MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 476e834197ac6cd3080059d86a8a2a49e31212ed75e0d68e4e21fcc3bc6b1d8b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 476e834197ac6cd3080059d86a8a2a49e31212ed75e0d68e4e21fcc3bc6b1d8b
SHA3-384 hash: d996f713c94bba7afa74274347a24bfde7155ea7ff223f50af2b2b5f075330e62a90e801c9c493347a048c6a436c37e0
SHA1 hash: 1223a42bea918585ed4ea77e6c8ad9b3f151e2a7
MD5 hash: ac377cea30d0b6227c70ae0ef6871f71
humanhash: kansas-artist-seventeen-bakerloo
File name:187737.dat
Download: download sample
Signature Quakbot
Create hunting rule
File size:790'016 bytes
First seen:2023-02-14 12:30:53 UTC
Last seen:2023-02-14 14:37:46 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash e62ccf1e5c561da53ca2f798bfd5b608 (5 x Quakbot)
ssdeep 24576:/H81smt4vyVjXe1ikZdtjMsc7MscXMscktkTNd8uB:kefBtkf8
Threatray 1'946 similar samples on MalwareBazaar
TLSH T14AF43A2AFA0191F9ED1200F2950FFBFB54342B394C65CCDBE2441EADBBB5D60511AB1A
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10523/12/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter jstrosch
Tags:dll qbot Quakbot

Intelligence

File Origin
# of uploads :
2
# of downloads :
233
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/365665/
Detection(s):
SecuriteInfo.com.BackDoor.Qbot.746.11298.30455.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug packed shell32.dll
Link:
https://www.filescan.io/uploads/63eb7f096ea97adc8fc1d769/reports/f7246859-662e-42f6-89b8-9187cf04fd55/overview
Verdict:
Malicious
Labled as:
Backdoor/Qakbot.ac
Link:
https://www.hybrid-analysis.com/sample/476e834197ac6cd3080059d86a8a2a49e31212ed75e0d68e4e21fcc3bc6b1d8b
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ba944e07-f28b-4302-b910-9659a04c70c9
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1174397
Signature
Multi AV Scanner detection for submitted file
Sigma detected: Execute DLL with spoofed extension
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 807197 Sample: 187737.dat.dll Startdate: 14/02/2023 Architecture: WINDOWS Score: 56 37 Multi AV Scanner detection for submitted file 2->37 39 Sigma detected: Execute DLL with spoofed extension 2->39 8 loaddll32.exe 1 2->8         started        process3 process4 10 rundll32.exe 8->10         started        12 cmd.exe 1 8->12         started        14 rundll32.exe 8->14         started        16 7 other processes 8->16 process5 18 WerFault.exe 5 9 10->18         started        21 rundll32.exe 12->21         started        23 WerFault.exe 4 9 14->23         started        25 WerFault.exe 9 16->25         started        27 WerFault.exe 16->27         started        29 WerFault.exe 16->29         started        31 2 other processes 16->31 dnsIp6 35 192.168.2.1 unknown unknown 18->35 33 WerFault.exe 17 9 21->33         started        process7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/476e834197ac6cd3080059d86a8a2a49e31212ed75e0d68e4e21fcc3bc6b1d8b/
Threat name:
Win32.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2023-02-14 12:32:18 UTC
File Type:
PE (Dll)
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=i5xigqmxvrwngcaalhmgvcrkjhrreexnoxqnndsoeh6mhpdldwfq._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
057a01850c142230544710ea363b2af54cd5ddbf299a103e10e9d3cbbee6f021
Quakbot
4506cd463975098bdcad837059aefb8bfee00200e1eae25c6ebfaff14f564f2c
Quakbot
6e30dc6403253650fd131d9c60db92680d319624c16aeb9e7aea4bdfc3c47a77
Quakbot
70d8f263a41bc7606968ed192e027338c7ff63a1dc80675b039cfac2861bcebc
Quakbot
7dd17b8cb0639732fe6929a5d7e1431fedae58acd401a7810afc0be8f9c42ad0
Quakbot
cb1f3849fd8c7ed11de44087378ef7fb4a4f060ed7d5222d044a12d07c1c4fff
Quakbot
cc97293401b033700c6ca626147931a8955262cf4203c0ecfa80a9d7d4b572d6
Quakbot
e1f670924bf0dac3e239d0acb5d9cc8fc83c9d8f927dbf758ad01a0bdffdbe63
Quakbot
f89369a40c56332a7dcdd526491216f9125697221b9655c0dfb7a418e183b496
Quakbot
+ 1'936 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/230214-pp2qeacf8x/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
476e834197ac6cd3080059d86a8a2a49e31212ed75e0d68e4e21fcc3bc6b1d8b
MD5 hash:
ac377cea30d0b6227c70ae0ef6871f71
SHA1 hash:
1223a42bea918585ed4ea77e6c8ad9b3f151e2a7
Link:
https://www.unpac.me/results/0de3e2b9-a349-414f-8070-28f1841743e5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/476e834197ac6cd3080059d86a8a2a49e31212ed75e0d68e4e21fcc3bc6b1d8b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Quakbot

Microsoft OneNote (one) one EC674E92A9D108D67D2CC0F1F2D20579A8CA8BA6E32AF1FE0ED8A1067A426586

Quakbot

DLL dll 476e834197ac6cd3080059d86a8a2a49e31212ed75e0d68e4e21fcc3bc6b1d8b

(this sample)

  
Dropped by
SHA256 EC674E92A9D108D67D2CC0F1F2D20579A8CA8BA6E32AF1FE0ED8A1067A426586
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/365665/
  
Dropped by
MD5 830fc6f15e740f05ae2fa46189e79dd8

Comments