MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3982ae3e61a6ba86d61bd8f017f6238cc9afeb08b785010d686716e8415b6a36. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Quakbot


Vendor detections: 9


Maldoc score: 10


Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash: 3982ae3e61a6ba86d61bd8f017f6238cc9afeb08b785010d686716e8415b6a36
SHA3-384 hash: 4a618efcb3e996d66279aa1f1740bc5bef1223b6369dac6ab8154a50de67bfa0e1cfa0b07cf949322347c1cbd727fb12
SHA1 hash: 57bc35cb0c7a9ac6e7fcb5dea5c211fe5eda5fe0
MD5 hash: b4b3a2223765ac84c9b1b05dbf7c6503
humanhash: spaghetti-papa-robin-quiet
File name:#Qbot downloader
Download: download sample
Signature Quakbot
File size:129'024 bytes
First seen:2021-09-27 19:03:45 UTC
Last seen:Never
File type:Excel file xlsx
MIME type:application/vnd.ms-excel
ssdeep 3072:Cik3hOdsylKlgxopeiBNhZFGzE+cL2kdAnc6YehWfG+tUHKGDbpmsiilBti2JtqV:vk3hOdsylKlgxopeiBNhZF+E+W2kdAnE
TLSH T164C3AD463797C98BE94913398EE3869B3B72BC20DE73470332457F0E4EB96A18D16653
Reporter @KodaES
Tags:Downloader qbot Quakbot xlsx


Twitter
@KodaES
https://labs.inquest.net/dfi/sha256/3982ae3e61a6ba86d61bd8f017f6238cc9afeb08b785010d686716e8415b6a36
https://app.any.run/tasks/80df9488-3869-47b6-9006-76f84110c622

Office OLE Information


This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 10
OLE dump
Sections: 21

The following OLE sections have been found using oledump:

Section IDSection sizeSection name
1108 bytesCompObj
2244 bytesDocumentSummaryInformation
3208 bytesSummaryInformation
4101831 bytesWorkbook
5662 bytes_VBA_PROJECT_CUR/PROJECT
630 bytes_VBA_PROJECT_CUR/PROJECTlk
7116 bytes_VBA_PROJECT_CUR/PROJECTwm
897 bytes_VBA_PROJECT_CUR/UserForm2/CompObj
9302 bytes_VBA_PROJECT_CUR/UserForm2/VBFrame
10226 bytes_VBA_PROJECT_CUR/UserForm2/f
11272 bytes_VBA_PROJECT_CUR/UserForm2/o
124241 bytes_VBA_PROJECT_CUR/VBA/Module5
13991 bytes_VBA_PROJECT_CUR/VBA/Sheet1
142501 bytes_VBA_PROJECT_CUR/VBA/ThisWorkbook
151182 bytes_VBA_PROJECT_CUR/VBA/UserForm2
164332 bytes_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
172461 bytes_VBA_PROJECT_CUR/VBA/__SRP_0
18138 bytes_VBA_PROJECT_CUR/VBA/__SRP_1
19264 bytes_VBA_PROJECT_CUR/VBA/__SRP_2
20256 bytes_VBA_PROJECT_CUR/VBA/__SRP_3
211047 bytes_VBA_PROJECT_CUR/VBA/dir
OLE vba
TypeKeywordDescription
AutoExecauto_openRuns when the Excel Workbook is opened
AutoExecauto_closeRuns when the Excel Workbook is closed
IOC190.14.37.178IPv4 address
IOC185.183.96.67IPv4 address
IOC185.250.148.213IPv4 address
SuspiciousRunMay run an executable file or a system command
SuspiciousEXECMay run an executable file or a system
SuspiciousHex StringsHex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
SuspiciousBase64 StringsBase64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence


File Origin
# of uploads :
1
# of downloads :
225
Origin country :
RU RU
Mail intelligence
No data
Vendor Threat Intelligence
ID:
1
File name:
3982ae3e61a6ba86d61bd8f017f6238cc9afeb08b785010d686716e8415b6a36
Verdict:
Malicious activity
Analysis date:
2021-09-27 18:53:21 UTC
Tags:
macros macros-on-open macros-on-close loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Legit
File type:
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
Has a screenshot:
False
Contains macros:
True
Result
Verdict:
Malicious
File Type:
Legacy Excel File with Macro
Alert level:
4.5%
Document image
Document image
Result
Verdict:
MALICIOUS
Details
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
IPv4 Dotted Quad URL
A URL was detected referencing a direct IP address, as opposed to a domain name.
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
Result
Threat name:
Hidden Macro 4.0 Qbot
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Document exploit detected (drops PE files)
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Drops PE files to the user root directory
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Office process drops PE file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has nameless sections
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Regsvr32 Command Line Without DLL
Sigma detected: Schedule system process
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected hidden Macro 4.0 in Excel
Yara detected Qbot
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 491755 Sample: #Qbot downloader Startdate: 27/09/2021 Architecture: WINDOWS Score: 100 63 Document exploit detected (drops PE files) 2->63 65 Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) 2->65 67 Yara detected Qbot 2->67 69 8 other signatures 2->69 9 EXCEL.EXE 194 35 2->9         started        14 regsvr32.exe 2->14         started        16 regsvr32.exe 2->16         started        process3 dnsIp4 57 190.14.37.178, 49165, 80 OffshoreRacksSAPA Panama 9->57 59 185.183.96.67, 49166, 80 HSAE Netherlands 9->59 61 185.250.148.213, 80 FIRSTDC-ASRU Russian Federation 9->61 53 C:\Users\user\...\44466.8890891204[2].dat, PE32 9->53 dropped 55 C:\Users\user\...\44466.8890891204[1].dat, PE32 9->55 dropped 85 Document exploit detected (UrlDownloadToFile) 9->85 18 regsvr32.exe 9->18         started        20 regsvr32.exe 9->20         started        22 regsvr32.exe 9->22         started        24 regsvr32.exe 14->24         started        27 regsvr32.exe 16->27         started        file5 signatures6 process7 signatures8 29 regsvr32.exe 18->29         started        32 regsvr32.exe 20->32         started        77 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 24->77 79 Injects code into the Windows Explorer (explorer.exe) 24->79 81 Writes to foreign memory regions 24->81 83 2 other signatures 24->83 34 explorer.exe 8 1 24->34         started        process9 file10 87 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 29->87 89 Injects code into the Windows Explorer (explorer.exe) 29->89 91 Writes to foreign memory regions 29->91 37 explorer.exe 8 1 29->37         started        93 Allocates memory in foreign processes 32->93 95 Maps a DLL or memory area into another process 32->95 40 explorer.exe 32->40         started        49 C:\Users\user\Drezd.red, PE32 34->49 dropped 97 Uses cmd line tools excessively to alter registry or file data 34->97 43 reg.exe 1 34->43         started        45 reg.exe 1 34->45         started        signatures11 process12 file13 71 Uses cmd line tools excessively to alter registry or file data 37->71 73 Drops PE files to the user root directory 37->73 75 Uses schtasks.exe or at.exe to add and modify task schedules 37->75 47 schtasks.exe 37->47         started        51 C:\Users\user\Drezd1.red, PE32 40->51 dropped signatures14 process15
Threat name:
Script.Trojan.Heuristic
Status:
Malicious
First seen:
2021-09-27 19:04:09 UTC
AV detection:
4 of 45 (8.89%)
Threat level:
  2/5
Result
Malware family:
n/a
Score:
  10/10
Tags:
macro macro_on_action
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Process spawned unexpected child process
Malware Config
Dropper Extraction:
http://190.14.37.178/44466.7946528935.dat
http://185.183.96.67/44466.7946528935.dat
http://185.250.148.213/44466.7946528935.dat
http://190.14.37.178/44466.8783346065.dat
http://185.183.96.67/44466.8783346065.dat
http://185.250.148.213/44466.8783346065.dat

YARA Signatures


MalareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious proccess dumps they may create. Please note that only results from TLP:WHITE rules are being displayeyd.

Rule name:buerloader_halo_generated
Author:Halogen Generated Rule, Corsin Camichel
Rule name:TA505_Maldoc_21Nov_2
Author:Arkbird_SOLG
Description:invitation (1).xls
Reference:https://twitter.com/58_158_177_102/status/1197432303057637377
Rule name:zloader_halo_generated
Author:Halogen Generated Rule, Corsin Camichel

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments