MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2013496fe5524988c28357245d684cdca787b47c0b3b16cae20b3222977d769b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Quakbot


Vendor detections: 8


Maldoc score: 11


Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash: 2013496fe5524988c28357245d684cdca787b47c0b3b16cae20b3222977d769b
SHA3-384 hash: fb65a35408915dd602fc3e6da66e313c3ce02e39701491c8267fd2d089bb8d512e5165cc6f992cb5744905e11b15d3f1
SHA1 hash: a7b9d6fa34914921826fc7913e0d3ccd145ebaf2
MD5 hash: 34ee9111f987b903bce643f660d2d7ce
humanhash: india-nebraska-alpha-zebra
File name:2013496fe5524988c28357245d684cdca787b47c0b3b16cae20b3222977d769b.vir
Download: download sample
Signature Quakbot
File size:207'872 bytes
First seen:2021-09-25 10:25:36 UTC
Last seen:2021-09-25 11:10:19 UTC
File type:Excel file xlsx
MIME type:application/vnd.ms-excel
ssdeep 6144:oKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgCSPofSHl8oD5j:ERq55j
TLSH T1D0149157A9058AC3E51C93F8BE434ED92F066F08E9463EEB21157F8B7F742530D8A11A
Reporter @DSTLabs
Tags:excel4macros maldoc Quakbot sansisc vba xlsx

Office OLE Information


This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 11
OLE dump
Sections: 20

The following OLE sections have been found using oledump:

Section IDSection sizeSection name
1103 bytesCompObj
2240 bytesDocumentSummaryInformation
3208 bytesSummaryInformation
4180804 bytesWorkbook
5603 bytes_VBA_PROJECT_CUR/PROJECT
6116 bytes_VBA_PROJECT_CUR/PROJECTwm
797 bytes_VBA_PROJECT_CUR/UserForm1/CompObj
8301 bytes_VBA_PROJECT_CUR/UserForm1/VBFrame
9226 bytes_VBA_PROJECT_CUR/UserForm1/f
10272 bytes_VBA_PROJECT_CUR/UserForm1/o
113768 bytes_VBA_PROJECT_CUR/VBA/Module1
12991 bytes_VBA_PROJECT_CUR/VBA/Sheet1
133010 bytes_VBA_PROJECT_CUR/VBA/ThisWorkbook
141195 bytes_VBA_PROJECT_CUR/VBA/UserForm1
153860 bytes_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
162004 bytes_VBA_PROJECT_CUR/VBA/__SRP_0
17138 bytes_VBA_PROJECT_CUR/VBA/__SRP_1
18212 bytes_VBA_PROJECT_CUR/VBA/__SRP_2
19206 bytes_VBA_PROJECT_CUR/VBA/__SRP_3
20864 bytes_VBA_PROJECT_CUR/VBA/dir
OLE vba
TypeKeywordDescription
AutoExecauto_openRuns when the Excel Workbook is opened
AutoExecWorkbook_OpenRuns when the Excel Workbook is opened
AutoExecauto_closeRuns when the Excel Workbook is closed
IOC94.140.114.44IPv4 address
IOC103.155.92.211IPv4 address
IOC193.38.54.149IPv4 address
IOCXertis.dllExecutable file name
IOCXertis1.dllExecutable file name
IOCXertis2.dllExecutable file name
SuspiciousRunMay run an executable file or a system command
SuspiciousEXECMay run an executable file or a system
SuspiciousHex StringsHex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
SuspiciousBase64 StringsBase64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence


File Origin
# of uploads :
2
# of downloads :
265
Origin country :
BE BE
Mail intelligence
No data
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2013496fe5524988c28357245d684cdca787b47c0b3b16cae20b3222977d769b.vir
Verdict:
Suspicious activity
Analysis date:
2021-09-25 10:28:27 UTC
Tags:
macros macros-on-open macros-on-close

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Legit
File type:
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
Has a screenshot:
False
Contains macros:
True
Result
Verdict:
Malicious
File Type:
Legacy Excel File with Macro
Alert level:
4.5%
Document image
Document image
Result
Verdict:
MALICIOUS
Details
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
IPv4 Dotted Quad URL
A URL was detected referencing a direct IP address, as opposed to a domain name.
Macro Execution Coercion
Detected a document that appears to social engineer the user into activating embedded logic.
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
Threat name:
Script.Trojan.SuspectMacro
Status:
Malicious
First seen:
2021-09-21 04:51:55 UTC
AV detection:
21 of 45 (46.67%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  10/10
Tags:
macro macro_on_action
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Process spawned unexpected child process
Malware Config
Dropper Extraction:
http://94.140.114.44/44464.4349746528.dat
http://103.155.92.211/44464.4349746528.dat
http://193.38.54.149/44464.4349746528.dat
http://94.140.114.44/44464.4350751157.dat
http://103.155.92.211/44464.4350751157.dat
http://193.38.54.149/44464.4350751157.dat

YARA Signatures


MalareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious proccess dumps they may create. Please note that only results from TLP:WHITE rules are being displayeyd.

Rule name:TA505_Maldoc_21Nov_2
Author:Arkbird_SOLG
Description:invitation (1).xls
Reference:https://twitter.com/58_158_177_102/status/1197432303057637377

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments