MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7a3193a0b4d514eca3ced93cec1b94d4f71c8f7d3b0693640d22c4d60ca8301. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 10



SHA256 hash: c7a3193a0b4d514eca3ced93cec1b94d4f71c8f7d3b0693640d22c4d60ca8301
SHA3-384 hash: e889154d6a92a1c8e75970e8d1b9b015415ddaf5d57d8ee3e5c3796909c38ae9f8cad1c37821ecc300b2e68e963bce03
SHA1 hash: 446a0d68ce49735dd1e187f0da61363a58a56305
MD5 hash: e691c330ebbcecd460c662a4db77ff41
humanhash: california-kitten-eleven-tennessee
File name: rvr3.dll
Signature: Quakbot
File size: 1'351'189 bytes
First seen: 2022-03-14 16:39:43 UTC
Last seen: Never
File type: DLL dll
MIME type: application/x-dosexec
imphash 668719cad512f49975304f502740133b (3 x Quakbot)
ssdeep 24576:FN8rO02p5N7Fwxkp43ahrADjlIzZGgwILKbfRR0zYl1sVp:Tz1K9T/cYl1sV
Threatray 232 similar samples on MalwareBazaar
TLSH T161558D22F3D1C97AC5761B3C9E6B729584B939111D28F4DA7AD40E8C1A379432A3E3D3
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter k3dg3___
Tags: dll qbot Quakbot ta577


k3dg3
dropped by https://bazaar.abuse.ch/sample/8742bfb1f9bcbc03abea6dbc42ed00404b0ed10aa5851c2061236ff0427cadca/

Intelligence


File Origin
# of uploads :
1
# of downloads :
231
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed qakbot
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
CryptOne Qbot
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Found malware configuration
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Suspicious Call by Ordinal
Writes to foreign memory regions
Yara detected CryptOne packer
Yara detected Qbot
Behaviour
Behavior Graph:
Behavior Graph (ID 588799; sample rvr3.dll; start date 14/03/2022; architecture WINDOWS; score 100). Signatures on the sample: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected CryptOne packer; 3 other signatures. Process chain: loaddll32.exe (Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 2 other signatures) starts cmd.exe and explorer.exe; cmd.exe starts rundll32.exe; rundll32.exe starts WerFault.exe.
Threat name:
Win32.Trojan.BotX
Status:
Malicious
First seen:
2022-03-14 16:40:12 UTC
File Type:
PE (Dll)
Extracted files:
2
AV detection:
23 of 27 (85.19%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:qakbot botnet:aa campaign:1646990106 banker stealer trojan
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Qakbot/Qbot
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash:
20e74876a42bf710192e4e4add90d8f4a3db892e4ed8f786060a75ef917c0912
MD5 hash:
e4fef8f6457cf47d20ebd0927a1d32e2
SHA1 hash:
6976549d217015e0c012d9eaae0baa741d1189d4
SHA256 hash:
d985fbab66e1761b39bf425923f8e28041bd75663cea32e1cad7b5ef91da2672
MD5 hash:
215e60133e38a89b430d242d3a8b658e
SHA1 hash:
fc458e7629c900e151ba46790bd6c07a7b99e5cd
SHA256 hash:
c7a3193a0b4d514eca3ced93cec1b94d4f71c8f7d3b0693640d22c4d60ca8301
MD5 hash:
e691c330ebbcecd460c662a4db77ff41
SHA1 hash:
446a0d68ce49735dd1e187f0da61363a58a56305
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

SHA256 27623bca3e0d24a03df309672bff84e3bc9771e420cc51e77d40e0bdd93da90d (Quakbot)
dropped
DLL dll c7a3193a0b4d514eca3ced93cec1b94d4f71c8f7d3b0693640d22c4d60ca8301 (this sample)

Dropped by: SHA256 27623bca3e0d24a03df309672bff84e3bc9771e420cc51e77d40e0bdd93da90d

Comments