MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d246fc41b6237d49b76bc5e9be5646698558a9b5bcb117e0daf48642d4015b94. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Quakbot


Vendor detections: 9



SHA256 hash: d246fc41b6237d49b76bc5e9be5646698558a9b5bcb117e0daf48642d4015b94
SHA3-384 hash: 67c1779ebfb10f8237a3f793b3e137d61f237667f85a313c3b7f1906064b1b48a92c382438d38ece37ce62cd322a6014
SHA1 hash: 214820c2efa1c5eff4100a1625fb82b5bd3ad6d2
MD5 hash: 6409bf89045984b10d036f8efc8079c6
humanhash: mexico-earth-eight-virginia
File name: d246fc41b6237d49b76bc5e9be5646698558a9b5bcb117e0daf48642d4015b94
Signature: Quakbot
File size: 1'240'146 bytes
First seen: 2022-02-28 13:04:16 UTC
Last seen: 2022-02-28 13:16:42 UTC
File type: DLL dll
MIME type: application/x-dosexec
imphash 84687bd7bcf9c6a61feea037640c3685 (20 x Quakbot)
ssdeep 24576:qvX1yuIdR7er92iaov9wxPqgSG3Sul9ObCAekHEtZuvtua3lS:B2H7v9wtAUSuPc0kktZuvtuK
Threatray 52 similar samples on MalwareBazaar
TLSH T19A45F6AEB1E06ECCF5F139BC3D5463A80F9A5EB60F7E607AB403088606711FD1C55A5A
Reporter JAMESWT_WT
Tags: dll PUSH BANK LIMITED Qakbot Quakbot

Intelligence


File Origin
# of uploads: 3
# of downloads: 133
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Creating synchronization primitives
Launching a process
Modifying an executable file
Searching for synchronization primitives
Creating a process with a hidden window
Creating a window
Unauthorized injection to a system process
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: overlay packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 52 / 100
Signature
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Call by Ordinal
Behaviour
Behavior Graph (ID 579857, sample Xw2oqkhLOs, start date 28/02/2022, architecture WINDOWS, score 52): loaddll32.exe started cmd.exe, regsvr32.exe, rundll32.exe and 2 other processes; cmd.exe started rundll32.exe. Signatures: Multi AV Scanner detection for submitted file; Sigma detected: Suspicious Call by Ordinal. Contacted hosts: store-images.s-microsoft.com, prda.aadg.msidentity.com.
Threat name: Win32.Trojan.Convagent
Status: Malicious
First seen: 2022-02-25 15:13:11 UTC
File Type: PE (Dll)
Extracted files: 65
AV detection: 29 of 43 (67.44%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:qakbot botnet:tr campaign:1645202931 banker stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Qakbot/Qbot
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash: d246fc41b6237d49b76bc5e9be5646698558a9b5bcb117e0daf48642d4015b94
MD5 hash: 6409bf89045984b10d036f8efc8079c6
SHA1 hash: 214820c2efa1c5eff4100a1625fb82b5bd3ad6d2
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments