MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d127e0c805be94fef708c47ad62037ba3840d7b1db5330deea2bc40160501f45. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 14


Intelligence 14 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d127e0c805be94fef708c47ad62037ba3840d7b1db5330deea2bc40160501f45
SHA3-384 hash: 7777965ac92a857399103c35e039a417b795a2b26a57cf7cb24c19b7c60ef819ed780870a65b9b87f53be8370b8e91f6
SHA1 hash: 3c95b16e88c5edc3a7f24c0b7c78bf4312a82599
MD5 hash: d704da175248d59c068d9251f96deeb2
humanhash: avocado-edward-leopard-jupiter
File name:mingled.db
Download: download sample
Signature Quakbot
Create hunting rule
File size:402'944 bytes
First seen:2022-09-30 12:08:06 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 5258e65ea568c264cf3e536d81339bf5 (4 x Quakbot)
ssdeep 6144:P57WEjEaG/tptUcHme85N6w0ZmXp8jwkGU99WOUN2LAOh:IEj7QPw5cwimXujH33
Threatray 1'428 similar samples on MalwareBazaar
TLSH T19F84BF00B596C0B2D5BE15303479EB656A7DBC610B945EEB67D83E7A4E303C29E30E36
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter pr0xylife
Tags:1664437404 BB dll Qakbot Quakbot

Intelligence

File Origin
# of uploads :
1
# of downloads :
320
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/315156/
Result
Verdict:
Malware
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/6336dc5fd089a0c15dd2ecc7/reports/1ff3ebc5-a743-4281-af2e-38b12a07b9ba/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9ba713c7-fb13-4534-8411-f750cf3d3f9a
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1080858
Signature
Allocates memory in foreign processes
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 713415 Sample: mingled.db.dll Startdate: 30/09/2022 Architecture: WINDOWS Score: 68 31 Multi AV Scanner detection for submitted file 2->31 33 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->33 8 loaddll32.exe 1 2->8         started        process3 process4 10 cmd.exe 1 8->10         started        12 rundll32.exe 8->12         started        15 regsvr32.exe 8->15         started        17 rundll32.exe 8->17         started        signatures5 19 rundll32.exe 10->19         started        43 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 12->43 45 Writes to foreign memory regions 12->45 47 Allocates memory in foreign processes 12->47 22 wermgr.exe 12->22         started        49 Maps a DLL or memory area into another process 15->49 24 wermgr.exe 15->24         started        process6 signatures7 35 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 19->35 37 Writes to foreign memory regions 19->37 39 Allocates memory in foreign processes 19->39 41 Maps a DLL or memory area into another process 19->41 26 wermgr.exe 8 1 19->26         started        process8 file9 29 C:\Users\user\Desktop\mingled.db.dll, PE32 26->29 dropped
Detection:
qbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d127e0c805be94fef708c47ad62037ba3840d7b1db5330deea2bc40160501f45/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-09-30 12:09:08 UTC
File Type:
PE (Dll)
Extracted files:
3
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2et6bsafx2kp55yiyr5nmibxxi4ebv5r3njtbxxkfpcacycqd5cq._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
01fd6e0c8393a5f4112ea19a26bedffb31d6a01f4d3fe5721ca20f479766208f
Quakbot
0b353412e79686c5185dfdf185747e856f379c863ff41d82ce0ef4b69b31b747
Quakbot
42ad1e843f44a725a6666d3d27f10caaa2252a05e1bc0b9c3c315496728f9f25
Quakbot
5e5c55c133d644de044f5bcb782b618fd188a1c6ca707298815ab23295fb43c1
Quakbot
+ 1'418 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot botnet:bb campaign:1664437404 banker stealer trojan
Link:
https://tria.ge/reports/220930-pbfk1sdeb4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Qakbot/Qbot
Malware Config
C2 Extraction:
113.180.55.111:443
58.186.75.42:443
105.184.56.118:995
196.206.133.114:995
80.253.189.55:443
193.3.19.137:443
41.104.80.233:443
49.205.197.13:443
186.81.122.168:443
216.238.83.82:443
216.238.83.82:995
39.44.5.104:995
196.207.146.151:443
216.238.108.61:995
139.84.167.18:995
139.84.167.18:443
216.238.108.61:443
149.28.38.16:995
134.35.12.30:443
131.100.40.13:995
102.189.184.12:995
103.173.121.17:443
102.190.190.242:995
85.86.242.245:443
73.252.27.208:995
41.99.57.148:443
197.120.66.183:995
186.90.144.235:2222
197.49.45.244:995
186.50.137.148:995
181.177.156.209:443
177.45.78.52:993
86.196.181.62:2222
197.203.50.195:443
89.187.169.77:443
Unpacked files
SH256 hash:
afe38a07c081dfc061697ae174663d635321ce3ab20ca64ea97da25daba25143
MD5 hash:
c82a3b8a1e8340f1ef39ba1490974479
SHA1 hash:
903787992032926575cc0d9769124ce467d0cc3a
Detections:
Qakbot
Create hunting rule
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/3d250bb2-b77e-4784-bb9f-545a1ac09bda/
Parent samples :
af1692ced38f5fda305b35be66774822900a0b9617102db4b3da5f7c97f70e3e
e07f8ef4cdd69603a4ec2a21524b1236724cad1f3dd527ade09cbdb4b9cb74ef
d127e0c805be94fef708c47ad62037ba3840d7b1db5330deea2bc40160501f45
SH256 hash:
d127e0c805be94fef708c47ad62037ba3840d7b1db5330deea2bc40160501f45
MD5 hash:
d704da175248d59c068d9251f96deeb2
SHA1 hash:
3c95b16e88c5edc3a7f24c0b7c78bf4312a82599
Link:
https://www.unpac.me/results/3d250bb2-b77e-4784-bb9f-545a1ac09bda/
Malware family:
QBot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d127e0c805be/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d127e0c805be94fef708c47ad62037ba3840d7b1db5330deea2bc40160501f45

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:QakBot
Create hunting rule
Author:kevoreilly
Description:QakBot Payload
Rule name:unpacked_qbot
Create hunting rule
Description:Detects unpacked or memory-dumped QBot samples
Rule name:win_qakbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.
Rule name:win_qakbot_malped
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/315156/

Comments