MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28073d4484050c1d52ea7be1a8c94a554387311529909fc451525872af5b1164. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 28073d4484050c1d52ea7be1a8c94a554387311529909fc451525872af5b1164
SHA3-384 hash: d6f98c16673f50f4cb73d7ea5a1e26c8c412d231669c79ee9b3d0b1dfac11e2751ca67517ffd572078c3cc9c580398a8
SHA1 hash: de477a747d986d227269468be46d3f3e53148cf8
MD5 hash: 50be37c8b06035eaf12aeb99305b815a
humanhash: single-helium-alanine-oscar
File name:50be37c8b06035eaf12aeb99305b815a.exe
Download: download sample
Signature Quakbot
Create hunting rule
File size:247'296 bytes
First seen:2020-10-26 16:15:50 UTC
Last seen:2020-10-26 17:51:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6f852fb7910bbadef3a5dbc2273a0898 (2 x Quakbot)
ssdeep 6144:qdtJ9rtpMBa7CSqNF2+Nlu/of4jHwr68M:qd1rMBgCSqY+Nloof4Hw2
Threatray 727 similar samples on MalwareBazaar
TLSH 7434E0D2A2D48140F5F776361237C3883766BE5D993DA27F253572DEA930A812D3832E
Reporter abuse_ch
Tags:exe Quakbot

Intelligence

File Origin
# of uploads :
2
# of downloads :
64
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Inject4.3909.31436.26989.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching a process
Result
Threat name:
Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/512284
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect virtual machines (IN, VMware)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 305311 Sample: 62uW1512sJ.exe Startdate: 26/10/2020 Architecture: WINDOWS Score: 100 31 Antivirus / Scanner detection for submitted sample 2->31 33 Multi AV Scanner detection for submitted file 2->33 35 Yara detected Qbot 2->35 37 3 other signatures 2->37 7 62uW1512sJ.exe 4 2->7         started        11 62uW1512sJ.exe 2->11         started        13 62uW1512sJ.exe 2->13         started        process3 file4 29 C:\Users\user\AppData\Roaming\...\idikf.exe, PE32 7->29 dropped 41 Detected unpacking (changes PE section rights) 7->41 43 Detected unpacking (overwrites its own PE header) 7->43 45 Contains functionality to detect virtual machines (IN, VMware) 7->45 47 Contains functionality to compare user and computer (likely to detect sandboxes) 7->47 15 idikf.exe 7->15         started        18 schtasks.exe 1 7->18         started        20 62uW1512sJ.exe 7->20         started        signatures5 process6 signatures7 49 Antivirus detection for dropped file 15->49 51 Multi AV Scanner detection for dropped file 15->51 53 Detected unpacking (changes PE section rights) 15->53 55 7 other signatures 15->55 22 explorer.exe 1 15->22         started        25 idikf.exe 15->25         started        27 conhost.exe 18->27         started        process8 signatures9 39 Contains functionality to compare user and computer (likely to detect sandboxes) 22->39
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/28073d4484050c1d52ea7be1a8c94a554387311529909fc451525872af5b1164/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2020-10-26 04:28:54 UTC
AV detection:
28 of 29 (96.55%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fadt2reeaugb2uxkppq2rskkkvbyomivfgij7rcrkjmhfl23cfsa._file
Verdict:
malicious
Similar samples:
3ad143fe091e2398207ac89ed82cc31f5bee574def93abd938e001b35898fbbc
Quakbot
73efa825c8ac05d163d714fa32c9761a7850b3955207690ebacf661cdfb15f9f
Quakbot
77156ec82469bc688ff6fc4c82ceb4e725347dcdc1ea0282d44de212b53d564e
Quakbot
93d7865771c6ae73997ce1af134e475e436dd0eb3e44ac1a4c8ad6baec8350ef
Quakbot
997c6f1d8c2bb2028ee0ab542962c868b573c437fb0f19745a0f48602e9736f1
Quakbot
9f90bdf9ba391e45d111d84c6f59f074410928c306feef877ee9e1a2e0668f16
Quakbot
b31a8c0636d44f543596dd687ed7c75da9b81ff2af465d762f2748b2616df8c4
Quakbot
d1457d2c3473bab86d18d4cf8b4f74647eb6a2cb0979666a30a4f85fe8e23f9d
Quakbot
d9b5e7443c3d48d18c5da2ce0dbd958cdc6eac082bede6ba35a8531a5a39470e
Quakbot
e55c191f081d06d46846f73db4d847c3a08da2a517b70ee119f2586c308ebd1d
Quakbot
+ 717 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
trojan banker stealer family:qakbot
Link:
https://tria.ge/reports/201026-d88vvfkbd6/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Qakbot/Qbot
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Quakbot

Executable exe 28073d4484050c1d52ea7be1a8c94a554387311529909fc451525872af5b1164

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/699329/
  
Delivery method
Distributed via web download

Comments