MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cbd9a472f9588a205390a6ee56722f15aaefe8364bccfeccf7a8ca04b2ec07d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cbd9a472f9588a205390a6ee56722f15aaefe8364bccfeccf7a8ca04b2ec07d1
SHA3-384 hash: e53cfbfdc06c9399d8da460ee363135acf52367549a598a3d900731e84afa2895728b977f0d2fa97e0771fb756874522
SHA1 hash: 22365a8553f3772a6a9ca890f182626b9c596c65
MD5 hash: 59264478b1f47c3c5ae623e2432ac0e5
humanhash: south-muppet-cup-bluebird
File name:cbd9a472f9588a205390a6ee56722f15aaefe8364bccfeccf7a8ca04b2ec07d1
Download: download sample
Signature Quakbot
Create hunting rule
File size:954'272 bytes
First seen:2022-05-11 11:01:51 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 2ef056f13cabaad369bfc8142f741822 (3 x Quakbot)
ssdeep 12288:SQiqrqqTZ4nAQxe/k4XZdAxz6s8I1rm9JDGQkk3CDv+3wMLDUTVScZvHsvZRzIBj:HT+Hn3Ezc6NIUXHCDv+3woAJ3+ZRMBj
Threatray 1'046 similar samples on MalwareBazaar
TLSH T1B3158E32F3E18437D1732A3C9D7B7759982A7D102D78A88A6BE50D4C0F396427D292E7
TrID 47.6% (.EXE) Win32 Executable Delphi generic (14182/79/4)
15.1% (.EXE) Win32 Executable (generic) (4505/5/1)
10.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter pr0xylife
Tags:AA dll Qakbot Quakbot

Intelligence

File Origin
# of uploads :
1
# of downloads :
295
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/269667/
Detection(s):
Win.Malware.Qbot-9943460-0
Create hunting rule

Win.Malware.Qbot-9950034-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Launching a process
Modifying an executable file
Searching for synchronization primitives
Creating a process with a hidden window
Sending a custom TCP request
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe greyware keylogger overlay packed
Link:
https://www.filescan.io/uploads/627b97d2d4bfd83491c703ed/reports/69a9b0ce-7b57-4922-ba8f-dea7e0262635/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f341f77d-9873-4af6-9482-b6b3739a9756
Result
Threat name:
CryptOne, Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/991774
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Found malware configuration
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Schedule system process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected CryptOne packer
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 624270 Sample: zXL0XuOoU2 Startdate: 11/05/2022 Architecture: WINDOWS Score: 100 63 Found malware configuration 2->63 65 Antivirus / Scanner detection for submitted sample 2->65 67 Yara detected CryptOne packer 2->67 69 4 other signatures 2->69 9 loaddll32.exe 1 2->9         started        12 regsvr32.exe 2->12         started        14 regsvr32.exe 2->14         started        process3 signatures4 71 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 9->71 73 Injects code into the Windows Explorer (explorer.exe) 9->73 75 Writes to foreign memory regions 9->75 77 2 other signatures 9->77 16 explorer.exe 8 1 9->16         started        20 cmd.exe 1 9->20         started        22 regsvr32.exe 12->22         started        24 regsvr32.exe 14->24         started        process5 file6 49 C:\Users\user\Desktop\zXL0XuOoU2.dll, PE32 16->49 dropped 51 Uses cmd line tools excessively to alter registry or file data 16->51 53 Uses schtasks.exe or at.exe to add and modify task schedules 16->53 26 schtasks.exe 1 16->26         started        28 rundll32.exe 20->28         started        55 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 22->55 57 Injects code into the Windows Explorer (explorer.exe) 22->57 59 Writes to foreign memory regions 22->59 61 2 other signatures 22->61 30 explorer.exe 8 2 22->30         started        signatures7 process8 signatures9 33 conhost.exe 26->33         started        35 WerFault.exe 20 9 28->35         started        37 explorer.exe 28->37         started        79 Uses cmd line tools excessively to alter registry or file data 30->79 39 reg.exe 1 1 30->39         started        41 reg.exe 1 1 30->41         started        43 conhost.exe 30->43         started        process10 process11 45 conhost.exe 39->45         started        47 conhost.exe 41->47         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cbd9a472f9588a205390a6ee56722f15aaefe8364bccfeccf7a8ca04b2ec07d1/
Threat name:
Win32.Trojan.PinkSbot
Create hunting rule
Status:
Malicious
First seen:
2022-05-11 11:02:09 UTC
File Type:
PE (Dll)
Extracted files:
38
AV detection:
26 of 41 (63.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zpm2i4xzlcfcau4qu3xfm4rpcwvo72bwjpgp5thxvdfajmxma7iq._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
06cfccd728289970135c714172ed359fe1075af9f2852902998e3b49e75b2099
Quakbot
4ae4b557d53199a33e8273f5fbc5007fb4b981a0687640d0282023f58fe3838f
Quakbot
b2836b4f7e90321048bbd5a6b6d61877efec98631d6357672fff9ff933f88253
Quakbot
c7c420b02b00e4a8abfb23baed70bfa3051821d5405f3183926768acd4517971
Quakbot
d52343262162d81a5c2651aa871ae1315f4bd4f35ceecde414d4445664e4f9e4
Quakbot
f8f1e802ba50a82412132f70e3094abcdc99f3daf55355a6e8639f4d23e09196
Quakbot
+ 1'036 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot botnet:aa campaign:1651732978 banker stealer trojan
Link:
https://tria.ge/reports/220511-m44r7sbafq/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Program crash
Loads dropped DLL
Qakbot/Qbot
Malware Config
C2 Extraction:
24.178.196.158:2222
91.177.173.10:995
181.208.248.227:443
103.107.113.120:443
80.11.74.81:2222
2.50.17.128:2222
148.0.57.85:443
179.179.162.9:993
37.186.54.254:995
120.150.218.241:995
176.67.56.94:443
108.60.213.141:443
208.107.221.224:443
113.53.151.59:443
58.105.167.36:50000
141.237.86.114:995
70.46.220.114:443
74.14.7.71:2222
172.115.177.204:2222
189.146.78.175:443
194.36.28.102:443
32.221.224.140:995
113.110.253.185:995
24.152.219.253:995
197.83.230.61:443
104.34.212.7:32103
47.23.89.62:993
38.70.253.226:2222
75.99.168.194:443
41.228.22.180:443
148.64.96.100:443
2.50.4.57:443
118.161.34.21:995
67.209.195.198:443
187.207.47.198:61202
140.82.49.12:443
203.122.46.130:443
217.128.122.65:2222
118.161.34.21:443
83.110.218.155:993
5.32.41.45:443
72.76.94.99:443
76.70.9.169:2222
2.34.12.8:443
92.132.172.197:2222
75.99.168.194:61201
46.107.48.202:443
103.139.243.207:990
103.87.95.133:2222
63.143.92.99:995
173.174.216.62:443
174.69.215.101:443
86.98.208.214:2222
76.25.142.196:443
45.63.1.12:443
144.202.3.39:443
144.202.3.39:995
149.28.238.199:443
45.76.167.26:995
149.28.238.199:995
140.82.63.183:995
144.202.2.175:995
45.63.1.12:995
140.82.63.183:443
144.202.2.175:443
45.76.167.26:443
173.21.10.71:2222
73.151.236.31:443
67.165.206.193:993
45.46.53.140:2222
191.99.191.28:443
180.129.20.164:995
85.246.82.244:443
149.135.101.20:443
31.35.28.29:443
187.208.0.99:443
201.142.133.198:443
82.41.63.217:443
201.172.23.68:2222
72.252.157.172:990
190.252.242.69:443
70.51.152.61:2222
90.120.65.153:2078
217.118.46.41:2222
72.252.157.172:995
39.33.170.57:995
177.102.2.175:32101
40.134.246.185:995
5.193.104.246:2222
100.1.108.246:443
24.139.72.117:443
24.55.67.176:443
187.102.135.141:2222
69.14.172.24:443
94.36.195.102:2222
89.101.97.139:443
47.156.191.217:443
179.158.105.44:443
2.191.231.178:443
37.34.253.233:443
109.12.111.14:443
41.215.148.115:995
103.157.122.130:21
93.48.80.198:995
86.195.158.178:2222
105.99.204.185:443
96.37.113.36:993
86.132.13.91:2078
183.82.103.213:443
196.203.37.215:80
89.86.33.217:443
186.64.67.8:443
67.69.166.79:2222
103.233.141.208:2222
121.74.167.191:995
190.36.233.41:2222
68.204.7.158:443
197.94.84.67:443
79.129.121.68:995
106.51.48.170:50001
72.66.116.235:995
82.152.39.39:443
72.12.115.78:22
103.139.243.207:993
89.137.52.44:443
103.246.242.202:443
191.34.199.46:443
120.61.0.220:443
98.50.191.202:443
96.45.66.216:61202
102.182.232.3:995
89.211.182.31:2222
84.241.8.23:32103
172.114.160.81:995
217.164.117.87:1194
45.9.20.200:443
47.23.89.62:995
187.172.191.97:443
24.43.99.75:443
103.88.226.30:443
182.191.92.203:995
39.44.144.64:995
45.241.254.110:993
39.57.56.19:995
121.7.223.59:2222
94.140.8.55:2222
172.114.160.81:443
39.49.69.112:995
102.65.23.65:443
103.116.178.85:995
Unpacked files
SH256 hash:
8ece4939aa614bbe96eb34360e83d5d9b211976575f06ba555675d3e9bc03a6b
MD5 hash:
23a45ed7bb72cd05ecd10abaebdd8645
SHA1 hash:
4e449040c71982a9f612b318ee47dc7c15b94a9f
Link:
https://www.unpac.me/results/eae0c9cd-7693-4650-a7c8-3848a580942e/
SH256 hash:
d3095f08ae2d3f9b31dd5696bd593e5de14b4ca665389f0d480ad12318af2682
MD5 hash:
e110303afe7c390d9130805818e3bf76
SHA1 hash:
83cd9be98486c753da2dfe8972123caf4b655785
Detections:
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/eae0c9cd-7693-4650-a7c8-3848a580942e/
Parent samples :
4ae4b557d53199a33e8273f5fbc5007fb4b981a0687640d0282023f58fe3838f
1a5dbff80ba1a6061196db8b27033a38c154d1822f6de2f9affc0631bf8e82ee
d52343262162d81a5c2651aa871ae1315f4bd4f35ceecde414d4445664e4f9e4
f8f1e802ba50a82412132f70e3094abcdc99f3daf55355a6e8639f4d23e09196
cbd9a472f9588a205390a6ee56722f15aaefe8364bccfeccf7a8ca04b2ec07d1
SH256 hash:
cbd9a472f9588a205390a6ee56722f15aaefe8364bccfeccf7a8ca04b2ec07d1
MD5 hash:
59264478b1f47c3c5ae623e2432ac0e5
SHA1 hash:
22365a8553f3772a6a9ca890f182626b9c596c65
Link:
https://www.unpac.me/results/eae0c9cd-7693-4650-a7c8-3848a580942e/
Malware family:
CryptOne
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cbd9a472f958/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cbd9a472f9588a205390a6ee56722f15aaefe8364bccfeccf7a8ca04b2ec07d1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:QakBot
Create hunting rule
Author:kevoreilly
Description:QakBot Payload
Rule name:win_qakbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/269667/

Comments