MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e07f8ef4cdd69603a4ec2a21524b1236724cad1f3dd527ade09cbdb4b9cb74ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 14


Intelligence 14 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e07f8ef4cdd69603a4ec2a21524b1236724cad1f3dd527ade09cbdb4b9cb74ef
SHA3-384 hash: 847d0db036fce71f8103304b5df8f9a54df11ec5b52c0cba2227bd7024aeaef9da29e323520721a13f4656ea4439ff40
SHA1 hash: f2bbce952c21e72c979cb9115a588a3dd22396cb
MD5 hash: d436df7179db1a851d7a74b68ae072b4
humanhash: johnny-low-video-nineteen
File name:houseful.db
Download: download sample
Signature Quakbot
Create hunting rule
File size:344'576 bytes
First seen:2022-09-30 11:46:11 UTC
Last seen:2022-09-30 16:03:23 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 5258e65ea568c264cf3e536d81339bf5 (4 x Quakbot)
ssdeep 6144:Ss07Ns6Fpqn3Kn/NjAOyme85N6w0ZmXp8jwkGU99WOUNeliVNYK:0Ns6LjjAw5cwimXujHxiVNYK
TLSH T11D74CF00B492C476EABD15300469EBB5597EB8610F949EEF67D85D7E4F302C2AA30E37
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter pr0xylife
Tags:1664437404 BB dll Qakbot Quakbot

Intelligence

File Origin
# of uploads :
2
# of downloads :
309
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/315150/
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Launching a process
Searching for synchronization primitives
Modifying an executable file
Creating a window
Sending a custom TCP request
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/6336d737d089a0c15dd2eb8b/reports/556e090b-4c58-4516-b67b-80cf8aa0049c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5ee0c90a-8a5b-46c0-9350-6f920a77bcdc
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1080846
Signature
Allocates memory in foreign processes
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 713402 Sample: houseful.db.dll Startdate: 30/09/2022 Architecture: WINDOWS Score: 68 31 Multi AV Scanner detection for submitted file 2->31 33 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->33 8 loaddll32.exe 1 2->8         started        process3 process4 10 cmd.exe 1 8->10         started        12 regsvr32.exe 8->12         started        15 rundll32.exe 8->15         started        17 rundll32.exe 8->17         started        signatures5 19 rundll32.exe 10->19         started        43 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 12->43 45 Writes to foreign memory regions 12->45 47 Allocates memory in foreign processes 12->47 22 wermgr.exe 12->22         started        49 Maps a DLL or memory area into another process 15->49 24 wermgr.exe 15->24         started        process6 signatures7 35 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 19->35 37 Writes to foreign memory regions 19->37 39 Allocates memory in foreign processes 19->39 41 Maps a DLL or memory area into another process 19->41 26 wermgr.exe 8 1 19->26         started        process8 file9 29 C:\Users\user\Desktop\houseful.db.dll, PE32 26->29 dropped
Detection:
qbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e07f8ef4cdd69603a4ec2a21524b1236724cad1f3dd527ade09cbdb4b9cb74ef/
Threat name:
Win32.Infostealer.QBot
Create hunting rule
Status:
Malicious
First seen:
2022-09-30 11:38:03 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
14 of 26 (53.85%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4b7y55gn22lahjhmfiqvesysgzzezli7hxksplpats63joolotxq._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot botnet:bb campaign:1664437404 banker stealer trojan
Link:
https://tria.ge/reports/220930-nxv26aedbq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Qakbot/Qbot
Malware Config
C2 Extraction:
113.180.55.111:443
58.186.75.42:443
105.184.56.118:995
196.206.133.114:995
80.253.189.55:443
193.3.19.137:443
41.104.80.233:443
49.205.197.13:443
186.81.122.168:443
216.238.83.82:443
216.238.83.82:995
39.44.5.104:995
196.207.146.151:443
216.238.108.61:995
139.84.167.18:995
139.84.167.18:443
216.238.108.61:443
149.28.38.16:995
134.35.12.30:443
131.100.40.13:995
102.189.184.12:995
103.173.121.17:443
102.190.190.242:995
85.86.242.245:443
73.252.27.208:995
41.99.57.148:443
197.120.66.183:995
186.90.144.235:2222
197.49.45.244:995
186.50.137.148:995
181.177.156.209:443
177.45.78.52:993
86.196.181.62:2222
197.203.50.195:443
89.187.169.77:443
Unpacked files
SH256 hash:
afe38a07c081dfc061697ae174663d635321ce3ab20ca64ea97da25daba25143
MD5 hash:
c82a3b8a1e8340f1ef39ba1490974479
SHA1 hash:
903787992032926575cc0d9769124ce467d0cc3a
Detections:
Qakbot
Create hunting rule
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/37fc5e1b-eacf-4211-a2ae-1508d129a76c/
Parent samples :
af1692ced38f5fda305b35be66774822900a0b9617102db4b3da5f7c97f70e3e
e07f8ef4cdd69603a4ec2a21524b1236724cad1f3dd527ade09cbdb4b9cb74ef
d127e0c805be94fef708c47ad62037ba3840d7b1db5330deea2bc40160501f45
SH256 hash:
e07f8ef4cdd69603a4ec2a21524b1236724cad1f3dd527ade09cbdb4b9cb74ef
MD5 hash:
d436df7179db1a851d7a74b68ae072b4
SHA1 hash:
f2bbce952c21e72c979cb9115a588a3dd22396cb
Link:
https://www.unpac.me/results/37fc5e1b-eacf-4211-a2ae-1508d129a76c/
Malware family:
QBot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e07f8ef4cdd6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e07f8ef4cdd69603a4ec2a21524b1236724cad1f3dd527ade09cbdb4b9cb74ef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:QakBot
Create hunting rule
Author:kevoreilly
Description:QakBot Payload
Rule name:unpacked_qbot
Create hunting rule
Description:Detects unpacked or memory-dumped QBot samples
Rule name:win_qakbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.
Rule name:win_qakbot_malped
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/315150/

Comments