MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 efd8c729d110e2374f5b445d501162fb8d798611aff72608e8bf86efaf092486. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: efd8c729d110e2374f5b445d501162fb8d798611aff72608e8bf86efaf092486
SHA3-384 hash: c5d4e268be7af45227346d35f5662c3d3e1e0186b0162d4b2d8f94b7b658aa40bdd20a35194880ebf5f04435af04033e
SHA1 hash: 1e63b4bb6aef3e4b53ecb5e36fcce47ef6f243fb
MD5 hash: bedcbb549c905487bf67885edc93f9e3
humanhash: sodium-stream-beryllium-edward
File name:analysts.dat
Download: download sample
Signature Quakbot
Create hunting rule
File size:761'344 bytes
First seen:2022-10-05 18:18:08 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 9fc5700f82859d524c68c279be8dc005 (11 x Quakbot)
ssdeep 12288:zxnt9hlMvNICAY0KEkAOl7G798EXjGOyw3MW:tt9+JFEkAmG5j26M
Threatray 1'468 similar samples on MalwareBazaar
TLSH T1F4F4AF33A2E14877D1621A7CDD3B636C94267D003B2CE94B7FE41D4D9F3A680366A297
TrID 47.6% (.EXE) Win32 Executable Delphi generic (14182/79/4)
15.1% (.EXE) Win32 Executable (generic) (4505/5/1)
10.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter Anonymous
Tags:dll Quakbot

