MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a971cb00b359b0a9a86157d6e19e2710e7f42098eb4fdd3f8d46f5333cdbf45. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3a971cb00b359b0a9a86157d6e19e2710e7f42098eb4fdd3f8d46f5333cdbf45
SHA3-384 hash: 47f82e067d8758b5b5db4da42a5eab365b310432d933bb2735e664fcb6d6a8455290b761174518f66919e7ea4751387f
SHA1 hash: 0ef53e8d25d6f5cdf1cfd36663de20b1e615d700
MD5 hash: 78a53e535e229dfeaf3c57f0c83a47c0
humanhash: pennsylvania-mockingbird-cup-berlin
File name:Cubic Information Systems, UAB (2)
Download: download sample
Signature Quakbot
Create hunting rule
File size:3'535'864 bytes
First seen:2020-08-26 09:47:39 UTC
Last seen:2020-08-26 10:56:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 8dcd2704b33bb40b833725f37f2dcdaf (4 x Quakbot)
ssdeep 12288:gyB8tzikyTxNxUNxNxAixNxgxNxXptLCXgtM:gb7yl1M
Threatray 94 similar samples on MalwareBazaar
TLSH 41F5F1AD24B9D173E7D9CE7F0A6BBC39C45EBA10D22643DFBD90F294980129352D7488
Reporter JAMESWT_WT
Tags:Cubic Information Systems UAB Qakbot Quakbot signed

Code Signing Certificate

Organisation:Cubic Information Systems
Issuer:Sectigo RSA Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:Jan 24 00:00:00 2020 GMT
Valid to:Jan 23 23:59:59 2021 GMT
Serial number: 5C7E78F53C31D6AA5B45DE14B47EB5C4
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: F91D436C1C7084B83007F032EF48FECDA382FF8B81320212ADB81E462976AD5A
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
189
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/51141/
Detection(s):
SecuriteInfo.com.BackDoor.Qbot.536.8878.20198.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching a process
Creating a window
Enabling autorun by creating a file
Result
Threat name:
Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/451499
Signature
Antivirus / Scanner detection for submitted sample
Binary contains a suspicious time stamp
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect virtual machines (IN, VMware)
Detected potential unwanted application
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: QBot Process Creation
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 278258 Sample: Cubic Information Systems, ... Startdate: 27/08/2020 Architecture: WINDOWS Score: 100 24 Antivirus / Scanner detection for submitted sample 2->24 26 Multi AV Scanner detection for submitted file 2->26 28 Sigma detected: QBot Process Creation 2->28 30 9 other signatures 2->30 7 Cubic Information Systems, UAB (2).exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        14 Cubic Information Systems, UAB (2).exe 7->14         started        dnsIp5 22 127.0.0.1 unknown unknown 9->22 20 C:\...\Cubic Information Systems, UAB (2).exe, PE32 9->20 dropped 32 Uses ping.exe to sleep 9->32 16 conhost.exe 9->16         started        18 PING.EXE 1 9->18         started        file6 signatures7 process8
Detection:
qakbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3a971cb00b359b0a9a86157d6e19e2710e7f42098eb4fdd3f8d46f5333cdbf45/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2020-08-13 14:44:38 UTC
File Type:
PE (Exe)
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
3987a758b4ba5aa5a7a88370559abb4468b8fed89b98bf341761a94c6fedb8ab
Quakbot
40479c0e95d9426135d1f65c7f29e1a782a5cc79f1dcd5cb2c04aa8995f06a0b
Quakbot
4856aa92825a6c51304e39d51d5ea92c35e290936589039548612e8f927ce974
Quakbot
531b5d8939216cbba9c4c8b9aee9d550dea1dd317d9fe9a3c9d7eb9ada13d090
Quakbot
68659662a735e14235e68e5edee17995b1443af662e6d789c5461c8733f4b3aa
Quakbot
6d84f86d9e7302e74978775a519caad46cd86b08b82940cafe8dc163238ae808
Quakbot
7bf0912cd1d107e491c474767c3bd83b39d08e55fafa810d076a5da898ea822a
Quakbot
99f851b8bb921318568a9c87ef39bc353c0e3c9af67a8f5078e957f4bb046491
Quakbot
e151320cbe3e8a9f44c3dfdacba4d741058c4ff30919d490eb8d552d4a8c6115
Quakbot
f1748543fd3d8ad75889012685d7ca632f257723dc5454ebfadd32c1cf2f1ac6
Quakbot
+ 84 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/200826-zj653b2rce/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Runs ping.exe
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Qakbot
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3a971cb00b359b0a9a86157d6e19e2710e7f42098eb4fdd3f8d46f5333cdbf45

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Quakbot

Executable exe 3a971cb00b359b0a9a86157d6e19e2710e7f42098eb4fdd3f8d46f5333cdbf45

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/51141/
  
URLhaus
https://urlhaus.abuse.ch/url/428825/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/428845/

Comments