MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f893e2e5b6cb171f4cbe389fa1ce8565a12c01da43c997d8439af8f4a41af668. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	f893e2e5b6cb171f4cbe389fa1ce8565a12c01da43c997d8439af8f4a41af668
SHA3-384 hash:	9c5bc0b92c7f4cad4690bf1c46a623ff3853fd661ce3d80e11234565665e8e7223909c84992ae6c686bc2820e05ffe9e
SHA1 hash:	212bb99df6a28af7c3e751853cba4f8487c792fe
MD5 hash:	ef8a3473dafb548c69efc4ab1f507b60
humanhash:	bluebird-ten-moon-william
File name:	555555555png
Download:	download sample
Signature	Quakbot Create hunting rule
File size:	2'081'256 bytes
First seen:	2020-08-28 05:39:55 UTC
Last seen:	2020-08-28 07:03:47 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	17d602de97d4a27d1713c5ede8fa43d2 (7 x Quakbot)
ssdeep	6144:jFD5rOTjedhmsRcYvNlCYkzfox1I39AzMvTzsbIElq/TrcLE:15rOTjeXmWNlZkz8gCqTQPlOj
Threatray	393 similar samples on MalwareBazaar
TLSH	5BA5CF4072F5C40ACAD49A786C6E483E7AA9DD449939601F73DF7FAC7DF130249AA40B
Reporter	JAMESWT_WT
Tags:	Instamix Limited Qakbot Quakbot signed

Code Signing Certificate

Organisation:	Instamix Limited
Issuer:	Sectigo RSA Code Signing CA
Algorithm:	sha256WithRSAEncryption
Valid from:	Aug 22 00:00:00 2020 GMT
Valid to:	Aug 22 23:59:59 2021 GMT
Serial number:	A7989F8BE0C82D35A19E7B3DD4BE30E5
Intelligence:	6 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:	This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:	SHA256
Thumbprint:	3E93AADB509B542C065801F04CFFB34956F84EE8C322D65C7AE8E23D27FE5FBF
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

186

Origin country :

n/a

Vendor Threat Intelligence

Detection:

QakBot

Link:

https://www.capesandbox.com/analysis/52155/

Detection(s):

SecuriteInfo.com.Mal.EncPk-APW.4271.23526.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Sending a UDP request

Creating a process with a hidden window

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/453187

Signature

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to detect virtual machines (IN, VMware)

Detected unpacking (changes PE section rights)

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Behaviour

Behavior Graph:

Download SVG

Detection:

qakbot

Link:

https://mwdb.cert.pl/sample/f893e2e5b6cb171f4cbe389fa1ce8565a12c01da43c997d8439af8f4a41af668/

Threat name:

Win32.Backdoor.Quakbot

Status:

Malicious

First seen:

2020-08-28 05:31:28 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Verdict:

malicious

Result

Malware family:

qakbot

Score:

10/10

Tags:

trojan banker stealer family:qakbot

Link:

https://tria.ge/reports/200828-53yqv5wy9a/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Loads dropped DLL

Executes dropped EXE

Qakbot/Qbot

Malware Config

C2 Extraction:

72.204.242.138:32100
86.98.89.189:2222
108.5.32.113:443
178.87.28.63:443
217.165.164.57:2222
47.44.217.98:443
216.201.162.158:443
89.44.194.168:2222
103.76.160.110:443
72.66.47.70:443
72.186.1.237:443
72.204.242.138:465
65.30.213.13:6882
92.99.249.199:443
101.109.217.84:443
120.150.60.189:995
174.19.122.177:2222
190.199.59.207:2078
39.36.101.208:995
209.182.122.217:443
217.162.149.212:443
175.211.225.118:443
103.110.49.88:443
117.215.199.154:443
59.124.10.133:443
200.124.231.21:443
78.96.199.79:443
72.132.249.144:995
98.173.34.212:995
98.26.50.62:995
71.88.104.107:443
86.98.56.189:443
211.24.72.253:443
83.216.134.94:2222
59.96.163.50:443
94.99.116.7:995
45.32.154.10:443
37.210.51.210:443
105.101.216.231:443
84.247.55.190:443
207.246.75.201:443
199.247.16.80:443
80.240.26.178:443
203.106.195.67:443
165.120.230.108:2222
39.118.245.6:443
154.56.69.231:443
94.52.68.72:443
73.121.132.5:443
151.73.112.220:443
58.233.220.182:443
84.232.238.30:443
68.204.164.222:443
45.77.193.83:443
64.121.114.87:443
59.26.204.144:443
118.168.236.56:443
24.205.42.241:443
2.88.20.171:995
75.136.40.155:443
80.14.209.42:2222
62.38.111.70:2222
95.179.247.224:443
172.91.19.192:443
36.77.151.211:443
71.163.222.7:443
67.165.206.193:993
94.205.171.126:995
65.131.35.218:995
69.40.92.82:443
173.169.189.169:443
71.84.5.114:995
5.193.155.181:2078
199.247.22.145:443
77.30.124.93:443
174.110.39.220:443
72.204.242.138:443
2.90.53.174:995
41.228.252.194:443
203.198.96.186:443
68.174.15.223:443
175.111.128.234:443
76.111.128.194:443
117.218.208.239:443
94.52.160.116:443
45.32.155.12:443
23.240.70.80:443
2.42.219.242:443
188.247.252.243:443
189.183.27.148:995
47.185.140.236:80
84.117.176.32:443
86.126.209.239:443
86.121.64.253:2222
205.178.7.90:443
95.76.109.181:443
37.210.169.210:443
73.200.219.143:443
71.220.200.82:2222
68.116.193.239:443
24.40.173.134:443
2.186.59.82:995
65.102.149.38:995
74.195.88.59:995
173.173.1.164:443
68.39.177.147:995
67.6.51.74:443
73.90.130.109:443
67.84.163.230:443
24.255.176.233:443
71.197.126.250:443
72.193.192.205:443
174.101.142.231:443
24.191.214.43:2083
36.236.231.178:443
173.21.10.71:2222
98.240.24.57:443
50.29.166.232:995
70.166.91.26:443
172.112.163.197:2222
76.179.54.116:443
188.25.42.185:2222
174.16.141.99:443
75.136.26.147:443
66.208.105.6:443
68.46.142.48:995
209.140.8.178:443
71.74.12.34:443
73.23.194.75:443
197.52.235.37:995
73.137.184.213:443
187.206.113.210:995
96.37.207.85:443
73.79.10.31:443
68.82.125.234:443
24.28.183.107:995
172.78.1.133:443
73.32.115.251:443
216.160.166.122:443
68.33.206.204:443
74.73.27.35:443
184.89.71.68:443
45.37.19.232:995
174.20.188.104:995
71.205.158.156:443
76.104.230.174:443
209.59.87.83:443
156.200.158.118:995
73.104.218.229:0

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f893e2e5b6cb171f4cbe389fa1ce8565a12c01da43c997d8439af8f4a41af668

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/52155/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample