MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc086ee1b89257508aa4393d264b131e13e71a0ff3f8275bf1fb810b890ce133. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 11


SHA256 hash: cc086ee1b89257508aa4393d264b131e13e71a0ff3f8275bf1fb810b890ce133
SHA3-384 hash: a30ea78475ff54eac2b487c1f08fa3c0ba34bce2ed135a00d2d8b489b0912a2b8b92817495415e6f0e41211dcdec6da2
SHA1 hash: 401ba6d3200a2daaa36c51c4e645757e949c591c
MD5 hash: 99153d6d91228309aea90ff693b805d7
humanhash: iowa-florida-music-sweet
File name: cc086ee1b89257508aa4393d264b131e13e71a0ff3f8275bf1fb810b890ce133
Download: download sample
Signature Quakbot
File size: 512'833 bytes
First seen: 2022-04-14 12:18:36 UTC
Last seen: Never
File type: DLL dll
MIME type: application/x-dosexec
imphash cc2c95b842cf453a10e40489eddeb9ee (10 x Quakbot)
ssdeep 12288:2VLOLbYx29jcKY/1Yj70xFqSgzHkuyEFDOwK:Syy2K120/bgzEuyEFC
Threatray 472 similar samples on MalwareBazaar
TLSH T17DB4AFB87600ACE2E57F567BCAA5ADED037A2B224DC798CD506477C709633B1EE12C05
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter JAMESWT_WT
Tags: dll Quakbot VALENTE SP Z O O

Intelligence


File Origin
# of uploads :
1
# of downloads :
218
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Launching a process
Searching for synchronization primitives
Creating a window
DNS request
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
greyware overlay
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Signature
Allocates memory in foreign processes
Found malware configuration
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Suspicious Call by Ordinal
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph:
Behavior Graph ID: 609320 (Sample: qJcb4lVrGz, Startdate: 14/04/2022, Architecture: WINDOWS, Score: 92). The graph image itself is not recoverable; the node and edge labels it rendered are:
Start node signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected Qbot; 2 other signatures. Started: loaddll32.exe.
loaddll32.exe signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 2 other signatures. Started: regsvr32.exe, cmd.exe, rundll32.exe, 3 other processes.
regsvr32.exe signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 2 other signatures. Started: explorer.exe.
cmd.exe started: rundll32.exe, which started WerFault.exe.
rundll32.exe (from loaddll32.exe) started: WerFault.exe, which contacted 192.168.2.1 (unknown unknown).
3 other processes started: WerFault.exe, WerFault.exe.
Threat name:
Win32.Trojan.Skeeyah
Status:
Malicious
First seen:
2022-04-14 00:08:30 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
24 of 26 (92.31%)
Threat level:
5/5
Result
Malware family:
Score:
10/10
Tags:
family:qakbot botnet:aa campaign:1648020400 banker stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Qakbot/Qbot
Malware Config
C2 Extraction:
120.150.218.241:995
79.52.204.9:50001
161.142.56.8:443
93.48.80.198:995
81.60.216.223:995
1.161.80.99:443
2.34.12.8:443
113.11.89.170:995
74.15.2.252:2222
209.180.70.25:443
86.98.208.214:2222
189.146.51.56:443
203.122.46.130:443
190.73.3.148:2222
197.167.50.74:993
76.70.9.169:2222
75.99.168.194:443
76.69.155.202:2222
176.88.238.122:995
89.137.52.44:443
76.169.147.192:32103
108.60.213.141:443
176.67.56.94:443
148.64.96.100:443
47.180.172.159:443
208.107.221.224:443
140.82.49.12:443
96.21.251.127:2222
70.51.135.39:2222
2.42.176.91:443
92.177.45.46:2078
105.186.127.127:995
78.87.36.171:995
83.110.85.209:443
31.35.28.29:443
120.61.2.249:443
206.217.0.154:995
78.188.76.167:443
24.43.99.75:443
37.186.54.166:995
5.32.41.45:443
201.172.231.204:443
47.23.89.62:993
72.76.94.99:443
47.180.172.159:50010
86.98.27.253:443
75.99.168.194:61201
197.89.109.60:443
45.9.20.200:443
173.174.216.62:443
121.74.182.236:995
140.82.63.183:995
45.63.1.12:443
45.76.167.26:995
45.63.1.12:995
144.202.2.175:995
144.202.2.175:443
45.76.167.26:443
144.202.3.39:995
149.28.238.199:443
149.28.238.199:995
140.82.63.183:443
144.202.3.39:443
129.208.61.75:995
71.13.93.154:2222
91.177.173.10:995
83.110.85.209:995
47.23.89.62:995
70.57.207.83:443
1.161.80.99:995
207.170.238.231:443
175.145.235.37:443
190.206.211.182:443
32.221.225.247:995
217.164.118.117:1194
69.159.200.138:2222
180.233.150.134:995
103.87.95.131:2222
70.46.220.114:443
172.115.177.204:2222
31.215.69.127:443
172.114.160.81:995
67.209.195.198:443
75.159.9.236:443
24.178.196.158:2222
41.228.22.180:443
217.165.85.224:993
37.152.80.105:443
217.128.122.65:2222
24.152.219.253:995
195.32.57.18:80
103.88.226.82:443
173.21.10.71:2222
73.151.236.31:443
197.92.138.54:443
102.140.70.236:443
174.69.215.101:443
71.74.12.34:443
47.156.191.217:443
191.99.191.28:443
148.64.96.100:993
201.145.226.223:443
189.237.6.251:443
201.170.181.247:443
201.103.6.221:443
72.252.201.34:990
72.252.201.34:995
100.1.108.246:443
72.12.115.90:22
109.12.111.14:443
40.134.246.185:995
24.55.67.176:443
63.143.92.99:995
24.229.150.54:995
105.225.175.168:995
89.101.97.139:443
179.178.78.112:443
143.0.34.185:443
108.4.67.252:443
81.132.186.248:2078
114.79.148.170:443
200.100.246.85:32101
217.164.118.117:2222
45.46.53.140:2222
82.152.39.39:443
186.105.118.4:443
67.165.206.193:993
196.203.37.215:80
197.238.216.127:443
39.44.151.33:995
75.188.35.168:443
80.11.74.81:2222
5.95.58.211:2087
182.191.92.203:995
180.129.26.139:995
186.10.247.110:443
111.125.245.118:995
217.165.85.73:32101
177.134.208.155:995
197.162.105.58:995
124.41.193.166:443
118.173.98.236:443
117.248.109.38:21
103.233.141.26:2222
110.143.139.163:443
98.22.244.189:443
76.25.142.196:443
38.70.253.226:2222
76.119.110.181:443
173.22.32.101:443
Unpacked files
SHA256 hash:
cc086ee1b89257508aa4393d264b131e13e71a0ff3f8275bf1fb810b890ce133
MD5 hash:
99153d6d91228309aea90ff693b805d7
SHA1 hash:
401ba6d3200a2daaa36c51c4e645757e949c591c
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments