MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 26975798246161199b20263f3793e1c6d56299c0a881c6dfcd4bc9b753b75212. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 26975798246161199b20263f3793e1c6d56299c0a881c6dfcd4bc9b753b75212
SHA3-384 hash: a350e39da54e130486b5652b5367d131c3b8c7a7801238f02be67cd1aa16ec1ef3a534dfff15f4a89e273933c5e3641f
SHA1 hash: 1c58b5ea59cdad291f8183414391af7b0d5119a7
MD5 hash: fd3495c03fd956548c722fa5943ca9f9
humanhash: fifteen-carolina-thirteen-helium
File name:user.dat
Download: download sample
Signature Quakbot
Create hunting rule
File size:528'384 bytes
First seen:2022-12-22 15:53:13 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash d0ce5a8d5d0f4fa36cbdd8035bad1ebc (4 x Quakbot)
ssdeep 12288:+ihnctArBgRprvbiIIAuz19n26pmpmlCO:HnqAyprvbiIIAuRUmxf
Threatray 1'871 similar samples on MalwareBazaar
TLSH T122B4D02172E39175EC9742B1201E5F3DEFF97A2046779C9B4F9804C12F249A2EB3664B
TrID 31.0% (.EXE) InstallShield setup (43053/19/16)
22.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
9.4% (.SCR) Windows screen saver (13097/50/3)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
Reporter pr0xylife
Tags:dll obama232 Qakbot Quakbot

Intelligence

File Origin
# of uploads :
1
# of downloads :
207
Origin country :
IN IN
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/349086/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/63a47d9c811f33f30455304d/reports/944fcd37-672b-47b0-8a8b-cfdde80fe3fb/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/1cb1251d-b865-465e-8306-0f3147b61c97
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1139459
Signature
Sigma detected: Execute DLL with spoofed extension
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 772189 Sample: user.dat.dll Startdate: 22/12/2022 Architecture: WINDOWS Score: 48 37 Sigma detected: Execute DLL with spoofed extension 2->37 8 loaddll32.exe 1 2->8         started        process3 process4 10 cmd.exe 1 8->10         started        12 rundll32.exe 8->12         started        14 rundll32.exe 8->14         started        16 7 other processes 8->16 process5 18 rundll32.exe 10->18         started        20 WerFault.exe 12->20         started        23 WerFault.exe 22 9 14->23         started        25 WerFault.exe 9 16->25         started        27 WerFault.exe 9 16->27         started        29 WerFault.exe 16->29         started        31 2 other processes 16->31 dnsIp6 33 WerFault.exe 3 9 18->33         started        35 192.168.2.1 unknown unknown 20->35 process7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/26975798246161199b20263f3793e1c6d56299c0a881c6dfcd4bc9b753b75212/
Threat name:
Win32.Trojan.Alien
Create hunting rule
Status:
Malicious
First seen:
2022-12-22 15:54:06 UTC
File Type:
PE (Dll)
AV detection:
8 of 26 (30.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=e2lvpgbemfqrtgzaey7tpe7by3kwfgoavca4nx6njpe3ou5xkija._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
22c5d9c52f3e9e072e384cc2963a7a453225c2ed7f26f60d0fb043c77f0c4079
Quakbot
30ba48c675fe81437d78a25384a4c07e357577a58fe63cea022f0847e61e71b1
Quakbot
329732f00e782c5c2512f83db2d07c4b26364298cde645f4fd7adca2f27c00bd
Quakbot
457482f12d66c77f8d15a55fa52fe75ce54ffb292bd96440dde97a5f769c1eb9
Quakbot
4a6fa75896f4dca8e3ad9c5024037b10b61bd4a723819aaf0ea941f37a763411
Quakbot
88f2ca8f56c76d8689ec1738a23beb4ca30f43a3def3472de430f895805e7e48
Quakbot
96d2f4131542e1b4a6e9bba0bf3807008cb8340e7d247b464fdbebe11031d9e2
Quakbot
c2818a0dde04b70ce0f01342df88b2d01c2ab0fced4e94fdc1254bf505325bf6
Quakbot
ce81b2ab0a243fe8e85a249b0f425007d858d7e9cc7e65af5d2f9e68efb5e5d0
Quakbot
+ 1'861 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/221222-tb7fyshh4v/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
26975798246161199b20263f3793e1c6d56299c0a881c6dfcd4bc9b753b75212
MD5 hash:
fd3495c03fd956548c722fa5943ca9f9
SHA1 hash:
1c58b5ea59cdad291f8183414391af7b0d5119a7
Link:
https://www.unpac.me/results/833073d3-c01e-4007-9b91-cfdcf29f2df4/
Malware family:
QBot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/269757982461/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.16
Link:
https://yomi.yoroi.company/submissions/26975798246161199b20263f3793e1c6d56299c0a881c6dfcd4bc9b753b75212

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/349086/

Comments