MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d101ab54e3e49a71dbf790d1c31ed787b51437d292c5544c17b111d22a2cec6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0d101ab54e3e49a71dbf790d1c31ed787b51437d292c5544c17b111d22a2cec6
SHA3-384 hash: 25b12c7914df33784bab18e99c8c73537593048b0f8f165fe1c1a53e48aa4100e0a6524c095afc57ce965373f775c329
SHA1 hash: d8ffe58c5311304560aea2db21f9022777605b0a
MD5 hash: 7faf176073d4c46abf26acee201c1fe4
humanhash: connecticut-jupiter-ack-emma
File name:923753.jpg
Download: download sample
Signature Quakbot
Create hunting rule
File size:257'984 bytes
First seen:2020-11-26 01:20:16 UTC
Last seen:2020-11-26 01:31:58 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 64e1e7f51702ce69e4e7041d337602a9 (17 x Quakbot)
ssdeep 6144:UsVdYa8V57vikjhS3Gjvv2yTgEeSye53g:qaQhyGjvv2y8EoeW
Threatray 1'333 similar samples on MalwareBazaar
TLSH D444AE7DBE13CC22E26C2BB061C39F941A9B9AD13250510E5AF15E5C7DEA3987C36F84
Reporter Anonymous
Tags:Quakbot

Intelligence

File Origin
# of uploads :
3
# of downloads :
128
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/105702/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Modifying an executable file
Creating a process with a hidden window
Creating a window
Creating a file in the Windows subdirectories
Launching a process
Sending a UDP request
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/547522
Signature
Antivirus / Scanner detection for submitted sample
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 322864 Sample: 923753.jpg Startdate: 26/11/2020 Architecture: WINDOWS Score: 80 32 Antivirus / Scanner detection for submitted sample 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 Yara detected Qbot 2->36 38 Uses schtasks.exe or at.exe to add and modify task schedules 2->38 8 loaddll32.exe 1 2->8         started        11 regsvr32.exe 2->11         started        13 regsvr32.exe 2->13         started        process3 signatures4 40 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->40 42 Injects code into the Windows Explorer (explorer.exe) 8->42 44 Maps a DLL or memory area into another process 8->44 15 explorer.exe 8 1 8->15         started        18 regsvr32.exe 11->18         started        20 regsvr32.exe 13->20         started        process5 file6 30 C:\Users\user\Desktop\923753.dll, PE32 15->30 dropped 22 schtasks.exe 1 15->22         started        24 WerFault.exe 20 9 18->24         started        26 WerFault.exe 9 20->26         started        process7 process8 28 conhost.exe 22->28         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0d101ab54e3e49a71dbf790d1c31ed787b51437d292c5544c17b111d22a2cec6/
Threat name:
Win32.Trojan.QBot
Create hunting rule
Status:
Malicious
First seen:
2020-11-26 01:21:04 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
05fc949a1d235d88ebf502b47633eb9d6bd5661153869a6a596b853719af919a
Quakbot
1d165c74a229d4482dd99ed52261c9a054ae250a3a0e6838e2daf9f55d5e2550
Quakbot
204d220c365234d042f104b9d3f31c78f6aec0baa208a8ed5832340c63b0e252
Quakbot
4a32a7b1cf4e71d60aab5fc7830ad201c23df709d72e8f8cc36bfd736f7be962
Quakbot
5a88a7d4265ad336447bbd99de45886d3b8fc679ee634b1a87b1247c53ba739c
Quakbot
90828f1b7e4b93c6b19b11167ec12c2a81fecf73ca18cd6d17ea1696f7709bf6
Quakbot
c87c90e4ca093cb6ee55d605f08d1f679df35ebfe7943ffeef41ab1d2e7e39a0
Quakbot
e425a05ee8bd5ee32371857078122e04790578a16ca2c3b68bb89e41f33d04a2
Quakbot
f0e89069b78233ed90b2760d5909a7bde373b6787372770a443ba43bcc0b16e4
Quakbot
f8577b751ea68e1e0b746aaceddcfa6e537f855af60aa9dab9881c8c39a3f662
Quakbot
+ 1'323 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/201126-1nz9s6f1nx/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Program crash
Loads dropped DLL
Unpacked files
SH256 hash:
0d101ab54e3e49a71dbf790d1c31ed787b51437d292c5544c17b111d22a2cec6
MD5 hash:
7faf176073d4c46abf26acee201c1fe4
SHA1 hash:
d8ffe58c5311304560aea2db21f9022777605b0a
Link:
https://www.unpac.me/results/2a7b0100-0926-4acb-9ede-0b8059d408d0/
SH256 hash:
3ff7fd3362a20f7eb0211ecbea26117fc6fa24e9600e9ae46e4acde102ebad16
MD5 hash:
66088d16f182c16ebc6f681673c2cefd
SHA1 hash:
310dd919a08e5ff93e1d1becb473b9d6e1f265d9
Link:
https://www.unpac.me/results/2a7b0100-0926-4acb-9ede-0b8059d408d0/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/105702/

Comments