MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd18b58235e50379b775cc3cbabdc8df599e71f787b2d286281999c24ecc18f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 12



SHA256 hash: fd18b58235e50379b775cc3cbabdc8df599e71f787b2d286281999c24ecc18f8
SHA3-384 hash: f639fbac4d4c92ddc278c493255ef10a36be4b3ada7455acfb9bf47df3b7ad1f2e2735372f8d55402f3a9c6f0fab4eaf
SHA1 hash: e305efe7987be1a91cdf39daa6bd1b19bc8c694c
MD5 hash: 1fa2068f08d1c55f06d6c33cb846f9ad
humanhash: leopard-carpet-cardinal-arizona
File name: extinct.dat
Signature: Quakbot
File size: 393'728 bytes
First seen: 2022-10-06 17:49:05 UTC
Last seen: Never
File type: DLL dll
MIME type: application/x-dosexec
imphash 3c85ad0d25a101f6044357c668da2423 (4 x Quakbot)
ssdeep 6144:OwWNVNYHWRZMZeiVt5p682MkWgylrBeKd5bYBWzjCvIuwDJnpCKHbrxOG53KPNs:Ol5eWt82Mk6lroKsLguiHOPNs
TLSH T115842C87ED94EFBBC2AD81B9AA5F099F561241167F0336EB621D4190B58374333E638C
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter pr0xylife
Tags:BB dll Qakbot Quakbot

Intelligence


File Origin
# of uploads: 1
# of downloads: 298
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Launching a process
Searching for synchronization primitives
Modifying an executable file
DNS request
Creating a window
Unauthorized injection to a system process
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 80 / 100
Signature
Allocates memory in foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph:
Behavior Graph ID: 717591
Sample: detracting.dat
Startdate: 06/10/2022
Architecture: WINDOWS
Score: 80
Sample-level signatures: Malicious sample detected (through community Yara rule); Yara detected Qbot; Machine Learning detection for sample; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Process tree (parent -> child; signatures and dropped files attached to the process they were observed on):
loaddll32.exe (started)
  rundll32.exe: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Writes to foreign memory regions; Allocates memory in foreign processes
    wermgr.exe: dropped C:\Users\user\Desktop\detracting.dll, PE32
  cmd.exe
    rundll32.exe: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Writes to foreign memory regions; Allocates memory in foreign processes; Maps a DLL or memory area into another process
      wermgr.exe
  regsvr32.exe: Maps a DLL or memory area into another process
    wermgr.exe
  3 other processes
    rundll32.exe -> rundll32.exe -> rundll32.exe -> rundll32.exe -> rundll32.exe -> rundll32.exe -> rundll32.exe -> rundll32.exe (eight nested rundll32.exe instances, each started by the previous one)
Threat name: Win32.Backdoor.Quakbot
Status: Malicious
First seen: 2022-10-06 17:50:06 UTC
File Type: PE (Dll)
AV detection: 22 of 25 (88.00%)
Threat level: 5/5
Verdict: malicious
Label(s):
Result
Malware family:
Score: 10/10
Tags: family:qakbot banker stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Qakbot/Qbot
Malware Config
C2 Extraction:
254.220.133.175:61488
6.214.34.86:37718
129.63.87.139:47957
199.143.187.202:62342
233.203.75.113:40362
82.124.234.247:34892
77.88.220.108:65380
25.178.53.162:20183
234.205.153.76:63077
238.101.201.44:62063
244.41.89.118:54277
231.192.232.240:5182
13.173.166.131:1980
145.12.85.164:5864
13.198.107.186:24529
120.215.195.171:65347
193.162.253.134:2162
122.85.3.31:40483
50.116.208.51:18656
210.30.166.49:58465
153.82.223.80:52639
90.156.206.147:6480
248.255.3.157:36782
70.166.177.154:8582
80.52.240.184:39029
224.147.231.18:26231
201.254.148.88:2037
195.144.62.34:49877
188.64.131.241:4622
107.81.154.144:34441
237.206.212.29:56383
85.84.198.142:12295
97.135.164.94:41867
137.54.43.113:23074
235.219.178.212:22782
230.24.167.76:23622
240.14.116.14:19364
57.227.156.139:0
84.45.92.155:35924
230.175.205.20:24043
154.93.172.138:10659
61.169.210.127:33589
148.150.193.221:56754
131.161.227.172:2723
84.129.117.64:31596
195.232.207.127:65414
23.98.222.35:0
Unpacked files
SHA256 hash: 5f1177c9dd91edca105481a60503701ab4732ae4c773800efe5df9305957d101
MD5 hash: 1235cc991935cd6280f46809afe6dc42
SHA1 hash: 17c76a7fced937d2648eda4352788b32937f8926
Detections: Qakbot win_qakbot_auto
SHA256 hash: fd18b58235e50379b775cc3cbabdc8df599e71f787b2d286281999c24ecc18f8
MD5 hash: 1fa2068f08d1c55f06d6c33cb846f9ad
SHA1 hash: e305efe7987be1a91cdf39daa6bd1b19bc8c694c
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments