MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c053795483b5ddb0176a84998a8907fa1997af0e0376275ebf34655f10b174e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot
Vendor detections: 11

SHA256 hash: c053795483b5ddb0176a84998a8907fa1997af0e0376275ebf34655f10b174e7
SHA3-384 hash: b1ff9047b5d8a3051ddc7ab712d036f4e24dca547ff3afbfd4a10b42ea39fc6348d098115f181fcce901b834f984dab6
SHA1 hash: 1d8df70dbcda228394786454f86681211139729f
MD5 hash: 8043b539a663ad49d50de454019c247f
humanhash: uncle-north-cat-march
File name: n3
Signature: Quakbot
File size: 1'153'585 bytes
First seen: 2021-11-29 13:51:22 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5d5d23d985af6616064100c4bb429c6f (1 x Quakbot)
ssdeep: 12288:bmBYAOgAXHssei9WzD2GzkJGNx/3uOTmv0R7E5:CYAOgAXHWn2GzkAx/+OTmsRE
Threatray: 390 similar samples on MalwareBazaar
TLSH: T1CC357DC1FB23EE07F7A0C43D90367FA54DDD30AB1B92A4F8B86C65E5AE8D260144A547
Reporter: Anonymous
Tags: exe Quakbot

Intelligence

File Origin
# of uploads: 1
# of downloads: 145
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: n3
Verdict: No threats detected
Analysis date: 2021-11-29 16:59:51 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
DNS request
Creating synchronization primitives
Launching a process
Modifying an executable file
Searching for synchronization primitives
Creating a process with a hidden window
Creating a window
Sending a custom TCP request
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Malware family: n/a
Score: 0/10
Tags: n/a
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: monero overlay
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 72 / 100
Signature
Allocates memory in foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Writes to foreign memory regions
Behaviour
Behavior Graph (ID: 530382; Sample: n3; Start date: 29/11/2021; Architecture: WINDOWS; Score: 72)
  Sample
    Signatures: Multi AV Scanner detection for submitted file; Machine Learning detection for sample
    -> loaddll32.exe
         Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Injects code into the Windows Explorer (explorer.exe); Maps a DLL or memory area into another process
         -> regsvr32.exe
              Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions
              -> explorer.exe
                   Dropped file: C:\Users\user\Desktop\n3.dll, MS-DOS
         -> cmd.exe
              -> rundll32.exe
                   Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 2 other signatures
                   -> explorer.exe
         -> rundll32.exe
              Signatures: Allocates memory in foreign processes; Maps a DLL or memory area into another process
              -> explorer.exe
         -> 2 other processes
              Network: 192.168.2.1 unknown unknown
              -> iexplore.exe
                   Network: edge.gycpi.b.yahoodns.net 87.248.118.23, 443, 49830, 49831 YAHOO-DEBDE United Kingdom; dart.l.doubleclick.net 142.250.180.134, 443, 49836, 49837 GOOGLEUS United States; 12 other IPs or domains
Threat name: Win32.Trojan.BotX
Status: Malicious
First seen: 2021-11-29 13:52:15 UTC
File Type: PE (Dll)
Extracted files: 1
AV detection: 19 of 28 (67.86%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:qakbot botnet:tr campaign:1637746295 banker evasion stealer trojan
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Loads dropped DLL
Qakbot/Qbot
Windows security bypass
Malware Config
C2 Extraction:
5.193.134.177:995
140.82.49.12:443
120.150.218.241:995
39.49.95.46:995
117.198.148.163:443
111.250.48.162:443
105.198.236.99:995
117.248.109.38:21
103.142.10.177:443
123.252.190.14:443
89.101.97.139:443
78.191.52.30:995
39.33.218.78:995
207.246.112.221:443
207.246.112.221:995
102.65.38.57:443
194.36.28.26:443
93.48.80.198:995
218.101.110.3:995
81.250.153.227:2222
216.238.71.31:443
89.137.52.44:443
136.232.34.70:443
173.21.10.71:2222
41.228.22.180:443
136.143.11.232:443
71.74.12.34:443
76.25.142.196:443
103.116.178.85:993
197.89.108.222:443
75.169.58.229:32100
67.165.206.193:993
73.151.236.31:443
189.135.61.226:443
176.63.117.1:22
94.60.254.81:443
200.127.27.220:465
189.175.54.178:80
100.1.119.41:443
189.147.225.12:443
50.194.160.233:443
50.194.160.233:32100
24.229.150.54:995
24.55.112.61:443
24.139.72.117:443
109.12.111.14:443
45.46.53.140:2222
2.222.167.138:443
86.123.105.31:443
111.91.87.187:443
86.8.177.143:443
86.97.10.103:443
129.208.184.37:995
220.255.25.187:2222
92.59.35.196:2222
72.252.201.34:465
209.210.95.228:443
68.186.192.69:443
187.121.105.111:995
73.171.4.177:443
27.5.4.111:2222
103.168.241.180:995
103.168.241.180:465
182.176.180.73:443
75.188.35.168:995
86.173.96.86:443
217.165.237.42:443
93.147.212.206:443
5.238.149.197:61202
72.252.201.34:995
24.152.219.253:995
96.37.113.36:993
186.64.67.17:443
45.9.20.200:2211
190.73.3.148:2222
103.150.40.76:995
68.204.7.158:443
80.6.192.58:443
65.100.174.110:8443
103.116.178.85:61200
93.48.58.123:2222
27.223.92.142:995
91.178.126.51:995
41.235.5.174:443
96.246.158.154:995
94.200.181.154:443
50.194.160.233:465
96.21.251.127:2222
216.238.71.31:995
216.238.72.121:995
216.238.72.121:443
162.244.227.45:443
75.66.88.33:443
78.153.126.175:443
206.47.134.234:2222
71.13.93.154:2083
178.239.56.80:443
63.143.92.99:995
189.223.33.109:443
71.13.93.154:6881
81.174.162.180:995
103.143.8.71:995
73.140.38.124:443
79.160.207.214:443
83.223.164.163:443
71.13.93.154:2222
115.96.64.9:995
Unpacked files
SHA256 hash: bd7bee9608b74d4301d0cbdb8a6f61bf849fef383f3df673a67b8915fd233b77
MD5 hash: 836f902da17b5c93778ad776c21fae22
SHA1 hash: f102b0254055d9a47e95062c9b4688e17306b2e7

SHA256 hash: 04734be8feb6bf332cba55d71de5b62dd9f43e4ab8f236c5799c6f9d9a0c5c90
MD5 hash: dd1d4edf9ab9f6ba12a1edd8f18ae7bc
SHA1 hash: 382686cc75283db45437ddbe3cfa4684679fbc59

SHA256 hash: c053795483b5ddb0176a84998a8907fa1997af0e0376275ebf34655f10b174e7
MD5 hash: 8043b539a663ad49d50de454019c247f
SHA1 hash: 1d8df70dbcda228394786454f86681211139729f
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via e-mail link
