MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e022362a9fde5b81a08295892822bc21ece364fa7e1adef735ca1c9a7e50cd64. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Quakbot


Vendor detections: 11



SHA256 hash: e022362a9fde5b81a08295892822bc21ece364fa7e1adef735ca1c9a7e50cd64
SHA3-384 hash: b67f430c16f2ee73b203cfdadc782bddbb409a5b24165b3eec3fd9dd5a7d562e1b69dc17724979df66762d51dcb382be
SHA1 hash: 3d18e4ab5c4fa395107c2e0beaea1f41e0e9ae5b
MD5 hash: 623ed266b8461a6650a3378864c14d95
humanhash: finch-oven-tennis-zebra
File name: HTMLSmugglingAgainAlltheRage.dat
Signature Quakbot
File size: 386'048 bytes
First seen: 2022-06-28 15:38:20 UTC
Last seen: 2022-06-28 16:44:08 UTC
File type: DLL dll
MIME type: application/x-dosexec
imphash 542759eb26a6d2621a39e0d035549967 (14 x Quakbot)
ssdeep 6144:sNvGN1ukCO12CXxJjKmAv1G5WC1l6dDudjBIWpE2+:sNvGN1ukdRMv1Gh1gd6djGWpEN
Threatray 1'324 similar samples on MalwareBazaar
TLSH T1F7848D71A6CC471FC876F576FF2491F706D61805890C8B86D7C98BBC38EEA9ADD1021A
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter pr0xylife
Tags: dll obama195 Power Save Systems s.r.o. Quakbot signed

Code Signing Certificate

Organisation: Power Save Systems s.r.o.
Issuer: Sectigo Public Code Signing CA R36
Algorithm: sha384WithRSAEncryption
Valid from: 2022-03-15T00:00:00Z
Valid to: 2023-03-15T23:59:59Z
Serial number: 4728189fa0f57793484cdf764f5e283d
Intelligence: 8 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist: This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm: SHA256
Thumbprint: 89ff94ac1c577eced3afc9a81689d30ca238a8472ad0f025f6bed57a98dbb273
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads:
2
# of downloads:
262
Origin country:
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating synchronization primitives
Launching a process
Modifying an executable file
Searching for synchronization primitives
Creating a process with a hidden window
Creating a window
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Signature
Allocates memory in foreign processes
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph: ID 653844, sample HTMLSmugglingAgainAlltheRage.dll, start date 28/06/2022, architecture WINDOWS, score 76. Process tree recovered from the graph: loaddll32.exe (Multi AV Scanner detection, Yara detected Qbot) starts two rundll32.exe instances, regsvr32.exe and 3 other processes; both rundll32.exe instances and regsvr32.exe each start explorer.exe (injects code into Windows Explorer, writes to foreign memory regions, overwrites code with unconditional jumps, allocates memory in foreign processes, maps a DLL or memory area into another process); the other processes start a further rundll32.exe and WerFault.exe; the injected explorer.exe drops C:\Users\...\HTMLSmugglingAgainAlltheRage.dll (PE32).
Threat name:
Win32.Backdoor.Quakbot
Status:
Malicious
First seen:
2022-06-28 15:39:07 UTC
File Type:
PE (Dll)
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:qakbot botnet:obama195 campaign:1656400725 banker stealer trojan
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Loads dropped DLL
Qakbot/Qbot
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash:
e022362a9fde5b81a08295892822bc21ece364fa7e1adef735ca1c9a7e50cd64
MD5 hash:
623ed266b8461a6650a3378864c14d95
SHA1 hash:
3d18e4ab5c4fa395107c2e0beaea1f41e0e9ae5b
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
