d40d69987a45a5c654f67dbc3793f1088746771e61a2256b88e3
MD5 hash:
1096fd31db8e76378bea0602fae2754b
SHA1 hash:
5a2c582c6f22ec387e2d800bd5aa85d676599932
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: meth_stackstrings
Author: Willi Ballenthin

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Quakbot

DLL dll beafeae4fa11d40d69987a45a5c654f67dbc3793f1088746771e61a2256b88e3 (this sample)

Comments