MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 382ae412ae682c0c1241c2bbafec413b0f9bb5829a68ec199399dcb38e9cf05c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuakBot


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 382ae412ae682c0c1241c2bbafec413b0f9bb5829a68ec199399dcb38e9cf05c
SHA3-384 hash: 657a91189bbb77eafa38e6ce8ea0a19a3b4b4e750b729198e26b5ca6838a6453d27f268de68c17c5f2e1381891850bef
SHA1 hash: 4d51367638800728b94af5ba0b6d364c407c7773
MD5 hash: 5004555240fa78e8e49483e33f7550c0
humanhash: alanine-beer-one-tennessee
File name:Churchill.bin
Download: download sample
Signature QuakBot
Create hunting rule
File size:2'761'232 bytes
First seen:2020-06-17 11:49:55 UTC
Last seen:2020-06-17 12:53:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5e80336862f35b45ff7d1507fba8cde5 (1 x QuakBot)
ssdeep 12288:utlQY2wwLHqpVxTa/shQHiKP8+Ykfgn6ggKX/cmr:uf2wwTySvPAkfg93Ph
Threatray 421 similar samples on MalwareBazaar
TLSH 20D5F137B89C441FD13748B395F116BB296AEFFD063A744E0D90B912A8A2ED34C51D8B
Reporter JAMESWT_WT
Tags:Qakbot

Code Signing Certificate

Organisation:XYXLIJAWWFYCNAVMTC
Issuer:XYXLIJAWWFYCNAVMTC
Algorithm:sha1WithRSA
Valid from:Jun 16 08:58:06 2020 GMT
Valid to:Dec 31 23:59:59 2039 GMT
Serial number: -3523AD7BCF3A924DB51E0F53B71C5438
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: BBAA52B62E8082E6F58744B77A7F8A446CB487001DBEFF7C8F57956CA1DC63FA
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
249
Origin country :
n/a
Vendor Threat Intelligence
Detection:
QakBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/19525/
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.67972.23564.6528.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2020-06-17 12:35:50 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
27 of 31 (87.10%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0e5372fd7ae262365e2be6438a14b3e2b5b72424580d53ae96ae347936df03c4
QuakBot
24f0117431531a4c2b31b595ca84bd1eb8741a80fe891da921b4ed65581ff91a
QuakBot
3cd54a6ebb3d837c2c73839f5eae1da1f6d6dd9c6bbb01752b149b9a309d49bc
QuakBot
576029dbd4166e9d6548f877bea422da5d7a07adfc5ca60c93dabbecfab3d6c7
QuakBot
7a35e95b5c5ad0c2ca40f25acd09a0ca481254bf034ff198777ad1abd071d809
QuakBot
84a0c818da5d2624e3c7cf0543cb8c6dbc1e90759681fdf87fe2aedd1950347b
QuakBot
aeac401a979114462768e6af0ddd96e4784eeef08953884aca607fc000d229f3
QuakBot
aec4a8545ebb046d6f354225d51130616b6617b4d71f90f1e206864fb90c982c
QuakBot
c37cc051bd43c57a8566f51c131aad34c36ea0285f8b53e2f307548d9b7ad06e
QuakBot
c6f428373659b634d0f0a9f23c7afec8a4bab7ee2161582708e76539631bc708
QuakBot
+ 411 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
trojan banker stealer family:qakbot evasion
Link:
https://tria.ge/reports/200624-9mlkhd6v72/
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Windows security modification
Loads dropped DLL
Executes dropped EXE
Turns off Windows Defender SpyNet reporting
Qakbot/Qbot
Windows security bypass
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/19525/

Comments