MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4506cd463975098bdcad837059aefb8bfee00200e1eae25c6ebfaff14f564f2c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Quakbot


Vendor detections: 10



SHA256 hash: 4506cd463975098bdcad837059aefb8bfee00200e1eae25c6ebfaff14f564f2c
SHA3-384 hash: f207278b447a0523269b53db694212f3409e52e9cf52a78b050e25a1d773bd323d3e8512e2b9615ce57c301128f566b0
SHA1 hash: 822fefd4569f5ca25cd2b2d3662035555a7292c8
MD5 hash: 41772dc21ceaacf67da796ed864e86d2
humanhash: apart-angel-oven-william
File name: Open.bat
Download: download sample
Signature: Quakbot
File size: 1'418 bytes
First seen: 2023-02-08 16:40:34 UTC
Last seen: Never
File type: Batch (bat)
MIME type: text/plain
ssdeep: 24:xO0zZpwmchvZAdq7LnUsrhtJUFhtJUVw8TKJDNdhUCM9iVBFYsemsVs6mv+:k0zZp2KdqvnUihtJqhtJ0xTSMpbmoBm2
TLSH: T1222180F7A62492EE096088276625390715C4CC2B0CEF428F3F6959E6FB5CC5407AF7A2
Reporter: pr0xylife
Tags: bat obama238 Qakbot Quakbot

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 123
Origin country: GH
Vendor Threat Intelligence

Malware family:
ID: 1
File name: Open.bat
Verdict: Malicious activity
Analysis date: 2023-02-08 16:41:35 UTC
Tags: loader qbot

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour:
  Launching a process
  Creating a file
  Launching cmd.exe command interpreter
  Searching for the window
  Creating synchronization primitives
  Sending an HTTP GET request
  Creating a window
  Downloading the file
Result
Verdict: UNKNOWN
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 56 / 100
Signatures:
  Sigma detected: Execute DLL with spoofed extension
  Suspicious powershell command line found
  Tries to download and execute files (via powershell)
Behaviour
Behavior Graph (ID: 801786; Sample: Open.bat; Startdate: 08/02/2023; Architecture: WINDOWS; Score: 56), reconstructed as a process tree from the graph text:
  Sigma detected: Execute DLL with spoofed extension
  cmd.exe (started)
    dropped: C:\Users\Public\akvzmVI.cmd (ASCII)
    Suspicious powershell command line found
    Tries to download and execute files (via powershell)
    cmd.exe (started)
      Suspicious powershell command line found
      Tries to download and execute files (via powershell)
      powershell.exe (started)
        network: 146.59.43.159, ports 49713, 80 (OVHFR, Norway)
      powershell.exe (started)
      conhost.exe (started)
      rundll32.exe (started)
    powershell.exe (started)
    conhost.exe (started)
Verdict: malicious
Label(s):
Result
Malware family: n/a
Score: 10/10
Tags: n/a
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  Blocklisted process makes network request
Malware Config
Dropper Extraction: http://146.59.43.159/780683.dat
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments