MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1efca753dedafb2fa206085cc45583e9af9e233a3248e958a5e1ece7982837f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 5

Intelligence 5 IOCs YARA 6 File information Comments

SHA256 hash:	c1efca753dedafb2fa206085cc45583e9af9e233a3248e958a5e1ece7982837f
SHA3-384 hash:	a4a6686000dad6015e902be89019288f42d4a9d72f0cf9869e62ecbfc3d97aeb5459ec6c4ba3eb3b0d2c60f35ff64c75
SHA1 hash:	89631607e492e68ccc3b227e9dfe1b70e7fff994
MD5 hash:	ee274056a1eba6da6e98d934988a8e25
humanhash:	helium-spaghetti-cup-alaska
File name:	Overdue_1833.iso
Download:	download sample
Signature	Quakbot Create hunting rule
File size:	456'704 bytes
First seen:	2022-10-06 16:06:22 UTC
Last seen:	Never
File type:	iso
MIME type:	application/x-iso9660-image
ssdeep	6144:0tgTFlqteWTBa5WsoUReNsyLK9+8WqniKS9jyA9yjHHXsBcfmL/p+LIORL6qYFYM:y8z4TU5WsoURzN9ftniPHlQEFYM
TLSH	T135A42B86ED54DFBBC6AD81B9AA5E069F821341167F4336EB721D4190B68374333E638C
TrID	99.6% (.NULL) null bytes (2048000/1) 0.2% (.ATN) Photoshop Action (5007/6/1) 0.0% (.BIN/MACBIN) MacBinary 1 (1033/5) 0.0% (.ABR) Adobe PhotoShop Brush (1002/3) 0.0% (.SMT) Memo File Apollo Database Engine (88/84)
Reporter	pr0xylife
Tags:	iso obama210 Qakbot Quakbot

Intelligence

File Origin

# of uploads :

# of downloads :

237

Origin country :

n/a

File Archive Information

This file archive contains 3 file(s), sorted by their relevance:

File name:	Overdue.lnk
File size:	1'207 bytes
SHA256 hash:	5f0e2ea9dd2937edc742420b739775bae7d89bac5f208eefbea44200ce2698ca
MD5 hash:	dfa86146631771fbd7e584549c66d129
MIME type:	application/octet-stream
Signature	Quakbot

File name:	fearfully.dat
File size:	395'776 bytes
SHA256 hash:	051eda78705b38dc1577ef8ea4e972990d32ca7b39b4981127b2e4221d110f2a
MD5 hash:	b5cd890b8ba5f31c3f7e457f40f5d728
MIME type:	application/x-dosexec
Signature	Quakbot

File name:	1722.cmd
File size:	259 bytes
SHA256 hash:	4ce57b83a2c32680ec5c45efc486e38e6985cdcea78593882ce041940014dbfa
MD5 hash:	3c3c6861a7b06edf3d7ab40e6a239eb7
MIME type:	text/x-msdos-batch
Signature	Quakbot

Vendor Threat Intelligence

Detection(s):

TwinWave.EvilDoc.ISOICEDAllTheWayOut.20220816.UNOFFICIAL

Verdict:

No Threat

Threat level:

10/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/633efd29c9e2f3435432f288/reports/0c038483-95ff-403f-95bf-96991cb7adfc/overview

Result

Verdict:

MALICIOUS

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c1efca753dedafb2fa206085cc45583e9af9e233a3248e958a5e1ece7982837f/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=yhx4u5j55wx3f6ramcc4yrkyh2nptyrtumsi5fmklypm46mcqn7q._file

Result

Malware family:

qakbot

Score:

10/10

Tags:

family:qakbot banker stealer trojan

Link:

https://tria.ge/reports/221006-tkmg5shha7/

Behaviour

Runs ping.exe

Suspicious use of WriteProcessMemory

Loads dropped DLL

Executes dropped EXE

Malware Config

C2 Extraction:

78.94.148.92:1753
134.180.185.240:32987
201.136.101.182:38323
124.77.95.5:46163
196.90.29.190:30693
187.144.110.117:36330
10.44.33.140:65267
162.117.200.91:29984
159.254.223.192:31154
11.239.81.233:37
31.248.76.23:24072
224.77.182.18:55579
124.230.27.11:44408
205.255.39.94:54675
192.1.213.104:14212
145.3.120.239:20068
242.199.30.106:9157
243.240.195.106:42825
74.234.32.185:42698
102.51.5.67:47820
43.190.241.127:50708
29.119.168.182:51370
54.106.172.208:21101
76.55.174.209:2746
71.182.193.130:5327
111.143.132.167:9985
173.210.161.232:27188
22.155.219.162:29117
167.159.67.2:42455
80.214.112.151:9618
75.86.4.24:35165
106.146.239.56:49679
194.127.196.112:59762
64.184.233.29:48193
218.86.11.123:62100
108.87.254.103:36138
240.129.151.227:4400
96.117.66.72:0
48.220.224.248:32917
240.164.22.246:57048
224.87.85.180:40164
214.9.213.13:12523
117.180.92.184:46633
73.23.253.56:17393
162.74.55.118:4571
9.252.189.253:60714
101.200.152.191:46287
110.117.95.0:0

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/c1efca753dedafb2fa206085cc45583e9af9e233a3248e958a5e1ece7982837f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	iso_lnk Create hunting rule
Author:	tdawg

Rule name:	QakBot Create hunting rule
Author:	kevoreilly
Description:	QakBot Payload

Rule name:	SUSP_EXE_in_ISO Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects ISO files that contains an Exe file. Does not need to be malicious
Reference:	Internal Research

Rule name:	unpacked_qbot Create hunting rule
Description:	Detects unpacked or memory-dumped QBot samples

Rule name:	win_qakbot_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.qakbot.

Rule name:	win_qakbot_malped Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample