MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 095c41270ae3a26ae9efb626be12ed920c44432f3c8cc8ed8ee67d67425c1251. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Quakbot


Vendor detections: 7



SHA256 hash: 095c41270ae3a26ae9efb626be12ed920c44432f3c8cc8ed8ee67d67425c1251
SHA3-384 hash: 057cbd1349b7e1add8b8c32d0de176bd53435d25da21f31a0b10b1c56de66946ff761f27aaf7d0b4be538c8dd46019b6
SHA1 hash: b0804ed04064aed6c9b283629b3416b5aeac84fb
MD5 hash: 944db2ee2b1958a2740d0b5c0057c46f
humanhash: batman-finch-pluto-dakota
File name: 944db2ee2b1958a2740d0b5c0057c46f.dll
Signature: Quakbot
File size: 842'752 bytes
First seen: 2021-09-20 17:27:25 UTC
Last seen: Never
File type: DLL (dll)
MIME type: application/x-dosexec
imphash: fcecb109cd51f9ec6659a40269cd21c6 (5 x Quakbot)
ssdeep: 12288:s0ySZOB93YJh6kwi4eYHc+12GPUhW1brsZCesX/OkSAIV5TQi/c+FI2PXmkp5:s0yiQFViB7IOcesPIVVZQi/csIrk/
Threatray: 116 similar samples on MalwareBazaar
TLSH: T19605D02A7ED6E191C83C5D7988E1C8E67238BC686D28961739E53F3F29F30D1584909F
Reporter: abuse_ch
Tags: dll, Qakbot, qbot, Quakbot

Intelligence


File Origin
# of uploads: 1
# of downloads: 240
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 76 / 100
Signature
Allocates memory in foreign processes
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Regsvr32 Command Line Without DLL
Sigma detected: Schedule system process
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Behaviour
Behavior Graph ID: 486734 (sample R1kKq2SV1F.dll, start date 20/09/2021, architecture WINDOWS, score 76). Process tree recovered from the graph: loaddll32.exe starts rundll32.exe (which starts explorer.exe), cmd.exe (which starts rundll32.exe, which starts explorer.exe), a second rundll32.exe (which starts explorer.exe), and two other processes (schtasks.exe, which starts conhost.exe, and explorer.exe; file C:\Users\user\Desktop\R1kKq2SV1F.dll, PE32, dropped); regsvr32.exe starts regsvr32.exe, which starts WerFault.exe. Signatures attached to the graph nodes are the same as those listed under Signature above.
Threat name: Win32.Worm.Cridex
Status: Malicious
First seen: 2021-09-20 17:28:08 UTC
AV detection: 8 of 27 (29.63%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Loads dropped DLL
Unpacked files

SHA256 hash: 12aca0db4089456e7f4b15ade64a737644d41872a7e475140327299f6452b86a
MD5 hash: ef3f9065a43a1ef153d8f03f76efaec4
SHA1 hash: 0bd35a176c971a4a0e62c365154e78d65d8097ac

SHA256 hash: 96086850c220196c52c686dfae0585b71de7d243dab2c54174b7ff1cbfe47825
MD5 hash: 391d6156e015e7549bdedf242867bdcc
SHA1 hash: cd0467aa73974c165a48e548bc42093beed7353a

SHA256 hash: 095c41270ae3a26ae9efb626be12ed920c44432f3c8cc8ed8ee67d67425c1251
MD5 hash: 944db2ee2b1958a2740d0b5c0057c46f
SHA1 hash: b0804ed04064aed6c9b283629b3416b5aeac84fb
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments