MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cfc6fef33754e68341ba3c91c6e1d569dda1466c15faeca93f80f2e587dbb079. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cfc6fef33754e68341ba3c91c6e1d569dda1466c15faeca93f80f2e587dbb079
SHA3-384 hash: 351c1d0897a713f2f05254b4ca6bc268395baa7eda79beb9707497b68ab40eb4697aab625babe6ecdfc6b4f63c0bbcc9
SHA1 hash: f83def6d33225057b831a25ebb60c8f44379bc4a
MD5 hash: 6ce0985b954146ab0939ac0f69ba21e9
humanhash: alanine-sodium-yankee-eleven
File name:spit.dat
Download: download sample
Signature Quakbot
Create hunting rule
File size:666'112 bytes
First seen:2022-10-05 18:28:16 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash c55a71db2a0604f1aa6e10d072ecdaf3 (6 x Quakbot)
ssdeep 12288:e04qh9jnmGxBGex5ikJdspJRtsdi21LcVUK:ayjn5PyVWdR1L/K
Threatray 1'470 similar samples on MalwareBazaar
TLSH T170E44B05B657C030DA6851B32869BBB592BCBC35D6780FDB77D04F26DA111EB3828F29
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4505/5/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter martinbayard
Tags:dll obama208 qbot Quakbot

Intelligence

File Origin
# of uploads :
1
# of downloads :
327
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/317004/
Detection(s):
SecuriteInfo.com.BackDoor.Qbot.702.6911.8576.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Сreating synchronization primitives
Launching a process
Searching for synchronization primitives
Modifying an executable file
Creating a window
Sending a custom TCP request
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/633dccf00d3d21420cca9af0/reports/fd6626d2-6a4f-488e-b3d2-6a166e19f364/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/874e9eff-b8b4-41c0-8519-7ea03a1f2dc2
Result
Threat name:
Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1084376
Signature
Allocates memory in foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Execute DLL with spoofed extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 716941 Sample: spit.dat.dll Startdate: 05/10/2022 Architecture: WINDOWS Score: 96 34 Malicious sample detected (through community Yara rule) 2->34 36 Multi AV Scanner detection for submitted file 2->36 38 Yara detected Qbot 2->38 40 3 other signatures 2->40 8 loaddll32.exe 1 2->8         started        process3 signatures4 50 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->50 52 Writes to foreign memory regions 8->52 54 Allocates memory in foreign processes 8->54 56 Maps a DLL or memory area into another process 8->56 11 cmd.exe 1 8->11         started        13 regsvr32.exe 8->13         started        16 rundll32.exe 8->16         started        18 4 other processes 8->18 process5 file6 21 rundll32.exe 11->21         started        58 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 13->58 60 Writes to foreign memory regions 13->60 62 Allocates memory in foreign processes 13->62 24 wermgr.exe 13->24         started        64 Maps a DLL or memory area into another process 16->64 26 wermgr.exe 16->26         started        32 C:\Users\user\Desktop\spit.dat.dll, PE32 18->32 dropped 28 WerFault.exe 23 9 18->28         started        signatures7 process8 signatures9 42 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 21->42 44 Writes to foreign memory regions 21->44 46 Allocates memory in foreign processes 21->46 48 Maps a DLL or memory area into another process 21->48 30 wermgr.exe 21->30         started        process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cfc6fef33754e68341ba3c91c6e1d569dda1466c15faeca93f80f2e587dbb079/
Threat name:
Win32.Trojan.BotX
Create hunting rule
Status:
Malicious
First seen:
2022-10-05 18:29:08 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=z7dp54zxkttigqn2hsi4nyovnho2crtmcx5ozkj7qdzolb63wb4q._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
1965dc57456d4fc01b6ce0f242d80776fe08a16354e6177255cba618348355ac
Quakbot
1abc2fb23f55378947bf528996b50ffed195a059d5f7b537271792704eb5cd4c
Quakbot
27fbfb86936343fc18bb61811401c96c052ecdff080da3bdb403545d55cf2b2a
Quakbot
5b54f57dbaa74fa589afb2d26d6c6b39e0c2930bd88fea3172556ce96b3eb959
Quakbot
e3a2c056c730666fedabfed5e3cc2dee12d9c3ca36ac2d7c5289cfe29c125050
Quakbot
+ 1'460 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot banker stealer trojan
Link:
https://tria.ge/reports/221005-w4ww2afbd9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Qakbot/Qbot
Malware Config
C2 Extraction:
78.116.204.249:27334
32.26.157.231:2190
18.196.211.168:48835
20.143.207.39:26614
129.117.41.161:7982
209.203.201.219:44632
174.59.186.115:33072
88.239.235.151:45186
130.10.116.149:14433
232.176.128.0:0
70.238.223.142:65113
108.212.133.125:43749
91.204.181.165:28980
227.138.255.213:57594
252.124.102.160:59802
84.56.235.30:702
40.12.38.164:4225
163.55.16.87:6230
235.167.221.218:44172
113.34.86.36:44766
3.198.145.208:34010
194.217.45.198:36220
198.194.188.181:22851
149.133.92.184:61270
135.120.183.211:3151
45.206.222.245:43045
246.179.112.12:64397
88.106.24.76:30867
140.20.244.190:8098
218.91.78.249:2943
110.89.234.27:52593
233.62.189.160:62061
93.214.137.155:32352
92.78.239.242:55631
19.141.217.252:49599
215.33.231.196:64020
102.27.14.119:35457
234.211.168.138:25561
247.37.222.37:38694
156.214.152.71:3158
253.253.176.112:1886
190.202.24.117:42564
26.158.22.4:63550
22.123.250.159:36265
121.252.196.62:49429
220.79.21.161:11114
76.149.82.36:432
170.22.170.33:0
Unpacked files
SH256 hash:
e9e75c4c91a428c9cb60a7b0e643c6b3f94fe4323f2f7c891fc4313231c6eb85
MD5 hash:
1b1637b5fb51bc1749e7f29eb21df647
SHA1 hash:
66da543a11af21582612a9cbfc8198d346c5ab4b
Link:
https://www.unpac.me/results/05b8d0a7-e4df-4789-9460-05f7054a7622/
SH256 hash:
397e13eb715eb52f54c25907dc843ba4815af82d58b359e641b1e0c42dfcaf94
MD5 hash:
ac2aa567c9e4d6b77cbc06bdb0c7f167
SHA1 hash:
539c21d58295b9b1bc89e96815b670e6fa8decda
Detections:
Qakbot
Create hunting rule
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/05b8d0a7-e4df-4789-9460-05f7054a7622/
Parent samples :
8336fd87d8f73297e6cf420ad1d3cbb980c0d238b10e08da07edb5ae43585274
ca28afeff6dbf19c01cfda321ebebaaee91861a29202d9a1c15809cb398326ed
cfc6fef33754e68341ba3c91c6e1d569dda1466c15faeca93f80f2e587dbb079
SH256 hash:
0cc7fc169ec638fd933dbb0ed18e9de551d4019d3ec54d45c9952a315715dc40
MD5 hash:
1129bb094b16307c396812b97e60c975
SHA1 hash:
dc7238044391df145d872a3908598de9cbb12daf
Link:
https://www.unpac.me/results/05b8d0a7-e4df-4789-9460-05f7054a7622/
SH256 hash:
cfc6fef33754e68341ba3c91c6e1d569dda1466c15faeca93f80f2e587dbb079
MD5 hash:
6ce0985b954146ab0939ac0f69ba21e9
SHA1 hash:
f83def6d33225057b831a25ebb60c8f44379bc4a
Link:
https://www.unpac.me/results/05b8d0a7-e4df-4789-9460-05f7054a7622/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cfc6fef33754e68341ba3c91c6e1d569dda1466c15faeca93f80f2e587dbb079

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:QakBot
Create hunting rule
Author:kevoreilly
Description:QakBot Payload
Rule name:unpacked_qbot
Create hunting rule
Description:Detects unpacked or memory-dumped QBot samples
Rule name:win_qakbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.
Rule name:win_qakbot_malped
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/317004/

Comments