MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef713bf53131e16f35b94accbe2544e5b5969a417a6d2a37d880913635ded18d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ef713bf53131e16f35b94accbe2544e5b5969a417a6d2a37d880913635ded18d
SHA3-384 hash: 1c3a01c929a655a0598c6fb0eef544be55c3ce11c8fbbb2c805376fb9dd65dfddd5f4d99da284649ffc1e9bec790a6b0
SHA1 hash: fa9094b16d6da6dccb99841515c338def0efdc7a
MD5 hash: 8181a8c772fa03a4375e3173f3a37405
humanhash: thirteen-december-west-fix
File name:totten.dat
Download: download sample
Signature Quakbot
Create hunting rule
File size:495'104 bytes
First seen:2022-11-02 10:51:43 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash e7dcd6fa677aaf88189f9519be3de2ee (2 x Quakbot)
ssdeep 12288:mIQG2dEYsv2gJEXE1DMv9/rsGPDp7OAk4:9s0pMVtPD17
TLSH T1DEB4BE03B111E232F5BA047504BD46654B2CBD2107664CEBB3C47A7A5EF16D2BE32BA7
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter Uxtal
Tags:dll Quakbot

Intelligence

File Origin
# of uploads :
1
# of downloads :
226
Origin country :
n/a
Vendor Threat Intelligence
Detection:
QakBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/327103/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Launching a process
Searching for synchronization primitives
Modifying an executable file
Creating a window
Sending a custom TCP request
Forced system process termination
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug greyware hacktool
Link:
https://www.filescan.io/uploads/63624bd3ce1f43143c2a6f21/reports/2520f353-1b5c-4482-8e67-b4a58bd60720/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c5309ba4-0358-4435-89f3-e897a7424d7f
Result
Threat name:
Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1103163
Signature
Allocates memory in foreign processes
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Execute DLL with spoofed extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 735832 Sample: totten.dat.dll Startdate: 02/11/2022 Architecture: WINDOWS Score: 84 44 Multi AV Scanner detection for submitted file 2->44 46 Yara detected Qbot 2->46 48 Sigma detected: Execute DLL with spoofed extension 2->48 50 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->50 8 loaddll32.exe 1 2->8         started        process3 signatures4 60 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->60 62 Writes to foreign memory regions 8->62 64 Allocates memory in foreign processes 8->64 66 Maps a DLL or memory area into another process 8->66 11 cmd.exe 1 8->11         started        13 regsvr32.exe 8->13         started        16 rundll32.exe 8->16         started        18 4 other processes 8->18 process5 signatures6 20 rundll32.exe 11->20         started        68 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 13->68 70 Writes to foreign memory regions 13->70 72 Allocates memory in foreign processes 13->72 23 wermgr.exe 13->23         started        74 Maps a DLL or memory area into another process 16->74 25 wermgr.exe 16->25         started        27 WerFault.exe 23 9 18->27         started        process7 dnsIp8 52 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 20->52 54 Writes to foreign memory regions 20->54 56 Allocates memory in foreign processes 20->56 58 Maps a DLL or memory area into another process 20->58 30 wermgr.exe 8 15 20->30         started        36 192.168.2.1 unknown unknown 27->36 signatures9 process10 dnsIp11 38 45.49.137.80, 443, 49700 TWC-20001-PACWESTUS United States 30->38 40 cisco.com 72.163.4.185, 443, 49698 CISCOSYSTEMSUS United States 30->40 42 www.cisco.com 30->42 34 C:\Users\user\Desktop\totten.dat.dll, PE32 30->34 dropped file12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ef713bf53131e16f35b94accbe2544e5b5969a417a6d2a37d880913635ded18d/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-11-02 10:52:08 UTC
File Type:
PE (Dll)
Extracted files:
3
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=55ytx5jrghqw6nnzjlgl4jke4w2zngsbpjwsun6yqcitmno62ggq._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot botnet:bb05 campaign:1667208499 banker stealer trojan
Link:
https://tria.ge/reports/221102-mydzlacabp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Qakbot/Qbot
Malware Config
C2 Extraction:
174.77.209.5:443
187.0.1.74:23795
24.206.27.39:443
1.156.220.169:30723
156.216.39.119:995
58.186.75.42:443
1.156.197.160:30467
187.1.1.190:4844
186.18.210.16:443
1.181.56.171:771
90.165.109.4:2222
187.0.1.186:39742
87.57.13.215:443
187.0.1.207:52344
227.26.3.227:1
98.207.190.55:443
187.0.1.197:7017
188.49.56.189:443
102.156.160.115:443
187.0.1.24:17751
70.51.139.148:2222
187.0.1.109:34115
14.164.18.210:443
187.0.1.97:30597
205.161.22.189:443
187.0.1.151:54711
196.217.63.248:443
187.0.1.160:45243
66.37.239.222:443
24.207.97.40:443
187.0.1.59:24056
68.62.199.70:443
45.230.169.132:993
Unpacked files
SH256 hash:
f5cd3f4b8d04fa3c4ec0c883d8cde4aa0c6b3652b252e49615639fb84d4f372c
MD5 hash:
67d9debb630575727c70aa48107e453a
SHA1 hash:
d59fd64c1e9c666e1bf984e43b0d6927db449d29
Link:
https://www.unpac.me/results/a2bc339f-b07d-49f0-a585-9df23ebbd5d6/
SH256 hash:
7dd35d2f86620c4a1647e4c68e51f81b4f761b1c724bfe5414d99d5ca6e61f6f
MD5 hash:
8ff61c8e441b947f3b89c1ff4f8a914a
SHA1 hash:
d4bfe4a2a8a1d856f447896518c52838d20cee26
Link:
https://www.unpac.me/results/a2bc339f-b07d-49f0-a585-9df23ebbd5d6/
SH256 hash:
a5305db652ac56a64d3462fef3ca8d6d617d59d50cb59109137837c32c1197ef
MD5 hash:
214e2c86eaeef0b2145fc0ff1788c4fe
SHA1 hash:
a3b600f97148fa379f45c8649d13dce27ab9eda1
Link:
https://www.unpac.me/results/a2bc339f-b07d-49f0-a585-9df23ebbd5d6/
SH256 hash:
7fe3748859c1d1e26fdefa94348a1b0384371956d37dcb443cc41fe089ac0980
MD5 hash:
4422b69dfee21253d9a0d3ae931b2498
SHA1 hash:
d5849a933708338e68d64aa25e6ec03501db2737
Detections:
Qakbot
Create hunting rule
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/a2bc339f-b07d-49f0-a585-9df23ebbd5d6/
Parent samples :
68497fe4d9c25c38e9419c4d617a62fedbbe272ef2623c6d61d6794fb047338a
0686ffb62b3787e05388beb655b0d3ce446be054c36408fde8ccd3378ef36270
bd66c4bda4b8314636c017ea7743a3c731723f4128d0679e438ab6883f143a27
ef713bf53131e16f35b94accbe2544e5b5969a417a6d2a37d880913635ded18d
SH256 hash:
ef713bf53131e16f35b94accbe2544e5b5969a417a6d2a37d880913635ded18d
MD5 hash:
8181a8c772fa03a4375e3173f3a37405
SHA1 hash:
fa9094b16d6da6dccb99841515c338def0efdc7a
Link:
https://www.unpac.me/results/a2bc339f-b07d-49f0-a585-9df23ebbd5d6/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ef713bf53131/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ef713bf53131e16f35b94accbe2544e5b5969a417a6d2a37d880913635ded18d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:QakBot
Create hunting rule
Author:kevoreilly
Description:QakBot Payload
Rule name:unpacked_qbot
Create hunting rule
Description:Detects unpacked or memory-dumped QBot samples
Rule name:win_qakbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.
Rule name:win_qakbot_malped
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/327103/

Comments