Intelligence

File Origin
# of uploads :
1
# of downloads :
313
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/317002/
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Launching a process
DNS request
Searching for synchronization primitives
Modifying an executable file
Sending a custom TCP request
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
80%
Tags:
keylogger
Link:
https://www.filescan.io/uploads/633dca97d089a0c15dd55b4c/reports/561f0f60-2b21-4371-84c6-70803380d65e/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/547b57d4-5c09-49d3-adac-f5103a3c8f85
Result
Threat name:
CryptOne, Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1084360
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Execute DLL with spoofed extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected CryptOne packer
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 716921 Sample: analysts.dat.dll Startdate: 05/10/2022 Architecture: WINDOWS Score: 100 25 Malicious sample detected (through community Yara rule) 2->25 27 Yara detected CryptOne packer 2->27 29 Yara detected Qbot 2->29 31 3 other signatures 2->31 8 loaddll32.exe 1 2->8         started        process3 signatures4 35 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->35 37 Writes to foreign memory regions 8->37 39 Allocates memory in foreign processes 8->39 41 2 other signatures 8->41 11 cmd.exe 1 8->11         started        13 wermgr.exe 8 1 8->13         started        16 conhost.exe 8->16         started        process5 file6 18 rundll32.exe 11->18         started        23 C:\Users\user\Desktop\analysts.dat.dll, PE32 13->23 dropped process7 signatures8 33 Contains functionality to detect sleep reduction / modifications 18->33 21 WerFault.exe 23 9 18->21         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/efd8c729d110e2374f5b445d501162fb8d798611aff72608e8bf86efaf092486/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-10-05 18:19:09 UTC
File Type:
PE (Dll)
Extracted files:
38
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=57mmokorcdrdot23irovaelc7ogxtbqrv73smchix6do7lyjesda._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
27fbfb86936343fc18bb61811401c96c052ecdff080da3bdb403545d55cf2b2a
Quakbot
470754664a7e32f09d0ce3b5d17446aaaa9363f3d4d387fe272e2435851a351e
Quakbot
595161418d4eae727175da894f9b6f3ec849834b79bc0162106943044fa01135
Quakbot
5b54f57dbaa74fa589afb2d26d6c6b39e0c2930bd88fea3172556ce96b3eb959
Quakbot
9e51a1d3598dfbd7ad11f96be2947550e64fe2e1c3a31ebf4b3bc79b9e85f86b
Quakbot
cb786f48cda7665e5dd07e80672e0c5facb6b6300335561327b95e58029ea376
Quakbot
e59e68973ee13a5a7525e73e48d6837ab85c9c3b129fb8df9b9519c6b3eba472
Quakbot
ea28be72dc6fda30d9e33a1a805d3dd95b88904804cb806dc39b5129e1bbd3a2
Quakbot
+ 1'458 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot banker stealer trojan
Link:
https://tria.ge/reports/221005-wx6gwsfbc4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Program crash
Qakbot/Qbot
Malware Config
C2 Extraction:
15.114.17.14:1442
56.9.100.20:53368
88.117.146.12:40265
200.215.143.195:52771
134.133.152.217:5132
227.189.195.57:42370
76.219.151.168:17454
17.1.24.235:65225
217.27.142.33:46036
13.16.220.0:0
156.36.22.250:12263
73.225.210.175:40922
19.138.81.187:38748
191.101.43.136:10968
145.20.244.169:39814
74.30.254.35:15530
138.94.26.23:49965
218.175.98.133:15428
181.245.40.43:1982
24.10.174.212:30807
253.219.195.173:1546
51.182.7.163:21304
191.68.117.56:28754
246.29.132.217:16625
149.181.112.217:33637
136.20.21.112:41199
80.65.15.199:35765
0.222.227.111:63041
209.240.1.52:53226
66.57.60.202:19263
204.187.37.185:59783
177.172.2.9:36791
98.78.50.99:11939
11.5.197.37:32044
75.234.214.212:7741
49.66.110.196:42474
97.107.137.246:58239
0.141.208.192:39992
185.156.9.78:29812
219.151.188.60:3622
28.86.80.9:6038
138.226.185.49:25801
99.128.65.72:12277
90.175.231.93:54035
198.125.102.127:36652
148.215.17.55:16834
211.255.222.125:38939
198.140.91.23:0
Unpacked files
SH256 hash:
d7acf348906ff2c99c0aece101ae5a584c976a807c6eb7eee9895211a3342b1e
MD5 hash:
d844605cc0854b06a1e14f41d0ec4f85
SHA1 hash:
ea3c6ddc54d03ab7feddef4e1d3fd198008b0a28
Link:
https://www.unpac.me/results/892ed49b-ac98-49e6-8c55-e4eb61cee541/
SH256 hash:
37ee19eaf0a3e1dee88152c3ba0673c6994e14648e381aba725e40e94337da86
MD5 hash:
0237cae59e3d959378452902faa2ccf8
SHA1 hash:
66ef4362f632fa43ac9d00107c5563b073bf9b03
Detections:
Qakbot
Create hunting rule
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/892ed49b-ac98-49e6-8c55-e4eb61cee541/
Parent samples :
efd8c729d110e2374f5b445d501162fb8d798611aff72608e8bf86efaf092486
7777f5f15907b512286ed4758a02048a6674ad1b3d5056b866c4c823807dc6fc
305a3a87057732de16ae881a69182e79a84d5c5054d038e1c1cab3de4518c25c
7d9d70bdc53de103086dfc901004cfa2dc93fb25fb5c40109b63ba071107e40a
3342af99da4de649883731204304827d019dcb215a150d090c7f6dfef7bf4b91
83cff7b2be5afc02e034ba8bd454b50796d17bca904256821511413d3e67dc43
a4fc56488ac87078bc117c3ece094d50807f307033f1ae2af582e2b8f36c329e
SH256 hash:
efd8c729d110e2374f5b445d501162fb8d798611aff72608e8bf86efaf092486
MD5 hash:
bedcbb549c905487bf67885edc93f9e3
SHA1 hash:
1e63b4bb6aef3e4b53ecb5e36fcce47ef6f243fb
Link:
https://www.unpac.me/results/892ed49b-ac98-49e6-8c55-e4eb61cee541/
Malware family:
QBot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/efd8c729d110/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/efd8c729d110e2374f5b445d501162fb8d798611aff72608e8bf86efaf092486

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:QakBot
Create hunting rule
Author:kevoreilly
Description:QakBot Payload
Rule name:unpacked_qbot
Create hunting rule
Description:Detects unpacked or memory-dumped QBot samples
Rule name:win_qakbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.
Rule name:win_qakbot_malped
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/317002/

Comments