MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c42240219e6f44459226921e87d6a314ad24ccaf67364df26f940ae544da4113. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Quakbot


Vendor detections: 10


SHA256 hash: c42240219e6f44459226921e87d6a314ad24ccaf67364df26f940ae544da4113
SHA3-384 hash: 72307da4b8507efa15225090a165e451c6a215ad0315b3a67aa8f4dbdad7177068c35253a2bc04dc96f4af7e337dfb08
SHA1 hash: 0764e79b1b590935968cfb2cbcab71f523601b0e
MD5 hash: 746d9daaaa845a5672d2db902cb37d28
humanhash: lemon-thirteen-alpha-table
File name: 1 (17)
Signature: Quakbot
File size: 4'202'448 bytes
First seen: 2020-10-05 08:10:55 UTC
Last seen: 2020-10-05 08:54:58 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 46bc8fadc9354542964a11262484657c (34 x Quakbot)
ssdeep: 6144:aId1grY0tn9cV1pZzcF0t+gydsdHWflS9klcRfw63wTcggE:aId5N7zHV762RIt
Threatray: 520 similar samples on MalwareBazaar
TLSH: C31622527A8EDE065F5F6D92C37E1799DA075A0D02B2100DB70FA24AE45F0B224F69FC
Reporter: JAMESWT_WT
Tags: Qakbot Quakbot Service lab LLC signed

Code Signing Certificate

Organisation: Service lab LLC
Issuer: Sectigo RSA Code Signing CA
Algorithm: sha256WithRSAEncryption
Valid from: Sep 4 00:00:00 2020 GMT
Valid to: Sep 4 23:59:59 2021 GMT
Serial number: 539015999E304A5952985A994F9C3A53
Intelligence: 35 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist: This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm: SHA256
Thumbprint: 7731825AEA38CFC77BA039A74417DD211ABEF2E16094072D8C2384AF1093F575
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 2
# of downloads: 109
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching a process
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary contains a suspicious time stamp
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect virtual machines (IN, VMware)
Detected unpacking (changes PE section rights)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph (ID 293012; sample "1 (17)"; start date 05/10/2020; architecture WINDOWS; score 100):
Root process 1 (17).exe is flagged with Antivirus / Scanner detection for submitted sample, Multi AV Scanner detection for submitted file, Detected unpacking (changes PE section rights) and 7 other signatures. It drops C:\Users\user\AppData\...\viwftylp.exe (PE32) together with its Zone.Identifier alternate data stream, then starts viwftylp.exe, schtasks.exe and a second 1 (17).exe instance. viwftylp.exe is flagged with Antivirus detection for dropped file, Multi AV Scanner detection for dropped file, Detected unpacking (changes PE section rights) and 6 other signatures; it starts explorer.exe (flagged: Contains functionality to compare user and computer, likely to detect sandboxes) and another viwftylp.exe instance. schtasks.exe starts conhost.exe.
Threat name: Win32.Backdoor.Quakbot
Status: Malicious
First seen: 2020-10-04 07:34:23 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 25 of 29 (86.21%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: trojan banker stealer family:qakbot
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Loads dropped DLL
Executes dropped EXE
Qakbot/Qbot
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash: c42240219e6f44459226921e87d6a314ad24ccaf67364df26f940ae544da4113
MD5 hash: 746d9daaaa845a5672d2db902cb37d28
SHA1 hash: 0764e79b1b590935968cfb2cbcab71f523601b0e

SHA256 hash: 38e13cd29d61748bb51b86010ff5f135d39aa0b0c67cf39247de6155b370b9e1
MD5 hash: 850e2116f07490becfc5a66d92cc1c71
SHA1 hash: 9386ce1c55519218b2c9972d90f3dfc09556a4c2
Detections: win_qakbot_g0 win_qakbot_auto

SHA256 hash: 7d4fba760efe7f266fb553f7594ae7bdfc2748baefe06505e7e90aa85334b6d6
MD5 hash: 40a32e73a887f2dec92293c60abbf0ef
SHA1 hash: f49c26522e72c81ea7c0f53e09dda1adcab467f1
Detections: win_qakbot_auto
Parent samples:
Note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_Quakbot_20200929
Author: abuse.ch
Description: Detects QuakBot PE

Rule name: win_qakbot_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments