MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 40f103e0282320e1c2ecaaff660bda2a897025e24e7e5b2f7aeb57cb0fb8bf29. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 40f103e0282320e1c2ecaaff660bda2a897025e24e7e5b2f7aeb57cb0fb8bf29
SHA3-384 hash: 7b1ec31a44c90c72639781614c8d80603f8b849e4f196d06161f54c4f607d018bc3f2e1fa65a978bd20c46e58e5c634b
SHA1 hash: ed7223484893de9db117138bff509298b2054a0c
MD5 hash: 7af304617c114545738c3ef0bfcfac28
humanhash: neptune-undress-lion-connecticut
File name:33333333
Download: download sample
Signature Quakbot
Create hunting rule
File size:2'752'016 bytes
First seen:2020-06-23 14:19:03 UTC
Last seen:2020-06-23 15:21:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3160032955ad5fea5aae8beeb1176b8f (1 x Quakbot)
ssdeep 6144:ryYoQTHwJ9vNDc+lZaoQgIw6bE3nSW0yLnvI2XGPygGzk23MOaXFqn6B:fe6X03nSezvXXQF23MOqga
Threatray 420 similar samples on MalwareBazaar
TLSH 6BD5F12BE170710FE1024D7991F165F2A621EF7EC388F6A3363DBE5979F1AA2550060B
Reporter JAMESWT_WT
Tags:Qakbot Quakbot

Code Signing Certificate

Organisation:HFQAOBLCWSJIQHWAST
Issuer:HFQAOBLCWSJIQHWAST
Algorithm:sha1WithRSA
Valid from:Jun 19 14:35:34 2020 GMT
Valid to:Dec 31 23:59:59 2039 GMT
Serial number: 5DA297AE28D943BC4E5D71F671A3E983
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: DFAFAC456F0EE25EB131F10A5578DA13420D86A170A3587184E4F5F39D34F5EB
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
285
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/13084/
Detection(s):
SecuriteInfo.com.Troj.Qbot-FS.18650.29789.UNOFFICIAL
Create hunting rule

Detection:
qakbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/40f103e0282320e1c2ecaaff660bda2a897025e24e7e5b2f7aeb57cb0fb8bf29/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2020-06-23 14:18:53 UTC
File Type:
PE (Exe)
Extracted files:
22
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=idyqhybiemqodqxmvl7wmc62fkexajpcjz7fwl325nl4wd5yx4uq._file
Verdict:
malicious
Similar samples:
0e5372fd7ae262365e2be6438a14b3e2b5b72424580d53ae96ae347936df03c4
Quakbot
24f0117431531a4c2b31b595ca84bd1eb8741a80fe891da921b4ed65581ff91a
Quakbot
382ae412ae682c0c1241c2bbafec413b0f9bb5829a68ec199399dcb38e9cf05c
Quakbot
3cd54a6ebb3d837c2c73839f5eae1da1f6d6dd9c6bbb01752b149b9a309d49bc
Quakbot
576029dbd4166e9d6548f877bea422da5d7a07adfc5ca60c93dabbecfab3d6c7
Quakbot
7a35e95b5c5ad0c2ca40f25acd09a0ca481254bf034ff198777ad1abd071d809
Quakbot
84a0c818da5d2624e3c7cf0543cb8c6dbc1e90759681fdf87fe2aedd1950347b
Quakbot
aeac401a979114462768e6af0ddd96e4784eeef08953884aca607fc000d229f3
Quakbot
aec4a8545ebb046d6f354225d51130616b6617b4d71f90f1e206864fb90c982c
Quakbot
c37cc051bd43c57a8566f51c131aad34c36ea0285f8b53e2f307548d9b7ad06e
Quakbot
+ 410 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
trojan banker stealer family:qakbot evasion
Link:
https://tria.ge/reports/200624-e2bs7ldldn/
Behaviour
Modifies data under HKEY_USERS
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Runs ping.exe
Modifies data under HKEY_USERS
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Runs ping.exe
Modifies data under HKEY_USERS
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Runs ping.exe
Loads dropped DLL
Windows security modification
Loads dropped DLL
Windows security modification
Loads dropped DLL
Windows security modification
Executes dropped EXE
Turns off Windows Defender SpyNet reporting
Executes dropped EXE
Turns off Windows Defender SpyNet reporting
Executes dropped EXE
Turns off Windows Defender SpyNet reporting
Windows security bypass
Qakbot/Qbot
Windows security bypass
Qakbot/Qbot
Windows security bypass
Qakbot/Qbot
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_qakbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/13084/

Comments