MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb1422db19c4a5da70b11693f04d300928be95e16aaeda321b6feca33331b21e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot
Vendor detections: 13

SHA256 hash: eb1422db19c4a5da70b11693f04d300928be95e16aaeda321b6feca33331b21e
SHA3-384 hash: 4dec70f47c678efcf7e854c6a19394175fac64f3cb370315c485084b5b99545b339f4534579cc1ae71fc086a87951c55
SHA1 hash: b199ccfdf888560cbbb6db3bd84877c255a3f3eb
MD5 hash: 72cd44d9ecb4fdc3e692b46e47150ad8
humanhash: one-saturn-solar-muppet
File name: entertainingly.dat
Signature: Quakbot
File size: 1'632'072 bytes
First seen: 2022-10-31 17:54:10 UTC
Last seen: 2022-10-31 20:13:47 UTC
File type: DLL dll
MIME type: application/x-dosexec
imphash: d7ce16ef29cd3ae5d899da15f45284cd (4 x Quakbot)
ssdeep: 24576:GdOBKJGDcYOGm+FpvC04Rl3ZC499TlgxE29S3GCyk8YdukW4:Gs9dm+n60YZCZY37d8Ydm4
Threatray: 1'627 similar samples on MalwareBazaar
TLSH: T187758E22F2D1C437E472177C9C7BA399982A7D512E28884B7FE54F4C4F3A6413E29297
TrID: 28.8% (.EXE) Win32 Executable (generic) (4505/5/1)
      19.2% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
      13.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
      12.9% (.EXE) OS/2 Executable (generic) (2029/13)
      12.8% (.EXE) Generic Win/DOS Executable (2002/3)
dhash icon: 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter: pr0xylife
Tags: dll obama219 Qakbot Quakbot

Intelligence
File Origin
# of uploads: 2
# of downloads: 451
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Suspicious
Maliciousness:
Behaviour
Searching for the window
Creating synchronization primitives
Creating a window
Searching for synchronization primitives
Launching a process
Modifying an executable file
Unauthorized injection to a system process
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: keylogger overlay packed

Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 96 / 100
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Execute DLL with spoofed extension
Snort IDS alert for network traffic
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph: (graph image not reproduced; the information recoverable from it follows)
Behavior Graph ID: 734590
Sample: entertainingly.dat.dll
Startdate: 31/10/2022
Architecture: WINDOWS
Score: 96
Top-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for submitted file; Yara detected Qbot; 2 other signatures
Process tree:
  loaddll32.exe (signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures)
    cmd.exe
      rundll32.exe (signature: Contains functionality to detect sleep reduction / modifications)
        WerFault.exe
    wermgr.exe (dropped: C:\Users\user\...\entertainingly.dat.dll, PE32)
    conhost.exe
Threat name: Win32.Backdoor.Quakbot
Status: Malicious
First seen: 2022-10-31 17:55:10 UTC
File Type: PE (Dll)
Extracted files: 70
AV detection: 20 of 25 (80.00%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:qakbot botnet:obama219 campaign:1667198792 banker stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Program crash
Qakbot/Qbot
Malware Config
C2 Extraction:
Unpacked files

SHA256 hash: b0b333123eadb116f41e51df99d723d54431dad350e8100b7e66d6d62a911638
MD5 hash: bf1e09126ac70d712bb5d9a322a9fede
SHA1 hash: 37841871966b4c4a8de122cf345b39aad4dfa8a3

SHA256 hash: e0d35c06970ef8979600e362d6d619b6ef27217a130d4120f38abe1f66f67f12
MD5 hash: 822afe926c4bc0049b7ed912f3732d96
SHA1 hash: 658d7d6935f0c5f06adf460d614b64fea0b822d1
Detections: Qakbot win_qakbot_auto

SHA256 hash: eb1422db19c4a5da70b11693f04d300928be95e16aaeda321b6feca33331b21e
MD5 hash: 72cd44d9ecb4fdc3e692b46e47150ad8
SHA1 hash: b199ccfdf888560cbbb6db3bd84877c255a3f3eb
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments