MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db61681cbdd7643768d1459fabea38a4ceae4a0e8ce70a1caeecfca5b8fc915e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: db61681cbdd7643768d1459fabea38a4ceae4a0e8ce70a1caeecfca5b8fc915e
SHA3-384 hash: e3e5a45c2fc148859d48489be9446310e224040b5814b4f1cb49a7ab9c4f366e40f6765e45e67eede8a037dd9509e6ef
SHA1 hash: a2d1c597ef9d3853333ff1f22c89ae08b19ed410
MD5 hash: 524026917551622d6f915d4066638bfa
humanhash: winter-sad-happy-mockingbird
File name:db61681cbdd7643768d1459fabea38a4ceae4a0e8ce70a1caeecfca5b8fc915e
Download: download sample
Signature Quakbot
Create hunting rule
File size:700'605 bytes
First seen:2022-05-17 12:31:06 UTC
Last seen:2022-05-17 13:42:53 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash df2c97204ed982b8b3e7393fd2a71059 (7 x Quakbot)
ssdeep 12288:ED25c7bMl3XyN6VqX1bFJf44pnlG2LniES2DY0HZyHHsPNQsifQu8:G8Aw3CowXrJf44pnw2Ln1jY0HwHHsPNK
Threatray 1'084 similar samples on MalwareBazaar
TLSH T10DE4AE22E3D04C77C1772A799C2B7768A839BE112D7899C72BE42D4C4F3568136362B7
TrID 47.6% (.EXE) Win32 Executable Delphi generic (14182/79/4)
15.1% (.EXE) Win32 Executable (generic) (4505/5/1)
10.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter pr0xylife
Tags:AA dll Quakbot

Intelligence

File Origin
# of uploads :
2
# of downloads :
253
Origin country :
n/a
Vendor Threat Intelligence
Detection:
QakBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/271592/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.33138.20506.13290.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Searching for the window
Modifying an executable file
Сreating synchronization primitives
Searching for synchronization primitives
Creating a process with a hidden window
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe greyware kbot keylogger overlay packed qakbot qbot
Link:
https://www.filescan.io/uploads/6283962d6c85fb24969aae4d/reports/7fa2e9df-2e07-4e35-b3dc-edc02796bb6f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4c67074a-ce7c-48b9-b6ba-395ae8f0833f
Result
Threat name:
CryptOne, Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/995806
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Found malware configuration
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Schedule system process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected CryptOne packer
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 628303 Sample: U0syVQuNHK Startdate: 17/05/2022 Architecture: WINDOWS Score: 100 63 Found malware configuration 2->63 65 Multi AV Scanner detection for submitted file 2->65 67 Yara detected CryptOne packer 2->67 69 3 other signatures 2->69 9 loaddll32.exe 1 2->9         started        12 regsvr32.exe 2->12         started        14 regsvr32.exe 2->14         started        process3 signatures4 71 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 9->71 73 Injects code into the Windows Explorer (explorer.exe) 9->73 75 Writes to foreign memory regions 9->75 77 2 other signatures 9->77 16 explorer.exe 8 1 9->16         started        20 cmd.exe 1 9->20         started        22 regsvr32.exe 12->22         started        24 regsvr32.exe 14->24         started        process5 file6 49 C:\Users\user\Desktop\U0syVQuNHK.dll, PE32 16->49 dropped 51 Uses cmd line tools excessively to alter registry or file data 16->51 53 Uses schtasks.exe or at.exe to add and modify task schedules 16->53 26 schtasks.exe 1 16->26         started        28 rundll32.exe 20->28         started        31 conhost.exe 20->31         started        55 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 22->55 57 Injects code into the Windows Explorer (explorer.exe) 22->57 59 Writes to foreign memory regions 22->59 61 3 other signatures 22->61 33 explorer.exe 8 2 22->33         started        signatures7 process8 signatures9 35 conhost.exe 26->35         started        79 Contains functionality to detect sleep reduction / modifications 28->79 37 WerFault.exe 20 9 28->37         started        39 explorer.exe 28->39         started        81 Uses cmd line tools excessively to alter registry or file data 33->81 41 reg.exe 1 1 33->41         started        43 conhost.exe 33->43         started        45 reg.exe 1 1 33->45         started        process10 process11 47 conhost.exe 41->47         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/db61681cbdd7643768d1459fabea38a4ceae4a0e8ce70a1caeecfca5b8fc915e/
Threat name:
Win32.Trojan.PinkSbot
Create hunting rule
Status:
Malicious
First seen:
2022-05-17 11:25:43 UTC
File Type:
PE (Dll)
Extracted files:
62
AV detection:
28 of 41 (68.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3nqwqhf525sdo2griwp2x2ryuthk4sqorttquhfo5t6kloh4sfpa._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
05abcf4f0220a026d9d591722428fb8cd87053aa9b5be0ee1a6d6cda27e926ce
Quakbot
28b57b028cdb6556ee8d180ae990022f887f3194a749b1948c522e48d3e06fec
Quakbot
76209c7f60db832e93bdd6e68bcb2aaff914d2094f7db636e8aa19d4f43f40ea
Quakbot
7b265f068c1485a453d3ab7ad30bc1709760d5162fa641fd4996947b4d642f96
Quakbot
811399465b79b10495080b65b9d6b797d394df034f44d3aadd18be86c0c19e0d
Quakbot
bebf4177fc27714844f0e5e506637115828de7805529680d8ca19915aa7a7ac8
Quakbot
+ 1'074 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot botnet:aa campaign:1652433315 banker stealer trojan
Link:
https://tria.ge/reports/220517-pqlqksbgf9/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Program crash
Loads dropped DLL
Qakbot/Qbot
Malware Config
C2 Extraction:
103.139.243.207:990
217.128.122.65:2222
40.134.246.185:995
172.114.160.81:995
186.90.153.162:2222
75.99.168.194:61201
124.40.244.118:2222
86.98.208.214:2222
2.34.12.8:443
46.107.48.202:443
46.103.186.43:995
103.246.242.202:443
76.70.9.169:2222
72.76.94.99:443
102.65.16.245:443
45.63.1.12:443
45.76.167.26:443
144.202.3.39:995
140.82.63.183:443
144.202.2.175:995
144.202.2.175:443
140.82.63.183:995
45.63.1.12:995
149.28.238.199:443
45.76.167.26:995
144.202.3.39:443
149.28.238.199:995
173.22.32.101:443
39.44.178.7:995
197.89.17.146:443
81.129.112.49:2078
202.134.152.2:2222
189.26.55.114:443
1.161.66.82:995
183.82.103.213:443
172.115.177.204:2222
70.46.220.114:443
1.161.66.82:443
37.186.54.254:995
24.178.196.158:2222
91.177.173.10:995
176.67.56.94:443
146.66.139.14:443
201.42.3.27:32101
217.165.147.77:993
188.55.249.231:995
148.0.57.85:443
93.48.80.198:995
89.101.97.139:443
82.152.39.39:443
186.90.13.85:2222
108.60.213.141:443
187.207.131.50:61202
67.209.195.198:443
196.203.37.215:80
92.132.172.197:2222
47.23.89.60:993
37.210.156.191:2222
120.150.218.241:995
103.107.113.84:443
74.14.7.71:2222
182.182.228.80:995
32.221.224.140:995
70.51.137.64:2222
38.70.253.226:2222
90.120.65.153:2078
39.44.66.76:995
80.11.74.81:2222
31.215.102.193:2078
79.129.121.68:995
85.246.82.244:443
41.228.22.180:443
75.99.168.194:443
148.64.96.100:443
208.107.221.224:443
2.50.4.57:443
78.183.159.152:443
140.82.49.12:443
203.122.46.130:443
121.74.167.191:995
122.118.154.106:995
109.12.111.14:443
115.164.63.113:443
189.146.87.77:443
39.52.105.156:995
182.191.92.203:995
86.97.247.101:2222
67.165.206.193:993
174.69.215.101:443
76.25.142.196:443
173.21.10.71:2222
45.46.53.140:2222
187.172.191.97:443
190.252.242.69:443
82.41.63.217:443
187.208.122.239:443
181.208.248.227:443
73.151.236.31:443
72.252.157.172:990
72.252.157.172:995
187.251.132.144:22
201.142.133.198:443
100.1.108.246:443
201.1.202.82:32101
24.139.72.117:443
24.55.67.176:443
187.102.135.141:2222
191.99.191.28:443
201.172.23.68:2222
47.157.227.70:443
179.158.105.44:443
37.34.253.233:443
41.84.226.103:995
186.105.98.35:443
217.164.119.236:1194
41.84.248.225:443
189.253.214.159:443
86.195.158.178:2222
94.36.195.102:2222
45.241.145.155:993
86.190.159.132:443
39.49.48.82:995
89.86.33.217:443
69.14.172.24:443
106.51.48.170:50001
86.97.8.200:443
197.162.117.38:995
102.182.232.3:995
83.110.93.158:443
118.172.251.136:443
37.208.145.168:6883
120.61.3.164:443
191.251.134.129:443
173.174.216.62:443
84.241.8.23:32103
41.38.167.179:995
5.32.41.45:443
63.143.92.99:995
121.7.223.59:2222
58.105.167.36:50000
128.106.123.187:443
103.157.122.130:21
101.50.67.212:995
109.228.220.196:443
104.34.212.7:32103
181.222.130.143:993
24.152.219.253:995
111.125.245.118:995
39.53.165.129:995
197.205.106.232:443
Unpacked files
SH256 hash:
c6cb45ddad7fad4d2f057313081d2790213e26a6e3ced0021553bb17bf1dc1df
MD5 hash:
ea5d83578d5398ce2467ed3521ab54d0
SHA1 hash:
0d881cbf8e2c9970ac9d2e45e5daa7952edbfd39
Link:
https://www.unpac.me/results/e3b2b64f-516a-4b91-a088-8c532e4f35d1/
SH256 hash:
000988f755db01d13601630bfae235b86a338eb780300c1e0898825084f854ae
MD5 hash:
2f17bd9f4b9edd91a7fd80ef32981f70
SHA1 hash:
ee82f6f12a69e70861ed80a6e59d0c2524869151
Detections:
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/e3b2b64f-516a-4b91-a088-8c532e4f35d1/
Parent samples :
76209c7f60db832e93bdd6e68bcb2aaff914d2094f7db636e8aa19d4f43f40ea
05abcf4f0220a026d9d591722428fb8cd87053aa9b5be0ee1a6d6cda27e926ce
811399465b79b10495080b65b9d6b797d394df034f44d3aadd18be86c0c19e0d
28b57b028cdb6556ee8d180ae990022f887f3194a749b1948c522e48d3e06fec
db61681cbdd7643768d1459fabea38a4ceae4a0e8ce70a1caeecfca5b8fc915e
SH256 hash:
db61681cbdd7643768d1459fabea38a4ceae4a0e8ce70a1caeecfca5b8fc915e
MD5 hash:
524026917551622d6f915d4066638bfa
SHA1 hash:
a2d1c597ef9d3853333ff1f22c89ae08b19ed410
Link:
https://www.unpac.me/results/e3b2b64f-516a-4b91-a088-8c532e4f35d1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/db61681cbdd7643768d1459fabea38a4ceae4a0e8ce70a1caeecfca5b8fc915e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:QakBot
Create hunting rule
Author:kevoreilly
Description:QakBot Payload
Rule name:win_qakbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/271592/

Comments