MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 42eeb4d661dfebac7e841847c4ae0b9643e0b77324e9ef10be4df4159520f3be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuakBot


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 42eeb4d661dfebac7e841847c4ae0b9643e0b77324e9ef10be4df4159520f3be
SHA3-384 hash: a515731e4f895cab8921a9a4476223b52070d1c442e578538982c6f3cb8b080342e7089ece8190e71ac5ad4c654a41c2
SHA1 hash: dd527e44b24e8389665482915b2b71ddc472e7e7
MD5 hash: 6ab3eb3ba149d9cce2a335d5a630f325
humanhash: earth-gee-golf-vegan
File name:42eeb4d661dfebac7e841847c4ae0b9643e0b77324e9ef10be4df4159520f3be
Download: download sample
Signature QuakBot
Create hunting rule
File size:348'112 bytes
First seen:2020-11-14 18:00:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4833859d9df0e403c253c8a799426c16 (47 x QuakBot)
ssdeep 6144:3mrao/6vdwjie1qCOYFpXD36g3pPnx5b9XP0+Bha//W:3mrao/6e2eQxopr3pPnt8akW
Threatray 1'447 similar samples on MalwareBazaar
TLSH 2174E02FDF2789A1E2613BF642C60BE94D33B8A93132561A4DC616472DEE3DC3913794
Reporter seifreed
Tags:Quakbot

Intelligence

File Origin
# of uploads :
1
# of downloads :
66
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.Bankerx-9789115-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Creating a file in the %AppData% subdirectories
Sending a UDP request
Creating a process from a recently created file
Launching a process
Creating a window
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/42eeb4d661dfebac7e841847c4ae0b9643e0b77324e9ef10be4df4159520f3be/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2020-11-14 18:01:40 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ilxljvtb37v2y7uedbd4jlqlszb6bn3tetu66ef6jx2blfja6o7a._file
Verdict:
malicious
Similar samples:
00518aa68c49a0a26130ddd74c227bd8bc39511ca59b57fd1ac5b2c40932bc5f
QuakBot
07fd3129e86fc448eb752a68f4e7e24aec3bffe0c1223a6f9d7a3b3d507e6d14
QuakBot
30a37091398c28d86d8d13713ef305bdb788afaf278318088811e98169d8e5c0
QuakBot
4c79778a10d1b6eabfa425cc031041eceb47e06c7499069607b13975158dc481
QuakBot
55e044458184d43ce58b0c4ed30012ffea51c9f2318f670351c7ced786bc9098
QuakBot
65983fdf282ac701cc9ad42be4109813c2d20f2df605498aaa62119739a31ea7
QuakBot
9bdcba646b1d23d407beed7aaf077b177fdd260b1a6974940817c67952fbc097
QuakBot
a496166b093b8b09a59f952e7a9a2196aa7754dd3485b4412ec0334cd59714a3
QuakBot
ae6c68d1ba34c997cb9a55ed0e016a457d1bb84680eee0a97d5362b0312d03b0
QuakBot
d946deeeff734644a86d7b254ad9d69f730e2014411404696da19dbd508711c4
QuakBot
+ 1'437 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot banker stealer trojan
Link:
https://tria.ge/reports/201114-mtphb7b716/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Qakbot/Qbot
Unpacked files
SH256 hash:
42eeb4d661dfebac7e841847c4ae0b9643e0b77324e9ef10be4df4159520f3be
MD5 hash:
6ab3eb3ba149d9cce2a335d5a630f325
SHA1 hash:
dd527e44b24e8389665482915b2b71ddc472e7e7
Link:
https://www.unpac.me/results/35f98154-16a9-4350-b1ed-d159b236f068/
SH256 hash:
ccfcd62774cd066edc45d8271022092a04adf6330feaca6eb7d85c59895ba8a5
MD5 hash:
80e10d96381f4a6463386ee2b34b0821
SHA1 hash:
170e6469e70a6b2805fb43007551660e75986883
Detections:
win_qakbot_g0
Create hunting rule
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/35f98154-16a9-4350-b1ed-d159b236f068/
SH256 hash:
47a802bccfab2ec23561d8adeb886bc938c91b765af77cd4e3ed25d9cf3a751b
MD5 hash:
62f6306ade36542ad204147a63cab80b
SHA1 hash:
04a826c06c5dd996b0556be01ce89ee230c2e089
Detections:
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/35f98154-16a9-4350-b1ed-d159b236f068/
Parent samples :
d63cdb3488f01ba3934ca197871561781f9c657bff81dc3192683d7a6c6e06d3
b67267d494ea23d58a61c127eb8e32b274878c3dcfa6586e344604397f7a457b
afb04ccb08e70f8364ab5550702d3700ec8a4e288f784d9d3a0c2d87731f9241
a496166b093b8b09a59f952e7a9a2196aa7754dd3485b4412ec0334cd59714a3
00518aa68c49a0a26130ddd74c227bd8bc39511ca59b57fd1ac5b2c40932bc5f
55e044458184d43ce58b0c4ed30012ffea51c9f2318f670351c7ced786bc9098
9bdcba646b1d23d407beed7aaf077b177fdd260b1a6974940817c67952fbc097
07fd3129e86fc448eb752a68f4e7e24aec3bffe0c1223a6f9d7a3b3d507e6d14
4c79778a10d1b6eabfa425cc031041eceb47e06c7499069607b13975158dc481
16e8dd4d681393a757e3420dfd00187ce7bca1aaf0f792c33bc6bc68693b936a
5d6aa5ee7c6b17615f2840c7ce21cd8449ebd66664be2cfe996187c6e67f53d7
bfb5a74c26316210ab08a6a5e5a5ca141064a9e06962fc07d4b647ed2dffbe74
8109257615124835d77bf857ba60bc516ae9319daf92444028663653358ca3ba
adb77964027061ba4f007c8d125b5da4c332a83058dfce27229674f79c60d674
141a9a4d70ec62c5716f6daf01e5e068525217f06551076fac102a88fd66f3e8
5dee81f839ef4b7e681bfe9dc08efd092c286c5c69fd3bff279ca4deea225b9d
520b6a248e5caf2e361bef4fc425524053e6e45bdd012b9ce6fd808d2f16e37a
17a7dfacd8cbe5f72678b555686a95384e33d1ef4d7c08178937fa8e0da580c3
100ecb0548437822834fce5bd2cfd4eb40c22e90cb2fd013d77d967c7a13054a
78ee8b4f784a925697988c36c75004a752f6ba0f04189451c65909716091fc69
9a3e68ff897ae34d1353411f041d28da65a8813284371e58d36054e364d708ac
3b8ef052038d49eb5dd8922178781abebbac9ab240fdc6217e759441ca6894cd
e500c4bac91c72d84eda077e40c8fe2d0b208d96cf20afa087a587a2d91faa92
7a6f78fe16ceb595bbca244a09faf2a484fa10cf8c9832d3fd81ee29fc944538
aab1b81444cfa91a3b30ebeee77190e9a553e0f50dea9219900f3eaf9f1db041
165696c8e9809f88f42ea30ecf479739325a63e398f50e06205d8c05ba679fe9
88227726f54585fec223503ce81fccb48374446ac860e7b198776fff6866c91a
81fe223734031264739575dacad134efc09f2c813bb6f29d157d68de49dd321d
42eeb4d661dfebac7e841847c4ae0b9643e0b77324e9ef10be4df4159520f3be
dc9667424c7d6a7d3aa75fe33f01c13c3f5295480e89db78600c7f28ef977f1e
14d660ccf1c5fcca2901c9af7049394463ff3cc094974d95271184c93d55d311
a7aa237fdef6605a6d7e396c64ae831211358416caeeec255bf7b0d26b85d9b8
60131eaf79f1934020fc13ac9c7f02c855cdd8b2abfe00eae324f4e6f150866c
27d9a1f73efa976505ef317f1c74c7a325761017aa385d217cab6df2c5d3ee9a
c929200d0410ea735f4094a8217b50f8ca68880a8c5991c95c76912bd2e0434e
7f1f5839e5b466f9120116195752d65126514b024ba635100da06cf23a624547
74196416a7f3a4f7422bc237526fa90a840945732629821831027e119e75906d
0897c2f3d203f2c3ad538a5b91b71f5c5c41b9bf7184900c27d667dcd82401f5
b433d37dee81f3bca6220435a9738b837c67f96eccf0c76fb45c251441bbf1b1
27c3678a902db5c188bba8d49f32f7e829b47a1a2ed2c49e10039b4c170385c3
c53e1bf27a23d7e2bf0d7f7e820d03409cf7020fd2b06fc53d12884766695dad
a8f97463173ac6b52512291172d465d490547d3e94e0055890f51c4e82e4fb60
85fe3c966a534f455f71ed91ab9619f7d393ab4ac493981e6e05999403d37f44
60c64cb07036a6dc7c25695c091f1bc78edf53b7057686cb914b1d0706d78be8
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
qbot
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/42eeb4d661dfebac7e841847c4ae0b9643e0b77324e9ef10be4df4159520f3be

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments