MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 decd8b842ced585d7afef3521ecce4456283f3f548bdbf6f02db9c43947446c1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: decd8b842ced585d7afef3521ecce4456283f3f548bdbf6f02db9c43947446c1
SHA3-384 hash: f7643b22e7d81c65887cd6d305860e6988657be07752a451757380fe7181706520c8d801f04bd7295c6b2e6e8729fdd4
SHA1 hash: e2d593456dd70484ff1ca419d8e9c43143c19293
MD5 hash: 190c3ac616b717feaa2f8c37077badec
humanhash: table-green-seven-idaho
File name:206.png
Download: download sample
Signature Quakbot
Create hunting rule
File size:2'516'347 bytes
First seen:2022-06-28 11:33:22 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash d88346af0525575cf7efc51d122a520e (4 x Quakbot)
ssdeep 12288:s8Q7ZcA0SdiGfYT6KD92WdSSsTVq/pkYAM5EujP6jBQlOk+8kw7YoS0VvKRzKR0s:OyA0SdiGwWLV6Ln7m0otec
Threatray 4 similar samples on MalwareBazaar
TLSH T1E8C5EDAAEE52C04ADC8B08F3E061CDF8A89C5CB56BDE418B1F457DE772346C01E658E5
TrID 74.9% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
4.0% (.EXE) Win64 Executable (generic) (10523/12/4)
2.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 7955554d55556971 (4 x Quakbot, 1 x Matanbuchus)
Reporter proxylife
Tags:AA dll Qakbot Quakbot

Intelligence

File Origin
# of uploads :
1
# of downloads :
373
Origin country :
n/a
Vendor Threat Intelligence
Detection:
QakBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/283924/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Сreating synchronization primitives
Launching a process
Modifying an executable file
Searching for synchronization primitives
Creating a process with a hidden window
Creating a window
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62bae76da17f249ae3e364b1/reports/b72bbb00-89a7-40ee-8412-7da14e7c882d/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/33d7da1a-b602-4d16-b6f9-812f501ae09e
Result
Threat name:
Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1021147
Signature
Allocates memory in foreign processes
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 653641 Sample: 206.dll Startdate: 28/06/2022 Architecture: WINDOWS Score: 80 44 Multi AV Scanner detection for submitted file 2->44 46 Yara detected Qbot 2->46 48 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->48 8 loaddll32.exe 1 2->8         started        process3 signatures4 50 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->50 52 Injects code into the Windows Explorer (explorer.exe) 8->52 54 Writes to foreign memory regions 8->54 56 2 other signatures 8->56 11 regsvr32.exe 8->11         started        14 rundll32.exe 8->14         started        16 rundll32.exe 8->16         started        18 3 other processes 8->18 process5 signatures6 58 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 11->58 60 Injects code into the Windows Explorer (explorer.exe) 11->60 62 Writes to foreign memory regions 11->62 20 explorer.exe 8 1 11->20         started        64 Allocates memory in foreign processes 14->64 66 Maps a DLL or memory area into another process 14->66 23 explorer.exe 14->23         started        25 WerFault.exe 14->25         started        27 WerFault.exe 14->27         started        29 explorer.exe 16->29         started        31 rundll32.exe 18->31         started        34 WerFault.exe 23 9 18->34         started        36 WerFault.exe 18->36         started        38 explorer.exe 18->38         started        process7 file8 42 C:\Users\user\Desktop\206.dll, PE32 20->42 dropped 68 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 31->68 70 Injects code into the Windows Explorer (explorer.exe) 31->70 72 Maps a DLL or memory area into another process 31->72 40 explorer.exe 31->40         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/decd8b842ced585d7afef3521ecce4456283f3f548bdbf6f02db9c43947446c1/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-06-28 13:00:34 UTC
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=33gyxbbm5vmf26x66njb5theivrih47vjc6363yc3ooehfdui3aq._file
Verdict:
unknown
Similar samples:
1398420ff22398bfbd5dd3a9b0732d01de5d61eae73d9eecf3219487ec735332
Quakbot
1f098e58b66d5ba1dedb5f4beccbb84620db5c64575c1aac2a304ced5d428824
Quakbot
80b90884283a2fec755d89591baf45cedf263dc46bae2996ccfc1ca99019f1d9
Quakbot
b4f4be5b4b73abf5c57e7b140f268f0ee7b7e18eda23d68d060a160e565669f8
Quakbot
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot botnet:aa campaign:1656310631 banker stealer trojan
Link:
https://tria.ge/reports/220628-npe1zabaa2/
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Loads dropped DLL
Qakbot/Qbot
Malware Config
C2 Extraction:
41.228.22.180:443
1.161.81.21:995
24.178.196.158:2222
37.34.253.233:443
93.48.80.198:995
129.208.158.180:995
120.150.218.241:995
38.70.253.226:2222
111.125.245.116:995
47.23.89.60:993
40.134.246.185:995
197.87.144.50:443
217.164.119.69:1194
86.97.10.91:443
39.44.30.209:995
74.14.5.179:2222
182.191.92.203:995
117.248.109.38:21
217.165.97.237:993
84.241.8.23:32103
1.161.81.21:443
24.43.99.75:443
94.59.15.180:2222
121.7.223.45:2222
217.128.122.65:2222
70.46.220.114:443
32.221.224.140:995
67.209.195.198:443
67.165.206.193:993
186.90.153.162:2222
148.64.96.100:443
39.41.59.211:995
173.21.10.71:2222
174.69.215.101:443
208.107.221.224:443
45.46.53.140:2222
76.25.142.196:443
81.193.30.90:443
5.32.41.45:443
89.101.97.139:443
173.174.216.62:443
109.12.111.14:443
217.164.119.69:2222
69.14.172.24:443
197.161.135.169:993
162.252.222.118:443
120.61.2.5:443
90.120.209.197:2078
189.159.2.152:2222
191.112.29.39:443
189.78.107.163:32101
101.50.67.7:995
70.51.132.161:2222
179.158.105.44:443
39.57.60.246:995
184.97.29.26:443
63.143.92.99:995
72.252.157.93:995
190.252.242.69:443
177.45.64.254:32101
24.139.72.117:443
72.252.157.93:993
81.132.186.218:2078
24.55.67.176:443
104.34.212.7:32103
196.203.37.215:80
80.11.74.81:2222
88.241.122.55:443
39.49.71.64:995
210.246.4.69:995
86.200.151.188:2222
39.52.114.251:995
193.253.44.249:2222
47.156.129.52:443
72.252.157.93:990
100.38.242.113:995
71.13.93.154:2222
108.60.213.141:443
2.34.12.8:443
187.250.202.2:443
94.36.193.176:2222
89.86.33.217:443
31.215.67.68:2222
188.136.218.225:61202
187.208.115.219:443
191.250.120.152:443
49.128.172.7:2222
91.177.173.10:995
148.0.43.48:443
172.115.177.204:2222
68.204.15.28:443
197.94.94.206:443
87.109.229.215:995
105.247.171.130:995
81.250.191.49:2222
83.110.94.105:443
201.176.6.24:995
175.145.235.37:443
187.172.164.12:443
41.84.249.56:995
191.34.121.84:443
113.53.152.11:443
86.195.158.178:2222
109.228.220.196:443
82.41.63.217:443
82.152.39.39:443
106.51.48.188:50001
103.246.242.202:443
41.38.167.179:995
98.50.191.202:443
185.56.243.146:443
47.157.227.70:443
187.251.132.144:22
31.35.28.29:443
148.252.133.168:443
113.8.18.249:2222
180.129.108.214:995
138.186.28.253:443
89.137.52.44:443
122.118.129.227:995
75.99.168.194:61201
103.91.182.114:2222
Unpacked files
SH256 hash:
a62c69400eb966856e337ccb1de4a36223ac2f2a8cc8499cafd90e49e00f5128
MD5 hash:
dd5d72169b1a7efeb17612b9b0354341
SHA1 hash:
3de492f845c52c47747805ca9eba57f63b2cb88d
Link:
https://www.unpac.me/results/ff434a24-d19f-478c-82a9-781364b346db/
SH256 hash:
6e7a5d780e5afa49d3404ef437fadc12a0a0de95094cbfa2c0f5644bf97a6113
MD5 hash:
27fcee3b63f6a6399589cc230712256a
SHA1 hash:
06494425db87709b8d743261d124835a969d2b02
Link:
https://www.unpac.me/results/ff434a24-d19f-478c-82a9-781364b346db/
SH256 hash:
f6b75bd2fe2cdc331157765e5423c5e60e952e508d8e9dd4c4f93b6fe0d4035e
MD5 hash:
916c292117cd5cc18b66800898f50d09
SHA1 hash:
1c52ff9cdb476d75b4c26b0a435f8ec45a09af12
Detections:
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/ff434a24-d19f-478c-82a9-781364b346db/
Parent samples :
7284dbccfd2327ead9ea433fe75a1e164723abf9fd5fbad4b363e7e0311da83a
dcb01277bf2d496b06fcc0e8f34f6a1cab5d890bc9cc117421d4e92c968c70dc
1398420ff22398bfbd5dd3a9b0732d01de5d61eae73d9eecf3219487ec735332
80b90884283a2fec755d89591baf45cedf263dc46bae2996ccfc1ca99019f1d9
decd8b842ced585d7afef3521ecce4456283f3f548bdbf6f02db9c43947446c1
SH256 hash:
decd8b842ced585d7afef3521ecce4456283f3f548bdbf6f02db9c43947446c1
MD5 hash:
190c3ac616b717feaa2f8c37077badec
SHA1 hash:
e2d593456dd70484ff1ca419d8e9c43143c19293
Link:
https://www.unpac.me/results/ff434a24-d19f-478c-82a9-781364b346db/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/decd8b842ced585d7afef3521ecce4456283f3f548bdbf6f02db9c43947446c1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/283924/

Comments