MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea674cdc8665944c013fb0526342539cd615531cc675c57ff83a6fd805c58802. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 14

Intelligence 14 IOCs YARA 6 File information Comments

SHA256 hash:	ea674cdc8665944c013fb0526342539cd615531cc675c57ff83a6fd805c58802
SHA3-384 hash:	48a8b4f51c625e421e9600ac5ff868bc89bd7f3155bb52f4ff68aaa980d86a9ad47f1d43af87beb02f6af841e3bf458b
SHA1 hash:	134d721c87b544ea42fb7b93b3986f8c959666c7
MD5 hash:	5fd969fd263d2a9caa30f4f3a0656852
humanhash:	chicken-delta-maryland-enemy
File name:	shortage.db
Download:	download sample
Signature	Quakbot Create hunting rule
File size:	712'192 bytes
First seen:	2022-09-28 17:47:07 UTC
Last seen:	2022-09-28 19:07:48 UTC
File type:	dll
MIME type:	application/x-dosexec
imphash	8f9af0fd00f491491f9ecd72ef59a9a6 (8 x Quakbot)
ssdeep	12288:nieL1vc1PdFjpmw5qS6xnGWvE/N285UT+QD1lNMA:i81IFnqnvEl5w9M
Threatray	1'418 similar samples on MalwareBazaar
TLSH	T1E6E49E26B3D08477C272263C9C3B97A8A8357D112F29594B3FE81E4D5F396813A76393
TrID	47.6% (.EXE) Win32 Executable Delphi generic (14182/79/4) 15.1% (.EXE) Win32 Executable (generic) (4505/5/1) 10.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1) 6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23) 6.8% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter	pr0xylife
Tags:	dll obama207 Qakbot Quakbot

Intelligence

File Origin

# of uploads :

# of downloads :

407

Origin country :

n/a

Vendor Threat Intelligence

Detection:

QakBot

Link:

https://www.capesandbox.com/analysis/314469/

Detection(s):

SecuriteInfo.com.BackDoor.Qbot.700.15398.9245.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a window

Searching for synchronization primitives

Modifying an executable file

Сreating synchronization primitives

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

67%

Tags:

greyware keylogger

Link:

https://www.filescan.io/uploads/633488d590cb824e9d9fa226/reports/1b49571b-2cb4-493a-9e76-b545ac2f046c/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Qakbot

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d83597c0-5f10-47d7-9d71-a707cb98b2e1

Result

Threat name:

CryptOne, Qbot

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1079472

Signature

Allocates memory in foreign processes

Contains functionality to detect sleep reduction / modifications

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected CryptOne packer

Yara detected Qbot

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ea674cdc8665944c013fb0526342539cd615531cc675c57ff83a6fd805c58802/

Threat name:

Win32.Backdoor.Quakbot

Status:

Malicious

First seen:

2022-09-28 17:48:11 UTC

File Type:

PE (Dll)

Extracted files:

AV detection:

23 of 26 (88.46%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5jtuzxegmwkeyaj7wbjggqstttlbkuy4yz24k77yhjx5qbofraba._file

Verdict:

malicious

Label(s):

qakbot

Quakbot

42ad1e843f44a725a6666d3d27f10caaa2252a05e1bc0b9c3c315496728f9f25

Quakbot

466484398eb25d42b0e0b095f10590a566610447eb212d1dc7f7bd342e89fe5a

Quakbot

5e5c55c133d644de044f5bcb782b618fd188a1c6ca707298815ab23295fb43c1

Quakbot

7e99b34fad7d2bab24ed27b03dc5c40deb1b88b673b0eda7dc629f00e5e085c0

Quakbot

b7e432ebcbff1842f6639e6cc8ba2cca6a7ebe6374d40fda88b9de0fa920b225

Quakbot

b9dd2d79e9b78f0d3f439c302f19b0bbec463f135701ab2ea99c27f48fa2eb1a

Quakbot

+ 1'408 additional samples on MalwareBazaar

Result

Malware family:

qakbot

Score:

10/10

Tags:

family:qakbot botnet:obama207 campaign:1664363417 banker stealer trojan

Link:

https://tria.ge/reports/220928-wdfgcshhaj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Program crash

Qakbot/Qbot

Malware Config

C2 Extraction:

