MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 454cab7d08e79574023d86735fbd87ea84a1e36af097e29fff4a54186269858a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 454cab7d08e79574023d86735fbd87ea84a1e36af097e29fff4a54186269858a
SHA3-384 hash: f37c3277c3b48d92342095a3329397728eca1284e58c63fe22c217e3c681e33002f48654f6bfab178206b8e2d9c270c9
SHA1 hash: d7c417ecd18f6e492301b1d0d582639841cf0792
MD5 hash: e0af488d21a58e77ccc509f2a0f6e204
humanhash: speaker-finch-queen-yellow
File name:454cab7d08e79574023d86735fbd87ea84a1e36af097e29fff4a54186269858a
Download: download sample
Signature Quakbot
Create hunting rule
File size:758'784 bytes
First seen:2022-05-05 16:58:33 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 1f323ccab9817929388091e1b9ddaddf (9 x Quakbot)
ssdeep 12288:b0tFRlN3qlI7Sq77ti3kKvKJPXWwvPi40Q13cvZRz5Bt:bUzrOKfQUDZCi1eZRdBt
Threatray 1'027 similar samples on MalwareBazaar
TLSH T179F48D22A3D34836DD77163D8C5B97949825FD013D34DCFA2BE4EE6C8E39A403A1529B
TrID 59.1% (.EXE) InstallShield setup (43053/19/16)
19.4% (.EXE) Win32 Executable Delphi generic (14182/79/4)
6.1% (.EXE) Win32 Executable (generic) (4505/5/1)
4.1% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
2.8% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter malwarelabnet
Tags:dll obama182 Qakbot Quakbot

Intelligence

File Origin
# of uploads :
1
# of downloads :
301
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/268929/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.31147.1630.25000.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Launching a process
Modifying an executable file
Searching for synchronization primitives
Creating a process with a hidden window
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe greyware hacktool keylogger packed remote.exe
Link:
https://www.filescan.io/uploads/6274026ebd5c76586e12f3e9/reports/da99e2a3-1578-4444-a539-b50e9f3f8da7/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a56b3de8-c419-4654-bf30-a9fd67da39d5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/454cab7d08e79574023d86735fbd87ea84a1e36af097e29fff4a54186269858a/
Threat name:
Win32.Trojan.BotX
Create hunting rule
Status:
Malicious
First seen:
2022-05-05 16:59:09 UTC
File Type:
PE (Dll)
Extracted files:
58
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ivgkw7ii46kxiar5qzzv7pmh5kckdy3k6cl6fh77jjkbqytjqwfa._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
2e568648636c1fbb913e2ec44daa161127686b41adaaf076aa23534e85571e16
Quakbot
b2836b4f7e90321048bbd5a6b6d61877efec98631d6357672fff9ff933f88253
Quakbot
b660a1f7a7d88cb931721e680c9911a28e83dbc6120eae3cd2875fad107206f4
Quakbot
c7c420b02b00e4a8abfb23baed70bfa3051821d5405f3183926768acd4517971
Quakbot
e941c28da1fca27de32514686e3c5dfa6fbc713764d16715bd285534bd983fd3
Quakbot
+ 1'017 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220505-vhdmwsgdc7/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Program crash
Loads dropped DLL
Unpacked files
SH256 hash:
c5655c5f9a9aa83bc254d287d1859ae6708fc61c5565b4b6bdf1c609c5425c19
MD5 hash:
679840f58d00b06175547357f8c2985f
SHA1 hash:
d5c2de76e405e8993473a16da7a1a3d940e4e794
Link:
https://www.unpac.me/results/7f50764a-1d0f-4245-bdbd-6e029e171462/
SH256 hash:
931a012c14e0289cffd0ef48b433493e2b6d0fc4100e8e36ad1af9966e314286
MD5 hash:
aa20ad2e6405b98fc552282d089447e9
SHA1 hash:
a1b8f7721560ea8120e2da2e25d54ebd32b9c19b
Detections:
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/7f50764a-1d0f-4245-bdbd-6e029e171462/
Parent samples :
c7c420b02b00e4a8abfb23baed70bfa3051821d5405f3183926768acd4517971
b2836b4f7e90321048bbd5a6b6d61877efec98631d6357672fff9ff933f88253
e941c28da1fca27de32514686e3c5dfa6fbc713764d16715bd285534bd983fd3
2e568648636c1fbb913e2ec44daa161127686b41adaaf076aa23534e85571e16
b660a1f7a7d88cb931721e680c9911a28e83dbc6120eae3cd2875fad107206f4
454cab7d08e79574023d86735fbd87ea84a1e36af097e29fff4a54186269858a
1a5df6cc0523aa65780ac5565fe19fee7d2473ee8402857af04125bd36f449b2
c4e64cace2a3d08bcd96617d935bc90e204ba0b734c8b07f9a5039f2bbf80b49
44cfb6402b0f532e79f5ffde32fa0cdf402f880cca5d929c1f4cb03497690391
d762057dd5a76075f38baf15f8f453416cb5c446253a5aff0427f09a3755e302
3f177ea2417a396dcfb2bca475c0680848980f412a3efc8693a46a8cb8eeeaca
4655f8ceab36ab8e2e91e038b4fad864c5e08f8fdde8d9889aab4c447fdc5264
81e6b3957773675320a240ef080cf4a52e2fa72c66a60a716296b68121cefd06
SH256 hash:
454cab7d08e79574023d86735fbd87ea84a1e36af097e29fff4a54186269858a
MD5 hash:
e0af488d21a58e77ccc509f2a0f6e204
SHA1 hash:
d7c417ecd18f6e492301b1d0d582639841cf0792
Link:
https://www.unpac.me/results/7f50764a-1d0f-4245-bdbd-6e029e171462/
Malware family:
CryptOne
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/454cab7d08e7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/454cab7d08e79574023d86735fbd87ea84a1e36af097e29fff4a54186269858a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:QakBot
Create hunting rule
Author:kevoreilly
Description:QakBot Payload
Rule name:win_qakbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/268929/

Comments