MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e9f172965ed2997185100841b6f1f3ea1842ce8b10eaef4ab5f9bd648d87842a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e9f172965ed2997185100841b6f1f3ea1842ce8b10eaef4ab5f9bd648d87842a
SHA3-384 hash: 5020cb764a16acfc0e39fab6e52a85cfe8ec8e9f6edee7cdb7a3ee954c473714e78b0f6591adfc567156c454deaf2829
SHA1 hash: f159e85749783f0821ba72adf8132eba089d78c2
MD5 hash: 1f2c8300ae48a7036b2ad045399a9784
humanhash: neptune-mango-equal-delaware
File name:alsoAndWell.dat
Download: download sample
Signature Quakbot
Create hunting rule
File size:424'448 bytes
First seen:2022-06-27 19:05:07 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash f141a6deaab9652cc7e298abde5708ad (8 x Quakbot)
ssdeep 6144:ZUpGOKUXcSjtM0vsC2g2uJ8yBW8RCtswtoMfLYzY8EI4zADpxTKX:zODMSjtfX2VyWkUtoeLYk8EHMjTO
Threatray 1'316 similar samples on MalwareBazaar
TLSH T1DF948ED0E137C0E0DC8D9FBC31283D795B6D262698ACEC7A5AB828545DF2347146CEDA
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter cyberswat4
Tags:dll Quakbot signed

Code Signing Certificate

Organisation:FLY BETTER s.r.o.
Issuer:Sectigo Public Code Signing CA R36
Algorithm:sha384WithRSAEncryption
Valid from:2022-02-18T00:00:00Z
Valid to:2023-02-18T23:59:59Z
Serial number: 24e4a2b3db6be1007b9ddc91995bc0c8
Intelligence: 7 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: 005af6c8e9f06a2258c2df70785a5622c8d10d982fdc7f4dbe2f53af6e860359
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
270
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/283690/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Modifying an executable file
Searching for synchronization primitives
Creating a process with a hidden window
Creating a window
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed qbot
Link:
https://www.filescan.io/uploads/62b9ffdba80f69eaf3473de5/reports/bdb1f150-2a00-437f-86aa-29846e8ec9bc/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c5efd8a6-f44a-4278-98e2-7874ff5d5dc8
Result
Threat name:
Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1020732
Signature
Allocates memory in foreign processes
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 653228 Sample: alsoAndWell.dll Startdate: 27/06/2022 Architecture: WINDOWS Score: 80 38 Multi AV Scanner detection for submitted file 2->38 40 Yara detected Qbot 2->40 42 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->42 8 loaddll32.exe 1 2->8         started        process3 signatures4 52 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->52 54 Injects code into the Windows Explorer (explorer.exe) 8->54 56 Writes to foreign memory regions 8->56 58 2 other signatures 8->58 11 cmd.exe 1 8->11         started        13 regsvr32.exe 8->13         started        16 rundll32.exe 8->16         started        18 3 other processes 8->18 process5 file6 21 rundll32.exe 11->21         started        60 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 13->60 62 Injects code into the Windows Explorer (explorer.exe) 13->62 64 Writes to foreign memory regions 13->64 24 explorer.exe 13->24         started        66 Allocates memory in foreign processes 16->66 68 Maps a DLL or memory area into another process 16->68 26 explorer.exe 16->26         started        36 C:\Users\user\Desktop\alsoAndWell.dll, PE32 18->36 dropped 28 WerFault.exe 23 9 18->28         started        30 WerFault.exe 2 9 18->30         started        32 explorer.exe 18->32         started        signatures7 process8 signatures9 44 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 21->44 46 Injects code into the Windows Explorer (explorer.exe) 21->46 48 Writes to foreign memory regions 21->48 50 2 other signatures 21->50 34 explorer.exe 21->34         started        process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e9f172965ed2997185100841b6f1f3ea1842ce8b10eaef4ab5f9bd648d87842a/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-06-27 19:06:08 UTC
File Type:
PE (Dll)
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5hyxffs62kmxdbiqbba3n4pt5imeftulcdvo6svv7g6wjdmhqqva._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
0d0529680e00980cb7df589e9dd9c1529aa80302958525b29833ee58b0054cf2
Quakbot
24c073082ab88e2f95a7b60cc74f5b65f002c6960f5db61601de7ef7eee6980d
Quakbot
380fafae824b48724591be9bd4460fd3c1e77f4cb28c80b2c2c1ee76dc94bf7b
Quakbot
38a12269557615ff1a79f306e3d2de1aefc320522ff97de42d2020d0dbda95ae
Quakbot
3e7dcb69c0778930b9f60816444d1eb03c34655504e8666196b7dbb8b3f2f3e0
Quakbot
5b52efa55271c8749766de24a3b89105e809a4438a35fdc492e9c364ec274a7a
Quakbot
5e4a3797638a62a4ec71a3bccc611dfbe13ff53cfed0e8167d4065e613fa755d
Quakbot
+ 1'306 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot botnet:obama194 campaign:1656313665 banker stealer trojan
Link:
https://tria.ge/reports/220627-xr3pgsefg2/
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Loads dropped DLL
Qakbot/Qbot
Malware Config
C2 Extraction:
70.46.220.114:443
32.221.224.140:995
67.209.195.198:443
186.90.153.162:2222
148.64.96.100:443
67.165.206.193:993
86.200.151.188:2222
80.11.74.81:2222
173.174.216.62:443
45.241.173.232:993
41.228.22.180:443
1.161.81.21:995
24.178.196.158:2222
37.34.253.233:443
93.48.80.198:995
129.208.158.180:995
120.150.218.241:995
38.70.253.226:2222
111.125.245.116:995
47.23.89.60:993
40.134.246.185:995
197.87.144.50:443
217.164.119.69:1194
86.97.10.91:443
39.44.30.209:995
74.14.5.179:2222
182.191.92.203:995
117.248.109.38:21
217.165.97.237:993
84.241.8.23:32103
1.161.81.21:443
24.43.99.75:443
94.59.15.180:2222
121.7.223.45:2222
217.128.122.65:2222
39.41.80.91:995
173.21.10.71:2222
174.69.215.101:443
208.107.221.224:443
45.46.53.140:2222
76.25.142.196:443
81.193.30.90:443
5.32.41.45:443
89.101.97.139:443
109.12.111.14:443
217.164.119.69:2222
69.14.172.24:443
162.252.222.118:443
120.61.2.5:443
90.120.209.197:2078
189.159.2.152:2222
191.112.29.39:443
189.78.107.163:32101
101.50.67.7:995
70.51.132.161:2222
179.158.105.44:443
39.57.60.246:995
184.97.29.26:443
63.143.92.99:995
72.252.157.93:995
190.252.242.69:443
177.45.64.254:32101
24.139.72.117:443
72.252.157.93:993
81.132.186.218:2078
24.55.67.176:443
104.34.212.7:32103
196.203.37.215:80
88.241.122.55:443
39.49.71.64:995
210.246.4.69:995
39.52.114.251:995
193.253.44.249:2222
47.156.129.52:443
72.252.157.93:990
100.38.242.113:995
71.13.93.154:2222
108.60.213.141:443
2.34.12.8:443
187.250.202.2:443
94.36.193.176:2222
89.86.33.217:443
31.215.67.68:2222
188.136.218.225:61202
187.208.115.219:443
191.250.120.152:443
49.128.172.7:2222
91.177.173.10:995
148.0.43.48:443
172.115.177.204:2222
68.204.15.28:443
197.94.94.206:443
87.109.229.215:995
105.247.171.130:995
81.250.191.49:2222
83.110.94.105:443
201.176.6.24:995
175.145.235.37:443
187.172.164.12:443
41.84.249.56:995
191.34.121.84:443
113.53.152.11:443
86.195.158.178:2222
109.228.220.196:443
82.41.63.217:443
82.152.39.39:443
106.51.48.188:50001
103.246.242.202:443
41.38.167.179:995
98.50.191.202:443
185.56.243.146:443
47.157.227.70:443
187.251.132.144:22
31.35.28.29:443
148.252.133.168:443
113.5.8.153:2222
180.129.108.214:995
138.186.28.253:443
89.137.52.44:443
122.118.129.227:995
75.99.168.194:61201
103.91.182.114:2222
Unpacked files
SH256 hash:
d04caa7719610bd0aa0dd1cda75fe73365479b059968b75cf3a9e3fd41ad5ef7
MD5 hash:
4ca7ff9ea5d5518479d8a2d5e06f3b0e
SHA1 hash:
d83d333893962698edb9a5a963312cf40815d406
Detections:
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/e4899122-2d2d-4f74-8ddc-c1b0ac53f122/
Parent samples :
3e7dcb69c0778930b9f60816444d1eb03c34655504e8666196b7dbb8b3f2f3e0
5e4a3797638a62a4ec71a3bccc611dfbe13ff53cfed0e8167d4065e613fa755d
e9f172965ed2997185100841b6f1f3ea1842ce8b10eaef4ab5f9bd648d87842a
7d436b6200af103cb2fba472e95972dfb5475feb65d485720d0c547ca00c2547
5fe5acb2467c0b99e0bc07c7c661af29ab23da9388e356b0c6fb64037debe7a4
4dce74faffdd55d04b9efd59e74cac4263da0276ae5a6eeb1bb5eae8162a2099
2d68755335776e3de28fcd1757b7dcc07688b31c37205ce2324d92c2f419c6f0
d04caa7719610bd0aa0dd1cda75fe73365479b059968b75cf3a9e3fd41ad5ef7
SH256 hash:
e9f172965ed2997185100841b6f1f3ea1842ce8b10eaef4ab5f9bd648d87842a
MD5 hash:
1f2c8300ae48a7036b2ad045399a9784
SHA1 hash:
f159e85749783f0821ba72adf8132eba089d78c2
Link:
https://www.unpac.me/results/e4899122-2d2d-4f74-8ddc-c1b0ac53f122/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e9f172965ed2997185100841b6f1f3ea1842ce8b10eaef4ab5f9bd648d87842a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:QakBot
Create hunting rule
Author:kevoreilly
Description:QakBot Payload
Rule name:unpacked_qbot
Create hunting rule
Description:Detects unpacked or memory-dumped QBot samples
Rule name:win_qakbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Distributed via e-mail link
Cape
Cape
https://www.capesandbox.com/analysis/283690/

Comments