MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e248f7a1cbd369a2111834664fa805b489c8610e0d9b7fa506c3a1fc882dd331. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 8


SHA256 hash: e248f7a1cbd369a2111834664fa805b489c8610e0d9b7fa506c3a1fc882dd331
SHA3-384 hash: ef100e2b06c87c3ed409291ce057d1d6086ef235d00f1c1776d4cbd2980dc61e6b72ec5b360d8631f4226b93be30fbbc
SHA1 hash: 39d5290e4b7a8aa117652c585581ed0908e0dbd9
MD5 hash: 2b9b0bfbf52742dff63a21cfd9fc496e
humanhash: dakota-august-illinois-three
File name: cueing.dat
Signature: Quakbot
File size: 643'400 bytes
First seen: 2022-10-27 12:05:23 UTC
Last seen: Never
File type: DLL dll
MIME type: application/x-dosexec
imphash: 34d094cea0fc040405cd0327eba81d57 (7 x Quakbot)
ssdeep: 12288:Dx8IFmbH8yS5XXUrIVcxxYnZIOT2LY/O9PBoC//0:+6y8bRZAKZI/LoO9PBoC/8
Threatray: 1'595 similar samples on MalwareBazaar
TLSH: T131D49E22B2E8C037D13266F99C3B46A8587BFD0139299C096FD51F4D4F35A413B6A3A7
TrID: 47.6% (.EXE) Win32 Executable Delphi generic (14182/79/4)
      15.1% (.EXE) Win32 Executable (generic) (4505/5/1)
      10.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
      6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
      6.8% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter: pr0xylife
Tags: 1666863975 dll Qakbot Quakbot RIWQRMKSGCVXTNIIYV signed

Code Signing Certificate

Organisation: RIWQRMKSGCVXTNIIYV
Issuer: RIWQRMKSGCVXTNIIYV
Algorithm: sha1WithRSA
Valid from: 2022-10-25T05:18:50Z
Valid to: 2039-12-31T23:59:59Z
Serial number: 028b4a1fe90aa2994ef5c1cf9facb19d
Thumbprint Algorithm: SHA256
Thumbprint: c1ad7096af626d9d952cae71c64e215e6db6b201f2a85b1b1d97abb09a77b844
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 262
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Creating a window
Searching for synchronization primitives
Launching a process
Sending a custom TCP request
Modifying an executable file
Unauthorized injection to a system process
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name: Win32.Backdoor.Quakbot
Status: Malicious
First seen: 2022-10-27 12:14:51 UTC
File Type: PE (Dll)
Extracted files: 40
AV detection: 20 of 25 (80.00%)
Threat level: 5/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SHA256 hash: 54a8680e368f3ef58be31a0dabbb163dca6331b34ee0243bb766c0de4bc45429
MD5 hash: 51b40c347a7e1c5486bb2a8c086e1a4f
SHA1 hash: 06b62dc7172225bb4a61d5297ada9ff880152c2b

SHA256 hash: ee1a401be2134b757ffabff69f7951cddc08c9e572d84271a6d8102e69b01b67
MD5 hash: be50a63a44a02624817ed84beb5e98c7
SHA1 hash: 2229390a4c7e661a4609f4cc94c45174f6f35bb9
Detections: Qakbot win_qakbot_auto

SHA256 hash: e248f7a1cbd369a2111834664fa805b489c8610e0d9b7fa506c3a1fc882dd331
MD5 hash: 2b9b0bfbf52742dff63a21cfd9fc496e
SHA1 hash: 39d5290e4b7a8aa117652c585581ed0908e0dbd9
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: APT_DustSquad_PE_Nov19_1
Author: Arkbird_SOLG
Description: Detection Rule for APT DustSquad campaign Nov19
Reference: https://twitter.com/Rmy_Reserve/status/1197448735422238721

Rule name: APT_DustSquad_PE_Nov19_2
Author: Arkbird_SOLG
Description: Detection Rule for APT DustSquad campaign Nov19
Reference: https://twitter.com/Rmy_Reserve/status/1197448735422238721

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: meth_stackstrings
Author: Willi Ballenthin

Rule name: QakBot
Author: kevoreilly
Description: QakBot Payload

Rule name: unpacked_qbot
Description: Detects unpacked or memory-dumped QBot samples

Rule name: win_qakbot_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.qakbot.

Rule name: win_qakbot_malped
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.qakbot.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments