MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 03f3b96850249c01f6eb4bedf27f9a1835f56d258b19146c0486b4b42d0c5687. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 03f3b96850249c01f6eb4bedf27f9a1835f56d258b19146c0486b4b42d0c5687
SHA3-384 hash: 05810130b51be9d06db2336c7c4eb2f658cd82d73aa3b2cc598325a48c01e11f35d00933f35309179cba0f86e8114fdb
SHA1 hash: 05abf51dab97a4c4f1005fafb607660e5c3bded4
MD5 hash: c4106953c58e3ee2540b66fe72e1be85
humanhash: six-purple-illinois-king
File name:c4106953c58e3ee2540b66fe72e1be85
Download: download sample
Signature Quakbot
Create hunting rule
File size:800'768 bytes
First seen:2021-05-01 14:51:42 UTC
Last seen:2021-05-01 15:57:23 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 826b8583e9b3c846c8b3c651780f2bd2 (2 x Quakbot)
ssdeep 12288:l50YpKf2i/wNB+hu8BF2Vk3No+xq7pZ/3F8tTdxcb/7Ry251RvZcCELcmRB3:l50cKr4LoxRyUCZx51RvGb4mRB
Threatray 1'363 similar samples on MalwareBazaar
TLSH 6905AD707153C136D2726E35CD0AE5FD1A817C1AEF2A180B36D23FAFBB351614A36269
Reporter malwarelabnet
Tags:Qakbot Quakbot

Intelligence

File Origin
# of uploads :
2
# of downloads :
307
Origin country :
n/a
Vendor Threat Intelligence
Detection:
QakBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/147865/
Detection(s):
SecuriteInfo.com.Variant.Zusy.380250.1430.23252.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Sending a UDP request
Launching a process
Creating a process with a hidden window
Creating a window
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
qbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/03f3b96850249c01f6eb4bedf27f9a1835f56d258b19146c0486b4b42d0c5687/
Threat name:
Win32.Trojan.Zusy
Create hunting rule
Status:
Malicious
First seen:
2021-05-01 14:52:10 UTC
AV detection:
14 of 47 (29.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=apz3s2cqesoad5xljpw7e742da27k3jfrmmri3aeq22lilimk2dq._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
11a37b108a01f9c6bcb2bbf4f7cd72d407280b9f3d33c223cc67bc2c6656c012
Quakbot
1a57dd305adb1ae4449a0baa9ee76a1b79477d7e7ad380319429f22fc9e96978
Quakbot
3a50ed28be3ab77b92f1bce16b8328baeff0eec46aed4c45e53de9d64fd66b4a
Quakbot
4b0e369110e96165597a539d484ffaf84ed54a7761fd07540dc1d6fc848639a7
Quakbot
627ff5c6fcd538aa53d68149ab497f233ac741b1930acee12d9f549453cce664
Quakbot
8ff3397c5cc8c866d6c1f492ccfe88f39b3b968757a3b3c9400d85f8ca0aba55
Quakbot
a3658ba64eb500732cdfa46722ec26afda720f75d12b3425bc3c164ec0e8ec5e
Quakbot
a7ea628bdfde1435a4b8a1562e43cd960fcd9a98e65dfd6a81cbd1603ba9be1e
Quakbot
e0a88969512a0b68bd5fd0136bcbd033777066070650e16cb2851ac71a083356
Quakbot
e0b62cc5d8460d9854b733f65a76ec9325aeebadb50e68ef1755b2cbe7ec9fe4
Quakbot
+ 1'353 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/210501-3kpy95ezrx/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Loads dropped DLL
Unpacked files
SH256 hash:
3aba9b9d8afd387fd1197fbed5e1cea356ef65e72c13e4c0af1d601799a91d26
MD5 hash:
73b9d663bee50d5d0d5f1a5d2b4538d8
SHA1 hash:
dbf7e5ee4269f82074a2b8052587eadb1b3ae599
Detections:
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/0368ad58-4ab6-437c-b2b0-5ee57ac10dc9/
SH256 hash:
03f3b96850249c01f6eb4bedf27f9a1835f56d258b19146c0486b4b42d0c5687
MD5 hash:
c4106953c58e3ee2540b66fe72e1be85
SHA1 hash:
05abf51dab97a4c4f1005fafb607660e5c3bded4
Link:
https://www.unpac.me/results/0368ad58-4ab6-437c-b2b0-5ee57ac10dc9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/03f3b96850249c01f6eb4bedf27f9a1835f56d258b19146c0486b4b42d0c5687

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:QakBot
Create hunting rule
Author:kevoreilly
Description:QakBot Payload
Rule name:win_qakbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/147865/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-01 15:14:03 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0052] File System Micro-objective::Writes File
1) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
2) [C0040] Process Micro-objective::Allocate Thread Local Storage
3) [C0041] Process Micro-objective::Set Thread Local Storage Value
4) [C0018] Process Micro-objective::Terminate Process