MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ebb62e94adeb9e2b89c86158d047c4237d5df24a02f0324b9d81eb1ea164241. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2ebb62e94adeb9e2b89c86158d047c4237d5df24a02f0324b9d81eb1ea164241
SHA3-384 hash: 36af2d6ffc5890ad32ea81455253b8596546db1b9be6af6b5a309aa0913c543469691c012405a12a13a14f28361334be
SHA1 hash: 46670f4ad2e38b9de80f5b74804fc0aa87acc796
MD5 hash: 2b621a9c3fa4bf50bc028448e11beab4
humanhash: speaker-ack-pluto-delaware
File name:cursor.dat
Download: download sample
Signature Quakbot
Create hunting rule
File size:1'217'344 bytes
First seen:2022-12-20 16:15:11 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 290cad5b94deff5e8979efae9fbf9af1 (4 x Quakbot)
ssdeep 24576:LKbbqQlRH90zhBs7tl+vJtzsJPwfwXR1F0yvc8NTmIg9EcjZdFkze:LKXqQz901gcDsJPwfwXfFxvFnQN
Threatray 1'867 similar samples on MalwareBazaar
TLSH T15F45E72BE20790FAC54337B30647E5DF2228A715C4347F6EAD9C0C58F736A41A96E267
TrID 32.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
20.5% (.EXE) Win64 Executable (generic) (10523/12/4)
12.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
9.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter pr0xylife
Tags:dll Obama231 Qakbot qbot Quakbot

Intelligence

File Origin
# of uploads :
1
# of downloads :
217
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/348421/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
anti-debug anti-vm overlay packed
Link:
https://www.filescan.io/uploads/63a1dfc3d2108f6a6f380cfd/reports/37de1a14-4bad-4f2a-990b-8298caf3bf49/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/24bfcd84-6e9b-45e3-90e8-a5314915d0e9
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1138060
Signature
Sigma detected: Execute DLL with spoofed extension
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 770790 Sample: cursor.dat.dll Startdate: 20/12/2022 Architecture: WINDOWS Score: 48 35 Sigma detected: Execute DLL with spoofed extension 2->35 8 loaddll32.exe 1 2->8         started        process3 process4 10 cmd.exe 1 8->10         started        12 rundll32.exe 8->12         started        14 rundll32.exe 8->14         started        16 7 other processes 8->16 process5 18 rundll32.exe 10->18         started        20 WerFault.exe 2 9 12->20         started        23 WerFault.exe 4 9 14->23         started        25 WerFault.exe 9 16->25         started        27 WerFault.exe 16->27         started        29 WerFault.exe 16->29         started        dnsIp6 31 WerFault.exe 20 9 18->31         started        33 192.168.2.1 unknown unknown 20->33 process7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2ebb62e94adeb9e2b89c86158d047c4237d5df24a02f0324b9d81eb1ea164241/
Threat name:
Win32.Infostealer.QBot
Create hunting rule
Status:
Malicious
First seen:
2022-12-20 16:16:09 UTC
File Type:
PE (Dll)
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f25wf2kk3246foe4qyky2bd4ii35lxzeuaxqgjfz3apld2qwijaq._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
28938e9b7dc8ba1641a245277c4f1ef95ed148984a8cce2e8b1c07e6ff5f740c
Quakbot
329732f00e782c5c2512f83db2d07c4b26364298cde645f4fd7adca2f27c00bd
Quakbot
457482f12d66c77f8d15a55fa52fe75ce54ffb292bd96440dde97a5f769c1eb9
Quakbot
5d111ecc2ea0919b641b48a6e0d907466557ebec1a6f5369da93c44abeb16697
Quakbot
69d829b1dc15636a01b783fe04179165fd7f28bc11393782bbdbdfd77619e785
Quakbot
855e478e4b59dafee6a223500c4a6b5650fab00f05442bd8161375dfe9b51858
Quakbot
9c99d4c2d10e852395f892378225247f4e6eb2b5d9b9718e39127634e3acae3b
Quakbot
a62dcf9b94179a272e52607b21e873f1699ab02b68a371ef12b559bd8fafb59b
Quakbot
ce81b2ab0a243fe8e85a249b0f425007d858d7e9cc7e65af5d2f9e68efb5e5d0
Quakbot
db333be4247b3cef1efefe762327112ca465de58a15a260033d03a7aaaf5cbb2
Quakbot
+ 1'857 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/221220-tqslcadd41/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
2ebb62e94adeb9e2b89c86158d047c4237d5df24a02f0324b9d81eb1ea164241
MD5 hash:
2b621a9c3fa4bf50bc028448e11beab4
SHA1 hash:
46670f4ad2e38b9de80f5b74804fc0aa87acc796
Link:
https://www.unpac.me/results/4d9ef187-8201-4043-9029-74e27f3601c1/
Malware family:
QBot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2ebb62e94ade/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2ebb62e94adeb9e2b89c86158d047c4237d5df24a02f0324b9d81eb1ea164241

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/348421/

Comments