MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 19ae193c8698ca457835e8cae6a4298d73e0ac202daa657933322ac418e9191e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 8


Maldoc score: 11


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 19ae193c8698ca457835e8cae6a4298d73e0ac202daa657933322ac418e9191e
SHA3-384 hash: 61c874994e681acfacc9e6e6aee87b43ddd7dddf06a5ee2d2c269fdc5993e4a7a95f253185ec501a024fadc037a81a9e
SHA1 hash: f6ade9ee4730ad2b320ea4c19ebbce1db6d1f3b9
MD5 hash: 92115a5237c7e2414d2df57ca3c8943e
humanhash: alaska-michigan-mars-bluebird
File name:Payment-1408525582-09222021.xls
Download: download sample
Signature Quakbot
Create hunting rule
File size:419'840 bytes
First seen:2021-09-22 17:16:16 UTC
Last seen:2021-09-22 18:17:16 UTC
File type:Excel file xls
MIME type:application/vnd.ms-excel
ssdeep 6144:Sk3hOdsylKlgxopeiBNhZF+E+W2kdAQTwapS+jS82DPz6ST4+e3G0SbwduSgcVw7:R5t8etSkuSgcfP8JjZwrcND7fsXo/j
TLSH T11C940248B2A1C917D55A27385FE287A72F77FC156F6B4207762AB31E08B92BC0C0255F
Reporter abuse_ch
Tags:1632302707 obama102 Qakbot qbot Quakbot xls


Avatar
abuse_ch
Qakbot payload URLs:
http://84.246.85.241/44461.8020041667.dat
http://185.82.202.248/44461.8020041667.dat
http://188.165.62.10/44461.8020041667.dat

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 11
OLE dump

MalwareBazaar was able to identify 20 sections in this file using oledump:

Section IDSection sizeSection name
1108 bytesCompObj
2244 bytesDocumentSummaryInformation
3208 bytesSummaryInformation
4391109 bytesWorkbook
5647 bytes_VBA_PROJECT_CUR/PROJECT
6116 bytes_VBA_PROJECT_CUR/PROJECTwm
797 bytes_VBA_PROJECT_CUR/UserForm1/CompObj
8301 bytes_VBA_PROJECT_CUR/UserForm1/VBFrame
9263 bytes_VBA_PROJECT_CUR/UserForm1/f
10272 bytes_VBA_PROJECT_CUR/UserForm1/o
114087 bytes_VBA_PROJECT_CUR/VBA/Module1
12991 bytes_VBA_PROJECT_CUR/VBA/Sheet1
133024 bytes_VBA_PROJECT_CUR/VBA/ThisWorkbook
141182 bytes_VBA_PROJECT_CUR/VBA/UserForm1
153881 bytes_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
162035 bytes_VBA_PROJECT_CUR/VBA/__SRP_0
17138 bytes_VBA_PROJECT_CUR/VBA/__SRP_1
18264 bytes_VBA_PROJECT_CUR/VBA/__SRP_2
19256 bytes_VBA_PROJECT_CUR/VBA/__SRP_3
20856 bytes_VBA_PROJECT_CUR/VBA/dir
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

TypeKeywordDescription
AutoExecauto_openRuns when the Excel Workbook is opened
AutoExecWorkbook_OpenRuns when the Excel Workbook is opened
AutoExecauto_closeRuns when the Excel Workbook is closed
IOC188.165.62.10IPv4 address
IOC185.82.202.248IPv4 address
IOC84.246.85.241IPv4 address
IOCXertis.dllExecutable file name
IOCXertis1.dllExecutable file name
IOCXertis2.dllExecutable file name
SuspiciousRunMay run an executable file or a system command
SuspiciousEXECMay run an executable file or a system
SuspiciousHex StringsHex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
SuspiciousBase64 StringsBase64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence

File Origin
# of uploads :
2
# of downloads :
317
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment-1408525582-09222021.xls
Verdict:
Malicious activity
Analysis date:
2021-09-22 17:22:42 UTC
Tags:
macros macros-on-open macros-on-close
Link:
https://app.any.run/tasks/a7576ece-1d0d-4883-a903-81495b11ce66

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
File type:
application/vnd.ms-excel
Has a screenshot:
False
Contains macros:
True
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/190354/
Detection(s):
TwinWave.EvilDoc.AutoTriggerEvilMrFantasyM3.20200721.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.QakVBA2XLMUndertheBridge.20210921.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malicious
File Type:
Legacy Excel File with Macro
Link:
https://app.docguard.net/19ae193c8698ca457835e8cae6a4298d73e0ac202daa657933322ac418e9191e/results/dashboard
Document image
Image:
Download PNG
Document image
Result
Verdict:
SUSPICIOUS
Link:
https://labs.inquest.net/dfi/sha256/19ae193c8698ca457835e8cae6a4298d73e0ac202daa657933322ac418e9191e
Details
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
IPv4 Dotted Quad URL
A URL was detected referencing a direct IP address, as opposed to a domain name.
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/19ae193c8698ca457835e8cae6a4298d73e0ac202daa657933322ac418e9191e/
Threat name:
Document-Excel.Downloader.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2021-09-22 17:17:09 UTC
AV detection:
3 of 45 (6.67%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dgxbspegtdfek6bv5dfonjbjrvz6blbafwvgk6jtgivmighjdepa._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
macro macro_on_action
Link:
https://tria.ge/reports/210922-vtpvasdce3/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Process spawned unexpected child process
Malware Config
Dropper Extraction:
http://188.165.62.10/44461.803675.dat
http://185.82.202.248/44461.803675.dat
http://84.246.85.241/44461.803675.dat
http://188.165.62.10/44461.8038283565.dat
http://185.82.202.248/44461.8038283565.dat
http://84.246.85.241/44461.8038283565.dat
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/19ae193c8698ca457835e8cae6a4298d73e0ac202daa657933322ac418e9191e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:TA505_Maldoc_21Nov_2
Create hunting rule
Author:Arkbird_SOLG
Description:invitation (1).xls
Reference:https://twitter.com/58_158_177_102/status/1197432303057637377

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Quakbot

Excel file xls 19ae193c8698ca457835e8cae6a4298d73e0ac202daa657933322ac418e9191e

(this sample)

Quakbot

DLL dll 5b0bf4defd88befa231c4ebe655ae860b180baa8e0331cd6c570d31f6751b9bd

  
URLhaus
https://urlhaus.abuse.ch/browse/tag/obama102/
Cape
Cape
https://www.capesandbox.com/analysis/190354/
  
Dropping
SHA256 5b0bf4defd88befa231c4ebe655ae860b180baa8e0331cd6c570d31f6751b9bd
  
Dropping
MD5 7c94d5ab21646cbd6d053509de55a80e

Comments