MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 16e8d82f4634d7465d5c85038b9a2887376b2f9d6e05137458a429e194f746be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	16e8d82f4634d7465d5c85038b9a2887376b2f9d6e05137458a429e194f746be
SHA3-384 hash:	e2b7dea0f1addcca8542f22c706523d4877a79e758de87f4035b687a15aaf7d4c06694d29f59891e67a47b121a3d1a0e
SHA1 hash:	62f434f4f3d65c5ec36e8b217a549b140994a43c
MD5 hash:	22742c483d1556f23690c1898148fd8a
humanhash:	vegan-echo-twelve-pip
File name:	aubt.xlsb
Download:	download sample
Signature	Quakbot Create hunting rule
File size:	256'975 bytes
First seen:	2022-02-28 19:05:29 UTC
Last seen:	2022-02-28 20:48:58 UTC
File type:	xlsx
MIME type:	application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
ssdeep	3072:dOs1hq7zzz4e9n3PGOX/zSKypELkt7QycykvRx1LpynRz1X1jCV0IfRWG8S1Ivu:JzYRhPGOX724jPgRz11jCXEmq2
TLSH	T1CC44E14A1621D92CD75CC5F78BBFA7335A0D31A7F394324524A0F6A8B63621329CB1ED
Reporter	k3dg3___
Tags:	qbot Quakbot ta577 tr xlsb xlsx

Intelligence

File Origin

# of uploads :

# of downloads :

419

Origin country :

n/a

Vendor Threat Intelligence

Verdict:

Malicious

File type:

application/vnd.openxmlformats-officedocument.spreadsheetml.sheet

Has a screenshot:

False

Contains macros:

False

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/245418/

Detection(s):

TwinWave.EvilDoc.XL4DataopItWasGoodLivingWithYou.20220118.UNOFFICIAL

TwinWave.EvilDoc.XL4DataopItWasGoodLivingWithYou.20211109.UNOFFICIAL

TwinWave.EvilDoc.DataOpGodGaveRockNRoll2U.20211215.UNOFFICIAL

TwinWave.EvilDoc.XL4QakyFeaturingNothingNowhere.M2.20220215.UNOFFICIAL

TwinWave.EvilDoc.XL4QakyFeaturingNothingNowhere.M2.20210611.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

DNS request

Creating a process with a hidden window

Sending an HTTP GET request

Launching a process by exploiting the app vulnerability

Result

Verdict:

Malicious

File Type:

OOXML Excel File with Excel4Macro

Link:

https://app.docguard.net/16e8d82f4634d7465d5c85038b9a2887376b2f9d6e05137458a429e194f746be/results/dashboard

Payload URLs

URL

File name

http://ikilemkitap.com/o1pW0pUT/nh.p

sharedStrings.bin

Document image

Image:

Download PNG

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

macros-on-open regsvr32 regsvr32.exe

Link:

https://www.filescan.io/uploads/621d1d24b94fb38cb4270c0a/reports/073c0616-8919-4c6f-9186-127ce835bb77/overview

Label:

Malicious

Suspicious Score:

9.9/10

Score Malicious:

Score Benign:

Link:

https://www.malware.ai/gui/files/?id=0ea9e983-0d59-457f-a9fe-5599202d5989

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/16e8d82f4634d7465d5c85038b9a2887376b2f9d6e05137458a429e194f746be

Details

Macro with Startup Hook

Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.

Macro Execution Coercion

Detected a document that appears to social engineer the user into activating embedded logic.

Result

Threat name:

Hidden Macro 4.0

Detection:

malicious

Classification:

expl.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/947622

Signature

Antivirus detection for URL or domain

Document exploit detected (process start blacklist hit)

Document exploit detected (UrlDownloadToFile)

Found Excel 4.0 Macro with suspicious formulas

Found malicious Excel 4.0 Macro

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Sigma detected: Microsoft Office Product Spawning Windows Shell

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/16e8d82f4634d7465d5c85038b9a2887376b2f9d6e05137458a429e194f746be/

Threat name:

Document-Excel.Downloader.Heuristic

Status:

Malicious

First seen:

2022-02-28 19:06:09 UTC

File Type:

Document

Extracted files:

AV detection:

8 of 43 (18.60%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=c3unql2ggtlumxk4qubyxgriq43wwl45nycrg5cyuqu6dfhxi27a._file

Result

Malware family:

n/a

Score:

10/10

Tags:

macro xlm

Link:

https://tria.ge/reports/220228-xr3dqaehf3/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Process spawned unexpected child process

Malware Config

Dropper Extraction:

http://ikilemkitap.com/o1pW0pUT/nh.png
http://angstromcom.com/9I9Qbt8bFXm7/nh.png
https://kgmtvmedia.com/Te8LkoRiq1SL/nh.png

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/16e8d82f4634d7465d5c85038b9a2887376b2f9d6e05137458a429e194f746be

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Distributed via e-mail link

Cape

https://www.capesandbox.com/analysis/245418/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample