MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 24f828742baaedb176d3dba0bdf3d06682c174a9b46b35bf5d145ee57f2aa643. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuakBot


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 24f828742baaedb176d3dba0bdf3d06682c174a9b46b35bf5d145ee57f2aa643
SHA3-384 hash: 2d5c169414dfc3e9cc10b0a061c446292c7a79bda463b2743cb4833491740394c2cbfdb1f58ba99382a7c57bfa72cf94
SHA1 hash: 076e4a9a326d253d4fbf9e426b54f6f08cd04aad
MD5 hash: 54913eba4af75459add05894f27669ed
humanhash: high-chicken-snake-fanta
File name:24f828742baaedb176d3dba0bdf3d06682c174a9b46b35bf5d145ee57f2aa643
Download: download sample
Signature QuakBot
Create hunting rule
File size:1'084'416 bytes
First seen:2020-11-10 11:18:16 UTC
Last seen:2024-07-24 12:17:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c1e35a855d20d45e9c84f5bd029dd388 (154 x Quakbot)
ssdeep 6144:WRuCDLgJ2VIARD83dakFICdy2Ms9NbD0qZ31EyNEgflm0tjKksGInR+HlZzmP6Mh:WRY2VhO8xn2MNleKpPUhulLhJ9FCe
Threatray 976 similar samples on MalwareBazaar
TLSH D03522D7F9BC8471CAED297F8993123C968A85E85D05D10B0778A5ADBDF3200FE9244B
Reporter seifreed
Tags:Quakbot

Intelligence

File Origin
# of uploads :
2
# of downloads :
59
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching a process
Creating a window
Forced shutdown of a system process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/529745
Signature
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect virtual machines (IN, VMware)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 313971 Sample: 8SJSD3YgzV Startdate: 11/11/2020 Architecture: WINDOWS Score: 100 36 Multi AV Scanner detection for submitted file 2->36 38 Yara detected Qbot 2->38 40 Machine Learning detection for sample 2->40 42 2 other signatures 2->42 7 8SJSD3YgzV.exe 4 2->7         started        11 8SJSD3YgzV.exe 2->11         started        13 8SJSD3YgzV.exe 2->13         started        process3 file4 32 C:\Users\user\AppData\Roaming\...\aypeuoq.exe, PE32 7->32 dropped 34 C:\Users\user\...\aypeuoq.exe:Zone.Identifier, ASCII 7->34 dropped 44 Detected unpacking (changes PE section rights) 7->44 46 Detected unpacking (overwrites its own PE header) 7->46 48 Contains functionality to detect virtual machines (IN, VMware) 7->48 50 Contains functionality to compare user and computer (likely to detect sandboxes) 7->50 15 aypeuoq.exe 1 7->15         started        18 schtasks.exe 1 7->18         started        20 8SJSD3YgzV.exe 7->20         started        signatures5 process6 signatures7 52 Multi AV Scanner detection for dropped file 15->52 54 Detected unpacking (changes PE section rights) 15->54 56 Detected unpacking (overwrites its own PE header) 15->56 58 2 other signatures 15->58 22 aypeuoq.exe 15->22         started        24 explorer.exe 15->24         started        26 explorer.exe 15->26         started        30 4 other processes 15->30 28 conhost.exe 18->28         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/24f828742baaedb176d3dba0bdf3d06682c174a9b46b35bf5d145ee57f2aa643/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2020-11-10 11:22:38 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=et4cq5blvlw3c5wt3oql346qm2bmc5fjwrvtlp25crpok7zkuzbq._file
Verdict:
malicious
Similar samples:
02b6b1f134e188ec672b2fa5a4c7013b77aaf4474fd0f99d31162625a45a5289
QuakBot
12a33b4cbaa8523b49fbf03ce5ac773e1846660662a0ca67b7dae618606e6ae4
QuakBot
18a52a088f46ae8a4dbfc27760bdb3e22dda61ed353c8b8ff3dc16aaa1df4c43
QuakBot
279c511ba3dd0151e5c969eeb34924fbdb4707d0ccd4d0ac36dc9f63324a7582
QuakBot
9adfaa5b63a6a5456740d383e463055f47b796114675f0912e185638ad135d4a
QuakBot
a401e9208a31cca327a31ee872a258b358dbd276304625e461d46f5c656d5723
QuakBot
acb1a2562d23cd06da04a144712d3a0fbe7a7c37cd7532a2f0986803e44554ce
QuakBot
b78c608b6efdbcab010375b990d029eefd2aa139b5796cd5b10adf50a8e48ec3
QuakBot
c118e4088bc5aaffebe7208df9f01da9d70ba625ba020c593723495c0954a203
QuakBot
e623ccc3e7951238e956cd57702bc2375b0649d5d550fb4ad29e24f6b9323adf
QuakBot
+ 966 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot banker stealer trojan
Link:
https://tria.ge/reports/201110-s1tpcdk1ee/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Qakbot/Qbot
Unpacked files
SH256 hash:
24f828742baaedb176d3dba0bdf3d06682c174a9b46b35bf5d145ee57f2aa643
MD5 hash:
54913eba4af75459add05894f27669ed
SHA1 hash:
076e4a9a326d253d4fbf9e426b54f6f08cd04aad
Link:
https://www.unpac.me/results/2b607f20-47ad-4fb1-8772-cef2392c48a6/
SH256 hash:
78c5a96607a03a1307a29c9489e49ac5910ca6edd605d4efce226a54ea87b76e
MD5 hash:
edb8a157a75736acffd86fe6a057b433
SHA1 hash:
ffaba2d93b5367957367681b7a276dac1406f0de
Detections:
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/2b607f20-47ad-4fb1-8772-cef2392c48a6/
Parent samples :
4f1566795077320406ae3ded8622923036b8531c9cde840a6540c66a366505dd
ac7368bd75142d7c2c0990811ddcf4962ac5c6fc42c3a4b6846dfd80423c2750
24f828742baaedb176d3dba0bdf3d06682c174a9b46b35bf5d145ee57f2aa643
77e8872e2c9a68dceed90a1e59d2805019963759747a1134be407f5bc14ce28b
58593fd5fb90f5fd420e3dcf0ed7e1fb5fcb5a3ac89acf685acc7d4c0e7df9ff
bf2e0f665eac44398fdeb7e3dc2451a9230686f6b8f0b18bb656d6a1bc8aad4e
d8be99a67635ce711c3d165e4e5ad8aad798bc398c92f8be924b5dec534063f0
54a201fb84a5b1c713037f0d687812aa96cd9029c933d9c316c1f035a9b3597e
SH256 hash:
cd4bd706fbdae40ca97c82bbac1ed2d9a55996b79f84bf8eeb3617d1291904c3
MD5 hash:
d47e1554642f67dd15db9e569e0352da
SHA1 hash:
4eb1f51921459cd0fad2e4a645cbca8c2c236c3a
Detections:
win_qakbot_g0
Create hunting rule
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/2b607f20-47ad-4fb1-8772-cef2392c48a6/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments