MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e91f4205e8fa14ac9acd4b6cf9a54e2fa8b3901e619e18b3fa22188ef1ddeaff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 11

Intelligence 11 IOCs YARA 5 File information Comments

SHA256 hash:	e91f4205e8fa14ac9acd4b6cf9a54e2fa8b3901e619e18b3fa22188ef1ddeaff
SHA3-384 hash:	662927dcf927bc5980b5cdb2b9f06c73f67748c4a09ca22f6370ef6b58c7ea330523762ff6a4450139a0911bb2ca5c6e
SHA1 hash:	c699b16ce036b50997a52114280a080d16bf5599
MD5 hash:	c519f8bd60844e7ea776e67a4b724e53
humanhash:	bulldog-fourteen-september-lemon
File name:	tainted.dat
Download:	download sample
Signature	Quakbot Create hunting rule
File size:	550'400 bytes
First seen:	2022-10-03 18:48:23 UTC
Last seen:	Never
File type:	dll
MIME type:	application/x-dosexec
imphash	c55a71db2a0604f1aa6e10d072ecdaf3 (6 x Quakbot)
ssdeep	12288:P9hOiDHnsfkmEsrq1ZBr0fvpdgJvLrG3q8/UxPVN:lPT1HsuPr+hdIO3kVN
TLSH	T118C48D06F712C021CAA811B16C76FBE181ACAC359EB41AD7B7801F7789711F77A69F12
TrID	29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 22.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 20.3% (.EXE) Win32 Executable (generic) (4505/5/1) 9.1% (.EXE) OS/2 Executable (generic) (2029/13) 9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	malwarelabnet
Tags:	dll Qakbot Quakbot

Intelligence

File Origin

# of uploads :

# of downloads :

294

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/316214/

Detection(s):

SecuriteInfo.com.Win32.Evo-gen.12906.30470.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Сreating synchronization primitives

Launching a process

Searching for synchronization primitives

Modifying an executable file

Creating a window

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/633b2e9e0d3d21420cca4a6f/reports/0da8cf00-536a-46f0-9f0e-a65c77113395/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Qakbot

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d37a30b0-1b1f-4e00-92e5-fa405e8616b7

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e91f4205e8fa14ac9acd4b6cf9a54e2fa8b3901e619e18b3fa22188ef1ddeaff/

Threat name:

Win32.Backdoor.Quakbot

Status:

Malicious

First seen:

2022-10-03 18:15:27 UTC

File Type:

PE (Dll)

Extracted files:

AV detection:

21 of 40 (52.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5epuebpi7ikkzgwnjnwptjkof6ulhea6mgpbrm72eimi54o55l7q._file

Verdict:

malicious

Label(s):

qakbot

Result

Malware family:

qakbot

Score:

10/10

Tags:

family:qakbot banker stealer trojan

Link:

https://tria.ge/reports/221003-xgbs1sbdeq/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Qakbot/Qbot

Malware Config

C2 Extraction:

99.221.33.122:35602
29.202.180.222:51620
23.94.40.182:4331
34.19.16.166:1288
241.163.135.223:50051
32.107.156.85:19172
228.49.142.11:64889
196.202.140.31:7400
110.114.87.194:23019
217.188.119.28:9613
29.44.169.79:27952
169.83.63.109:46511
47.65.80.200:49855
50.140.194.100:14738
152.64.159.219:41214
12.255.117.222:36282
199.246.11.177:40851
81.180.116.241:1057
87.3.215.226:21496
247.44.83.206:32161
110.141.155.115:21355
126.7.15.81:38878
246.166.147.15:42079
71.118.48.68:16876
240.237.58.79:52135
228.135.88.101:8170
37.13.235.189:18671
187.156.210.204:4243
146.54.170.64:61188
240.132.30.162:19966
23.207.217.71:260
125.250.215.162:30167
242.193.131.8:56589
188.7.186.109:6729
80.147.52.103:32403
232.222.181.12:36938
165.107.195.136:37237
193.129.246.98:0
162.224.55.111:30915
17.105.54.14:63284
149.253.253.235:19955
148.219.182.10:5489
56.214.171.2:7637
171.182.161.115:60821
175.2.110.61:49611
99.130.91.79:29604
136.197.36.254:0

Unpacked files

SH256 hash:

643430a83eecf318375f3922e03cfe757eced1eb12861c2744e6c8b98957faa7

MD5 hash:

5e01d9ad0aa5a2d224baa0b36f008561

SHA1 hash:

c74b547dccfd6af5bebba1029f7371c73fdac163

Link:

https://www.unpac.me/results/2e6d3420-0c43-4e02-9200-a1c150e212e6/

SH256 hash:

45b06b4ea4f9e69bfd93baf5ed1da9059ce91a6faf0c27a586d1960d1f7c709d

MD5 hash:

0e77f14378f61ce84bebb92e0797fbd8

SHA1 hash:

431ebcc88a23fa53d806dfba3f511dc8ec513438

Detections:

win_qakbot_auto

Link:

https://www.unpac.me/results/2e6d3420-0c43-4e02-9200-a1c150e212e6/

Parent samples :

1965dc57456d4fc01b6ce0f242d80776fe08a16354e6177255cba618348355ac
1abc2fb23f55378947bf528996b50ffed195a059d5f7b537271792704eb5cd4c
e91f4205e8fa14ac9acd4b6cf9a54e2fa8b3901e619e18b3fa22188ef1ddeaff

SH256 hash:

d018e9758a6bb88ed8593b269e918c5879626e9a66eb3ae41b0151f295f0db39

MD5 hash:

d862d2627536528d832d1476cbe303a1

SHA1 hash:

d2dc8d08b6604c2d50630500d3aae343e4300f98

Link:

https://www.unpac.me/results/2e6d3420-0c43-4e02-9200-a1c150e212e6/

SH256 hash:

e91f4205e8fa14ac9acd4b6cf9a54e2fa8b3901e619e18b3fa22188ef1ddeaff

MD5 hash:

c519f8bd60844e7ea776e67a4b724e53

SHA1 hash:

c699b16ce036b50997a52114280a080d16bf5599

Link:

https://www.unpac.me/results/2e6d3420-0c43-4e02-9200-a1c150e212e6/

Malware family:

QBot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e91f4205e8fa/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e91f4205e8fa14ac9acd4b6cf9a54e2fa8b3901e619e18b3fa22188ef1ddeaff

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	QakBot Create hunting rule
Author:	kevoreilly
Description:	QakBot Payload

Rule name:	unpacked_qbot Create hunting rule
Description:	Detects unpacked or memory-dumped QBot samples

Rule name:	win_qakbot_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.qakbot.

Rule name:	win_qakbot_malped Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/316214/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample