MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e55c191f081d06d46846f73db4d847c3a08da2a517b70ee119f2586c308ebd1d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Quakbot


Vendor detections: 8



SHA256 hash: e55c191f081d06d46846f73db4d847c3a08da2a517b70ee119f2586c308ebd1d
SHA3-384 hash: 25071e811b8328481961a05da229edd262bb166ed127c6684b38f7759f8e65625fce533fc949e30413ad3c505ee83b91
SHA1 hash: 7ab203290205c355bc2f9d9115b7dfc0c6a0f5d4
MD5 hash: dbc516d8d0cb70974b85cc4b8d9553f9
humanhash: leopard-aspen-ink-september
File name: 111112.png
Signature: Quakbot
File size: 1'070'568 bytes
First seen: 2020-10-21 19:12:48 UTC
Last seen: 2020-10-21 20:09:15 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 82c23e1ee79c35a4b779a3040d232a07 (54 x QuakBot)
ssdeep: 3072:qU2P4gYgzuBeXRTZnDNNlJ06KEzGZV8uv793SVHrgCuo2zh2kB3dCrMOr3HhYvL0:qJ2gzwETZnl1Kj0sSwo2zzOxmvLVqqM
TLSH: F535D0D0E3A07C09E9633AB18771C6710C797C6BC570EA9F147A3316E5B32416B92B6B
Reporter: Anonymous
Tags: Quakbot

Intelligence


File Origin
# of uploads: 2
# of downloads: 88
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching a process
Creating a window
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary contains a suspicious time stamp
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect virtual machines (IN, VMware)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph (graph rendering not reproduced; recoverable details follow):
Behavior Graph ID: 302328
Sample: 111112.png
Start date: 22/10/2020
Architecture: WINDOWS
Score: 100
Process tree: 111112.exe (three instances started) drops C:\Users\user\AppData\Roaming\...\yjnszqm.exe (PE32) and C:\Users\user\...\yjnszqm.exe:Zone.Identifier (ASCII), then starts yjnszqm.exe, schtasks.exe (which starts conhost.exe) and a further 111112.exe; yjnszqm.exe in turn starts explorer.exe and another yjnszqm.exe.
Graph signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected Qbot; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Contains functionality to detect virtual machines (IN, VMware); Contains functionality to compare user and computer (likely to detect sandboxes); Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; plus 4 other signatures on the sample node and 7 other signatures on the yjnszqm.exe node.
Threat name: Win32.Backdoor.Quakbot
Status: Malicious
First seen: 2020-10-21 19:36:45 UTC
AV detection: 20 of 24 (83.33%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: trojan banker stealer family:qakbot
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Loads dropped DLL
Executes dropped EXE
Qakbot/Qbot
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash:
d6eda9ddc88a84736a0b2bec35226ea14276f0fd97067ac8201c32d17375f1be
MD5 hash:
ff7b4eeb28456ee7f74c1273fa66588b
SHA1 hash:
0132c40f652fe9e9de98fa26075b898de0224b1b
Detections:
win_qakbot_g0 win_qakbot_auto
SHA256 hash:
bf6f3e04249cf4a34f7556636c679ff1c78e2414fd37868eef6d100cb7282fae
MD5 hash:
df598a3910b9f05031cdf890b7f46d13
SHA1 hash:
0cf9d9322c4f984cbf917b6e58afde58721f6ff7
Detections:
win_qakbot_auto
Parent samples :
SHA256 hash:
e55c191f081d06d46846f73db4d847c3a08da2a517b70ee119f2586c308ebd1d
MD5 hash:
dbc516d8d0cb70974b85cc4b8d9553f9
SHA1 hash:
7ab203290205c355bc2f9d9115b7dfc0c6a0f5d4
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Select_from_enumeration
Author: James_inthe_box
Description: IP and port combo

Rule name: win_qakbot_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments