MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e55a662e05fdc1e0c8570564bfcdb0d7cbec3bf5eca101ab12ac2997998c2aa9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e55a662e05fdc1e0c8570564bfcdb0d7cbec3bf5eca101ab12ac2997998c2aa9
SHA3-384 hash: 5a29ab7cb45634a7d8b8bbfcb7504029a9bdddd832a00c07233e761f1627cd961b8123102cf056bd56608908d9cd008f
SHA1 hash: 9a60895c35e0b46c09ed778c697a3b8bae8b9680
MD5 hash: f0ed5abd066e73fbb0383ea70d1674d4
humanhash: cup-venus-autumn-music
File name:e55a662e05fdc1e0c8570564bfcdb0d7cbec3bf5eca101ab12ac2997998c2aa9
Download: download sample
Signature Quakbot
Create hunting rule
File size:1'098'736 bytes
First seen:2022-02-15 06:03:56 UTC
Last seen:2022-02-15 07:55:07 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 220ea7972e993d1cdbf761cab8a71a9d (11 x Quakbot)
ssdeep 12288:Nt1RcM1gmtlMFHvP/AT0qUyF1XPPzXTwnUV1cQ47gZckpPWUyQVurP6lbuiw1rPw:duwgYKvPteX5lNEZYytP/411KQtg9FFy
Threatray 2 similar samples on MalwareBazaar
TLSH T100358E3271C1D5BFC4B23ABC9D6A71A588257D520D2CCC0EBBD84F4E0E7A691673225E
File icon (PE):PE icon
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter JAMESWT_WT
Tags:dll HOUSE 9A s.r.o Quakbot signed

Code Signing Certificate

Organisation:HOUSE 9A s.r.o
Issuer:Sectigo Public Code Signing CA R36
Algorithm:sha384WithRSAEncryption
Valid from:2021-12-30T00:00:00Z
Valid to:2022-12-30T23:59:59Z
Serial number: d3aee8abb9948844a3ac1c04cc7e6bdf
Intelligence: 10 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: e386450257e170981513b7001a82fb029f0931e5c2f11c6d9b86660da0b89a66
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
3
# of downloads :
148
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/241536/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.25927.29064.7173.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
DNS request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed qbot
Link:
https://www.filescan.io/uploads/620b4256875593a3ccce1936/reports/67d2fdbc-f73f-471e-abb5-0b0821606dc9/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dc6808ae-de29-48ae-96b7-53f97515d4cc
Result
Threat name:
CryptOne Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/939911
Signature
Allocates memory in foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Schedule system process
Sigma detected: Suspicious Call by Ordinal
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected CryptOne packer
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 572389 Sample: AO1EMmFFse Startdate: 15/02/2022 Architecture: WINDOWS Score: 100 43 Multi AV Scanner detection for dropped file 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 Yara detected CryptOne packer 2->47 49 5 other signatures 2->49 8 loaddll32.exe 1 2->8         started        11 regsvr32.exe 2->11         started        13 regsvr32.exe 2->13         started        process3 signatures4 51 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->51 53 Injects code into the Windows Explorer (explorer.exe) 8->53 55 Writes to foreign memory regions 8->55 57 2 other signatures 8->57 15 explorer.exe 8 1 8->15         started        19 cmd.exe 1 8->19         started        21 WerFault.exe 3 9 8->21         started        23 regsvr32.exe 11->23         started        25 regsvr32.exe 13->25         started        process5 file6 39 C:\Users\user\Desktop\AO1EMmFFse.dll, PE32 15->39 dropped 41 Uses schtasks.exe or at.exe to add and modify task schedules 15->41 27 schtasks.exe 1 15->27         started        29 rundll32.exe 19->29         started        31 WerFault.exe 20 9 23->31         started        33 WerFault.exe 2 9 25->33         started        signatures7 process8 process9 35 conhost.exe 27->35         started        37 WerFault.exe 20 9 29->37         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e55a662e05fdc1e0c8570564bfcdb0d7cbec3bf5eca101ab12ac2997998c2aa9/
Threat name:
Win32.Infostealer.QBot
Create hunting rule
Status:
Malicious
First seen:
2022-02-15 06:04:10 UTC
File Type:
PE (Dll)
Extracted files:
2
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
224b3d58500a108f6e4eaaf685bfe9c7d01e4a7e6d29cd271938ef2471ea963a
Quakbot
aaaac7add78fd2f9eb7638559958432498ed11480acf706d6023923fc75a48ec
Quakbot
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot botnet:obama155 campaign:1644841339 banker evasion stealer trojan
Link:
https://tria.ge/reports/220215-gsqtbachhp/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in Windows directory
Loads dropped DLL
Qakbot/Qbot
Suspicious use of NtCreateProcessExOtherParentProcess
Windows security bypass
Malware Config
C2 Extraction:
120.150.218.241:995
32.221.231.1:443
75.67.73.144:443
82.152.39.39:443
41.230.62.211:993
1.161.70.155:443
139.64.13.189:443
31.215.116.182:2222
76.23.237.163:995
39.44.150.120:995
67.209.195.198:443
37.210.157.12:2222
39.49.98.233:995
89.101.97.139:443
45.9.20.200:443
75.156.151.34:443
42.235.144.180:2222
2.50.41.69:61200
31.35.28.29:443
86.98.156.45:993
212.34.15.205:443
103.17.101.139:995
217.164.115.166:2222
96.246.158.154:995
217.128.171.34:2222
190.73.3.148:2222
41.143.153.235:443
41.228.22.180:443
86.98.49.16:443
182.191.92.203:995
220.255.25.1:2222
180.233.150.134:995
129.208.11.149:995
102.65.38.67:443
78.96.235.245:443
24.53.49.240:443
78.87.41.5:995
136.143.11.232:443
140.82.49.12:443
111.125.245.116:995
82.41.63.217:443
24.178.196.158:2222
38.70.253.226:2222
74.15.2.252:2222
92.177.45.46:2078
209.210.95.228:32100
37.211.176.26:61202
149.135.101.20:443
24.222.20.254:443
96.21.251.127:2222
80.14.196.176:2222
176.67.56.94:443
1.161.70.155:995
76.25.142.196:443
86.97.161.184:443
103.142.10.177:443
128.106.122.39:443
86.98.156.82:32101
89.137.52.44:443
86.98.148.144:995
75.188.35.168:443
31.215.185.99:1194
173.21.10.71:2222
71.74.12.34:443
45.46.53.140:2222
73.151.236.31:443
67.165.206.193:993
96.37.113.36:993
95.14.105.51:995
184.100.174.73:443
109.12.111.14:443
217.165.139.33:995
161.142.62.76:443
68.204.7.158:443
87.71.79.81:443
218.101.110.3:995
94.60.254.81:443
114.79.148.170:443
70.51.137.204:2222
31.215.206.13:443
24.152.219.253:995
101.50.120.112:995
69.14.172.24:443
117.248.109.38:21
78.101.202.183:443
37.177.81.142:995
64.231.96.211:2222
103.139.242.30:990
72.252.201.34:990
201.172.31.135:80
100.1.108.246:443
72.252.201.34:995
190.206.211.182:443
40.134.247.125:995
108.4.67.252:443
70.45.27.254:443
197.89.20.13:443
113.28.253.9:995
41.86.42.158:995
5.32.41.46:443
78.164.40.62:995
105.184.195.32:995
217.128.93.27:2222
80.6.192.58:443
136.232.34.70:443
182.176.180.73:443
39.52.239.221:995
103.139.242.30:993
75.169.34.158:443
31.215.29.238:443
89.86.33.217:443
173.26.188.246:443
41.84.238.71:443
23.82.128.108:443
24.95.61.62:443
144.86.6.161:443
113.211.127.95:443
86.198.170.170:2222
70.163.1.219:443
31.215.23.29:2222
37.203.225.248:443
193.251.59.245:2222
73.59.201.174:443
73.136.32.202:443
86.178.220.77:443
31.215.142.105:2078
73.67.152.98:2222
43.231.252.200:443
41.209.126.246:443
37.186.54.25:995
181.118.183.28:443
162.210.220.137:2222
188.50.206.1:995
103.123.225.38:6881
70.50.147.95:2222
72.66.116.235:995
187.191.33.158:443
165.255.54.11:995
31.166.23.80:443
65.100.174.110:8443
65.100.174.110:443
Unpacked files
SH256 hash:
6ab264886d29cd6c13be53187bc87accc537cf3a1e77b484faa6c888afbc6533
MD5 hash:
6d874388398d228bb67f960d0c630801
SHA1 hash:
b9102f054b9d94f323bb001ef86d1d3f4ce61b40
Link:
https://www.unpac.me/results/395ff9bf-0f63-4f23-a1b7-9440ccc68caa/
SH256 hash:
1c5f40c16bbb664c4256a99f30dfbbca7934317475f20733f7ea404cc048fada
MD5 hash:
54e3f20f74c1089e89841798ffaac084
SHA1 hash:
87721806d1cc52417522b03228de32e33fd4835c
Link:
https://www.unpac.me/results/395ff9bf-0f63-4f23-a1b7-9440ccc68caa/
SH256 hash:
e55a662e05fdc1e0c8570564bfcdb0d7cbec3bf5eca101ab12ac2997998c2aa9
MD5 hash:
f0ed5abd066e73fbb0383ea70d1674d4
SHA1 hash:
9a60895c35e0b46c09ed778c697a3b8bae8b9680
Link:
https://www.unpac.me/results/395ff9bf-0f63-4f23-a1b7-9440ccc68caa/
Malware family:
CryptOne
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/e55a662e05fd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e55a662e05fdc1e0c8570564bfcdb0d7cbec3bf5eca101ab12ac2997998c2aa9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/241536/

Comments