MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f696d06d6579ee33cf8be2987f292370abe1b4b64a0d88631f5860f451e87320. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f696d06d6579ee33cf8be2987f292370abe1b4b64a0d88631f5860f451e87320
SHA3-384 hash: f54f1b9e09385b434b7ba42e5287f96c7dacb3ce17b6001299b31bca8fa12ddc32f11f8810b9b84da1974c1256e9f51d
SHA1 hash: a8134e888302a23ef7343b1c784985f5829d1352
MD5 hash: a2446c145e02fb4034a320bc06950742
humanhash: burger-eight-two-echo
File name:Cvnhfn.dll
Download: download sample
Signature Quakbot
Create hunting rule
File size:1'258'216 bytes
First seen:2022-04-13 09:38:50 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash b6ae7dc3cef2f202348b0723e309755e (5 x Quakbot)
ssdeep 24576:mC4A6JgoHbipiJfTczv8ojLBV4+1fTp6yCQgi3n8u+bPK5azHuC:mj
Threatray 454 similar samples on MalwareBazaar
TLSH T1F745B0B875047DD6E66E067BDE96ACDD13B6363289C7A9CD4066BBC30963332EE01C05
Reporter JAMESWT_WT
Tags:dll Qakbot Quakbot

Intelligence

File Origin
# of uploads :
1
# of downloads :
327
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/263389/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.50119070.14661.7382.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Searching for synchronization primitives
Creating a window
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay
Link:
https://www.filescan.io/uploads/62569a3b482f2f41caa5e967/reports/768624f5-cd4d-4af2-90b8-4a404a9d4db5/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b95191ca-396e-419d-94cc-cd85b261d454
Result
Threat name:
Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/976077
Signature
Allocates memory in foreign processes
Found malware configuration
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Suspicious Call by Ordinal
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 608562 Sample: Cvnhfn.dll Startdate: 13/04/2022 Architecture: WINDOWS Score: 88 32 Found malware configuration 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 Yara detected Qbot 2->36 38 Sigma detected: Suspicious Call by Ordinal 2->38 8 loaddll32.exe 1 2->8         started        process3 signatures4 40 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->40 42 Injects code into the Windows Explorer (explorer.exe) 8->42 44 Writes to foreign memory regions 8->44 46 2 other signatures 8->46 11 regsvr32.exe 8->11         started        14 cmd.exe 1 8->14         started        16 rundll32.exe 8->16         started        18 3 other processes 8->18 process5 signatures6 48 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 11->48 50 Injects code into the Windows Explorer (explorer.exe) 11->50 52 Writes to foreign memory regions 11->52 54 2 other signatures 11->54 20 explorer.exe 8 1 11->20         started        22 rundll32.exe 14->22         started        24 WerFault.exe 17 9 16->24         started        26 WerFault.exe 9 18->26         started        28 WerFault.exe 9 18->28         started        process7 process8 30 WerFault.exe 3 9 22->30         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f696d06d6579ee33cf8be2987f292370abe1b4b64a0d88631f5860f451e87320/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-04-13 09:39:07 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
14 of 42 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=62lna3lfphxdht4l4kmh6kjdocv6dnfwjigyqyy7lbqpiupiomqa._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
1cdad75e7830e4ae946bb26c15be354676820710c2471d9ea6d24926fc0df86f
Quakbot
509553272b0a639d2bcd41e5358be61f4caad435bcdac1cb02fa825034068009
Quakbot
6d8ef65670101ecf342152a34ae4b17784186759686c0e5eb631a9fa47315647
Quakbot
73f5c306c33c980fcd85f185af9c2a2b7678eebda5b10ec072558bd74dd776af
Quakbot
82dae5e93006e8bbbef21b855953a5445999ec08a89852f40bdc848c9c072186
Quakbot
c0beb47f629a5debe0e99790d16a4d04afe786d6fb42c5ab6dfcaed84d86e7ad
Quakbot
df8d431b3d7193b0d0d6667b269ef1b2431086343bf86a41c3a2a2488d9f1567
Quakbot
f2f87129d1786fd86f0ec659457aae0e186c023a19f63d207c17b28dc63ae2e9
Quakbot
f6e7187a8e0aa202fe89008b5a5cc5e99dc5c3aaede7213283cae41dc7cb3ebc
Quakbot
+ 444 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot botnet:aa campaign:1649660590 banker stealer trojan
Link:
https://tria.ge/reports/220413-lml1dsahcm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Qakbot/Qbot
Malware Config
C2 Extraction:
41.228.22.180:443
47.23.89.62:995
176.67.56.94:443
103.107.113.120:443
148.64.96.100:443
47.180.172.159:443
181.118.183.98:443
140.82.49.12:443
103.87.95.133:2222
96.21.251.127:2222
197.167.62.14:993
46.107.48.202:443
24.43.99.75:443
172.115.177.204:2222
80.11.74.81:2222
66.98.42.102:443
75.99.168.194:61201
173.174.216.62:443
45.9.20.200:443
39.41.158.185:995
187.207.48.194:61202
41.84.237.10:995
93.48.80.198:995
105.226.83.196:995
144.202.2.175:443
45.76.167.26:995
144.202.3.39:443
144.202.3.39:995
140.82.63.183:443
45.63.1.12:995
140.82.63.183:995
144.202.2.175:995
45.63.1.12:443
149.28.238.199:443
45.76.167.26:443
149.28.238.199:995
47.180.172.159:50010
71.13.93.154:2222
86.98.33.141:443
31.35.28.29:443
113.11.89.165:995
175.145.235.37:443
117.248.109.38:21
94.59.138.62:2222
32.221.224.140:995
5.95.58.211:2087
81.215.196.174:443
176.88.238.122:995
94.59.138.62:1194
92.132.172.197:2222
70.46.220.114:443
78.87.206.213:995
197.89.108.252:443
39.44.144.159:995
176.205.119.81:2078
91.177.173.10:995
72.76.94.99:443
24.178.196.158:2222
1.161.71.109:995
172.114.160.81:995
173.21.10.71:2222
1.161.71.109:443
86.97.11.43:443
217.128.122.65:2222
86.98.33.141:995
203.122.46.130:443
89.211.181.64:2222
37.186.54.254:995
86.98.208.214:2222
83.110.75.97:2222
202.134.152.2:2222
120.150.218.241:995
45.46.53.140:2222
180.129.102.214:995
217.164.210.192:443
217.165.147.83:993
84.241.8.23:32103
180.183.128.80:2222
74.15.2.252:2222
76.70.9.169:2222
47.23.89.62:993
75.113.214.234:2222
208.107.221.224:443
76.169.147.192:32103
190.73.3.148:2222
76.69.155.202:2222
96.29.208.97:443
108.60.213.141:443
75.99.168.194:443
182.191.92.203:995
73.151.236.31:443
38.70.253.226:2222
39.52.75.201:995
121.74.167.191:995
201.211.64.196:2222
71.74.12.34:443
191.99.191.28:443
85.246.82.244:443
101.50.103.193:995
182.253.189.74:2222
67.209.195.198:443
90.120.65.153:2078
37.34.253.233:443
96.37.113.36:993
181.62.0.59:443
41.38.167.179:995
197.205.127.234:443
45.241.232.25:995
185.69.144.209:443
2.50.137.197:443
73.67.152.98:2222
76.25.142.196:443
125.168.47.127:2222
201.145.189.252:443
109.12.111.14:443
102.182.232.3:995
72.12.115.90:22
47.156.191.217:443
174.69.215.101:443
70.51.138.126:2222
186.105.121.166:443
179.158.105.44:443
94.36.195.250:2222
109.228.220.196:443
120.61.2.95:443
103.88.226.30:443
103.139.243.207:990
68.204.7.158:443
196.233.79.3:80
39.57.76.82:995
187.250.114.15:443
103.246.242.202:443
190.252.242.69:443
5.32.41.45:443
100.1.108.246:443
72.252.201.34:995
191.17.223.93:32101
40.134.246.185:995
187.102.135.142:2222
191.34.199.129:443
181.208.248.227:443
138.204.24.70:443
209.197.176.40:995
42.235.146.7:2222
82.152.39.39:443
41.230.62.211:993
31.48.166.122:2078
187.251.132.144:22
143.0.34.185:443
88.228.250.126:443
Unpacked files
SH256 hash:
f696d06d6579ee33cf8be2987f292370abe1b4b64a0d88631f5860f451e87320
MD5 hash:
a2446c145e02fb4034a320bc06950742
SHA1 hash:
a8134e888302a23ef7343b1c784985f5829d1352
Link:
https://www.unpac.me/results/fa1c422b-da87-48c6-bb41-818a0a663e2f/
Malware family:
QBot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/f696d06d6579/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/f696d06d6579ee33cf8be2987f292370abe1b4b64a0d88631f5860f451e87320

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:QakBot
Create hunting rule
Author:kevoreilly
Description:QakBot Payload
Rule name:win_qakbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/263389/

Comments