MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 283fed02e9434975e43435a8748ab01451199a061da32e94e39128fd7745db24. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 283fed02e9434975e43435a8748ab01451199a061da32e94e39128fd7745db24
SHA3-384 hash: 2433456570f1300c70fcba4e9fe0d508b7494177598240ad944ffb2bafc1e934057e00906fde25f493d02719e7db2f63
SHA1 hash: ea485f0c12822dfc16f4c939c92e5940a86183a7
MD5 hash: f348da9ce0ea0883dc540614150badbf
humanhash: jupiter-blossom-spaghetti-jig
File name:44616.6383127315.dat
Download: download sample
Signature Quakbot
Create hunting rule
File size:864'256 bytes
First seen:2022-02-24 15:23:51 UTC
Last seen:2022-02-24 16:47:16 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash c1121acfcf8b9aeea983fd06a6c0a74e (12 x Quakbot)
ssdeep 12288:l9hhPVn6mBXIlb5oC7QMFkbWlV4AuBmzKT5NQMvNHgTJfnoHu:/XometXnF+WHTWT59O
Threatray 45 similar samples on MalwareBazaar
TLSH T1CD05AE1253724835DB3B4F38ED4B12A89C15FDF2F86898F5AED4A8687B386512C5B307
File icon (PE):PE icon
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter pr0xylife
Tags:dll Qakbot Quakbot

Intelligence

File Origin
# of uploads :
2
# of downloads :
174
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/244371/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.11275.6464.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Searching for synchronization primitives
Creating a window
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe greyware keylogger packed
Link:
https://www.filescan.io/uploads/6217a317a6f52d32f18223e0/reports/b2fcd676-f06b-4087-a4bc-444b6fba403e/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/31c42311-5440-4c13-bf02-660870d1f519
Result
Threat name:
CryptOne Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/945846
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Found malware configuration
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Schedule system process
Sigma detected: Suspicious Call by Ordinal
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected CryptOne packer
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 578327 Sample: 44616.6383127315.dat Startdate: 24/02/2022 Architecture: WINDOWS Score: 100 63 Found malware configuration 2->63 65 Multi AV Scanner detection for submitted file 2->65 67 Yara detected CryptOne packer 2->67 69 5 other signatures 2->69 9 loaddll32.exe 1 2->9         started        12 regsvr32.exe 2->12         started        14 regsvr32.exe 2->14         started        process3 signatures4 71 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 9->71 73 Injects code into the Windows Explorer (explorer.exe) 9->73 75 Writes to foreign memory regions 9->75 77 3 other signatures 9->77 16 explorer.exe 8 1 9->16         started        20 cmd.exe 1 9->20         started        22 regsvr32.exe 12->22         started        24 regsvr32.exe 14->24         started        process5 file6 49 C:\Users\user\Desktop\44616.6383127315.dll, PE32 16->49 dropped 51 Uses cmd line tools excessively to alter registry or file data 16->51 53 Uses schtasks.exe or at.exe to add and modify task schedules 16->53 26 schtasks.exe 1 16->26         started        28 rundll32.exe 20->28         started        55 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 22->55 57 Injects code into the Windows Explorer (explorer.exe) 22->57 59 Writes to foreign memory regions 22->59 61 3 other signatures 22->61 31 explorer.exe 8 2 22->31         started        signatures7 process8 signatures9 33 conhost.exe 26->33         started        79 Contains functionality to detect sleep reduction / modifications 28->79 35 WerFault.exe 23 9 28->35         started        37 explorer.exe 28->37         started        81 Uses cmd line tools excessively to alter registry or file data 31->81 39 reg.exe 1 1 31->39         started        41 reg.exe 1 1 31->41         started        43 conhost.exe 31->43         started        process10 process11 45 conhost.exe 39->45         started        47 conhost.exe 41->47         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/283fed02e9434975e43435a8748ab01451199a061da32e94e39128fd7745db24/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-02-24 15:24:14 UTC
File Type:
PE (Dll)
Extracted files:
38
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
036c25ca8f8bfd424dc22bdacdfc1b1b101afd51fa60391253a757c075b62964
Quakbot
1df8d420198c7997c2e0bf9b63d74661ab21a0a9d5826d1b20deb2ece536cf80
Quakbot
532f5a32f685a1acdb7c0982bb4fd721852af1e9fb278bf5d0faa82a6741f3c8
Quakbot
67486db1b558b02235a0a8edaa7183ab707c3c8d12ec87231cd12445856e2398
Quakbot
790951787b259b98ea0f3b7face9c805643bd5e36b2d8a9d92d6d20a7107971b
Quakbot
af9ff6ecb351b6b63446c24677070b767b8f77b0a53feccdfde2c42c1205c258
Quakbot
c1c8bacb9d1cbcef187da4adfde7761c91543e84223a37385fd5c25803e1d16f
Quakbot
ee9aabd2fec3932993038ecf48b2fa192ca5d22c539b5c62be77019a0e77ef79
Quakbot
+ 35 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/220224-ss2rcsdcb3/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Loads dropped DLL
Suspicious use of NtCreateProcessExOtherParentProcess
Windows security bypass
Unpacked files
SH256 hash:
8854051db65d8a8743b263d8f0349095222a4a035152a7958033e924148b22b5
MD5 hash:
9dad75a83c453b02a8a3dcd1825281d4
SHA1 hash:
6d8cca1fe2630070e02f095445a0c77be0a165e9
Link:
https://www.unpac.me/results/36887821-a52b-4fb7-8c66-d0e372df6a19/
SH256 hash:
d43e0141811b4a4665c27efcf0ec1c62f9824db9303c279e6bd8c95276bcb83f
MD5 hash:
6235eaecef4d922cf80cc97f87d96681
SHA1 hash:
1a6c870b25feddb7328f202a13baff4331b3adf4
Link:
https://www.unpac.me/results/36887821-a52b-4fb7-8c66-d0e372df6a19/
SH256 hash:
283fed02e9434975e43435a8748ab01451199a061da32e94e39128fd7745db24
MD5 hash:
f348da9ce0ea0883dc540614150badbf
SHA1 hash:
ea485f0c12822dfc16f4c939c92e5940a86183a7
Link:
https://www.unpac.me/results/36887821-a52b-4fb7-8c66-d0e372df6a19/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/283fed02e9434975e43435a8748ab01451199a061da32e94e39128fd7745db24

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/244371/

Comments