217.165.146.158:993
41.97.179.58:443
86.132.13.49:2078
197.203.50.195:443
85.245.143.94:443
86.196.181.62:2222
102.190.190.242:995
105.184.133.198:995
179.111.23.186:32101
179.251.119.206:995
84.3.85.30:443
39.44.5.104:995
197.41.235.69:995
193.3.19.137:443
186.81.122.168:443
103.173.121.17:443
41.104.80.233:443
102.189.184.12:995
156.199.90.139:443
14.168.180.223:443
41.140.98.37:995
156.205.3.210:993
139.228.33.176:2222
134.35.12.0:443
49.205.197.13:443
131.100.40.13:995
73.252.27.208:995
82.217.55.20:443
176.177.136.35:443
180.232.159.9:443
41.68.209.102:995
186.90.144.235:2222
191.92.125.254:443
41.96.204.133:443
58.186.75.42:443
85.86.242.245:443
187.193.143.111:443
200.175.173.80:443
197.49.68.15:995
186.50.139.45:995
41.68.155.190:443
186.72.236.88:995
187.150.143.159:443
105.69.189.28:995
160.177.207.113:8443
41.102.97.28:443
193.254.32.156:443
88.168.84.62:443
156.218.169.48:995
41.105.159.42:443
186.53.115.151:995
186.48.206.63:995
151.231.60.200:2083
196.217.32.15:443
102.157.212.143:443
189.189.89.32:443
181.177.156.209:443
85.94.178.73:995
201.209.4.2:443
41.69.236.243:995
74.133.189.36:443
149.126.159.254:443
41.104.132.166:443
188.157.6.170:443
197.160.22.10:443
187.189.68.8:443
109.128.221.164:995
92.98.73.123:443
154.237.235.43:995
212.102.56.47:443
110.238.39.214:443
185.233.79.238:995
154.237.60.254:995
181.206.46.7:443
186.16.163.94:443
75.71.96.226:995
181.105.32.5:443
41.227.228.31:443
197.203.142.42:443
118.174.89.216:443
41.107.112.236:995
105.96.207.25:443
111.125.157.230:443
68.224.229.42:443
190.44.40.48:995
88.232.207.24:443
72.88.245.71:443
119.82.111.158:443
100.1.5.250:995
96.234.66.76:995
186.64.67.34:443
197.94.84.128:443
41.96.130.46:80
88.245.168.200:2222
110.4.255.247:443
89.211.217.38:995
76.169.76.44:2222
68.53.110.74:995
41.69.103.179:995
194.166.205.204:995
89.211.223.138:2222
85.98.206.165:995
177.103.94.155:32101
72.66.96.129:995
176.42.245.2:995
186.154.92.181:443
88.231.221.198:995
102.38.97.229:995
45.51.148.111:993
87.243.113.104:995
84.38.133.191:443
123.240.131.1:443
191.84.204.214:995
91.116.160.252:443
151.234.63.48:990
99.253.251.74:443
41.40.146.5:995

Unpacked files

SH256 hash:

bcf1ddb027e6146b19d0a9929daa3a6967ab76514d35cac3703bcd895f57ede0

MD5 hash:

21c5947375a9ca056bebb8d8518c396f

SHA1 hash:

288435c8261e1ca20cee3614260eb1eddfe3fd49

Link:

https://www.unpac.me/results/36262cd5-1632-4b17-bead-f637b290b444/

SH256 hash:

33702c6def37313bad1d94828bfe4c2915269caba72a4661033c5510bde06b81

MD5 hash:

050ce5fb25ffd3e907a5c81a6711fcea

SHA1 hash:

d5e6bb7a9eba0d785d8ffc06607b2557707a3ced

Detections:

Qakbot

win_qakbot_auto

Link:

https://www.unpac.me/results/36262cd5-1632-4b17-bead-f637b290b444/

Parent samples :

466484398eb25d42b0e0b095f10590a566610447eb212d1dc7f7bd342e89fe5a
7e99b34fad7d2bab24ed27b03dc5c40deb1b88b673b0eda7dc629f00e5e085c0
ea674cdc8665944c013fb0526342539cd615531cc675c57ff83a6fd805c58802
64f351168466c20604dda4c4819012367ddafff36e4c3fd8e3cff844565cebc5
4ff872d196dbb0d23c4bc96311372f9b0cd9f8b9ea00fa4b5041fa9ea49a1442
799b7a01e7941fa8baf90b3bc4c6397ca2974429b835949540b0b88162f4fc81

SH256 hash:

ea674cdc8665944c013fb0526342539cd615531cc675c57ff83a6fd805c58802

MD5 hash:

5fd969fd263d2a9caa30f4f3a0656852

SHA1 hash:

134d721c87b544ea42fb7b93b3986f8c959666c7

Link:

https://www.unpac.me/results/36262cd5-1632-4b17-bead-f637b290b444/

Malware family:

QBot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ea674cdc8665/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.86

Link:

https://yomi.yoroi.company/submissions/ea674cdc8665944c013fb0526342539cd615531cc675c57ff83a6fd805c58802

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	QakBot Create hunting rule
Author:	kevoreilly
Description:	QakBot Payload

Rule name:	unpacked_qbot Create hunting rule
Description:	Detects unpacked or memory-dumped QBot samples

Rule name:	win_qakbot_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.qakbot.

Rule name:	win_qakbot_malped Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/314469/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample