MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cbea93d2d24af4fa47dfa9e359a44452f31bff6d65f194cc720684e48a2c90f5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Quakbot


Vendor detections: 11



SHA256 hash: cbea93d2d24af4fa47dfa9e359a44452f31bff6d65f194cc720684e48a2c90f5
SHA3-384 hash: 42aee0dd30b7540ffe92070f1f0403a48cd497b488c5698bd402917488f93d1f6d93fdd7ac3bd629365e85acc267dcae
SHA1 hash: 71578e1aabfe23b19fbec9091fce5c8ac1c601f1
MD5 hash: 4947a9eae6ed1531f6d3297120f104e5
humanhash: winner-echo-queen-sweet
File name:3415201png
Signature Quakbot
File size:1'090'544 bytes
First seen:2020-10-15 15:28:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c1e35a855d20d45e9c84f5bd029dd388 (154 x Quakbot)
ssdeep 6144:jRawthaHqZIMRD83d5kFICdy2cs1NbDEWZ31EylEgf9RItjKkuGInR+HlZzmr6Mh:jR2qZtOzxn2cZ+aKTrUhulLhJ9FCe
Threatray 610 similar samples on MalwareBazaar
TLSH 613512D3F9BC8471CAED287B8993523C9A9585E85D05D00B0778A9ADBDF3300FE9644B
Reporter JAMESWT_WT
Tags:Qakbot Quakbot SERVICE STREAM LIMITED signed

Code Signing Certificate

Organisation:SERVICE STREAM LIMITED
Issuer:Sectigo RSA Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:Oct 13 00:00:00 2020 GMT
Valid to:Oct 13 23:59:59 2021 GMT
Serial number: 016836311FC39FBB8E6F308BB03CC2B3
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: CAB373E2D4672BEACF4CA9C9BAF75A2182A106CCA5EA32F2FC2295848771A979
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads :
1
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching a process
Creating a window
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Threat name:
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect virtual machines (IN, VMware)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph (ID 298808, sample 3415201png, start date 15/10/2020, architecture WINDOWS, score 100), recovered as a process tree from the rendered graph:
3415201png.exe (Multi AV Scanner detection for submitted file; Yara detected Qbot; Machine Learning detection for sample; 2 other signatures; detected unpacking: changes PE section rights, overwrites its own PE header; contains functionality to detect virtual machines (IN, VMware); compares user and computer, likely to detect sandboxes)
    drops C:\Users\user\AppData\Roaming\...\waucayj.exe (PE32) and C:\Users\user\...\waucayj.exe:Zone.Identifier (ASCII)
    starts waucayj.exe, schtasks.exe and a further 3415201png.exe
        schtasks.exe starts conhost.exe
        waucayj.exe (Multi AV Scanner detection for dropped file; detected unpacking: changes PE section rights, overwrites its own PE header; 6 other signatures) starts waucayj.exe and explorer.exe
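The process tree above (PE written under AppData\Roaming, the dropped EXE executed, schtasks.exe launched by the dropper, injection into explorer.exe) is the kind of chain an endpoint detection can reconstruct from process and file telemetry. The following is an added example and not code from MalwareBazaar or the sandbox vendor: a stateful check over a constructed stream of Sysmon-like events. The event model, the launch path of the sample, the directory name under AppData\Roaming (the page elides the real one) and the schtasks command line are all constructed for the example.

```python
"""Flag the dropper chain shown in the sandbox behaviour graph above (PE
written under %AppData%\\Roaming, dropped EXE executed, scheduled task
created, code injected into explorer.exe) over a stream of Sysmon-like
events. Added example, not sandbox or MalwareBazaar code; the event model,
paths and command line below are constructed for the example."""
from dataclasses import dataclass
from typing import List


@dataclass
class Event:
    """Minimal Sysmon-style event (constructed): 1 = ProcessCreate,
    8 = CreateRemoteThread, 11 = FileCreate."""
    event_id: int
    image: str                 # process performing the action
    parent_image: str = ""     # ProcessCreate only
    target: str = ""           # file written (11) or target process image (8)
    command_line: str = ""


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_dropper_chain(events) -> List[str]:
    """Return one finding per chain step, in event order.

    State is kept across events: a process only counts as a dropper once it
    has written a PE under AppData\\Roaming in this stream, and a dropped EXE
    only counts once such a dropper wrote it. Running the dropped EXE or
    schtasks.exe without that prior write produces no finding."""
    findings = []
    dropped = set()    # lower-cased paths of PEs written under AppData\Roaming
    droppers = set()   # lower-cased images that wrote them
    for ev in events:
        image = ev.image.lower()
        parent = ev.parent_image.lower()
        if ev.event_id == 11:
            target = ev.target.lower()
            if "\\appdata\\roaming\\" in target and target.endswith(".exe"):
                dropped.add(target)
                droppers.add(image)
                findings.append(f"PE written under AppData\\Roaming by {_basename(image)}: {ev.target}")
        elif ev.event_id == 1:
            if image in dropped:
                findings.append(f"dropped EXE executed: {_basename(image)} (parent {_basename(parent)})")
            if _basename(image) in ("schtasks.exe", "at.exe") and parent in droppers | dropped:
                findings.append(f"scheduled-task persistence from {_basename(parent)}: {ev.command_line}")
        elif ev.event_id == 8:
            if image in dropped and _basename(ev.target) == "explorer.exe":
                findings.append(f"remote thread into explorer.exe from dropped EXE {_basename(image)}")
    return findings


# Constructed event stream mirroring the graph. The launch path of the sample,
# the 'Example' directory under AppData\Roaming (the page elides the real one)
# and the schtasks command line are placeholders, not values from the page.
DROPPER = r"C:\Users\user\Desktop\3415201png.exe"
DROPPED = r"C:\Users\user\AppData\Roaming\Example\waucayj.exe"

SAMPLE_EVENTS = [
    # benign: an updater writing a temp file under AppData\Local must not fire
    Event(11, r"C:\Program Files\Example\updater.exe",
          target=r"C:\Users\user\AppData\Local\Temp\u.tmp"),
    Event(11, DROPPER, target=DROPPED),
    Event(1, DROPPED, parent_image=DROPPER),
    Event(1, r"C:\Windows\System32\schtasks.exe", parent_image=DROPPER,
          command_line="schtasks /create /tn Example /tr " + DROPPED),
    Event(8, DROPPED, target=r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for finding in detect_dropper_chain(SAMPLE_EVENTS):
        print(finding)
```

The ordering requirement (write, then execute, then persist, then inject) is what keeps this from firing on ordinary software that happens to live under AppData\Roaming; a real deployment would key the state on process GUIDs rather than image paths, since the sample restarts itself under the same name.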
Threat name:
Win32.Trojan.QBot
Status:
Malicious
First seen:
2020-10-15 15:27:27 UTC
File Type:
PE (Exe)
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
trojan banker stealer family:qakbot
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Loads dropped DLL
Executes dropped EXE
Qakbot/Qbot
Malware Config
C2 Extraction:
2.89.121.99:995
89.42.142.35:443
81.133.234.36:2222
71.163.222.203:443
75.136.40.155:443
93.149.253.201:2222
71.187.170.235:443
185.19.190.81:443
196.221.61.242:443
72.28.255.159:995
45.32.162.253:443
45.32.155.12:443
45.32.155.12:2222
199.247.16.80:443
134.0.196.46:995
24.27.82.216:2222
117.218.208.239:443
68.225.60.77:443
217.162.149.212:443
71.19.217.23:443
86.123.19.94:443
86.150.215.163:2222
72.204.242.138:20
213.31.203.109:2222
72.66.47.70:443
2.50.131.64:443
86.121.121.14:2222
188.26.132.214:443
24.218.181.15:443
96.30.198.161:443
207.246.70.216:443
45.32.155.12:995
140.82.27.132:443
45.63.104.123:443
45.32.165.134:443
187.155.58.60:443
166.62.183.139:2078
103.206.112.234:443
86.126.108.242:2222
96.247.181.229:443
76.167.240.21:443
119.153.110.160:443
81.98.133.106:443
41.97.108.97:443
65.131.47.228:995
78.97.41.175:995
203.106.195.67:443
72.36.59.46:2222
117.199.5.181:443
189.231.212.189:443
5.193.181.221:2078
2.7.65.32:2222
92.14.198.173:2222
98.16.204.189:995
59.26.204.144:443
46.53.18.242:443
36.77.151.211:443
73.200.219.143:443
216.201.162.158:443
103.238.231.35:443
184.21.136.237:443
185.246.9.69:995
2.88.42.65:995
100.4.179.64:443
31.215.98.218:443
207.246.75.201:443
174.104.31.209:443
45.77.193.83:443
24.122.0.90:443
118.168.233.119:443
175.142.189.201:443
178.222.13.77:995
24.205.42.241:443
208.99.100.129:443
80.14.209.42:2222
108.5.33.110:443
71.12.214.209:2222
165.0.182.63:995
78.96.199.79:443
45.32.154.10:443
80.240.26.178:443
199.247.22.145:443
81.97.154.100:443
86.176.25.92:2222
72.204.242.138:995
47.44.217.98:443
203.198.96.200:443
41.227.84.56:443
63.155.8.102:995
108.31.15.10:995
47.138.201.136:443
184.55.32.182:443
95.179.247.224:443
173.21.10.71:2222
86.98.89.172:2222
108.30.125.94:443
99.195.113.83:443
31.5.21.66:443
95.76.27.6:443
5.12.216.111:2222
174.30.165.242:2222
144.139.47.206:443
69.47.26.41:443
66.25.168.167:2222
24.40.173.134:443
69.123.116.167:2222
184.90.50.79:995
45.47.65.191:443
65.102.136.20:995
71.221.92.98:443
68.104.6.221:443
68.46.142.48:995
24.128.117.95:443
73.104.218.229:0
75.182.220.196:2222
74.222.204.82:443
47.147.20.231:443
71.197.126.250:443
74.195.88.59:995
71.217.125.53:2222
68.235.155.202:443
74.109.219.145:443
67.6.55.77:443
75.189.159.193:443
24.28.183.107:995
74.137.189.78:443
98.240.24.57:443
69.47.239.10:443
71.74.12.34:443
75.136.26.147:443
36.236.230.210:443
66.215.32.224:443
72.186.1.237:443
76.106.47.186:443
66.208.105.6:443
72.29.181.78:2222
73.90.4.146:443
205.178.7.90:443
50.96.234.132:995
24.231.54.185:2222
73.32.115.251:443
90.175.88.99:2222
68.14.210.246:22
148.101.74.12:443
73.225.67.0:443
80.195.103.146:2222
200.75.136.78:443
67.165.206.193:993
35.134.202.234:443
190.63.182.214:443
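Two things a practitioner does with an entry like this are to match the C2 list against network telemetry and the file-level indicators (the hashes in the entry header, the thumbprint and serial from the Code Signing Certificate section) against endpoint file observations. The example below is added here and is not MalwareBazaar, Joe Sandbox or ReversingLabs code. It parses a subset of the list above, deliberately keeping the 73.104.218.229:0 entry to show that a port-0 entry cannot be matched as an ip:port pair and is better kept as an IP-only indicator, then scans constructed Zeek conn.log-style lines and a constructed file observation. The list is port-specific (mostly 443, 995 and 2222), so a connection to a listed IP on a different port is reported at lower confidence; indicators like these also go stale, so age the list rather than blocking permanently.

```python
"""Match the indicators from this MalwareBazaar entry against constructed
observations. Added example; not MalwareBazaar, Joe Sandbox or ReversingLabs
code. The conn.log lines and file observations are constructed."""
import ipaddress

# Subset of the C2 extraction list above, copied verbatim. The port-0 entry is
# kept on purpose so the parser shows how to handle it.
C2_RAW = """\
2.89.121.99:995
89.42.142.35:443
81.133.234.36:2222
45.32.155.12:443
45.32.155.12:2222
45.32.155.12:995
73.104.218.229:0
72.204.242.138:20
"""

# File-level indicators from the entry header and the code-signing section.
SAMPLE_SHA256 = "cbea93d2d24af4fa47dfa9e359a44452f31bff6d65f194cc720684e48a2c90f5"
SAMPLE_MD5 = "4947a9eae6ed1531f6d3297120f104e5"
CERT_THUMBPRINT_SHA256 = "cab373e2d4672beacf4ca9c9baf75a2182a106cca5ea32f2fc2295848771a979"
CERT_SERIAL = "016836311fc39fbb8e6f308bb03cc2b3"


def parse_c2(raw):
    """Parse 'ip:port' lines into (set of (ip, port) pairs, set of IP-only).

    A port of 0 is not connectable as written, so the IP is kept as an
    IP-only indicator instead of being dropped silently. Invalid IPs raise."""
    pairs, ip_only = set(), set()
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, port = line.rpartition(":")
        ip = str(ipaddress.ip_address(host))   # validates and normalises
        port = int(port)
        if port == 0:
            ip_only.add(ip)
        else:
            pairs.add((ip, port))
    return pairs, ip_only


def match_conn_log(lines, pairs, ip_only):
    """Scan Zeek conn.log-style TSV lines: ts uid orig_h orig_p resp_h resp_p proto.

    Returns (uid, src, dst, label). Exact ip:port is the strong signal; a
    listed IP on another port is reported separately because the list is
    port-specific."""
    hits = []
    pair_ips = {ip for ip, _ in pairs}
    for line in lines:
        if not line or line.startswith("#"):
            continue
        ts, uid, orig_h, orig_p, resp_h, resp_p, proto = line.split("\t")[:7]
        resp_p = int(resp_p)
        dst = f"{resp_h}:{resp_p}"
        if (resp_h, resp_p) in pairs:
            hits.append((uid, orig_h, dst, "c2 ip:port match"))
        elif resp_h in ip_only:
            hits.append((uid, orig_h, dst, "c2 ip match (list entry had no usable port)"))
        elif resp_h in pair_ips:
            hits.append((uid, orig_h, dst, "c2 ip seen on other port"))
    return hits


def match_file(observation):
    """Check a file observation dict (sha256, md5, signer_thumbprint,
    signer_serial, any subset) against the entry's file-level indicators.
    Serials are compared without colons or leading zeros, since tooling
    formats them differently."""
    def norm(key):
        return observation.get(key, "").lower().replace(":", "")
    reasons = []
    if norm("sha256") == SAMPLE_SHA256:
        reasons.append("sha256 matches sample")
    if norm("md5") == SAMPLE_MD5:
        reasons.append("md5 matches sample")
    if norm("signer_thumbprint") == CERT_THUMBPRINT_SHA256:
        reasons.append("signed with blocklisted certificate (thumbprint)")
    if norm("signer_serial").lstrip("0") == CERT_SERIAL.lstrip("0"):
        reasons.append("signed with blocklisted certificate (serial)")
    return reasons


# Constructed conn.log lines (tab separated), including a header and a benign DNS flow.
SAMPLE_CONN_LOG = [
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "1602775722\tCxyz1\t10.0.0.5\t49712\t45.32.155.12\t2222\ttcp",
    "1602775730\tCxyz2\t10.0.0.5\t49713\t73.104.218.229\t443\ttcp",
    "1602775741\tCxyz3\t10.0.0.7\t49800\t2.89.121.99\t443\ttcp",
    "1602775750\tCxyz4\t10.0.0.7\t53010\t8.8.8.8\t53\tudp",
]

if __name__ == "__main__":
    c2_pairs, c2_ip_only = parse_c2(C2_RAW)
    for hit in match_conn_log(SAMPLE_CONN_LOG, c2_pairs, c2_ip_only):
        print(*hit)
    print(match_file({"sha256": SAMPLE_SHA256.upper(),
                      "signer_thumbprint": CERT_THUMBPRINT_SHA256.upper()}))
```

The certificate match is the more durable of the file checks: the entry notes three samples signed with this certificate, and a repack changes every hash but keeps the signer, so the thumbprint and serial should be fed into the same blocklist the MalwareBazaar CSCB entry implies.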
Unpacked files
SHA256 hash:
cbea93d2d24af4fa47dfa9e359a44452f31bff6d65f194cc720684e48a2c90f5
MD5 hash:
4947a9eae6ed1531f6d3297120f104e5
SHA1 hash:
71578e1aabfe23b19fbec9091fce5c8ac1c601f1
SHA256 hash:
b2245e70317ec7dcf7eeec79ce69303c70c9e8ce0e735f58be4a3cbd9a1aa32f
MD5 hash:
1cdef31263a0d2d690a3234795b357da
SHA1 hash:
6d9987126a98e89d72cc6ffbdf62065b3a319abe
Detections:
win_qakbot_auto
Parent samples :
SHA256 hash:
8ba2aa9471e9aa9e071fa80be061b16593902a9e3f8df56ab7f7bfbce974f88f
MD5 hash:
a4d92dbcda0402ecc95689d8d5a14643
SHA1 hash:
6989b8e171479c05565014b75487bcba04dcf0a7
Detections:
win_qakbot_g0 win_qakbot_auto
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Select_from_enumeration
Author:James_inthe_box
Description:IP and port combo
Rule name:win_qakbot
Author:Slavo Greminger, SWITCH-CERT
Rule name:win_qakbot_a0
Author:Slavo Greminger, SWITCH-CERT
Rule name:win_qakbot_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_qakbot_g0
Author:Slavo Greminger, SWITCH-CERT

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments