MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 39cd9bd6d501184b00f48c1fd162acf2e513d3b46a391fc56dfaaa2abbc1b9e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 5

SHA256 hash: 39cd9bd6d501184b00f48c1fd162acf2e513d3b46a391fc56dfaaa2abbc1b9e4
SHA3-384 hash: f30c659d600660294f04095faa41f2001b96247717fb166ca511c135153c3af0f32c6a7a71f64bb07aaa314d82472993
SHA1 hash: 6d2ef23f7416ed01965224986aebfe33dc23a6f0
MD5 hash: 7aa83b9568c48e952c104b8837b6b961
humanhash: emma-mike-blue-december
File name: Complaint_233.doc
Signature: Quakbot
File size: 244'224 bytes
First seen: 2020-08-11 13:50:35 UTC
Last seen: Never
File type: Word file (doc)
MIME type: application/msword
ssdeep: 3072:5p2Ql/UDx9pzLwWGXMVR3Km5i+zdEguhvG5lAxFN5N0Ra1rx+xM5PC/t:5NsDxDUWdKEPzd6he5lA3GiC/
TLSH: 2F34E544F543CEA9C65520340C77CBF66724BC895C8E872B36A4B74F2EB91B8990E7E4
Reporter: abuse_ch
Tags: doc, Quakbot, spx152


abuse_ch
Malspam distributing Quakbot:

HELO: premium75-2.web-hosting.com
Sending IP: 198.187.31.225
From: <anum@tesla-pv.com>
Subject: Re: A Biblical Option to Rising Healthcare Costs
Attachment: Complaint_233.zip (contains "Complaint_233.doc")

Quakbot payload URL:
http://denibhelpme.com/pncciwm/1597161079.png

Intelligence

File Origin
# of uploads: 1
# of downloads: 75
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Suspicious
Maliciousness:
Behaviour:
- Creating a window
- DNS request
- Creating a file
- Sending an HTTP GET request

Result
Threat name: Unknown
Detection: malicious
Classification: expl.evad
Score: 100 / 100
Signature:
- Contains functionality to compare user and computer (likely to detect sandboxes)
- Contains functionality to detect virtual machines (IN, VMware)
- Detected unpacking (changes PE section rights)
- Detected unpacking (overwrites its own PE header)
- Document contains an embedded VBA macro which may execute processes
- Document contains an embedded VBA macro with suspicious strings
- Document contains an embedded VBA with functions possibly related to ADO stream file operations
- Document contains an embedded VBA with functions possibly related to HTTP operations
- Document exploit detected (creates forbidden files)
- Document exploit detected (drops PE files)
- Document exploit detected (process start blacklist hit)
- Document exploit detected (UrlDownloadToFile)
- Downloads files with wrong headers with respect to MIME Content-Type
- Drops PE files to the user root directory
- Machine Learning detection for dropped file
- Machine Learning detection for sample
- Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
- Office process drops PE file
- Sigma detected: Executables Started in Suspicious Folder
- Sigma detected: Execution in Non-Executable Folder
- Sigma detected: MS Office Product Spawning Exe in User Dir
- Sigma detected: Suspicious Program Location Process Starts
Behaviour:
Behavior Graph:

Result
Malware family: n/a
Score: 8/10
Tags: macro
Behaviour:
- Office macro that triggers on suspicious action
- Suspicious Office macro
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: SharedStrings
Author: Katie Kleemola
Description: Internal names found in LURK0/CCTV0 samples

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam
Signature: Quakbot
Sample: Word file (doc) 39cd9bd6d501184b00f48c1fd162acf2e513d3b46a391fc56dfaaa2abbc1b9e4 (this sample)

Comments