MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fce49100872fb07dea83d417a95574304dcfdfc835034739af1a50a752b8594a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fce49100872fb07dea83d417a95574304dcfdfc835034739af1a50a752b8594a
SHA3-384 hash: 3845d1cb345f9a20b118a4426d1e165d2725c16804843a493ae8c2056a0e4ffee9904e95f275b886ef43afd331562275
SHA1 hash: 03ac095d3a7bedad7b5c4aa1ea02c77be9fa86cb
MD5 hash: 416a95274ef9248e08d88d5e2abe6971
humanhash: vermont-batman-texas-robin
File name:_Rsr.dll
Download: download sample
Signature Quakbot
Create hunting rule
File size:409'575 bytes
First seen:2022-09-12 15:57:00 UTC
Last seen:2022-09-12 17:07:23 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash a9d5a9467068a950aca10d226cf265df (2 x Quakbot)
ssdeep 12288:Iszlp6XPvegFvr1rOl7OwLT7H5DOrC/Wg2t5rJgq:Iszlp0Pv/vr8xff1DOGb2t5iq
TLSH T1B594BF93E4489DBFD87906B825EE9F9B02C9FE10044CFC35F185264EDF1D322662A75A
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter pr0xylife
Tags:BB dll Qakbot Quakbot

Intelligence

File Origin
# of uploads :
2
# of downloads :
408
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/309511/
Detection(s):
SecuriteInfo.com.Win32.BotX-gen.14715.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Modifying an executable file
Searching for synchronization primitives
Creating a window
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay
Link:
https://www.filescan.io/uploads/631f56d01d4a849311e74de1/reports/c137b402-7e90-4765-bfcd-538c72425b62/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/151e1a3f-b6a2-4049-a2db-292acccb69be
Result
Threat name:
Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1068945
Signature
Allocates memory in foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 701477 Sample: _Rsr.dll Startdate: 12/09/2022 Architecture: WINDOWS Score: 84 36 Malicious sample detected (through community Yara rule) 2->36 38 Yara detected Qbot 2->38 40 Machine Learning detection for sample 2->40 42 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->42 8 loaddll32.exe 1 2->8         started        process3 signatures4 52 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->52 54 Injects code into the Windows Explorer (explorer.exe) 8->54 56 Writes to foreign memory regions 8->56 58 2 other signatures 8->58 11 cmd.exe 1 8->11         started        13 rundll32.exe 8->13         started        16 regsvr32.exe 8->16         started        18 3 other processes 8->18 process5 signatures6 20 rundll32.exe 11->20         started        60 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 13->60 62 Injects code into the Windows Explorer (explorer.exe) 13->62 64 Writes to foreign memory regions 13->64 66 Allocates memory in foreign processes 13->66 23 explorer.exe 13->23         started        68 Maps a DLL or memory area into another process 16->68 25 explorer.exe 8 1 16->25         started        28 WerFault.exe 23 9 18->28         started        30 WerFault.exe 18->30         started        process7 file8 44 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 20->44 46 Injects code into the Windows Explorer (explorer.exe) 20->46 48 Writes to foreign memory regions 20->48 50 2 other signatures 20->50 32 explorer.exe 20->32         started        34 C:\Users\user\Desktop\_Rsr.dll, PE32 25->34 dropped signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fce49100872fb07dea83d417a95574304dcfdfc835034739af1a50a752b8594a/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-09-12 15:57:07 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
20 of 25 (80.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7tsjcaehf6yh32ud2ql2svlugbg47x6igubuoonpdjikouvylffa._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot botnet:bb campaign:1662992461 banker stealer trojan
Link:
https://tria.ge/reports/220912-tdxdrshchk/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Qakbot/Qbot
Malware Config
C2 Extraction:
41.97.64.224:443
191.97.234.238:995
89.211.219.157:2222
193.3.19.37:443
70.51.137.118:2222
99.232.140.205:2222
175.110.231.67:443
196.92.172.24:8443
179.111.111.88:32101
134.35.11.110:443
84.38.133.191:443
102.188.100.131:995
197.94.210.133:443
200.161.62.126:32101
194.49.79.231:443
41.248.89.135:443
81.131.161.131:2078
86.98.156.176:993
37.210.148.30:995
81.214.220.237:443
64.207.215.69:443
2.182.103.16:990
14.172.229.70:443
187.205.222.100:443
95.136.41.50:443
190.158.58.236:443
105.98.130.85:443
190.44.40.48:995
154.247.225.8:443
105.197.192.21:995
186.50.245.74:995
181.127.138.30:443
167.60.82.242:995
196.112.34.71:443
88.251.38.53:443
68.224.229.42:443
37.37.206.87:995
123.240.131.1:443
37.76.197.124:443
188.157.6.170:443
100.1.5.250:995
109.158.159.179:993
68.50.190.55:443
181.111.20.201:443
41.98.252.163:443
31.166.116.171:443
201.177.163.176:995
84.238.253.171:443
197.49.50.44:443
169.159.95.135:2222
45.160.124.211:995
113.22.102.155:443
211.248.176.4:443
186.167.249.206:443
85.114.110.132:443
85.98.206.165:995
139.195.132.210:2222
182.213.208.5:443
201.177.163.176:443
45.183.234.180:443
98.180.234.228:443
184.82.110.50:995
179.24.245.193:995
88.245.165.2:2222
94.99.110.157:995
181.56.125.32:443
119.42.124.18:443
181.231.229.133:443
2.89.78.130:993
70.81.121.237:2222
181.81.116.144:443
197.11.128.156:443
41.142.132.190:443
105.111.60.60:995
154.238.151.197:995
156.219.49.22:995
154.181.136.133:995
179.223.89.154:995
47.146.182.110:443
102.101.231.141:443
220.116.250.45:443
138.0.114.166:443
62.114.193.186:995
85.98.46.114:443
85.99.62.74:443
184.99.123.118:443
186.120.58.88:443
46.186.216.41:32100
156.213.107.29:995
27.73.215.46:32102
68.151.196.147:995
181.59.3.118:443
68.129.232.158:443
45.241.140.181:995
212.156.51.194:443
87.75.195.211:443
1.10.253.207:443
87.220.229.164:2222
109.200.165.82:443
41.105.197.244:443
190.59.247.136:995
219.69.103.199:443
61.105.45.244:443
105.105.104.0:443
169.1.47.111:443
78.182.113.80:443
210.195.18.76:2222
125.24.129.160:995
88.246.170.2:443
95.10.13.82:443
171.248.157.128:995
118.68.220.199:443
139.195.63.45:2222
118.216.99.232:443
181.80.133.202:443
102.40.236.32:995
46.116.229.16:443
61.70.29.53:443
179.108.32.195:443
171.238.230.59:443
81.56.22.251:995
31.32.180.179:443
197.204.209.38:443
186.64.87.202:443
85.139.203.42:32101
120.150.218.241:995
173.189.167.21:995
24.139.72.117:443
104.34.212.7:32103
47.23.89.61:995
24.55.67.176:443
172.115.177.204:2222
217.165.77.134:995
24.178.196.158:2222
67.209.195.198:443
111.125.245.116:995
39.49.67.4:995
78.101.202.75:50010
37.34.253.233:443
217.165.77.134:443
46.107.48.202:443
70.46.220.114:443
63.143.92.99:995
93.48.80.198:995
179.158.103.236:443
47.180.172.159:443
47.23.89.61:993
72.252.157.93:995
182.191.92.203:995
Unpacked files
SH256 hash:
5792c1440cdad008e4e2382aaf6fd7cc6c84e0ec272725575edfe44fb9b13e2b
MD5 hash:
80ae5aad42c2668aafd20610caae08b8
SHA1 hash:
6d4b5488b382b68e6819b7a947af04e6451e6156
Detections:
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/57bf27c8-c671-4627-a5d9-e636fd5f47da/
Parent samples :
fce49100872fb07dea83d417a95574304dcfdfc835034739af1a50a752b8594a
a635c2a6c7e4b6b8d912c6aadd5b5d09c4ca9e499df6229901058d1deca4977e
SH256 hash:
fce49100872fb07dea83d417a95574304dcfdfc835034739af1a50a752b8594a
MD5 hash:
416a95274ef9248e08d88d5e2abe6971
SHA1 hash:
03ac095d3a7bedad7b5c4aa1ea02c77be9fa86cb
Link:
https://www.unpac.me/results/57bf27c8-c671-4627-a5d9-e636fd5f47da/
Malware family:
QBot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fce49100872f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fce49100872fb07dea83d417a95574304dcfdfc835034739af1a50a752b8594a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/309511/

Comments