MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf0c686564c106b2da71b916c7d022e77894c6dd48e5dc8fec000254def55f11. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cf0c686564c106b2da71b916c7d022e77894c6dd48e5dc8fec000254def55f11
SHA3-384 hash: 1b10ce4e5dadf805bcb129a1372d2c28149166a79e58dbd2b1b37f5a8f604f6a227e989801ecbc2f03cd1c2a8fba1a5c
SHA1 hash: 854b7b23da76f583e6c157e643e1e0e50dd902e4
MD5 hash: 3adc41a38c53d9798e9be8d135ba47d8
humanhash: three-summer-arkansas-three
File name:44467.702902662.dat.dll
Download: download sample
Signature Quakbot
Create hunting rule
File size:768'512 bytes
First seen:2021-09-28 14:57:12 UTC
Last seen:2021-09-28 16:09:24 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 57775f1d5f7cb33885211ff521ef0102 (3 x Quakbot)
ssdeep 12288:oV75XRqXnVyGXpI7kFHpsqJtjA42je3kyS6wEB35c+C:DXnVyyZWIkBy3kySqBpp
Threatray 174 similar samples on MalwareBazaar
TLSH T1C4F42A007A54E414F6B91A758E6EE1E8061C7E449FB4A0CF79D03F8F6A3A9E2D931317
Reporter info_sec_ca
Tags:dll Quakbot

