MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f50cc756ef93c314d733c65425c5a4adb98413d8176867b5bbfcaa41fc05b07f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f50cc756ef93c314d733c65425c5a4adb98413d8176867b5bbfcaa41fc05b07f
SHA3-384 hash: ccc1926f7463ff29769c874d6c64179c3afcd74dea30d4ffcb0ce7d68b05a52a90d792afa444e350eb397cbb0b5674a1
SHA1 hash: 0b1762842b1db2944c1dc0ef1ed59ecf5ccef408
MD5 hash: e22148ada163240fc242c83e2faabc9a
humanhash: seventeen-november-hawaii-nevada
File name:f50cc756ef93c314d733c65425c5a4adb98413d8176867b5bbfcaa41fc05b07f
Download: download sample
Signature Quakbot
Create hunting rule
File size:1'339'640 bytes
First seen:2022-05-24 12:24:12 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash be3e8fca69eebc486ff414f59d27d2a2 (6 x Quakbot)
ssdeep 24576:aYvblaVJ3Spoz7MgJtZmRf4sMckd4Xz9QA7iJb:Rzo7hzZ9s/ThWJ
Threatray 1'120 similar samples on MalwareBazaar
TLSH T174557D22B2C1843BC5731B7C9D6BB29999357E142E3C944A7BE41E4C0F3A6417A363E3
TrID 28.8% (.EXE) Win32 Executable (generic) (4505/5/1)
19.2% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
13.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
12.9% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 399998ecd4d46c0e (572 x Quakbot, 293 x GCleaner, 137 x ArkeiStealer)
Reporter proxylife
Tags:AA dll Qakbot Quakbot

