MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e28fd94d327ccd4e1107dc540b1c05cbc824b08a8b40202a6d711384a2de7eb3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e28fd94d327ccd4e1107dc540b1c05cbc824b08a8b40202a6d711384a2de7eb3
SHA3-384 hash: e841345eaffefa9c7d4e34f52cd68134f243619c49fd1c90e62a5ca98131ff13fac305765802ab60ee7d29a37ef8118a
SHA1 hash: 3f6c92e29b42b2863a3844016bbd06293a0cba57
MD5 hash: 4e7322d81ae3498efbd6ad8de4784788
humanhash: don-five-blossom-edward
File name:Umbrella LLC (12)
Download: download sample
Signature Quakbot
Create hunting rule
File size:1'017'320 bytes
First seen:2020-10-06 08:20:28 UTC
Last seen:2020-10-06 09:14:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 48c67d6a901541a84e7e8bc49cd63032 (21 x Quakbot)
ssdeep 6144:VgfRCEBsOYa5y3g0q+Z1Af61g8nC8StMkuNURdRoc0WKkm5v:eJCEyOYsqLjACi8C8vJZkm5v
Threatray 546 similar samples on MalwareBazaar
TLSH 8625D02FF737D840D3E82FF6458307A85977ACA9B922521729D63A1A7CF6BD03C22544
Reporter JAMESWT_WT
Tags:Qakbot Quakbot signed Umbrella LLC

Code Signing Certificate

Organisation:Umbrella LLC
Issuer:Sectigo RSA Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:Sep 4 00:00:00 2020 GMT
Valid to:Sep 4 23:59:59 2021 GMT
Serial number: 1249AA2ADA4967969B71CE63BF187C38
Intelligence: 14 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: C139076033E8391C85BA05508C4017736A8A7D9C1350E6B5996DD94B374F403C
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
152
Origin country :
n/a
Vendor Threat Intelligence
Detection:
QakBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/68539/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching a process
Creating a window
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Threat name:
Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/482594
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect virtual machines (IN, VMware)
Detected unpacking (changes PE section rights)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 293738 Sample: Umbrella LLC (12) Startdate: 06/10/2020 Architecture: WINDOWS Score: 100 32 Antivirus / Scanner detection for submitted sample 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 Detected unpacking (changes PE section rights) 2->36 38 6 other signatures 2->38 7 Umbrella LLC (12).exe 4 2->7         started        10 Umbrella LLC (12).exe 2->10         started        12 Umbrella LLC (12).exe 2->12         started        process3 file4 28 C:\Users\user\AppData\Roaming\...\ijiiu.exe, PE32 7->28 dropped 30 C:\Users\user\...\ijiiu.exe:Zone.Identifier, ASCII 7->30 dropped 14 ijiiu.exe 7->14         started        17 schtasks.exe 1 7->17         started        19 Umbrella LLC (12).exe 7->19         started        process5 signatures6 42 Antivirus detection for dropped file 14->42 44 Multi AV Scanner detection for dropped file 14->44 46 Detected unpacking (changes PE section rights) 14->46 48 6 other signatures 14->48 21 explorer.exe 1 14->21         started        24 ijiiu.exe 14->24         started        26 conhost.exe 17->26         started        process7 signatures8 40 Contains functionality to compare user and computer (likely to detect sandboxes) 21->40
Detection:
qakbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e28fd94d327ccd4e1107dc540b1c05cbc824b08a8b40202a6d711384a2de7eb3/
Threat name:
Win32.Trojan.PinkSbot
Create hunting rule
Status:
Malicious
First seen:
2020-10-06 04:38:32 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4kh5stjsptgu4eih3rkawhafzpecjmekrnacaktnoejyjiw6p2zq._file
Verdict:
malicious
Similar samples:
0652d513a2c43aaabbb806eeda3e035aa3b12449a718610d42453896d9f97751
Quakbot
45bd22771aeaab651a6ff5a3a23193446ffd305472082d06ad6612878fa2786e
Quakbot
70c7a48f3dfb41c0137b736bf5f3071bfd550eb8dee8fc6b3c5a075adbecbdbb
Quakbot
78749911faeac0032bb0c8562761fa6ee3fb85f37e099f5169d9dcc29c8024bd
Quakbot
92459aab5fc4c348f5a6a10fa7ce8bc734121a8e2d8d3c30e4337f74ae87017a
Quakbot
9adfaa5b63a6a5456740d383e463055f47b796114675f0912e185638ad135d4a
Quakbot
b78c608b6efdbcab010375b990d029eefd2aa139b5796cd5b10adf50a8e48ec3
Quakbot
b92c0aafb4e9b0fc2b023dbb14d7e848249f29e02b0e4cd8624ce27e55c9ac4c
Quakbot
c118e4088bc5aaffebe7208df9f01da9d70ba625ba020c593723495c0954a203
Quakbot
e6e67623e24b8c95021d63966ac7f2ba20e7fbe9495b32290871fc9fa8fe4fe3
Quakbot
+ 536 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
trojan banker stealer family:qakbot
Link:
https://tria.ge/reports/201006-w4yeyy1b6a/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Loads dropped DLL
Executes dropped EXE
Qakbot/Qbot
Malware Config
C2 Extraction:
199.116.241.147:443
71.187.170.235:443
71.126.139.251:443
2.50.159.48:2222
31.5.168.31:443
190.85.91.154:443
173.245.152.231:443
39.36.218.78:995
78.96.199.79:443
172.78.30.215:443
61.230.5.67:443
197.133.117.15:443
24.213.191.38:0
184.97.132.62:443
96.227.127.13:443
24.218.181.15:443
96.30.198.161:443
77.27.174.49:995
45.77.193.83:443
207.246.75.201:443
208.99.100.129:443
72.204.242.138:53
72.204.242.138:443
72.204.242.138:990
117.218.208.239:443
108.5.34.248:443
68.190.152.98:443
2.90.26.187:443
24.231.54.185:2222
103.238.231.40:443
217.162.149.212:443
71.19.217.23:443
24.122.0.90:443
207.255.161.8:995
184.180.157.203:2222
86.126.108.242:2222
98.26.50.62:995
75.136.26.147:443
72.66.47.70:443
93.113.177.152:443
74.109.219.145:443
45.32.154.10:443
134.228.24.29:443
203.106.195.67:443
175.211.225.118:443
24.139.132.70:443
66.215.32.224:443
70.174.20.7:443
103.206.112.234:443
174.110.39.220:443
86.97.161.201:443
95.77.223.148:443
190.220.8.10:443
2.51.221.138:995
72.204.242.138:50001
199.247.16.80:443
75.136.40.155:443
95.179.247.224:443
207.255.161.8:443
100.4.173.223:443
61.1.206.212:443
59.96.58.48:443
86.177.171.45:2222
71.220.200.82:2222
207.237.1.152:443
5.12.255.109:443
89.137.211.72:443
59.26.204.144:443
93.149.253.201:2222
2.50.57.36:443
141.158.47.123:443
85.186.140.248:995
2.7.65.32:2222
80.195.103.146:2222
66.26.160.37:443
77.30.32.191:995
2.50.131.64:443
66.222.88.126:995
216.201.162.158:443
50.244.112.106:443
184.98.103.204:995
96.18.240.158:443
35.134.202.234:443
213.31.203.109:2222
72.204.242.138:20
94.52.68.72:443
84.247.55.190:443
24.234.86.201:995
67.60.113.253:2222
190.30.185.80:443
71.80.66.107:443
67.170.137.8:443
94.52.160.116:443
109.93.11.111:995
173.22.125.129:2222
81.133.234.36:2222
80.14.209.42:2222
71.12.214.209:2222
86.121.121.14:2222
23.240.70.80:443
68.46.142.48:995
90.175.88.99:2222
148.240.52.146:443
80.240.26.178:443
185.246.9.69:995
68.225.60.77:443
47.44.217.98:443
203.198.96.200:443
207.255.161.8:993
2.88.63.101:995
24.43.22.220:993
69.11.247.242:443
173.21.10.71:2222
65.131.72.17:995
31.5.21.66:443
103.76.160.110:443
188.27.178.166:443
77.31.120.194:995
73.228.1.246:443
69.123.179.70:443
67.165.206.193:993
89.42.142.35:443
45.32.155.12:443
199.247.22.145:443
5.12.218.57:2222
72.241.205.69:443
50.96.234.132:995
108.30.125.94:443
47.138.201.136:443
173.173.1.164:443
178.138.96.166:443
70.124.29.226:443
95.76.109.181:443
96.237.141.134:995
67.250.30.121:2222
24.28.183.107:995
69.47.239.10:443
73.225.67.0:443
24.40.173.134:443
74.129.24.163:443
5.193.181.221:2078
45.46.53.140:2222
76.111.128.194:443
71.197.126.250:443
71.199.99.229:995
187.155.68.90:443
24.128.117.95:443
207.255.18.67:443
174.101.142.231:443
Unpacked files
SH256 hash:
361231aa8a213f60ea73be0fa534bf3e7c3855c6ae0b9940b71771c7f07414ad
MD5 hash:
bf7ebad66bd4316cd18058c06b4e28f1
SHA1 hash:
5ad652b73077bef68509b344dde1c61e40e6e8c3
Detections:
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/a61242f1-0dea-4ee5-8172-9d08f37f3296/
Parent samples :
1d14f161830af09dbdfca9bbfa554cd9724f8af548495866b29bddf8b4d73a31
da9694c6c6f520b9068714b76a3cfce6f4609072f8777be7efb4e1878a6c4feb
bda34889cc38db9ca6ff923907e9d1081c81cdf53e62ed5c0991ec9a3e74eef0
1ba4eff0ed556a21a26581b4a59961e33513f5321e5f0310e6d606d5ec95e99e
4b96a68d53022f8246c8e798433f266fdafbbc8902a96713e50eb66548ac3c8a
8ff931fa10085fa391e62db803ee3adc136d0601c1752f685c0951a461ff809f
34a8bdd80f0d5bb6f2f38716cf2d9bf1d0358d1c3778c83c8b7b7bc742b858e8
35b85458c2b654476280aef26c1bde35bbb7a48465a618ae589b9f2e6e305ea8
259b98411afd13efe4d06e088b7d2af806e98d923700237716208e018354e550
acacfdd7a0da6ee94b8c1bff2d71bf406d01a422959f23731d63a485acedf982
b0d5100e6d6af0bff8c9e282989d74930a2878a08410ae27ff2daa96132e3896
e28fd94d327ccd4e1107dc540b1c05cbc824b08a8b40202a6d711384a2de7eb3
fdde58beb1ddc17ee64524912a0db54e7b4bf2ae57cce64eedb01e56c856f582
0dc710737c12ea1c1215fbd39e00347649fff1fb0e512287c86873f66a9f0a35
5a407e99922b9dd18cef43136c16d9fbecd9de47e7895fc4aeb0772487339fc1
034c86795739f7edeec14f4b982b017ecea1c9476bfa304a05de10ebbbdbe425
c520e5788c6cdec1d819803bc214f04a2006ebf0dd3ebfbd56dc5b3a91b38c8b
f0329494b1a9a26aac06e2606c95e31167035d8f576ed8773664d7578913cf36
7601edb9feedd3052966f1988a603ff7019ec4e7db98571b48a1de61483f21e2
SH256 hash:
09f4b4ecbd22523e6f28669f388817bce7f946225ecc90f013d67623896bd592
MD5 hash:
03a29364532ca428646224f265007b69
SHA1 hash:
3c31a11fda862aaa2b6e9eefb9af8d0e00f36255
Detections:
win_qakbot_g0
Create hunting rule
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/a61242f1-0dea-4ee5-8172-9d08f37f3296/
SH256 hash:
e28fd94d327ccd4e1107dc540b1c05cbc824b08a8b40202a6d711384a2de7eb3
MD5 hash:
4e7322d81ae3498efbd6ad8de4784788
SHA1 hash:
3f6c92e29b42b2863a3844016bbd06293a0cba57
Link:
https://www.unpac.me/results/a61242f1-0dea-4ee5-8172-9d08f37f3296/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
qbot
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e28fd94d327ccd4e1107dc540b1c05cbc824b08a8b40202a6d711384a2de7eb3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_qakbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/68539/

Comments