MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e9e65452644cf71bddbd3a324c171117c3df219a642bca6083ee6796dc5365c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 11



SHA256 hash: e9e65452644cf71bddbd3a324c171117c3df219a642bca6083ee6796dc5365c2
SHA3-384 hash: 1f14e2134daabb04cf20919a8ca69d787f38bf4cd0b88421fee10fe2edac7e1568be26d466914d9ee6bc1e86dae7a2f5
SHA1 hash: fd0d969841ec7654b1b969d8c296031c3575d63c
MD5 hash: 7e7bdad13f25974c9bd07b0591d2773e
humanhash: sodium-double-fanta-purple
File name: contaminative.dat
Signature Quakbot
File size: 1'632'072 bytes
First seen: 2022-10-31 17:30:06 UTC
Last seen: 2022-10-31 20:13:43 UTC
File type: DLL dll
MIME type: application/x-dosexec
imphash d7ce16ef29cd3ae5d899da15f45284cd (4 x Quakbot)
ssdeep 24576:hdOBKJGDcYOGm+FpvC04Rl3ZC499TlgxE29S3GrOk8YdSkQh:hs9dm+n60YZCZY3+R8Ydkh
Threatray 1'625 similar samples on MalwareBazaar
TLSH T16A758E22F2D1C437E472177C9C7BA399982A7D512E28884B7FE54F4C4F3A6413E29297
TrID 28.8% (.EXE) Win32 Executable (generic) (4505/5/1)
19.2% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
13.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
12.9% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter abuse_ch
Tags: dat dll Qakbot qbot Quakbot

Intelligence

File Origin
# of uploads: 2
# of downloads: 507
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Suspicious
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a window
Searching for synchronization primitives
Launching a process
Modifying an executable file
Unauthorized injection to a system process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: keylogger overlay packed qakbot
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name: Win32.Backdoor.Quakbot
Status: Malicious
First seen: 2022-10-31 15:55:19 UTC
File Type: PE (Dll)
Extracted files: 70
AV detection: 21 of 26 (80.77%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:qakbot botnet:bb05 campaign:1667208557 banker stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Program crash
Qakbot/Qbot
Malware Config
C2 Extraction:
174.77.209.5:443
187.0.1.74:23795
24.206.27.39:443
1.156.220.169:30723
156.216.39.119:995
58.186.75.42:443
1.156.197.160:30467
187.1.1.190:4844
186.18.210.16:443
1.181.56.171:771
90.165.109.4:2222
187.0.1.186:39742
87.57.13.215:443
187.0.1.207:52344
227.26.3.227:1
98.207.190.55:443
187.0.1.197:7017
188.49.56.189:443
102.156.160.115:443
187.0.1.24:17751
70.51.139.148:2222
187.0.1.109:34115
14.164.18.210:443
187.0.1.97:30597
205.161.22.189:443
187.0.1.151:54711
196.217.63.248:443
187.0.1.160:45243
66.37.239.222:443
24.207.97.40:443
187.0.1.59:24056
68.62.199.70:443
45.230.169.132:993
Unpacked files
SHA256 hash: e14accb675e83df00fe0ecc95ea8e70ab873efb1cd5d321310aade8e804579f1
MD5 hash: 2ad9636507a1496ed71edc42ea7f1b66
SHA1 hash: d7f2f6d3da2226d68a631257ff1024802fbc2054
SHA256 hash: daa3557a9a632d9f897a8d7c1ef0e40a5715f0badc424f57f5ea50525fdd7122
MD5 hash: 66a0741f8f43b584e387459b367097c1
SHA1 hash: 3794e128ba8d8b29404d036423493a722d521b6b
Detections: Qakbot win_qakbot_auto
SHA256 hash: e9e65452644cf71bddbd3a324c171117c3df219a642bca6083ee6796dc5365c2
MD5 hash: 7e7bdad13f25974c9bd07b0591d2773e
SHA1 hash: fd0d969841ec7654b1b969d8c296031c3575d63c
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments