MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1cc35bebc0eb78fcf54af484936adec1603fdce672c9ac919ef5e739f3a0fd8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 11

SHA256 hash: c1cc35bebc0eb78fcf54af484936adec1603fdce672c9ac919ef5e739f3a0fd8
SHA3-384 hash: f5e079ceda5264fc9d222273d1e45841452167a03558ed5650711720704b348f84e4adecfca64f19372aba1ba0c28697
SHA1 hash: 4b55fe56e050613b110d5db2b8a8fe232a660dc7
MD5 hash: c5e7003aa6028dd3efb815b237eb8c20
humanhash: aspen-fanta-emma-oven
File name: wined.temp
Signature: Quakbot
File size: 380'928 bytes
First seen: 2022-11-18 13:22:36 UTC
Last seen: 2022-11-18 15:14:53 UTC
File type: DLL
MIME type: application/x-dosexec
imphash: b121f840f8c504d34a3856981e588e27 (4 x Quakbot)
ssdeep: 6144:l1eKK1u77wiWjvM9gaYhWawPSxipTR9K1/XseDA+sqKD9oqHs9Dz/RJhKXuz:mKzMD2gaSWcxITi/XsZ+s7pohvRJhr
Threatray: 2'115 similar samples on MalwareBazaar
TLSH: T1EB84F1A2FDE97F00C062947B429BD6B7B18B099C130BD7D74248E732F1129A55F62B2D
TrID:
  29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
  20.3% (.EXE) Win32 Executable (generic) (4505/5/1)
  9.1% (.EXE) OS/2 Executable (generic) (2029/13)
  9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter: pr0xylife
Tags: 1668752705, BB06, dll, Qakbot, Quakbot

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 294
Origin country: RU
Vendor Threat Intelligence
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating synchronization primitives
Launching a process
Searching for synchronization primitives
Modifying an executable file
Creating a window
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
96 / 100
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Gathers network related connection and port information
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Performs a network lookup / discovery via ARP
Performs a network lookup / discovery via net view
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ipconfig to lookup or modify the Windows network settings
Uses netstat to query active network connections and open ports
Uses nslookup.exe to query domains
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph ID: 749226
Sample: wined.temp.dll
Start date: 18/11/2022
Architecture: WINDOWS
Score: 96

Sample-level network contacts and signatures:
  71.31.101.183 (WINDSTREAMUS, United States)
  94.63.65.146 (VODAFONE-PT Vodafone Portugal, Portugal)
  96 other IPs or domains
  Yara detected Qbot
  C2 URLs / IPs found in malware configuration
  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Process tree (triggered signatures in brackets; network, DNS and file activity listed under the process that produced it):
loaddll32.exe
  [Overwrites code with unconditional jumps - possibly settings hooks in foreign process]
  [Maps a DLL or memory area into another process]
  +- cmd.exe
  |  +- rundll32.exe
  |       [Overwrites code with unconditional jumps - possibly settings hooks in foreign process]
  |       [Writes to foreign memory regions]
  |       [Allocates memory in foreign processes]
  |       [Maps a DLL or memory area into another process]
  |       +- wermgr.exe
  |            174.112.25.29:2222 from local port 49719 (ROGERS-COMMUNICATIONSCA, Canada)
  |            www.irs.gov
  |            irs.gov
  |            dropped: C:\Users\user\Desktop\wined.temp.dll (PE32)
  |            [Uses nslookup.exe to query domains]
  |            [Gathers network related connection and port information]
  |            [Performs a network lookup / discovery via net view]
  |            [Performs a network lookup / discovery via ARP]
  |            +- nslookup.exe
  |            |    _ldap._tcp.dc._msdcs.WORKGROUP
  |            |    8.8.8.8.in-addr.arpa
  |            |    +- conhost.exe
  |            +- ROUTE.EXE
  |            |    192.168.2.1 (unknown)
  |            |    +- conhost.exe
  |            +- net.exe
  |            |    +- conhost.exe
  |            |    +- net1.exe
  |            +- 6 other processes
  |                 +- conhost.exe (x3)
  |                 +- 2 other processes
  +- regsvr32.exe
  |    [Overwrites code with unconditional jumps - possibly settings hooks in foreign process]
  |    [Maps a DLL or memory area into another process]
  |    +- wermgr.exe
  |         [Uses nslookup.exe to query domains]
  |         [Uses netstat to query active network connections and open ports]
  |         [Uses ipconfig to lookup or modify the Windows network settings]
  |         [3 other signatures]
  +- rundll32.exe
  |    [Writes to foreign memory regions]
  |    [Allocates memory in foreign processes]
  |    +- wermgr.exe
  +- 2 other processes
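The tree above shows the chain that makes this sample easy to spot in endpoint telemetry: a DLL loader (regsvr32.exe or rundll32.exe) spawns wermgr.exe, the Windows Error Reporting binary, and that wermgr.exe then runs host and network discovery tools (nslookup.exe, ROUTE.EXE, net.exe, plus netstat and ipconfig per the signatures). A legitimately started wermgr.exe is a child of the WER service host, not of rundll32.exe, and does not run reconnaissance. The following is an added example (not MalwareBazaar or sandbox code) that encodes that chain as a detection over process-creation events; the event records are constructed to mirror the graph on this page, and the field names pid, ppid and image are an assumption about your telemetry schema.

```python
"""Flag the Qakbot-style loader -> wermgr.exe -> recon chain in process events.

Added example. SAMPLE_EVENTS is constructed to mirror the sandbox behaviour
graph on this page; it is not real sandbox or EDR output. The record fields
(pid, ppid, image) are an assumed telemetry schema.
"""
from collections import defaultdict

# Loaders the sample was executed through in the sandbox run, and the
# process it was observed injecting into.
LOADERS = {"regsvr32.exe", "rundll32.exe", "loaddll32.exe"}
INJECT_TARGET = "wermgr.exe"
# Discovery tools spawned from the injected wermgr.exe (graph + signatures).
RECON_TOOLS = {"nslookup.exe", "route.exe", "net.exe", "net1.exe",
               "netstat.exe", "ipconfig.exe", "arp.exe", "whoami.exe"}


def _basename(path):
    """Lower-cased file name of a Windows path (ROUTE.EXE -> route.exe)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_qakbot_chain(events):
    """Return findings for a list of process-creation events.

    Findings emitted:
      ("injected_loader", parent_image, "wermgr.exe") when a loader spawns wermgr.exe
      ("recon_from_wermgr", tool)                     for each recon tool that wermgr.exe runs
      ("qakbot_chain", wermgr_pid, n_tools)           when a loader-spawned wermgr.exe runs 2+ tools
    """
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    findings = []
    suspicious_wermgr = []
    for e in events:
        img = _basename(e["image"])
        parent = by_pid.get(e["ppid"])
        pimg = _basename(parent["image"]) if parent else ""
        if img == INJECT_TARGET and pimg in LOADERS:
            findings.append(("injected_loader", pimg, img))
            suspicious_wermgr.append(e["pid"])

    for wpid in suspicious_wermgr:
        # Only direct children count: net1.exe under net.exe is net.exe's doing.
        tools = sorted({_basename(c["image"]) for c in children[wpid]} & RECON_TOOLS)
        for tool in tools:
            findings.append(("recon_from_wermgr", tool))
        if len(tools) >= 2:
            findings.append(("qakbot_chain", wpid, len(tools)))
    return findings


# Constructed events: the malicious chain from the graph, then a benign
# wermgr.exe started by the WER service host with no recon activity.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\System32\rundll32.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wermgr.exe"},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\nslookup.exe"},
    {"pid": 202, "ppid": 200, "image": r"C:\Windows\System32\ROUTE.EXE"},
    {"pid": 203, "ppid": 200, "image": r"C:\Windows\System32\net.exe"},
    {"pid": 204, "ppid": 203, "image": r"C:\Windows\System32\net1.exe"},
    {"pid": 300, "ppid": 2,   "image": r"C:\Windows\System32\svchost.exe"},
    {"pid": 301, "ppid": 300, "image": r"C:\Windows\System32\wermgr.exe"},
]

if __name__ == "__main__":
    for finding in detect_qakbot_chain(SAMPLE_EVENTS):
        print(finding)
```

The parent check alone (loader spawning wermgr.exe) is already a strong signal; requiring two or more discovery tools under that wermgr.exe is what turns it into a high-confidence hit rather than a lead to triage.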
Result
Malware family:
Score:
  10/10
Tags:
family:qakbot botnet:bb06 campaign:1668752705 banker stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Qakbot/Qbot
Malware Config
C2 Extraction:
98.147.155.235:443
49.175.72.56:443
82.31.37.241:443
73.36.196.11:443
2.84.98.228:2222
188.54.79.88:995
184.153.132.82:443
74.66.134.24:443
172.117.139.142:995
12.172.173.82:990
24.64.114.59:3389
12.172.173.82:2087
78.92.133.215:443
24.64.114.59:2222
50.68.204.71:995
105.184.161.242:443
12.172.173.82:22
221.161.103.6:443
98.145.23.67:443
73.161.176.218:443
50.68.204.71:443
24.142.218.202:443
66.191.69.18:995
183.82.100.110:2222
24.49.232.96:443
70.115.104.126:995
176.151.15.101:443
93.156.103.241:443
86.217.250.15:2222
12.172.173.82:443
173.18.126.3:443
157.231.42.190:443
92.24.200.226:995
187.199.224.16:32103
213.91.235.146:443
188.4.142.139:995
199.83.165.233:443
63.248.148.87:443
58.162.223.233:443
102.159.188.241:443
12.172.173.82:50001
174.45.15.123:443
86.171.75.63:443
75.99.125.238:2222
75.158.15.211:443
79.37.204.67:443
27.110.134.202:995
12.172.173.82:993
58.247.115.126:995
181.118.183.116:443
31.167.227.31:443
2.83.62.105:443
77.126.81.208:443
174.112.25.29:2222
92.106.70.62:2222
82.121.73.56:2222
173.239.94.212:443
213.191.164.70:443
130.43.107.232:995
12.172.173.82:995
71.46.234.170:443
109.11.175.42:2222
73.155.10.79:443
75.191.246.70:443
136.232.184.134:995
102.158.245.248:995
47.176.30.75:443
154.247.94.160:32103
103.141.50.117:995
69.119.123.159:2222
87.223.80.45:443
75.143.236.149:443
74.92.243.113:50000
74.33.84.227:443
86.225.214.138:2222
75.98.154.19:443
117.186.222.30:993
84.113.121.103:443
188.176.170.61:443
121.122.99.151:995
183.87.31.34:443
83.110.223.247:443
86.99.15.243:2222
78.69.251.252:2222
103.55.67.180:443
47.229.96.60:443
84.209.52.11:443
174.112.25.29:2078
84.35.26.14:995
99.253.115.160:443
68.47.128.161:443
87.65.160.87:995
172.90.139.138:2222
86.175.128.143:443
12.172.173.82:465
71.247.10.63:2083
47.41.154.250:443
71.31.101.183:443
81.229.117.95:2222
41.35.196.18:995
91.169.12.198:32100
94.63.65.146:443
80.13.179.151:2222
64.207.237.118:443
24.206.27.39:443
170.253.25.35:443
157.231.42.190:995
170.249.59.153:443
174.101.111.4:443
23.240.47.58:995
94.70.37.145:2222
72.200.109.104:443
99.229.146.120:443
158.62.157.184:443
184.155.91.69:443
80.0.74.165:443
24.4.239.157:443
76.80.180.154:995
176.142.207.63:443
69.133.162.35:443
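The extracted configuration is the most directly actionable part of this entry: every line is an IP:port pair the sample will try to reach, and the sandbox run above did contact two of them (174.112.25.29:2222 and, at the sample level, 71.31.101.183 and 94.63.65.146). The ports are not all HTTPS-looking; 995, 2222, 32103, 50000 and others appear, and one address (12.172.173.82) is listed on nine different ports. The following is an added example (not MalwareBazaar tooling) that parses the list into a lookup set, summarises the port profile, and matches connection records against it, reporting exact (ip, port) hits separately from hits on a listed IP at an unlisted port. C2_EXTRACTION is a subset copied from the list above; the NETFLOW lines and their format (timestamp, src ip:port, "->", dst ip:port) are constructed for illustration.

```python
"""Match connection logs against the C2 list extracted from this sample.

Added example. C2_EXTRACTION is a subset of the "C2 Extraction" list on this
MalwareBazaar entry; NETFLOW is constructed and its format is an assumption.
"""
import ipaddress
from collections import Counter

C2_EXTRACTION = """\
98.147.155.235:443
2.84.98.228:2222
188.54.79.88:995
12.172.173.82:990
24.64.114.59:3389
12.172.173.82:2087
187.199.224.16:32103
174.112.25.29:2222
74.92.243.113:50000
71.31.101.183:443
94.63.65.146:443
"""


def parse_c2_list(text):
    """Parse 'ip:port' lines into a set of (ip, port); malformed lines are skipped."""
    c2 = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, port = line.rpartition(":")
        try:
            ip = ipaddress.ip_address(host)   # validates IPv4 and IPv6
            port = int(port)
        except ValueError:
            continue
        if 0 < port < 65536:
            c2.add((str(ip), port))
    return c2


def port_profile(c2):
    """Number of C2 listeners per port, e.g. to build a per-port allow/deny view."""
    return Counter(port for _, port in c2)


def match_flows(flows, c2):
    """Split flows into exact (ip, port) C2 hits and hits on a C2 IP at another port.

    The second bucket matters here because the same IP is listed on several
    ports in this configuration (12.172.173.82), so a listed IP on an unlisted
    port is still worth a look.
    """
    c2_ips = {ip for ip, _ in c2}
    exact, ip_only = [], []
    for line in flows:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "->":
            continue                          # not in the assumed flow format
        ts, src, _, dst = parts[:4]
        dip, _, dport = dst.rpartition(":")
        try:
            dport = int(dport)
        except ValueError:
            continue
        if (dip, dport) in c2:
            exact.append((ts, src, dip, dport))
        elif dip in c2_ips:
            ip_only.append((ts, src, dip, dport))
    return exact, ip_only


# Constructed flow records: one exact hit, one unrelated destination,
# one listed IP on an unlisted port, one more exact hit.
NETFLOW = [
    "2022-11-18T14:02:11Z 10.0.0.15:49719 -> 174.112.25.29:2222",
    "2022-11-18T14:02:12Z 10.0.0.15:49720 -> 142.250.72.36:443",
    "2022-11-18T14:03:40Z 10.0.0.22:51000 -> 12.172.173.82:8443",
    "2022-11-18T14:05:02Z 10.0.0.22:51001 -> 94.63.65.146:443",
]

if __name__ == "__main__":
    c2 = parse_c2_list(C2_EXTRACTION)
    print("ports:", dict(port_profile(c2)))
    exact, ip_only = match_flows(NETFLOW, c2)
    print("exact C2 hits:", exact)
    print("C2 IP, other port:", ip_only)
```

Because Qakbot C2 addresses in this list are largely residential ISP space (Windstream, Rogers and Vodafone appear in the sandbox contacts above), match on the full (ip, port) pair from the configuration rather than blocking the /24s around them.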
Unpacked files
SHA256 hash:
7a7fa6e8697875e41d06ad3a61e6fa93b567c3e320913a2a0b2ceed234dc9847
MD5 hash:
e3655e42adf2bb106e2c0685b04949a6
SHA1 hash:
f7a84a361766357739588446b58fe20afeec0b6e
Detections:
Qakbot win_qakbot_auto
SHA256 hash:
c1cc35bebc0eb78fcf54af484936adec1603fdce672c9ac919ef5e739f3a0fd8
MD5 hash:
c5e7003aa6028dd3efb815b237eb8c20
SHA1 hash:
4b55fe56e050613b110d5db2b8a8fe232a660dc7

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against samples uploaded to MalwareBazaar and against any suspicious process dumps those samples create. Only results from TLP:CLEAR rules are displayed.

Rule name:meth_stackstrings
Author:Willi Ballenthin
