MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 153862cb79a2312f54a2307460872006138a649cdac6525df1d04c093c8b1454. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 6



SHA256 hash: 153862cb79a2312f54a2307460872006138a649cdac6525df1d04c093c8b1454
SHA3-384 hash: c50ca97e185bbd1bbf86cdc2bc1a785d5c529e3fc561772513df597e2ffc63742fd68d5d8a606e7bfa5d530c472da124
SHA1 hash: 91a30a2b1b936ab508b37a713ae35358b3c24150
MD5 hash: 5f8b22e659bfc7db9a7043a828da7675
humanhash: failed-kitten-king-moon
File name: 44459.6948533565.dat
Signature: Quakbot
File size: 842'752 bytes
First seen: 2021-09-20 16:48:54 UTC
Last seen: 2021-09-20 17:56:09 UTC
File type: DLL
MIME type: application/x-dosexec
imphash: fcecb109cd51f9ec6659a40269cd21c6 (5 x Quakbot)
ssdeep: 12288:b0y2ZOB93YJh6kwi4eYHc+12GPUhW1brsZCesX/OkSAIV5TQi/c+FI2PXCkp5:b0y+QFViB7IOcesPIVVZQi/csInk/
Threatray: 114 similar samples on MalwareBazaar
TLSH: T17505D02A7ED6E191C83C5D7988E1C8E67238BC686D28961739E53F3F29F30D1584909F
Reporter: pr0xylife
Tags: dll Qakbot qbot Quakbot

Intelligence

File Origin
# of uploads: 4
# of downloads: 215
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 76 / 100
Signature
Allocates memory in foreign processes
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Regsvr32 Command Line Without DLL
Sigma detected: Schedule system process
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Behaviour
Behavior Graph ID: 486700 (sample 44459.6948533565.dat, start date 20/09/2021, architecture WINDOWS, score 76). Graph summary: loaddll32.exe and regsvr32.exe started from the sample; child processes rundll32.exe, cmd.exe, explorer.exe, WerFault.exe, schtasks.exe and conhost.exe; dropped file C:\Users\user\Desktop\44459.6948533565.dll (PE32); signatures as listed above.

Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Loads dropped DLL
Unpacked files
SHA256 hash: 0bb98276d290965632a41c6b05dd0a09f983ec315f2022196137fdd5879a25ed
MD5 hash: 3a29673fa921b807c383314cbc259a63
SHA1 hash: 006200be88174b2e0ca6e0f2362f1602c6f71f27

SHA256 hash: b9c98ffc315e0d0b65d907118d202a0cda64fadd279bcba78b722cdb9d3daeb0
MD5 hash: cd28febe1ee9f79d4c084ee82b74543c
SHA1 hash: 6c8e08583cc996c17aa71ec14d3df9530a8db916

SHA256 hash: 153862cb79a2312f54a2307460872006138a649cdac6525df1d04c093c8b1454
MD5 hash: 5f8b22e659bfc7db9a7043a828da7675
SHA1 hash: 91a30a2b1b936ab508b37a713ae35358b3c24150

Please note that we are no longer able to provide a coverage score for VirusTotal.

File information
The table below shows additional information about this malware sample such as delivery method and external references.

Comments