MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b948ca55076ceedc3e6915ff9db3ede5a24341b34ba5529b2baaae918f7cf30. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuakBot

Vendor detections: 12

SHA256 hash: 3b948ca55076ceedc3e6915ff9db3ede5a24341b34ba5529b2baaae918f7cf30
SHA3-384 hash: 2247ad44b4dee89b0847e72f68fc1a0a41b22d26359589df571214ba54f1b95691f7617ced1163879f2af0cee16740b7
SHA1 hash: d5a6c35bbeb0990bb7d890abdaca1533f31305a2
MD5 hash: 288bc129d402228bb3cac14828d26ecf
humanhash: march-cold-oklahoma-hawaii
File name: 3b948ca55076ceedc3e6915ff9db3ede5a24341b34ba5529b2baaae918f7cf30
Download: download sample
Signature: QuakBot
File size: 261'072 bytes
First seen: 2020-11-01 10:11:26 UTC
Last seen: 2020-11-07 12:50:21 UTC
File type: Executable exe
MIME type: application/x-dosexec
ssdeep: 6144:PawCRk4Z0Nhb4s6g1IILx4r37gCyljAEg:ZGk4ZkhMil4b7Xog
Threatray: 742 similar samples on MalwareBazaar
TLSH: 3E44E04213E84445F86B667A4CB2C32016627C95972EAFED0EC5B36C4D36E73AFC471A
Reporter: JAMESWT_WT
Tags: APPI CZ a.s Qakbot Quakbot signed

Code Signing Certificate

Organisation: APPI CZ a.s
Issuer: Sectigo RSA Code Signing CA
Algorithm: sha256WithRSAEncryption
Valid from: Oct 23 00:00:00 2020 GMT
Valid to: Oct 23 23:59:59 2021 GMT
Serial number: 51CD5393514F7ACE2B407C3DBFB09D8D
Intelligence: 19 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist: This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm: SHA256
Thumbprint: D497A1698F4B9A558DED6CFD8BC4B1D881EEB3C04F349B215FFA89946F63C7F0
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads: 3
# of downloads: 144
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Sending a UDP request
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching a process
Creating a window
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 88 / 100
Signature
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect virtual machines (IN, VMware)
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Qbot
Behaviour
Behavior Graph (ID 307946, sample qb6uBPy5za, start date 01/11/2020, architecture WINDOWS, score 88):
Sample-level signatures: Multi AV Scanner detection for submitted file; Yara detected Qbot; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Uses schtasks.exe or at.exe to add and modify task schedules
qb6uBPy5za.exe (started; three instances)
    Dropped files: C:\Users\user\AppData\...\uadhneed.exe (PE32); C:\Users\...\uadhneed.exe:Zone.Identifier (ASCII)
    Signatures: Detected unpacking (changes PE section rights); Contains functionality to detect virtual machines (IN, VMware); Contains functionality to compare user and computer (likely to detect sandboxes)
    Started: uadhneed.exe; schtasks.exe; qb6uBPy5za.exe
uadhneed.exe (started by qb6uBPy5za.exe)
    Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Contains functionality to compare user and computer (likely to detect sandboxes)
    Started: uadhneed.exe; explorer.exe
schtasks.exe (started by qb6uBPy5za.exe)
    Started: conhost.exe
Threat name: Win32.Trojan.QBot
Status: Malicious
First seen: 2020-10-31 11:56:35 UTC
File Type: PE (Exe)
Extracted files: 45
AV detection: 26 of 29 (89.66%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:qakbot banker stealer trojan
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Qakbot/Qbot
Unpacked files
SHA256 hash: 3b948ca55076ceedc3e6915ff9db3ede5a24341b34ba5529b2baaae918f7cf30
MD5 hash: 288bc129d402228bb3cac14828d26ecf
SHA1 hash: d5a6c35bbeb0990bb7d890abdaca1533f31305a2
SHA256 hash: c323d13533b677727ef9221e9f64d242d0d6d739ff62611d4c24b97e2b8a74aa
MD5 hash: a29a1c119ff0f4e7eeae73a412b86e2f
SHA1 hash: dec486ccc0e6bcede0c2c02278aaf3d5c7a7fc62
Detections: win_qakbot_auto
Parent samples:
SHA256 hash: ba9d2f2767e955cf030ab37f52499e69eb6f6be2dbf1fa039fcac0ed12703111
MD5 hash: e4aa8e845879dfe09cf08496dd8c2da4
SHA1 hash: e5194c9786112cb58b9b33a57068c14246a6bfda
Detections: win_qakbot_g0 win_qakbot_auto
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments