MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 05fc949a1d235d88ebf502b47633eb9d6bd5661153869a6a596b853719af919a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 05fc949a1d235d88ebf502b47633eb9d6bd5661153869a6a596b853719af919a
SHA3-384 hash: 47bdb2a0a4e8ca19295fdd4f523ca6bbad91f9ab5f9a7553a78582be620c07ba288f4f59b8b6c002139e77097d4c0b77
SHA1 hash: 842a30119ac0dc43980e672bc7e03037f06b39fb
MD5 hash: fb2b803a0e07ddd4ad1fd252865a8329
humanhash: burger-nine-vermont-eleven
File name:05fc949a1d235d88ebf502b47633eb9d6bd5661153869a6a596b853719af919a
Download: download sample
Signature Quakbot
Create hunting rule
File size:257'984 bytes
First seen:2020-11-25 08:12:51 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 64e1e7f51702ce69e4e7041d337602a9 (17 x Quakbot)
ssdeep 6144:dsVdYa8V57vikjhS3Gjvv2yTgEeSye53R:7aQhyGjvv2y8EoeX
Threatray 1'320 similar samples on MalwareBazaar
TLSH 7D449E7DBE13CC22E26C2BB061C39F941A9B9AD13150510E5AF15E5C7DEA3987C36F84
Reporter JAMESWT_WT
Tags:HELP d.o.o. Quakbot signed

Code Signing Certificate

Organisation:HELP, d.o.o.
Issuer:Sectigo RSA Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:2020-11-11T00:00:00Z
Valid to:2021-11-11T23:59:59Z
Serial number: 6a241ffe96a6349df608d22c02942268
Intelligence: 16 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: f97f4b9953124091a5053712b2c22b845b587cb2655156dcafed202fa7ceeeb1
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
118
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the Windows subdirectories
Launching a process
Modifying an executable file
Creating a process with a hidden window
Creating a window
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/546762
Signature
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 322477 Sample: Lk5mp8kt7q Startdate: 25/11/2020 Architecture: WINDOWS Score: 64 35 Multi AV Scanner detection for submitted file 2->35 37 Uses schtasks.exe or at.exe to add and modify task schedules 2->37 8 loaddll32.exe 1 2->8         started        11 regsvr32.exe 2->11         started        13 regsvr32.exe 2->13         started        process3 signatures4 39 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->39 41 Injects code into the Windows Explorer (explorer.exe) 8->41 43 Maps a DLL or memory area into another process 8->43 15 explorer.exe 8 1 8->15         started        18 regsvr32.exe 11->18         started        20 regsvr32.exe 11->20         started        process5 file6 31 C:\Users\user\Desktop\Lk5mp8kt7q.dll, PE32 15->31 dropped 22 schtasks.exe 1 15->22         started        24 WerFault.exe 20 9 18->24         started        27 WerFault.exe 9 20->27         started        process7 dnsIp8 29 conhost.exe 22->29         started        33 192.168.2.1 unknown unknown 24->33 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/05fc949a1d235d88ebf502b47633eb9d6bd5661153869a6a596b853719af919a/
Threat name:
Win32.Trojan.QBot
Create hunting rule
Status:
Malicious
First seen:
2020-11-24 15:53:21 UTC
File Type:
PE (Dll)
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
08aea1b94e39754c008bda7f693b3436309fe7d26acef0dfd502b3923c5fe9e6
Quakbot
526f98241a220a3ae95c33a6da095aab561d3d79c7055d456c272dfa79f74155
Quakbot
90828f1b7e4b93c6b19b11167ec12c2a81fecf73ca18cd6d17ea1696f7709bf6
Quakbot
a496166b093b8b09a59f952e7a9a2196aa7754dd3485b4412ec0334cd59714a3
Quakbot
aab1b81444cfa91a3b30ebeee77190e9a553e0f50dea9219900f3eaf9f1db041
Quakbot
e425a05ee8bd5ee32371857078122e04790578a16ca2c3b68bb89e41f33d04a2
Quakbot
f01877dc957f31702ff592478646c66b44abb7c02d40f20031de3a7b98b28e2b
Quakbot
f0e89069b78233ed90b2760d5909a7bde373b6787372770a443ba43bcc0b16e4
Quakbot
f62a0056f40817cf0151b6feb780b1d55dfc8b3ec522aaca632f0544a3fc51c2
Quakbot
f8577b751ea68e1e0b746aaceddcfa6e537f855af60aa9dab9881c8c39a3f662
Quakbot
+ 1'310 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/201125-ed679f8pg6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Program crash
Loads dropped DLL
Unpacked files
SH256 hash:
05fc949a1d235d88ebf502b47633eb9d6bd5661153869a6a596b853719af919a
MD5 hash:
fb2b803a0e07ddd4ad1fd252865a8329
SHA1 hash:
842a30119ac0dc43980e672bc7e03037f06b39fb
Link:
https://www.unpac.me/results/59437549-5130-4eb6-9630-59dbd3a26a9e/
SH256 hash:
3ff7fd3362a20f7eb0211ecbea26117fc6fa24e9600e9ae46e4acde102ebad16
MD5 hash:
66088d16f182c16ebc6f681673c2cefd
SHA1 hash:
310dd919a08e5ff93e1d1becb473b9d6e1f265d9
Link:
https://www.unpac.me/results/59437549-5130-4eb6-9630-59dbd3a26a9e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/05fc949a1d235d88ebf502b47633eb9d6bd5661153869a6a596b853719af919a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/105491/

Comments