MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bebf4177fc27714844f0e5e506637115828de7805529680d8ca19915aa7a7ac8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 9


SHA256 hash: bebf4177fc27714844f0e5e506637115828de7805529680d8ca19915aa7a7ac8
SHA3-384 hash: a12613a03d188a699661f4f2663a0cc948c08116f13474b23d025ecc109fa158f057dff105f18b23b3dc215a4815879f
SHA1 hash: d3a25362849bcef1a1630ac3a453da9b526fb1be
MD5 hash: f78dc8140535e31f6890e4ca3c2821fa
humanhash: stream-quebec-kilo-seventeen
File name: B png
Signature: Quakbot
File size: 715'306 bytes
First seen: 2022-05-16 10:17:38 UTC
Last seen: 2022-05-16 10:18:36 UTC
File type: DLL
MIME type: application/x-dosexec
imphash: df2c97204ed982b8b3e7393fd2a71059 (7 x Quakbot)
ssdeep: 12288:lD25c7bMl3XyN6VqX1bFJf44pnlG2LniES2DY0HfyHHsPNfvZRzsvBn:98Aw3CowXrJf44pnw2Ln1jY0HaHHsPNw
Threatray: 1'074 similar samples on MalwareBazaar
TLSH: T102E4AF22E3D04C77C1772A789C2B7768A839BE112D7899C72BE42D4C4F3569136362B7
TrID: 47.6% (.EXE) Win32 Executable Delphi generic (14182/79/4)
      15.1% (.EXE) Win32 Executable (generic) (4505/5/1)
      10.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
      6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
      6.8% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE): PE icon
dhash icon: 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter: JAMESWT_WT
Tags: dll Qakbot Quakbot

Intelligence


File Origin
# of uploads: 2
# of downloads: 266
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: control.exe greyware keylogger overlay packed qbot
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: CryptOne, Qbot
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Found malware configuration
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Schedule system process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected CryptOne packer
Yara detected Qbot
Behaviour
Behavior Graph (ID 627285; sample: B png; start date: 16/05/2022; architecture: WINDOWS; score: 100), recovered from the graph text as a process tree (node ids in parentheses, triggered signatures after the colon):

Sample (2): Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected CryptOne packer; 3 other signatures
  regsvr32.exe (9), started by sample
    regsvr32.exe (16): Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 3 other signatures
      explorer.exe (26): Uses cmd line tools excessively to alter registry or file data
        reg.exe (33)
          conhost.exe (45)
        reg.exe (35)
          conhost.exe (47)
        conhost.exe (37)
  loaddll32.exe (11), started by sample: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Injects code into the Windows Explorer (explorer.exe); Maps a DLL or memory area into another process; Contains functionality to detect sleep reduction / modifications
    explorer.exe (19): dropped C:\Users\user\Desktop\B png.dll (PE32); Uses cmd line tools excessively to alter registry or file data; Uses schtasks.exe or at.exe to add and modify task schedules
      schtasks.exe (29)
        conhost.exe (39)
    cmd.exe (22)
      rundll32.exe (31)
        WerFault.exe (41)
        explorer.exe (43)
  regsvr32.exe (14), started by sample
    regsvr32.exe (24)
Threat name: Win32.Backdoor.Quakbot
Status: Malicious
First seen: 2022-05-16 10:18:10 UTC
File Type: PE (Dll)
Extracted files: 62
AV detection: 22 of 26 (84.62%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:qakbot botnet:aa campaign:1652692798 banker stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Program crash
Loads dropped DLL
Qakbot/Qbot
Malware Config
C2 Extraction:
91.177.173.10:995
172.115.177.204:2222
70.46.220.114:443
24.178.196.158:2222
103.246.242.202:443
176.67.56.94:443
146.66.139.14:443
1.161.100.47:443
111.125.245.118:995
39.49.31.161:995
197.89.12.59:443
124.40.244.118:2222
37.186.54.254:995
187.207.131.50:61202
2.34.12.8:443
1.161.100.47:995
140.82.49.12:443
196.203.37.215:80
46.103.186.43:995
40.134.246.185:995
67.209.195.198:443
81.129.112.49:2078
172.114.160.81:995
120.150.218.241:995
74.14.7.71:2222
174.69.215.101:443
5.32.41.45:443
39.44.66.76:995
203.122.46.130:443
84.241.8.23:32103
148.64.96.100:443
37.210.158.242:2222
2.50.4.57:443
182.191.92.203:995
117.248.109.38:21
32.221.224.140:995
38.70.253.226:2222
41.228.22.180:443
75.99.168.194:443
37.34.253.233:443
69.14.172.24:443
217.128.122.65:2222
186.90.153.162:2222
39.52.7.77:995
43.248.68.33:2222
103.107.113.84:443
76.70.9.169:2222
72.76.94.99:443
75.99.168.194:61201
197.164.163.81:993
86.98.208.214:2222
46.107.48.202:443
144.202.2.175:995
45.76.167.26:443
144.202.3.39:995
149.28.238.199:443
149.28.238.199:995
144.202.2.175:443
45.63.1.12:443
140.82.63.183:443
140.82.63.183:995
45.63.1.12:995
144.202.3.39:443
45.76.167.26:995
173.22.32.101:443
47.23.89.60:993
92.132.172.197:2222
93.48.80.198:995
108.60.213.141:443
89.86.33.217:443
80.11.74.81:2222
179.145.13.69:32101
76.23.237.163:995
45.46.53.140:2222
73.151.236.31:443
173.21.10.71:2222
121.7.223.59:2222
208.107.221.224:443
96.37.113.36:993
200.109.56.159:2222
122.118.146.205:995
47.157.227.70:443
37.208.129.81:6883
189.146.41.43:443
102.182.232.3:995
67.165.206.193:993
90.120.65.153:2078
76.25.142.196:443
41.84.233.226:995
106.51.48.170:50001
131.0.196.234:443
197.162.117.38:995
5.193.138.70:2222
191.99.191.28:443
186.105.116.20:443
179.158.105.44:443
201.172.23.68:2222
39.44.223.101:995
109.228.220.196:443
183.82.103.213:443
78.172.99.29:443
102.65.62.196:443
103.73.101.14:995
188.50.2.220:995
103.139.243.207:990
85.246.82.244:443
187.149.227.152:443
201.142.133.198:443
187.208.122.239:443
187.213.18.52:22
190.252.242.69:443
70.51.137.64:2222
72.252.157.172:995
63.143.92.99:995
100.1.108.246:443
201.1.202.82:32101
24.139.72.117:443
109.12.111.14:443
72.252.157.172:990
187.16.64.194:2222
24.55.67.176:443
68.204.7.158:443
148.0.57.85:443
82.152.39.39:443
31.215.102.193:2078
79.129.121.68:995
189.26.55.114:443
217.165.147.77:993
89.101.97.139:443
82.41.63.217:443
86.190.159.132:443
39.41.250.39:995
121.74.167.191:995
115.164.63.113:443
86.97.247.101:2222
181.208.248.227:443
217.164.119.236:1194
41.84.248.225:443
189.253.214.159:443
86.195.158.178:2222
94.36.195.102:2222
86.97.8.200:443
83.110.93.158:443
118.172.251.136:443
120.61.3.164:443
191.251.134.129:443
173.174.216.62:443
41.38.167.179:995
58.105.167.36:50000
128.106.123.187:443
Unpacked files
SHA256 hash: 7e3753e314c1fbc164c54cc26fc57e9fa3148bc515c5b6d6b644e6a8e836585e
MD5 hash: 44c6c3f0a480c1ae10029d4b891cc225
SHA1 hash: cdaf4ec78dbfe2bc0689999de79be3f7922b07cb

SHA256 hash: 30949b22263a25152f531e8b16220a2be6a7fb3cae079618d3ccb119afd8acd9
MD5 hash: f1d47a4dc1d11b17e51419299dc282e4
SHA1 hash: ef9c0bb412113cbff26a5fed080212284c56b09d
Detections: win_qakbot_auto

SHA256 hash: bebf4177fc27714844f0e5e506637115828de7805529680d8ca19915aa7a7ac8
MD5 hash: f78dc8140535e31f6890e4ca3c2821fa
SHA1 hash: d3a25362849bcef1a1630ac3a453da9b526fb1be
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments