MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f707e3279f00a28aa3f6da188588add19b22dd31dfa0b9d3c429b679aa3f6c69. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f707e3279f00a28aa3f6da188588add19b22dd31dfa0b9d3c429b679aa3f6c69
SHA3-384 hash: f196890cfa6933d61324b9088fc0d1a48eb56152b321f0087e0a49d4266be06353b7adad544272290fd4c4a4ae86ef16
SHA1 hash: 8f4622d14a9117006c88a9f4823143a034389cde
MD5 hash: 8637cb0ca63af357b08a2f3c005845e6
humanhash: march-undress-equal-potato
File name:_vRR.dll
Download: download sample
Signature Quakbot
Create hunting rule
File size:564'405 bytes
First seen:2022-09-08 20:50:55 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 3fc9f28b98c9ee1f8738e04f332dd4d2 (3 x Quakbot)
ssdeep 12288:LWghjfsaHKisYUVJAEvyxN1Us1RvCey4CZfxz4uc:SijHHKH53vU1UwRq3bzp
Threatray 1'351 similar samples on MalwareBazaar
TLSH T166C4AF22F6C04437D37726389C5BA664B839BED03B2958662BF81D8C5F397813979393
TrID 47.6% (.EXE) Win32 Executable Delphi generic (14182/79/4)
15.1% (.EXE) Win32 Executable (generic) (4505/5/1)
10.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter pr0xylife
Tags:BB dll Qakbot Quakbot

Intelligence

File Origin
# of uploads :
1
# of downloads :
433
Origin country :
n/a
Vendor Threat Intelligence
Detection:
QakBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/308852/
Detection(s):
SecuriteInfo.com.Win32.Malware-gen.11789.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger overlay packed
Link:
https://www.filescan.io/uploads/631a5606d94ccae410863ab9/reports/45781e83-446e-45e8-9d53-45117312076a/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3ddf6e97-6041-4d39-b9fe-9a297bdefe25
Result
Threat name:
CryptOne, Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1067429
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Creates files in the system32 config directory
Encrypted powershell cmdline option found
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Schedule system process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected CryptOne packer
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 699961 Sample: _vRR.dll Startdate: 08/09/2022 Architecture: WINDOWS Score: 100 55 Malicious sample detected (through community Yara rule) 2->55 57 Yara detected CryptOne packer 2->57 59 Yara detected Qbot 2->59 61 4 other signatures 2->61 10 loaddll32.exe 1 2->10         started        13 powershell.exe 9 2->13         started        15 powershell.exe 2->15         started        process3 signatures4 65 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 10->65 67 Injects code into the Windows Explorer (explorer.exe) 10->67 69 Writes to foreign memory regions 10->69 73 3 other signatures 10->73 17 cmd.exe 1 10->17         started        19 explorer.exe 10->19         started        71 Creates files in the system32 config directory 13->71 22 regsvr32.exe 13->22         started        24 conhost.exe 13->24         started        26 regsvr32.exe 15->26         started        28 conhost.exe 15->28         started        process5 signatures6 30 rundll32.exe 17->30         started        63 Uses schtasks.exe or at.exe to add and modify task schedules 19->63 33 regsvr32.exe 22->33         started        35 regsvr32.exe 26->35         started        process7 signatures8 75 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 30->75 77 Injects code into the Windows Explorer (explorer.exe) 30->77 79 Writes to foreign memory regions 30->79 37 explorer.exe 8 1 30->37         started        40 WerFault.exe 23 9 30->40         started        81 Maps a DLL or memory area into another process 33->81 43 explorer.exe 8 2 33->43         started        process9 dnsIp10 51 C:\Users\user\Desktop\_vRR.dll, PE32 37->51 dropped 45 schtasks.exe 1 37->45         started        53 192.168.2.1 unknown unknown 40->53 47 conhost.exe 43->47         started        file11 process12 process13 49 conhost.exe 45->49         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f707e3279f00a28aa3f6da188588add19b22dd31dfa0b9d3c429b679aa3f6c69/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-09-08 20:51:12 UTC
File Type:
PE (Dll)
Extracted files:
38
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=64d6gj47acrivi7w3imilcfn2gnsfxjr36qltu6efg3htkr7nruq._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
142d465bdbf028d9035d0bf496ff73147824535f88d1e66f7fe32c55a36301b8
Quakbot
4f13d35180b85261aa49bd280ae52c6ff501fcc224ecd8ff729697337e14ce14
Quakbot
5fe5acb2467c0b99e0bc07c7c661af29ab23da9388e356b0c6fb64037debe7a4
Quakbot
73e9c07b6422fb135f06e0660b24a08be7d5bfe5b77d2b9f0096f8d03af52876
Quakbot
7d436b6200af103cb2fba472e95972dfb5475feb65d485720d0c547ca00c2547
Quakbot
8efcbc04149f10398a69623701f97af6e1e0e1fc23f88c498af84406aab585aa
Quakbot
a36c0298f193030753cdadef0a7f78afb02f25244d6ef552bd4afaa4550a8254
Quakbot
dcd14c38adfeaf976dbf3aacce00d5e664e007fd3ad4b3d4f6d603be8ae4d92d
Quakbot
e0accb4407df08ec103be2d05017a3f3b37459c0784f9feb4eaf50122bfcd80e
Quakbot
+ 1'341 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot botnet:bb campaign:1662647912 banker stealer trojan
Link:
https://tria.ge/reports/220908-zm6axsfhc8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Program crash
Qakbot/Qbot
Malware Config
C2 Extraction:
197.94.210.133:443
193.3.19.37:443
70.51.153.182:2222
99.232.140.205:2222
123.240.131.1:443
177.102.84.28:32101
105.156.152.227:443
190.59.247.136:995
89.211.218.88:2222
81.214.220.237:443
85.99.62.74:443
191.97.234.238:995
81.131.161.131:2078
217.165.68.122:993
219.69.103.199:443
37.210.148.30:995
64.207.215.69:443
113.169.57.104:443
179.225.221.169:32101
151.234.99.49:990
84.238.253.171:443
87.220.229.164:2222
42.118.158.96:443
61.105.45.244:443
27.73.215.46:32102
145.82.135.6:443
105.105.104.0:443
169.1.47.111:443
78.182.113.80:443
210.195.18.76:2222
113.53.59.10:995
88.246.170.2:443
95.10.13.82:443
171.248.157.128:995
118.68.220.199:443
139.195.63.45:2222
118.216.99.232:443
181.80.133.202:443
102.40.236.32:995
46.116.229.16:443
61.70.29.53:443
179.108.32.195:443
171.238.230.59:443
81.56.22.251:995
31.32.180.179:443
197.204.30.177:443
186.64.87.202:443
31.22.202.71:32101
120.150.218.241:995
173.189.167.21:995
24.139.72.117:443
104.34.212.7:32103
47.23.89.61:995
24.55.67.176:443
172.115.177.204:2222
217.165.77.134:995
24.178.196.158:2222
67.209.195.198:443
111.125.245.116:995
39.49.67.4:995
78.101.202.75:50010
37.34.253.233:443
217.165.77.134:443
46.107.48.202:443
70.46.220.114:443
63.143.92.99:995
93.48.80.198:995
179.158.103.236:443
47.180.172.159:443
47.23.89.61:993
72.252.157.93:995
182.191.92.203:995
187.172.230.151:443
72.252.157.93:990
24.158.23.166:995
32.221.224.140:995
41.84.238.19:443
41.228.22.180:443
197.167.27.20:993
45.46.53.140:2222
47.156.129.52:443
148.64.96.100:443
63.143.92.99:443
173.21.10.71:2222
66.230.104.103:443
76.25.142.196:443
100.38.242.113:995
208.107.221.224:443
197.89.12.179:443
39.44.34.119:995
196.203.37.215:80
39.57.40.50:995
117.248.109.38:21
121.7.223.38:2222
85.104.122.231:443
118.172.249.102:443
1.161.70.129:443
39.52.28.146:995
188.136.218.20:61202
212.70.96.76:995
1.161.70.129:995
174.69.215.101:443
69.14.172.24:443
86.213.191.206:2078
176.45.233.14:995
82.41.63.217:443
67.69.166.79:2222
217.164.237.54:2222
217.164.121.130:1194
39.41.114.133:995
100.38.242.113:443
120.61.3.17:443
101.50.120.124:995
217.128.122.65:2222
217.128.122.65:443
88.227.46.238:443
223.229.136.61:443
72.252.157.93:993
Unpacked files
SH256 hash:
705d1dd6b6c2f79c1e65aaff226d659e894a847b3c649f2da892713467fc71ca
MD5 hash:
8d249bd127f6560357b67061de5c8eeb
SHA1 hash:
d951cccc124588aba3794131e5250d099f57fb87
Link:
https://www.unpac.me/results/31127abd-fccc-4e53-9443-9a53d43dec70/
SH256 hash:
7ccabca68a4830878f1598056475e8bc62a81bf7a794300af3fed248c2d72ada
MD5 hash:
377acb7149fdfa56c090d9a12619a53c
SHA1 hash:
9a99438b39514c6e87e38a0045faa2b06c2b2a3c
Detections:
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/31127abd-fccc-4e53-9443-9a53d43dec70/
Parent samples :
8efcbc04149f10398a69623701f97af6e1e0e1fc23f88c498af84406aab585aa
f707e3279f00a28aa3f6da188588add19b22dd31dfa0b9d3c429b679aa3f6c69
SH256 hash:
f707e3279f00a28aa3f6da188588add19b22dd31dfa0b9d3c429b679aa3f6c69
MD5 hash:
8637cb0ca63af357b08a2f3c005845e6
SHA1 hash:
8f4622d14a9117006c88a9f4823143a034389cde
Link:
https://www.unpac.me/results/31127abd-fccc-4e53-9443-9a53d43dec70/
Malware family:
QBot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f707e3279f00/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f707e3279f00a28aa3f6da188588add19b22dd31dfa0b9d3c429b679aa3f6c69

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/308852/

Comments