MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d302a473d8f19884d38147d13ce87f54b897dad51fdc6490467bca62cc7ae937. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Quakbot


Vendor detections: 11



SHA256 hash: d302a473d8f19884d38147d13ce87f54b897dad51fdc6490467bca62cc7ae937
SHA3-384 hash: c91abe191a324acc0735f2f57e117e3797c9f7290d7654c20112d9a237b71e508caee1171806fa85992fc44ff3e486a5
SHA1 hash: b589b0dee84e30e205f242a8d429b1e231b5ec5b
MD5 hash: bb17bf13123596ba3065efc74d625a3c
humanhash: diet-eight-blossom-yellow
File name: latin.dll
Signature Quakbot
File size: 967'909 bytes
First seen: 2021-12-17 05:59:44 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 9e7612a813f039fbaabdb52fb0c18662 (1 x Quakbot)
ssdeep 6144:NLI3eP+dmQ3TW0NREgFiRZh4McUTubCApkw0AE:cHw0NJwHh4M7TubCA30
Threatray 462 similar samples on MalwareBazaar
TLSH T1E625A628DE25766CFA1374F34972228D0F85049B17E3BAEBE37C6A48A441707DE5B583
Reporter ankit_anubhav
Tags: cullinan exe qbot Quakbot

Intelligence


File Origin
# of uploads :
1
# of downloads :
312
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating synchronization primitives
Launching a process
Modifying an executable file
Searching for synchronization primitives
Creating a process with a hidden window
Creating a window
Deleting a recently created file
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware keylogger overlay
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Signature
Allocates memory in foreign processes
Found malware configuration
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has a writeable .text section
Sigma detected: Suspicious Call by Ordinal
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph:
[Behavior graph image not reproduced. Behavior Graph ID: 541386; sample: latin.dll; start date: 17/12/2021; architecture: Windows; score: 88. Process tree observed: loaddll32.exe started rundll32.exe, cmd.exe, regsvr32.exe and explorer.exe; cmd.exe started a further rundll32.exe; the rundll32.exe and regsvr32.exe children each started explorer.exe. Dropped file: C:\Users\user\Desktop\latin.dll. Signatures shown on the graph match the Signature list above (malware configuration found, Yara detected Qbot, machine learning detection, code injection into explorer.exe, writes to foreign memory regions, memory allocation and DLL mapping in foreign processes, unconditional-jump overwrites).]
Threat name:
Win32.Backdoor.Quakbot
Status:
Malicious
First seen:
2021-12-17 06:09:01 UTC
File Type:
PE (Dll)
AV detection:
23 of 27 (85.19%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:qakbot botnet:cullinan campaign:1639333530 banker evasion stealer trojan
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Loads dropped DLL
Qakbot/Qbot
Windows security bypass
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash:
09692204edb223356b5ce7cd7a8d73017df221eb09910c29e81ab5d4d9d1ffab
MD5 hash:
2985ec1ce4cf46b4b08b05825b01cbc8
SHA1 hash:
431509a6cb09932f01456b187962d9a743bae795
SHA256 hash:
9385fd476103a349a4aef240b658d13017799a58935ee9ee24349606f874b823
MD5 hash:
342f08c9973ba9dddd67bd8b35806e75
SHA1 hash:
b5752bd55346e972c5e6c463fed59391b0fe31fc
SHA256 hash:
d302a473d8f19884d38147d13ce87f54b897dad51fdc6490467bca62cc7ae937
MD5 hash:
bb17bf13123596ba3065efc74d625a3c
SHA1 hash:
b589b0dee84e30e205f242a8d429b1e231b5ec5b
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Quakbot

Executable exe d302a473d8f19884d38147d13ce87f54b897dad51fdc6490467bca62cc7ae937

(this sample)

Delivery method
Distributed via e-mail attachment

Comments