MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ef19274dbacbf0db57108d6d05f25b92eba6e563350c67bac58f07244fe54d7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	1ef19274dbacbf0db57108d6d05f25b92eba6e563350c67bac58f07244fe54d7
SHA3-384 hash:	65d9366de776e1e32717d7f72860b93d879bb2c5f7893514791771d407e168f4d87b4011d2c57ba082347f5753985932
SHA1 hash:	1aeb2714a30331054cdc1abb5f02551d39d38d7e
MD5 hash:	6a6da4c4d55c95eb227ab1933f8eb4ed
humanhash:	social-arkansas-king-freddie
File name:	ORDER009984834.exe
Download:	download sample
Signature	Quakbot Create hunting rule
File size:	1'026'136 bytes
First seen:	2020-10-13 09:31:23 UTC
Last seen:	2020-10-13 10:50:53 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:U48zV4T/2vZzzY0yJkjm0uUQvIeALDrIlIDDdnqsWjVWvwKboSe0/p3CQISs9wEJ:2+CmvULDroNwpZwP
Threatray	42 similar samples on MalwareBazaar
TLSH	4B25F53EACC44623D5768632C5E6A5A2FB2179833526ED0F229703814D23B5B7DCED6C
Reporter	cocaman
Tags:	exe Quakbot

Code Signing Certificate

Organisation:	Microsoft Corporation
Issuer:	Microsoft Code Signing PCA 2011
Algorithm:	sha256WithRSAEncryption
Valid from:	May 2 21:37:46 2019 GMT
Valid to:	May 2 21:37:46 2020 GMT
Serial number:	33000001519E8D8F4071A30E41000000000151
Intelligence:	5 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	B5DC4E58C8AFB9688734F6C5CF3ED0D4D89BF8366ACE982CC6B6854C480FC82E
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Detection(s):

SecuriteInfo.com.Variant.Bulz.78769.9370.3214.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Launching a process

Using the Windows Management Instrumentation requests

DNS request

Sending an HTTP GET request

Setting a keyboard event handler

Creating a file in the %AppData% subdirectories

Creating a window

Connection attempt to an infection source

Enabling autorun by creating a file

Result

Threat name:

Quasar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/489463

Signature

Adds a directory exclusion to Windows Defender

Creates an undocumented autostart registry key

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Yara detected Quasar RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1ef19274dbacbf0db57108d6d05f25b92eba6e563350c67bac58f07244fe54d7/

Threat name:

ByteCode-MSIL.Trojan.Variadic

Status:

Malicious

First seen:

2020-10-13 07:24:08 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=d3yze5g3vs7q3nlrbdlnaxzfxexlu3swgnimm65mldyherh6ktlq._file

Verdict:

malicious

Label(s):

masslogger

Result

Malware family:

quasar

Score:

10/10

Tags:

trojan spyware family:quasar

Link:

https://tria.ge/reports/201013-1z3ck52dgj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Looks up external IP address via web service

Quasar RAT

Unpacked files

SH256 hash:

4fab3955800392defea3ceb674e60550d7d8d05dc53df225697b942eab498e6f

MD5 hash:

fd2defbb41fb729555b2ac0db0f4da19

SHA1 hash:

a5de2fda988fbf6164d73dd07916edfb7ace99b0

Link:

https://www.unpac.me/results/34866d7b-b55d-44f7-8bb0-09ae4a76d35a/

SH256 hash:

80f7e5af2ab5720278bfdff4f8f164ece56f89a989e5aaf95005b8bfe5c513dc

MD5 hash:

21ad5cf29929cf2a59678fc6ab6dfe3e

SHA1 hash:

ce21bbf8d14845fdc83125cd1e8253a8060f0da7

Link:

https://www.unpac.me/results/34866d7b-b55d-44f7-8bb0-09ae4a76d35a/

SH256 hash:

1ef19274dbacbf0db57108d6d05f25b92eba6e563350c67bac58f07244fe54d7

MD5 hash:

6a6da4c4d55c95eb227ab1933f8eb4ed

SHA1 hash:

1aeb2714a30331054cdc1abb5f02551d39d38d7e

Link:

https://www.unpac.me/results/34866d7b-b55d-44f7-8bb0-09ae4a76d35a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1ef19274dbacbf0db57108d6d05f25b92eba6e563350c67bac58f07244fe54d7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Quakbot

rar bdba7177f8e75e073c0043151b69a2f9bb33421df85bf1ce1537ea6ed980cdc2

Quakbot

exe 1ef19274dbacbf0db57108d6d05f25b92eba6e563350c67bac58f07244fe54d7

(this sample)

Delivery method

Other

Dropped by

SHA256 bdba7177f8e75e073c0043151b69a2f9bb33421df85bf1ce1537ea6ed980cdc2

Cape

https://www.capesandbox.com/analysis/70364/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample