MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 081a1b4e6accdee186f8f1c3726ca96d79146f612d9f40f724e89b9cf81bc4a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Quakbot


Vendor detections: 6



SHA256 hash: 081a1b4e6accdee186f8f1c3726ca96d79146f612d9f40f724e89b9cf81bc4a8
SHA3-384 hash: b01c8560e46f6a051889dcd61dc1aedf9b2763c1e79ad48cce081182a998e154459715ddc11e7fcfaf165d1d66177ce8
SHA1 hash: a71dbeb7546fbae7a3a257ca3927f79ed25f8e53
MD5 hash: 3d12839a55da685a009afb7cabe21720
humanhash: thirteen-music-iowa-fillet
File name: 3d12839a55da685a009afb7cabe21720.dll
Signature: Quakbot
File size: 1'302'618 bytes
First seen: 2021-03-24 16:58:12 UTC
Last seen: Never
File type: DLL dll
MIME type: application/x-dosexec
imphash: fd437c155e766d9c7ab04f8c3b66ef71 (5 x Quakbot)
ssdeep: 24576:Mm4KIe7WgCBxOQyvlHxhXjqpdwWow1Rht956wCLVAWRCy9:14GQ9yvlHCdwSZT56wCL1b9
Threatray: 1'496 similar samples on MalwareBazaar
TLSH: 7A5533A913A3CC7AC919AFFD630B139F1309916E44318E3C87CF71A4856649FB7A2758
Reporter: abuse_ch
Tags: dll Qakbot qbot Quakbot

Intelligence


File Origin
# of uploads: 1
# of downloads: 279
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:
Behaviour
Sending a UDP request

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name: Win32.Trojan.QBot
Status: Malicious
First seen: 2021-03-24 16:59:09 UTC
AV detection: 23 of 48 (47.92%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: themida
Behaviour
Suspicious use of WriteProcessMemory

Unpacked files
SHA256 hash: 081a1b4e6accdee186f8f1c3726ca96d79146f612d9f40f724e89b9cf81bc4a8
MD5 hash: 3d12839a55da685a009afb7cabe21720
SHA1 hash: a71dbeb7546fbae7a3a257ca3927f79ed25f8e53
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Author:ditekSHen
Description:Detects executables packed with Themida

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Quakbot DLL dll 081a1b4e6accdee186f8f1c3726ca96d79146f612d9f40f724e89b9cf81bc4a8 (this sample)

Delivery method: Distributed via web download
