MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02b6b1f134e188ec672b2fa5a4c7013b77aaf4474fd0f99d31162625a45a5289. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuakBot

Vendor detections: 8

SHA256 hash: 02b6b1f134e188ec672b2fa5a4c7013b77aaf4474fd0f99d31162625a45a5289
SHA3-384 hash: 125fb5b9cdc4f7852b144cfe3b9a4ad4f58d24c9e0c19ba13906f07ab1313237d49098f77c5408426c101037596be8d1
SHA1 hash: 07940aad7aac690a609af922366f94808c671342
MD5 hash: 2cd4463c743f323345bdc5c2c3cf9320
humanhash: finch-november-muppet-alabama
File name: 02b6b1f134e188ec672b2fa5a4c7013b77aaf4474fd0f99d31162625a45a5289
Signature: QuakBot
File size: 1'084'416 bytes
First seen: 2020-11-07 17:04:06 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c1e35a855d20d45e9c84f5bd029dd388 (154 x Quakbot)
ssdeep: 6144:lUMjIvVQgIeRD83dFkFICdy20s7NbDNoZ31EylEgflBMtjKkMGInR+HlZzmV6Mkw:laQgvOTxn20i62KtVUhulLhJ9FCe
Threatray: 790 similar samples on MalwareBazaar
TLSH: 613522D7F9BC8471CAED297F8993123C968A85E85D05D10B0778A5ADBDF3200FE9244B
Reporter: seifreed
Tags: Quakbot

Intelligence


File Origin
# of uploads: 1
# of downloads: 56
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Sending a UDP request
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching a process
Creating a window
Forced shutdown of a system process
Enabling autorun by creating a file
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name: Win32.Backdoor.Quakbot
Status: Malicious
First seen: 2020-11-07 17:07:00 UTC
AV detection: 24 of 29 (82.76%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:qakbot banker stealer trojan
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Qakbot/Qbot
Unpacked files
SHA256 hash: 02b6b1f134e188ec672b2fa5a4c7013b77aaf4474fd0f99d31162625a45a5289
MD5 hash: 2cd4463c743f323345bdc5c2c3cf9320
SHA1 hash: 07940aad7aac690a609af922366f94808c671342

SHA256 hash: e068823985f4c78c6374ca36e1d6e1f3c15d0492d7b78297220e6d2ecea11301
MD5 hash: d40584d124a0b077ebb260b3b110c454
SHA1 hash: 4de5ea2801bbb8a8e60e042e173f34bfab9d6560
Detections: win_qakbot_auto

SHA256 hash: d1457f69383b2d024579aa4e4771bae96d41c1aade6419e7c06611f372836384
MD5 hash: 42569e12886d2e4a4d7ebb9505271867
SHA1 hash: 38eb972bbdae0c644fac8a8caec474d47349497a
Detections: win_qakbot_g0 win_qakbot_auto

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar, as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: APT32_KerrDown
Rule name: Embedded_PE

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other