MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 391898d5f70ab4ea476445b7efeee666181e939970cf61a4df1f21e23b265148. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



QuakBot


Vendor detections: 9



SHA256 hash: 391898d5f70ab4ea476445b7efeee666181e939970cf61a4df1f21e23b265148
SHA3-384 hash: 5b8182fcf26aae615a73100726a3253a425af86b6b7a20caf52a23bf371af77943723b3411e157f5eb7a1b76ced2b5c2
SHA1 hash: 26075862139d5df7b8826393b2c3a0f5ae1ee69f
MD5 hash: 9042c0d338bb572b3b839fc9242c271c
humanhash: south-friend-lamp-april
File name: 391898d5f70ab4ea476445b7efeee666181e939970cf61a4df1f21e23b265148
Signature: QuakBot
File size: 281'560 bytes
First seen: 2020-11-13 15:25:29 UTC
Last seen: 2024-07-24 13:07:39 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: ee5fdfc0db72ef940bfed3428eabdafb (77 x QuakBot)
ssdeep: 6144:pXfc7Dv1eK9cDlbAnb5NIwrs6R1TZ91Kj8QO8xaTk2:pk7DNeK9SQNLhRJZ/KzRz2
Threatray: 1'347 similar samples on MalwareBazaar
TLSH: B45412CBE9480C46ECD1BDBBFA98E39B9E6D7062475381DB613EC490ABDF300462554E
Reporter: seifreed
Tags: Quakbot

Intelligence


File Origin
# of uploads: 2
# of downloads: 56
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching a process
Creating a window
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name: Win32.Backdoor.Quakbot
Status: Malicious
First seen: 2020-11-13 15:28:27 UTC
AV detection: 27 of 29 (93.10%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:qakbot banker stealer trojan
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Qakbot/Qbot
Unpacked files
SHA256 hash: 391898d5f70ab4ea476445b7efeee666181e939970cf61a4df1f21e23b265148
MD5 hash: 9042c0d338bb572b3b839fc9242c271c
SHA1 hash: 26075862139d5df7b8826393b2c3a0f5ae1ee69f

SHA256 hash: 11f4ade31fd09fd9c2199d1856407b7bb457077a26458eee7cc4194faa8bee18
MD5 hash: eb5260269f47f7d1cd746d065c52397b
SHA1 hash: 8143a0c934e9655ee19620b005fb48428f225f3e
Detections: win_qakbot_g0 win_qakbot_auto

SHA256 hash: 9a9952ada366befcc73eeb431624837c8adc407505aee300a5340a7a0aac20ec
MD5 hash: 34ba61e5ca147f0491c2668ce12e27ed
SHA1 hash: 751521250ee9a95bea5608a56e781df5f18356b6
Detections: win_qakbot_auto
Parent samples:
9ea960fd878163f83b9712993d5d909fbff31601e76b54a4278a282c1526d835
d15e3722518b9ba47aa6c7b87183e65831242831e94e632b4578abeb44868ac1
aab0cda9f1d257a3affd8ee4c8b7eb06369d598afa2a1daa3f0780851fc083cc
93d7865771c6ae73997ce1af134e475e436dd0eb3e44ac1a4c8ad6baec8350ef
f728716c490fdee6cd66e6d4122c9ff41f23530f2867a235a8963117bcdd7c3e
f7475ab8806e3f88556d177537b7abde3b0ec48ff24ad1af7bfa62b6dec3d1be
470eecf9473e87035f52c8b93015254b36f38048c3f0d3084e20db2a2edc0fad
cea557477e83a210b769af666b2c66bca6466a4e0c854cd938df2d801922c631
7003bdff5a83543532eb7d2cecfc929d9a14cd26b4153c0039d3d9492cdc5420
1ec3e1d2b139ef37710c60e8218c5042c28bb59e6d1e8abfc17e97aecb91844b
acecc5c6d96ab6d1042159dfaac9710a347baf7974854118ae2337ae42b39c80
373d09bc41b2fe78159a6d7e722c4835f17155e6eebfd1232bbebc9290c4b2b8
63d65a8d926599c01d277d2c5ef1c5cad0c5be921960d25eedab4cff4f137c65
49a630fd0371705d0eabddb617c3cd32017f630497461f9470499323acc15073
401549fa75d464ceb39747bae4faaf7284c1fb6e3d7d76c9ccb687b743c11437
c4ee3e816ee1cf6dc20120175919d2e9b46a4f174c2d6503a3477df7782f80a1
85e6ebb0a28a04fbb9b81cced5ed7cbf139f72c4b248c311741287e47654315f
a31566cc907eb8c7073c7d3f7dc7244011a0ddc175023e273a5c836f97ffc83e
14890cc669432d023912925910270eb2ae43192ca3e21cf3b184a19ad7b84b47
bb123dd4354102f5d1772de17577aa08835c4fb2de4856bd805a1bb1c166a9ae
0a7b23f6d097b50a1e73f3a8957e0ccdbaf9c11d5e589a8c48cb93aad00a57f0
fd81adfea36239f7167bfec991c0bec8fe1ea4bfaf7bbdeb6e87e488beee7633
0de5d0d8244e39cc5a13599cc9204f27ec4d9c655ab52974562ed99aaea936b3
100510386c8e2f76cbc9db294b9c0649968cd5f18a39b17e85318509dc206770
6e0ec72e1021bcefec9a03020020410f40245ec6f24f31ea3b0479f82a8944e5
2992bec40e4571c28ab27fe093cdddccbb662e4f3ab1c15e1d6ce2e6d72162ff
789f8ad7f0f3f05e797bb291d0d0c12f64ba672b2e1bf13667cd9e9fe5591f02
5808bdba739e164cf20f97a96d05dd0dfb0a26237aaf112612c735073ac148fc
e4ec7300733a643cba036b02636ae68d41222b53cb7879c0ca3ce08aae0744d2
f74a047277acb9745fc3e5dc77d8ac19b5ef6368803501ba5792edeb14f1cbe6
3f3c157662d1c1a527f46480d07edb0689b42fc7b560b8d09613a2a84dc20f8c
de24b646baae833468dd0fdf4fd7c6d763c36365e24039a0fb5e1651c950d709
6d09658992671b00921a65458185808fa763d0b34a93a32e79bcf24142a91901
c6469b45009bacd65d59d3c0152170ecc48d4f88f850d2ba1ad8f3abd0e9fb7a
c614c3d0d158d19d72d8ae81d36204073a587c529d93544f9c11a6206febcddb
2d79319ac61fcbc16168cc6e2593fed62225065161f48079bcba5788a7cfde70
4054b1cbdaf583e65c1044ef8a788e55935ecb84b54e40b5e84184881c831b5e
b51f31ae8937c02a6608ee4b58290f93ae996dd59059fe2c953e0a73baaf21c8
fc2e68f0caa5ab5876777c527c2a8f62d92a4921c2d1b1d0607a139a48322531
881a2c7897390d89ecc9457641c19eac7bc5771efcb60bde8f2be08496e23517
391898d5f70ab4ea476445b7efeee666181e939970cf61a4df1f21e23b265148
4fd37016c1e3ece74eb05911b8c6256168d859ac52b076ea9e979f7485e8e761
1e84c5d4c5f77de6f315eaa6f4120d7d73e40c1073b55de43f55a4f2f311d55a
fd4bae5e1f6d19011c0b7b388b37381de35048a2b6801484f92378dffdcbf584
99a4bbcb24c802d4378150d8b140a51279892c1e292200fcabc450852f2c4a6e
463ce9629182004105bd31f85331ef0fa8c272721f2b2d48dc0438f4331e0218
8c93a7cbba2939e34fb76b79cec80ed3e5acdf39aa13995c978d31bd4c556d0a
5d417147746d9ea7ee8eb4f442c3acb17513c24adc00088b28a8bdfe963a7a79
88304ab93c57663dc72f3bed8e642c4b1842316143015f0eb59fdead12d2be59
879f0e8e5612deacaa464ec63bcb231e19d8f8ca983e2f5b53b454c391816cf0
12a6c346f0b99c8b7e4ba45e7d48d1cb49ad8e52a01b992038a9fcd52fa04a7c
635a94bdb84bf9d0eff43e13d5fa6e3994a67497a068831119464dd39a5b2c35
e1f2e8d57f930215eecdb592d48ca24a5469e20761491764b71e67a3d1809e72
26d01909e4ea51ef2da916b53b1ceca31a42f8cef6ef5d3514aae7f97dc00b91
67e716a88de90da2a492faae1f736079476b0ba289cb22d519f3ff175d2d757e
328f111d969f366f9d2353e88473959e6f9d8b1e468383401d53d2bc543a0d2b
a308ff74c08ae8a6e9e712d6d280f78eedff05443847c0e9a3c43b59ff100af1
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other

Comments