MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e0accb4407df08ec103be2d05017a3f3b37459c0784f9feb4eaf50122bfcd80e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e0accb4407df08ec103be2d05017a3f3b37459c0784f9feb4eaf50122bfcd80e
SHA3-384 hash: 7adbfccd94c36d0fb2860a8ec2987a136a2773f21f352b77dbfb20ebefec4f841748c42d53f881b0287bd869dea738f8
SHA1 hash: e1b42fcce91e2dad6ebea6a25563a39d77f031e7
MD5 hash: 2e504995ae2b91cf9d5fbf3f250fef44
humanhash: zulu-autumn-butter-ohio
File name:a3.png
Download: download sample
Signature Quakbot
Create hunting rule
File size:537'928 bytes
First seen:2022-09-08 13:52:15 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 3fc9f28b98c9ee1f8738e04f332dd4d2 (3 x Quakbot)
ssdeep 12288:pWghjfsaHKisYUVJAEvyxNEUDpyujPt5ABJXT+g/:gijHHKH53vUEUF1D4XTj
Threatray 1'349 similar samples on MalwareBazaar
TLSH T126B49F22F6D04437D377263C9C5B6A64A839BED03B2958662BF81D8C9F393813579393
TrID 47.6% (.EXE) Win32 Executable Delphi generic (14182/79/4)
15.1% (.EXE) Win32 Executable (generic) (4505/5/1)
10.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter pr0xylife
Tags:dll Qakbot Quakbot snow01

Intelligence

File Origin
# of uploads :
1
# of downloads :
304
Origin country :
n/a
Vendor Threat Intelligence
Detection:
QakBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/308795/
Detection(s):
SecuriteInfo.com.W32.Qbot.HH.gen.Eldorado.28985.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger overlay packed
Link:
https://www.filescan.io/uploads/6319f3a8d836d6918483ffa6/reports/4f491022-deee-49a1-aa45-1b047fb0e4ff/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3493aaad-d20d-4e1c-8864-00ca6e2d5518
Result
Threat name:
CryptOne, Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1067166
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Execute DLL with spoofed extension
Writes to foreign memory regions
Yara detected CryptOne packer
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 699698 Sample: a3.png.dll Startdate: 08/09/2022 Architecture: WINDOWS Score: 100 37 Malicious sample detected (through community Yara rule) 2->37 39 Yara detected CryptOne packer 2->39 41 Yara detected Qbot 2->41 43 3 other signatures 2->43 8 loaddll32.exe 1 2->8         started        process3 signatures4 45 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->45 47 Injects code into the Windows Explorer (explorer.exe) 8->47 49 Writes to foreign memory regions 8->49 51 3 other signatures 8->51 11 cmd.exe 1 8->11         started        13 explorer.exe 6 1 8->13         started        process5 file6 16 rundll32.exe 11->16         started        27 C:\Users\user\Desktop\a3.png.dll, PE32 13->27 dropped 19 WerFault.exe 19 9 13->19         started        21 WerFault.exe 13->21         started        process7 signatures8 29 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 16->29 31 Injects code into the Windows Explorer (explorer.exe) 16->31 33 Writes to foreign memory regions 16->33 35 Maps a DLL or memory area into another process 16->35 23 WerFault.exe 23 9 16->23         started        25 explorer.exe 16->25         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e0accb4407df08ec103be2d05017a3f3b37459c0784f9feb4eaf50122bfcd80e/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4cwmwrah34eoyeb34lifaf5d6ozxiwoapbhz722ov5ibek743aha._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
3c22164592cbe28cb0d2634ac1aa9752635308813db5fabd913ac84450e6f6d4
Quakbot
4f13d35180b85261aa49bd280ae52c6ff501fcc224ecd8ff729697337e14ce14
Quakbot
5fe5acb2467c0b99e0bc07c7c661af29ab23da9388e356b0c6fb64037debe7a4
Quakbot
73e9c07b6422fb135f06e0660b24a08be7d5bfe5b77d2b9f0096f8d03af52876
Quakbot
7d436b6200af103cb2fba472e95972dfb5475feb65d485720d0c547ca00c2547
Quakbot
a5a163e436995c01536396d65e775a72250b63e4c16ea59283e04fb609d248b1
Quakbot
dcd14c38adfeaf976dbf3aacce00d5e664e007fd3ad4b3d4f6d603be8ae4d92d
Quakbot
e022362a9fde5b81a08295892822bc21ece364fa7e1adef735ca1c9a7e50cd64
Quakbot
+ 1'339 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot botnet:snow01 campaign:1662453469 banker stealer trojan
Link:
https://tria.ge/reports/220908-q6zg2sefh4/
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Loads dropped DLL
Qakbot/Qbot
Malware Config
C2 Extraction:
200.161.62.126:32101
217.165.68.122:993
99.232.140.205:2222
81.131.161.131:2078
89.211.179.14:2222
186.64.87.202:443
197.94.210.133:443
193.3.19.37:443
37.210.148.30:995
200.100.55.252:32101
70.51.153.182:2222
120.150.218.241:995
173.189.167.21:995
24.139.72.117:443
104.34.212.7:32103
47.23.89.61:995
24.55.67.176:443
172.115.177.204:2222
217.165.77.134:995
24.178.196.158:2222
67.209.195.198:443
111.125.245.116:995
39.49.67.4:995
78.101.202.75:50010
37.34.253.233:443
217.165.77.134:443
46.107.48.202:443
70.46.220.114:443
63.143.92.99:995
93.48.80.198:995
179.158.103.236:443
47.180.172.159:443
47.23.89.61:993
72.252.157.93:995
182.191.92.203:995
187.172.230.151:443
72.252.157.93:990
24.158.23.166:995
32.221.224.140:995
41.84.238.19:443
41.228.22.180:443
197.167.27.20:993
45.46.53.140:2222
47.156.129.52:443
148.64.96.100:443
63.143.92.99:443
173.21.10.71:2222
66.230.104.103:443
76.25.142.196:443
100.38.242.113:995
208.107.221.224:443
197.89.12.179:443
39.44.34.119:995
196.203.37.215:80
39.57.40.50:995
117.248.109.38:21
121.7.223.38:2222
85.104.122.231:443
118.172.249.102:443
1.161.70.129:443
39.52.28.146:995
188.136.218.20:61202
212.70.96.76:995
1.161.70.129:995
174.69.215.101:443
69.14.172.24:443
86.213.191.206:2078
176.45.233.14:995
82.41.63.217:443
67.69.166.79:2222
217.164.237.54:2222
217.164.121.130:1194
39.41.114.133:995
100.38.242.113:443
120.61.3.17:443
101.50.120.124:995
217.128.122.65:2222
217.128.122.65:443
88.227.46.238:443
223.229.136.61:443
72.252.157.93:993
76.185.151.214:443
2.34.12.8:443
157.51.47.233:50001
Unpacked files
SH256 hash:
72f2a567df73c586fabe32ad0c08b95ce6f84ebcdf925382a35f4756e7e58234
MD5 hash:
00a6751240f584b00b4565414b5828a6
SHA1 hash:
a06799fd60885f155696fc636a66618f13888384
Link:
https://www.unpac.me/results/fdcf9483-1276-4d15-8dbd-74f4f1e650c7/
SH256 hash:
23d77f1405b6abc69458d6953c8376650ffeca26f7f95ef32db9a58271fd2bd3
MD5 hash:
3e86ac10b4e7d818e0f410130bb7f237
SHA1 hash:
8977a9178b40819a53df36bc37be64f1b1ae1105
Detections:
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/fdcf9483-1276-4d15-8dbd-74f4f1e650c7/
Parent samples :
4f13d35180b85261aa49bd280ae52c6ff501fcc224ecd8ff729697337e14ce14
73e9c07b6422fb135f06e0660b24a08be7d5bfe5b77d2b9f0096f8d03af52876
e0accb4407df08ec103be2d05017a3f3b37459c0784f9feb4eaf50122bfcd80e
SH256 hash:
e0accb4407df08ec103be2d05017a3f3b37459c0784f9feb4eaf50122bfcd80e
MD5 hash:
2e504995ae2b91cf9d5fbf3f250fef44
SHA1 hash:
e1b42fcce91e2dad6ebea6a25563a39d77f031e7
Link:
https://www.unpac.me/results/fdcf9483-1276-4d15-8dbd-74f4f1e650c7/
Malware family:
QBot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e0accb4407df/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e0accb4407df08ec103be2d05017a3f3b37459c0784f9feb4eaf50122bfcd80e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/308795/

Comments