MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b3b1a86a4344b79d495b80a18399bb0d9f877095029bb9ead2fcc7664e9e89c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Quakbot


Vendor detections: 5



SHA256 hash: 1b3b1a86a4344b79d495b80a18399bb0d9f877095029bb9ead2fcc7664e9e89c
SHA3-384 hash: 1ef05140f6eeae6f4cef46aa0965bcfcde3bd42a74ac3ecc843adbf67d7582a6c7a6e327b2c7f9968d631af4d37745b3
SHA1 hash: 4ff8e714637d06bbcf684c2350b74dcaf546469c
MD5 hash: d8591c263e8cc18d0d11e5f6b29e3c14
humanhash: california-wolfram-alaska-september
File name: Shared Document From Cloud 292433.zip
Signature: Quakbot
File size: 288'935 bytes
First seen: 2023-02-14 14:56:22 UTC
Last seen: Never
File type: zip
MIME type: application/zip
ssdeep: 6144:liDzyxuT42lqjZ8blGwjcqZiKOgTu4HLcylg0sWgvPIALWQkjuuM:liDzTHlCEEIcqLLRgc+3WQKjM
TLSH: T18054239D569E34A3D93F0E7AC2A7048A22F44B42CD5C871B1256E56C5CE04F3EF26B47
TrID: 80.0% (.ZIP) ZIP compressed archive (4000/1)
      20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter: pr0xylife
Tags: 1676370608 azd Qakbot Quakbot zip

Intelligence


File Origin
# of uploads: 1
# of downloads: 200
Origin country: RU

File Archive Information

This file archive contains 3 file(s), sorted by their relevance:

File name: Adobe Cloud Certificate 292433.wsf
File size: 7'149 bytes
SHA256 hash: fe7c6af8a14af582c3f81749652b9c1ea6c0c002bb181c9ffb154eae609e6458
MD5 hash: ff19670725eaf5df6f3d2ca656d3db27
MIME type: text/html
Signature: Quakbot

File name: Adobe Cloud Shared 292433.pdf
File size: 310'235 bytes
SHA256 hash: 6f5139a95b40d337fa0c0f3271b0738f0318df685a9026bbb2885ddb01320b4a
MD5 hash: 45ed9b22b005a9bad39d3f5dd6b4644d
MIME type: application/pdf
Signature: Quakbot

File name: Adobe Document Cloud License.txt
File size: 4'391 bytes
SHA256 hash: 5e2f8f70a37eb50d330c8e20ed451f57e1ee513b0641c735efac0accd57e386e
MD5 hash: 39604feed52c277e097b9f7e23268219
MIME type: text/plain
Signature: Quakbot

Vendor Threat Intelligence

Result
Verdict: MALICIOUS
Details:
Document With Few Pages
Document contains between one and three pages of content. Most malicious documents are sparse in page count.

Result
Malware family: n/a
Score: 10/10
Tags: n/a
Behaviour:
Blocklisted process makes network request
Process spawned unexpected child process

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: QbotStuff
Author: anonymous

Rule name: SUSP_certificate_payload
Author: Didier Stevens, Florian Roth
Description: Detects payloads that pretend to be certificates
Reference: https://blog.nviso.be/2018/08/02/powershell-inside-a-certificate-part-3/

Rule name: SUSP_certificate_payload_RID3087
Author: Didier Stevens, Florian Roth
Description: Detects payloads that pretend to be certificates
Reference: https://blog.nviso.be/2018/08/02/powershell-inside-a-certificate-part-3/

File information


The table below shows additional information about this malware sample such as delivery method and external references.
