MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf2652dc2a844f6aa436149211ea57e54102ce3ebd808eded619298c0bb16cc4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot
Vendor detections: 6

SHA256 hash: cf2652dc2a844f6aa436149211ea57e54102ce3ebd808eded619298c0bb16cc4
SHA3-384 hash: c18bcfbe397031feb0700135e7c03a8daa5224887313b124b208ea8fd752b4544fa59cb19679a3eb4559655d4e763883
SHA1 hash: 138ad810a0dfc8216ea5f71b1d2e00f667dc3b16
MD5 hash: 296474dfc42b6c053f354be7e1be151e
humanhash: vermont-high-thirteen-leopard
File name: 296474dfc42b6c053f354be7e1be151e.exe
Signature: Quakbot
File size: 335'184 bytes
First seen: 2021-09-28 15:09:34 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 834bc3b20cb6ffaf57116eb1b62c459b (1 x Quakbot)
ssdeep: 6144:R60vBQcV0PPspp3Ke/QVCY9/Ob9ho+JVxfTPAKxu9755fu2v4ibqXtWXC1:R7A8TJPNPp84NibIt1
Threatray: 61 similar samples on MalwareBazaar
TLSH: T1B564CFF6F4D7C336D4FE45FD744A87F2AD0FB8BAA0111C4BA78B2381249C58161A5D2A
Reporter: abuse_ch
Tags: exe Quakbot

Intelligence

File Origin
# of uploads: 1
# of downloads: 145
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 296474dfc42b6c053f354be7e1be151e.exe
Verdict: No threats detected
Analysis date: 2021-09-28 15:20:38 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 92 / 100
Signature
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Regsvr32 Command Line Without DLL
Sigma detected: Schedule system process
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph:
Behavior Graph ID: 492404; Sample: gVSJ5tTkrb.exe; Startdate: 28/09/2021; Architecture: WINDOWS; Score: 92
Processes observed in the graph: loaddll32.exe, regsvr32.exe, rundll32.exe, cmd.exe, explorer.exe, iexplore.exe, schtasks.exe, reg.exe, conhost.exe
Signatures attached to the graph: Yara detected Qbot; Sigma detected: Schedule system process; Machine Learning detection for sample; Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Maps a DLL or memory area into another process; Uses cmd line tools excessively to alter registry or file data; Uses schtasks.exe or at.exe to add and modify task schedules
Dropped file: C:\Users\user\Desktop\gVSJ5tTkrb.dll (MS-DOS)
Network: geolocation.onetrust.com 104.20.184.68:443 (CLOUDFLARENETUS, United States); btloader.com 172.67.70.134:443 (CLOUDFLARENETUS, United States); 7 other IPs or domains
Threat name: Win32.Trojan.Injuke
Status: Malicious
First seen: 2021-09-28 16:01:36 UTC
AV detection: 17 of 28 (60.71%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:qakbot botnet:tr campaign:1632730751 banker evasion stealer trojan
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Loads dropped DLL
Qakbot/Qbot
Windows security bypass
Malware Config
C2 Extraction:
95.77.223.148:443
47.22.148.6:443
89.101.97.139:443
27.223.92.142:995
120.151.47.189:443
136.232.34.70:443
120.150.218.241:995
185.250.148.74:443
181.118.183.94:443
140.82.49.12:443
67.165.206.193:993
103.148.120.144:443
71.74.12.34:443
76.25.142.196:443
73.151.236.31:443
173.21.10.71:2222
75.188.35.168:443
2.178.88.145:61202
71.80.168.245:443
45.46.53.140:2222
109.12.111.14:443
105.198.236.99:443
73.77.87.137:443
41.248.239.221:995
182.176.112.182:443
96.37.113.36:993
75.66.88.33:443
162.244.227.34:443
24.229.150.54:995
216.201.162.158:443
92.59.35.196:2222
196.218.227.241:995
24.139.72.117:443
68.207.102.78:443
72.252.201.69:443
2.188.27.77:443
177.130.82.197:2222
68.204.7.158:443
189.210.115.207:443
181.163.96.53:443
24.55.112.61:443
75.107.26.196:465
185.250.148.74:2222
68.186.192.69:443
24.152.219.253:995
50.29.166.232:995
Unpacked files
SHA256 hash: 49d57cbb31ae6bce8dd07ba90d79a94e1b0812b42f4ed99c9bf36e513ea23d6d
MD5 hash: bb76a2169d4094c702db3f03b6ad6985
SHA1 hash: 5130c01c395ee8ce555dd59fc2c87d79912090e4
SHA256 hash: cf2652dc2a844f6aa436149211ea57e54102ce3ebd808eded619298c0bb16cc4
MD5 hash: 296474dfc42b6c053f354be7e1be151e
SHA1 hash: 138ad810a0dfc8216ea5f71b1d2e00f667dc3b16
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (Distributed via web download)
Signature: Quakbot
File type: Executable exe
SHA256 hash: cf2652dc2a844f6aa436149211ea57e54102ce3ebd808eded619298c0bb16cc4 (this sample)

Comments