Intelligence

File Origin
# of uploads :
1
# of downloads :
352
Origin country :
n/a
Vendor Threat Intelligence
Detection:
QakBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/274065/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Launching a process
Modifying an executable file
Creating a process with a hidden window
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe greyware keylogger overlay packed replace.exe
Link:
https://www.filescan.io/uploads/628ccea2370bb1455cc2e84a/reports/a4ecaa3a-4478-450c-8bdc-e6faca7df921/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/42d19a9b-cf6a-4285-959a-b83af7d086ff
Result
Threat name:
CryptOne, Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1000607
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Found malware configuration
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Schedule system process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected CryptOne packer
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 633102 Sample: MU3t9Bo6ui Startdate: 24/05/2022 Architecture: WINDOWS Score: 100 63 Found malware configuration 2->63 65 Yara detected CryptOne packer 2->65 67 Yara detected Qbot 2->67 69 3 other signatures 2->69 9 loaddll32.exe 1 2->9         started        12 regsvr32.exe 2->12         started        14 regsvr32.exe 2->14         started        process3 signatures4 71 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 9->71 73 Injects code into the Windows Explorer (explorer.exe) 9->73 75 Writes to foreign memory regions 9->75 77 2 other signatures 9->77 16 explorer.exe 8 1 9->16         started        20 cmd.exe 1 9->20         started        22 regsvr32.exe 12->22         started        24 regsvr32.exe 14->24         started        process5 file6 49 C:\Users\user\Desktop\MU3t9Bo6ui.dll, PE32 16->49 dropped 51 Uses cmd line tools excessively to alter registry or file data 16->51 53 Uses schtasks.exe or at.exe to add and modify task schedules 16->53 26 schtasks.exe 1 16->26         started        28 rundll32.exe 20->28         started        55 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 22->55 57 Injects code into the Windows Explorer (explorer.exe) 22->57 59 Writes to foreign memory regions 22->59 61 3 other signatures 22->61 31 explorer.exe 8 2 22->31         started        signatures7 process8 signatures9 33 conhost.exe 26->33         started        79 Contains functionality to detect sleep reduction / modifications 28->79 35 WerFault.exe 23 9 28->35         started        37 explorer.exe 28->37         started        81 Uses cmd line tools excessively to alter registry or file data 31->81 39 reg.exe 1 1 31->39         started        41 reg.exe 1 1 31->41         started        43 conhost.exe 31->43         started        process10 process11 45 conhost.exe 39->45         started        47 conhost.exe 41->47         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f50cc756ef93c314d733c65425c5a4adb98413d8176867b5bbfcaa41fc05b07f/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-05-24 12:25:10 UTC
File Type:
PE (Dll)
Extracted files:
38
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6ugmovxpspbrjvztyzkclrnevw4yie6yc5ugpnn37sved7afwb7q._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
12ae550976ca06b70100dc99473e0accd3320bb5c21278efc278f079e3eecae0
Quakbot
22c107e74ac92a9269c28b9184cc718d772be469f590ad6c069ffcc53dc2cca3
Quakbot
35eb1ecf8e097e0495bb8dcc1ebf6132d1a248574814f9459228c87ab8069ded
Quakbot
69700dfbcbe60d5b9085ca551ca1fe25556b9e78db8bca5125380bf6aba6a690
Quakbot
ed67b3bed0f3b27b49bcd90d7786901ffc9e31e687aa2ddc5155e1fd319236b0
Quakbot
f8f1e802ba50a82412132f70e3094abcdc99f3daf55355a6e8639f4d23e09196
Quakbot
+ 1'110 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot botnet:aa campaign:1653295661 banker stealer trojan
Link:
https://tria.ge/reports/220524-pllj1sdffl/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Program crash
Loads dropped DLL
Qakbot/Qbot
Malware Config
C2 Extraction:
2.50.4.57:443
24.178.196.158:2222
91.177.173.10:995
187.207.131.50:61202
81.129.112.49:2078
124.40.244.118:2222
176.67.56.94:443
140.82.49.12:443
86.97.11.30:443
108.60.213.141:443
84.241.8.23:32103
202.134.152.2:2222
39.44.66.76:995
39.44.62.55:995
197.87.182.35:443
67.209.195.198:443
182.191.92.203:995
39.52.77.102:995
103.116.178.85:995
2.34.12.8:443
217.165.109.187:993
148.64.96.100:443
197.94.85.72:443
121.7.223.59:2222
37.208.155.29:6883
37.34.253.233:443
82.152.39.39:443
90.120.65.153:2078
179.145.13.69:32101
45.241.222.104:993
1.161.122.145:443
75.99.168.194:443
37.186.54.254:995
175.145.235.37:443
93.48.80.198:995
75.99.168.194:61201
80.11.74.81:2222
183.82.103.213:443
47.23.89.60:993
39.41.249.181:995
173.174.216.62:443
78.101.84.56:2222
173.21.10.71:2222
74.14.5.179:2222
103.246.242.202:443
92.132.172.197:2222
217.128.122.65:2222
72.27.86.98:443
186.90.153.162:2222
120.150.218.241:995
78.180.86.123:443
172.114.160.81:995
148.0.15.41:443
69.14.172.24:443
32.221.224.140:995
70.46.220.114:443
46.107.48.202:443
2.50.137.155:443
86.98.208.214:2222
144.202.2.175:443
144.202.3.39:443
45.76.167.26:443
140.82.63.183:995
45.63.1.12:995
45.76.167.26:995
140.82.63.183:443
144.202.2.175:995
149.28.238.199:443
45.63.1.12:443
144.202.3.39:995
149.28.238.199:995
76.25.142.196:443
210.246.4.69:995
117.248.109.38:21
180.129.108.214:995
67.165.206.193:993
45.46.53.140:2222
73.151.236.31:443
174.69.215.101:443
85.246.82.244:443
208.107.221.224:443
82.41.63.217:443
79.80.80.29:2222
217.164.117.199:1194
196.203.37.215:80
41.228.22.180:443
41.84.238.50:995
111.125.245.118:995
120.61.2.124:443
38.70.253.226:2222
106.51.48.170:50001
187.172.219.103:443
89.137.52.44:443
109.12.111.14:443
76.70.9.169:2222
179.158.105.44:443
39.49.23.236:995
72.66.116.235:995
125.168.47.127:2222
172.115.177.204:2222
190.36.232.221:2222
190.252.242.69:443
187.208.122.239:443
101.50.67.212:995
72.76.94.99:443
181.208.248.227:443
47.156.131.10:443
70.51.138.133:2222
40.134.246.185:995
100.1.108.246:443
24.139.72.117:443
189.223.134.157:443
46.176.192.130:995
72.252.157.93:990
201.172.23.68:2222
72.252.157.93:995
189.253.111.196:443
200.148.9.225:32101
72.252.157.93:993
191.250.188.54:443
187.16.64.193:2222
102.182.232.3:995
186.105.119.233:443
24.55.67.176:443
79.129.121.68:995
86.195.158.178:2222
217.164.117.199:2222
125.24.193.41:443
118.161.37.101:995
89.86.33.217:443
47.157.227.70:443
103.107.113.83:443
41.38.167.179:995
113.89.6.31:995
41.84.233.96:443
203.122.46.130:443
197.165.163.159:995
67.69.166.79:2222
81.215.196.174:443
63.143.92.99:995
187.251.132.144:22
68.204.7.158:443
177.157.156.136:443
194.36.28.62:443
5.32.41.45:443
5.193.138.70:2222
173.22.32.101:443
94.36.195.102:2222
76.23.237.163:995
96.37.113.36:993
Unpacked files
SH256 hash:
346a2b19c3e9ee766a073ea8ce466f5695af6cabf9d15068d148d1308a0d1e0f
MD5 hash:
64298ad66f2f61f1458567db811371e7
SHA1 hash:
8d92d068d0bfbd135f8cefd5c9fb15d602749925
Link:
https://www.unpac.me/results/48b266a1-566a-4d92-92cc-a073c425fccd/
SH256 hash:
985254c18178d7d1d50b51549b5365273db3a286a8c03955cd02f977080f0b97
MD5 hash:
019117f66e43de489b3ff56377f9907b
SHA1 hash:
4fc8cd21b51034e3ca5e21e7975769257ea591a5
Detections:
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/48b266a1-566a-4d92-92cc-a073c425fccd/
Parent samples :
35eb1ecf8e097e0495bb8dcc1ebf6132d1a248574814f9459228c87ab8069ded
22c107e74ac92a9269c28b9184cc718d772be469f590ad6c069ffcc53dc2cca3
69700dfbcbe60d5b9085ca551ca1fe25556b9e78db8bca5125380bf6aba6a690
ed67b3bed0f3b27b49bcd90d7786901ffc9e31e687aa2ddc5155e1fd319236b0
12ae550976ca06b70100dc99473e0accd3320bb5c21278efc278f079e3eecae0
f50cc756ef93c314d733c65425c5a4adb98413d8176867b5bbfcaa41fc05b07f
60c225589579f7667684deff14c30d16c2f14c7c98fbd25b8ab36af7dab019a7
SH256 hash:
f50cc756ef93c314d733c65425c5a4adb98413d8176867b5bbfcaa41fc05b07f
MD5 hash:
e22148ada163240fc242c83e2faabc9a
SHA1 hash:
0b1762842b1db2944c1dc0ef1ed59ecf5ccef408
Link:
https://www.unpac.me/results/48b266a1-566a-4d92-92cc-a073c425fccd/
Malware family:
CryptOne
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f50cc756ef93/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f50cc756ef93c314d733c65425c5a4adb98413d8176867b5bbfcaa41fc05b07f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:QakBot
Create hunting rule
Author:kevoreilly
Description:QakBot Payload
Rule name:win_qakbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/274065/

Comments