MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c729f364bc952590a87aa014b4e4289716ca0f2b8be27965194ce58d174087f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c729f364bc952590a87aa014b4e4289716ca0f2b8be27965194ce58d174087f2
SHA3-384 hash: 371fc08845a0250ca99311ec98dcadb579d75cbea0195c5d1645cca87c8ba8e235111df74566562621a6ba9e4ec3bd6f
SHA1 hash: d4e60d214ec848b31d770feb683a1a83adb3579d
MD5 hash: 78f012242702c5065db960e0b5056072
humanhash: uncle-michigan-mississippi-carbon
File name:startlingly.dat
Download: download sample
Signature Quakbot
Create hunting rule
File size:547'328 bytes
First seen:2022-10-24 15:15:07 UTC
Last seen:2022-10-24 16:09:22 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 4b5a5483fcf7fe55868677e5590256c9 (3 x Quakbot)
ssdeep 6144:S0shN3HmQivsnnYEiaNZPiou5g3XRLQN4GWdCh7R2NZdPqiekqRIg0Qm5bTgDn2c:S0shZU5aqo+Nvvy5bcS5g+g5N
Threatray 1'567 similar samples on MalwareBazaar
TLSH T1F0C4AF10D98519F1D199CA3FB97FDC5AC72822B9FF62774A3A4C8118A5E2282DF07707
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter pr0xylife
Tags:1666604608 BB04 dll Qakbot Quakbot

Intelligence

File Origin
# of uploads :
2
# of downloads :
230
Origin country :
n/a
Vendor Threat Intelligence
Detection:
QakBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/323478/
Detection(s):
SecuriteInfo.com.Variant.Cerbu.154619.29603.30702.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Searching for synchronization primitives
Modifying an executable file
Creating a window
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/02ba3b47-b7c2-4623-b75f-77247a1152ed
Result
Threat name:
Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1096677
Signature
Allocates memory in foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Execute DLL with spoofed extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 729322 Sample: startlingly.dat.dll Startdate: 24/10/2022 Architecture: WINDOWS Score: 88 32 Multi AV Scanner detection for submitted file 2->32 34 Yara detected Qbot 2->34 36 Sigma detected: Execute DLL with spoofed extension 2->36 38 2 other signatures 2->38 8 loaddll32.exe 1 2->8         started        process3 signatures4 48 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->48 50 Writes to foreign memory regions 8->50 52 Allocates memory in foreign processes 8->52 54 Maps a DLL or memory area into another process 8->54 11 cmd.exe 1 8->11         started        13 regsvr32.exe 8->13         started        16 rundll32.exe 8->16         started        18 2 other processes 8->18 process5 signatures6 20 rundll32.exe 11->20         started        56 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 13->56 58 Writes to foreign memory regions 13->58 60 Allocates memory in foreign processes 13->60 23 wermgr.exe 13->23         started        62 Maps a DLL or memory area into another process 16->62 25 wermgr.exe 16->25         started        process7 signatures8 40 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 20->40 42 Writes to foreign memory regions 20->42 44 Allocates memory in foreign processes 20->44 46 Maps a DLL or memory area into another process 20->46 27 wermgr.exe 8 1 20->27         started        process9 file10 30 C:\Users\user\Desktop\startlingly.dat.dll, PE32 27->30 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c729f364bc952590a87aa014b4e4289716ca0f2b8be27965194ce58d174087f2/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-10-24 16:10:06 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
22 of 40 (55.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=y4u7gzf4suszbkd2uakljzbis4lmudzlrprhszizjtsy2f2aq7za._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
290634e84d2e79107f8abf4b6943c6e900fc7efda85f3a1e83a9ac420d160d75
Quakbot
4df936e24707cbb9332c99488a20f5fa0f9e0ac5cc3a2ea4d509f3539ea79200
Quakbot
581a2c8b97a095950c90872335e30dff1355adc48781d39f5612ed44fb477c99
Quakbot
97bb01022eaa46e69d39cbddd770c5d5312b806d0b94836f96d026db1d54bf03
Quakbot
9ffd782dc0ff611a67170546287213e7ff90f9eff32faa573493c0b1d28b980b
Quakbot
+ 1'557 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot botnet:bb04 campaign:1666604608 banker stealer trojan
Link:
https://tria.ge/reports/221024-snfnbshdel/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Qakbot/Qbot
Malware Config
C2 Extraction:
222.117.141.133:443
198.2.51.242:993
27.110.134.202:995
172.117.139.142:995
144.202.15.58:443
193.3.19.137:443
208.78.220.120:443
45.230.169.132:995
102.157.250.192:995
93.156.96.171:443
41.109.170.156:995
58.247.115.126:995
200.233.108.153:995
197.204.107.51:443
201.68.209.47:32101
156.220.185.41:993
37.8.67.5:443
181.164.194.228:443
156.197.230.148:995
175.205.2.54:443
105.111.102.145:443
156.217.185.90:995
2.88.206.121:443
58.186.75.42:443
189.110.3.60:2222
190.33.241.216:443
190.207.137.189:2222
105.98.89.54:443
190.74.248.136:443
189.129.38.158:2222
190.193.180.228:443
200.109.204.20:2222
105.111.81.57:443
190.27.103.174:995
206.1.175.95:443
167.58.254.85:443
160.176.137.80:443
41.98.239.92:443
186.18.77.99:443
90.165.109.4:2222
41.107.78.169:443
105.158.78.156:443
197.0.161.64:443
149.126.159.224:443
201.208.58.92:2222
78.179.135.247:443
156.196.169.222:443
196.207.146.151:443
190.100.149.122:995
201.210.121.95:993
1.0.215.176:443
125.25.73.17:995
202.5.53.143:443
206.1.254.89:2087
102.156.162.83:443
220.134.54.185:2222
190.37.174.11:2222
176.241.48.177:443
190.29.228.61:443
72.217.105.238:443
186.188.80.134:443
41.98.4.251:443
41.101.183.90:443
94.36.5.31:443
41.100.133.221:443
41.108.69.247:443
102.184.30.42:443
102.187.63.127:995
190.33.87.140:443
187.198.16.39:443
62.46.231.64:443
186.18.210.16:443
42.116.54.220:443
197.244.204.128:443
190.203.106.109:2222
200.155.61.245:995
200.155.61.245:443
160.177.168.51:995
105.105.46.239:443
78.162.135.45:443
200.233.108.153:993
41.143.109.111:61202
91.171.72.214:32100
197.58.185.117:443
136.232.184.134:995
186.52.96.202:995
163.182.177.80:443
113.170.217.46:443
167.56.53.143:995
181.141.3.126:443
189.216.29.135:443
191.84.65.116:443
196.65.123.130:995
152.170.17.136:443
186.213.214.13:2222
216.131.22.236:995
98.207.190.55:443
186.14.70.229:443
70.173.248.13:443
41.103.187.192:443
197.253.237.2:443
206.1.212.194:443
14.54.83.15:443
103.156.237.170:443
190.206.95.220:2222
181.168.145.94:443
139.190.173.215:443
188.236.139.240:3389
62.11.227.146:443
216.106.216.209:443
207.204.120.40:443
41.103.173.10:443
197.145.137.210:995
102.185.86.69:995
85.100.25.99:443
14.246.151.175:443
41.105.5.123:443
72.88.245.71:443
41.228.249.243:995
Unpacked files
SH256 hash:
575b4d2089a0741279a29108a47668dd4394c0b6cda33cb07664d37c0177048a
MD5 hash:
ffc1c9307c4bd1fabc97c38f9d9c97fc
SHA1 hash:
bd49c18aaed18cf57932eac743137c87c358ae30
Link:
https://www.unpac.me/results/03ddebec-e800-4083-8eed-53dfcbb20e56/
SH256 hash:
58c338a6cf4f444185340e94ba66c66053b75b562ca29835bb54a157c01a8016
MD5 hash:
332721a69138186b78eaf5230e551461
SHA1 hash:
7b5aca056a13ec5263e2685447a74f54ecf53698
Detections:
Qakbot
Create hunting rule
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/03ddebec-e800-4083-8eed-53dfcbb20e56/
SH256 hash:
c729f364bc952590a87aa014b4e4289716ca0f2b8be27965194ce58d174087f2
MD5 hash:
78f012242702c5065db960e0b5056072
SHA1 hash:
d4e60d214ec848b31d770feb683a1a83adb3579d
Link:
https://www.unpac.me/results/03ddebec-e800-4083-8eed-53dfcbb20e56/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c729f364bc952590a87aa014b4e4289716ca0f2b8be27965194ce58d174087f2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/323478/

Comments