MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 442420af4fc55164f5390ec68847bba4ae81d74534727975f47b7dd9d6dbdbe7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 442420af4fc55164f5390ec68847bba4ae81d74534727975f47b7dd9d6dbdbe7
SHA3-384 hash: 30a484ab851a81f5d7bc20a9d7008505ab364cf4d2f3a31771cd9f8f96bf8a658d1b37e84dc64713597d01dfa31678fe
SHA1 hash: 8b612f4f4a49e5cfa2057395fe3a0d0353f55b05
MD5 hash: e273bf8c8df8d32d7bca05db9b155803
humanhash: friend-steak-winter-bravo
File name:2023-02-27-Qakbot-DLL-returned-from-67.207.84.43.bin
Download: download sample
Signature Quakbot
Create hunting rule
File size:606'304 bytes
First seen:2023-02-28 21:46:55 UTC
Last seen:2023-02-28 23:34:37 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 001b26f64621bf924e8e5fcf57e6ac98 (4 x Quakbot)
ssdeep 12288:dt1VOakzj7hpQynG+6g1zJACP406bvcgW+oMfu+3:dt/xk37hyyzl1BP4ftoeu+3
Threatray 3 similar samples on MalwareBazaar
TLSH T1C4D47D1176DCBC75F27A023479B9A27955B9FDB15C39810E739C2A1F2E30682BD24B23
TrID 88.3% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
4.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
0.9% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 00d9d9716c660164 (4 x Quakbot)
Reporter malware_traffic
Tags:BB17 dll Qakbot qbot Quakbot


Avatar
malware_traffic
Run method: rundll32.exe [filename],N115

Intelligence

File Origin
# of uploads :
2
# of downloads :
299
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/370715/
Detection(s):
SecuriteInfo.com.BackDoor.Qbot.758.13084.24046.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed qbot shell32.dll
Link:
https://www.filescan.io/uploads/63fe765747dff094b527fad1/reports/9368cdc3-b864-498e-a730-9597a1c1bf48/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/442420af4fc55164f5390ec68847bba4ae81d74534727975f47b7dd9d6dbdbe7
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/ddf3178c-942d-4c34-9c01-4fc69f97576a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/442420af4fc55164f5390ec68847bba4ae81d74534727975f47b7dd9d6dbdbe7/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2023-02-28 21:47:08 UTC
File Type:
PE (Dll)
Extracted files:
21
AV detection:
21 of 25 (84.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iqscbl2pyviwj5jzb3diqr53usxidv2fgrzhs5pupn65tvw33ptq._file
Verdict:
unknown
Similar samples:
227aa72b932ddd6ab0bc7788bb024d47e2ab37bff073b3cf462191b3bd97576c
Quakbot
acf5b8a5042df551a5fe973710b111d3ef167af759b28c6f06a8aad1c9717f3d
Quakbot
ff0730a8693c2dea990402e8f5ba3f9a9c61df76602bc6d076ddbc3034d473c0
Quakbot
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/230228-1m63wsch5y/
Behaviour
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
442420af4fc55164f5390ec68847bba4ae81d74534727975f47b7dd9d6dbdbe7
MD5 hash:
e273bf8c8df8d32d7bca05db9b155803
SHA1 hash:
8b612f4f4a49e5cfa2057395fe3a0d0353f55b05
Link:
https://www.unpac.me/results/c292fc87-14f2-4eff-a267-1f4f7e1a2097/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/442420af4fc55164f5390ec68847bba4ae81d74534727975f47b7dd9d6dbdbe7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/370715/

Comments