Intelligence

File Origin
# of uploads :
2
# of downloads :
140
Origin country :
n/a
Vendor Threat Intelligence
Detection:
QakBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/192660/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Krypt.22925.18751.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2f7e9f11-a381-43e1-bba2-a3b93963fa9d
Result
Threat name:
Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/859976
Signature
Allocates memory in foreign processes
Found malware configuration
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Execute DLL with spoofed extension
Sigma detected: Regsvr32 Command Line Without DLL
Sigma detected: Schedule system process
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 492407 Sample: 44467.702902662.dat.dll Startdate: 28/09/2021 Architecture: WINDOWS Score: 100 69 Found malware configuration 2->69 71 Yara detected Qbot 2->71 73 Sigma detected: Execute DLL with spoofed extension 2->73 75 2 other signatures 2->75 9 loaddll32.exe 1 2->9         started        12 regsvr32.exe 2->12         started        14 regsvr32.exe 2->14         started        process3 signatures4 77 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 9->77 79 Injects code into the Windows Explorer (explorer.exe) 9->79 81 Writes to foreign memory regions 9->81 83 2 other signatures 9->83 16 rundll32.exe 9->16         started        19 cmd.exe 1 9->19         started        21 rundll32.exe 9->21         started        27 2 other processes 9->27 23 regsvr32.exe 12->23         started        25 regsvr32.exe 14->25         started        process5 signatures6 59 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 16->59 61 Injects code into the Windows Explorer (explorer.exe) 16->61 63 Writes to foreign memory regions 16->63 29 explorer.exe 16->29         started        32 rundll32.exe 19->32         started        34 explorer.exe 21->34         started        65 Allocates memory in foreign processes 23->65 67 Maps a DLL or memory area into another process 23->67 36 explorer.exe 8 2 23->36         started        39 schtasks.exe 1 27->39         started        41 explorer.exe 27->41         started        process7 file8 85 Uses schtasks.exe or at.exe to add and modify task schedules 29->85 87 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 32->87 89 Injects code into the Windows Explorer (explorer.exe) 32->89 91 Writes to foreign memory regions 32->91 95 2 other signatures 32->95 43 explorer.exe 32->43         started        57 C:\Users\user\...\44467.702902662.dat.dll, PE32 36->57 dropped 93 Uses cmd line tools excessively to alter registry or file data 36->93 45 reg.exe 1 1 36->45         started        47 reg.exe 1 1 36->47         started        49 conhost.exe 36->49         started        51 conhost.exe 39->51         started        signatures9 process10 process11 53 conhost.exe 45->53         started        55 conhost.exe 47->55         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cf0c686564c106b2da71b916c7d022e77894c6dd48e5dc8fec000254def55f11/
Threat name:
Win32.Infostealer.QBot
Create hunting rule
Status:
Malicious
First seen:
2021-09-28 15:40:19 UTC
AV detection:
2 of 45 (4.44%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
gozi
Create hunting rule
Similar samples:
125c904126d0e8449f95059bb3ef990cb8b663510813c4a1562ac11dfd27f993
Quakbot
2915591ef479332f179e26a3f6e4a63c35049569f5ca42d067f64dbdae681df9
Quakbot
336cdd146beca939c6d1e3e3c00cc10ec2d6e859a18d350bff937ad5194c27da
Quakbot
45e5bddd31db89802853edbb213d2b1bbd9837fc0a2c2fafc44293633726566b
Quakbot
507b876c0338193836078c588a6d0085ab63fe65848bbead2bdfb0391f615d3f
Quakbot
6b7ce26148fe55df48e887c1d18fa2c1bb12fa7d85d014dfaf4b801e345fd2cc
Quakbot
8d2418d362dfacdb5efdf08a6c3a7f5e8f279670633676333f0466ff8158e5ff
Quakbot
8d55a54993c00a00daccdf2c7bf69978dbc0222af5b2d024e4e2043695401040
Quakbot
901c1e9a4daf9000c13a6a17acfe5c4e703b8ecf505cf8681aaffd0fa2efe593
Quakbot
dd333db4f622d57ab029da1159bc4e803647429e942e48e437829009c83f79af
Quakbot
+ 164 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot botnet:obama105 campaign:1632821932 banker evasion stealer trojan
Link:
https://tria.ge/reports/210928-scjwlsccgm/
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Loads dropped DLL
Qakbot/Qbot
Windows security bypass
Malware Config
C2 Extraction:
120.151.47.189:443
41.228.22.180:443
39.52.241.3:995
199.27.127.129:443
216.201.162.158:443
136.232.34.70:443
196.217.156.63:995
120.150.218.241:995
95.77.223.148:443
185.250.148.74:443
181.118.183.94:443
105.198.236.99:443
140.82.49.12:443
37.210.152.224:995
89.101.97.139:443
81.241.252.59:2078
27.223.92.142:995
81.250.153.227:2222
73.151.236.31:443
47.22.148.6:443
122.11.220.212:2222
76.25.142.196:443
75.66.88.33:443
45.46.53.140:2222
173.25.166.81:443
103.148.120.144:443
173.21.10.71:2222
186.18.205.199:995
71.74.12.34:443
67.165.206.193:993
47.40.196.233:2222
68.204.7.158:443
24.229.150.54:995
109.12.111.14:443
177.130.82.197:2222
72.252.201.69:443
24.55.112.61:443
24.139.72.117:443
187.156.138.172:443
71.80.168.245:443
82.77.137.101:995
173.234.155.233:443
75.188.35.168:443
5.238.149.235:61202
73.77.87.137:443
182.176.112.182:443
96.37.113.36:993
162.244.227.34:443
92.59.35.196:2222
196.218.227.241:995
68.207.102.78:443
2.188.27.77:443
189.210.115.207:443
181.163.96.53:443
75.107.26.196:465
185.250.148.74:2222
68.186.192.69:443
Unpacked files
SH256 hash:
a99664625efc5a0be1394625c2dbef830be75ceae2bc51680ea29731782ee076
MD5 hash:
77e5d4def948859f2aca9ee0d7ed6f1a
SHA1 hash:
f82310e55fc26817183eba8a1581f4d8c3d86613
Link:
https://www.unpac.me/results/4e844cc5-9858-4e82-badd-29724a9e21a5/
SH256 hash:
b16cc7dfd0d2a64fe4b91b0ef937cd1a5f16d9a41625b42abc5338ae7de3694b
MD5 hash:
f8aa4208054969f1504bf1233db126cd
SHA1 hash:
87f2d98b70408e6539644b8317cbfc28d30de06f
Link:
https://www.unpac.me/results/4e844cc5-9858-4e82-badd-29724a9e21a5/
SH256 hash:
cf0c686564c106b2da71b916c7d022e77894c6dd48e5dc8fec000254def55f11
MD5 hash:
3adc41a38c53d9798e9be8d135ba47d8
SHA1 hash:
854b7b23da76f583e6c157e643e1e0e50dd902e4
Link:
https://www.unpac.me/results/4e844cc5-9858-4e82-badd-29724a9e21a5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cf0c686564c106b2da71b916c7d022e77894c6dd48e5dc8fec000254def55f11

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/192660/

Comments