MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b0e369110e96165597a539d484ffaf84ed54a7761fd07540dc1d6fc848639a7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4b0e369110e96165597a539d484ffaf84ed54a7761fd07540dc1d6fc848639a7
SHA3-384 hash: 0c9923f5e3796ce88c15f0308f7efc3cd29bbbd648563e30b32dc2c72e120cec0e79fc78c34aee0bea242cb23d820e30
SHA1 hash: 83dd26cadc4069a93a692ad0f66503b180bd4141
MD5 hash: 84e5510398254a57d240f0da77df08d2
humanhash: carbon-uranus-jersey-lion
File name:84e55103_by_Libranalysis
Download: download sample
Signature Quakbot
Create hunting rule
File size:396'816 bytes
First seen:2021-04-30 18:01:30 UTC
Last seen:2021-05-01 14:50:09 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 3e1f0fb4b54229dd240a1006f34727b8 (3 x Quakbot)
ssdeep 6144:oWHgRUTixuu8njF/EeBfCFH7OE11J8JRO+njE2X2J/7vKsa4:oWYNuu8njF/EqfCFHyY1+lFG7
Threatray 1'357 similar samples on MalwareBazaar
TLSH 6D84BF7DAA22C877E2152FF162D35F980913A8F47660664F51B12F1E2EAD3C47C3AE44
Reporter Libranalysis
Tags:Quakbot


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
2
# of downloads :
127
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/147710/
Detection(s):
SecuriteInfo.com.Mal.EncPk-APW.24401.24476.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/705407
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Contain functionality to detect virtual machines
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Disabled Volume Snapshots
Sigma detected: EvilNum Golden Chickens Deployment via OCX Files
Sigma detected: Exchange Exploitation Activity
Sigma detected: Fireball Archer Install
Sigma detected: Koadic Execution
Sigma detected: Mustang Panda Dropper
Sigma detected: QBot Process Creation
Sigma detected: Raccine Uninstall
Sigma detected: Schedule REGSVR windows binary
Sigma detected: Suspicious Call by Ordinal
Sigma detected: Suspicious Rundll32 Invoking Inline VBScript
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder
Sigma detected: Suspicious WMI Execution Using Rundll32
Sigma detected: Windows 10 Scheduled Task SandboxEscaper 0-day
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 401628 Sample: 84e55103_by_Libranalysis Startdate: 30/04/2021 Architecture: WINDOWS Score: 100 34 Malicious sample detected (through community Yara rule) 2->34 36 Antivirus / Scanner detection for submitted sample 2->36 38 Multi AV Scanner detection for dropped file 2->38 40 17 other signatures 2->40 8 loaddll32.exe 1 2->8         started        11 regsvr32.exe 2->11         started        process3 signatures4 50 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->50 52 Injects code into the Windows Explorer (explorer.exe) 8->52 54 Maps a DLL or memory area into another process 8->54 13 cmd.exe 1 8->13         started        15 explorer.exe 8 1 8->15         started        18 regsvr32.exe 11->18         started        process5 file6 20 rundll32.exe 13->20         started        32 C:\Users\...\84e55103_by_Libranalysis.dll, PE32 15->32 dropped 23 schtasks.exe 1 15->23         started        25 WerFault.exe 20 9 18->25         started        process7 signatures8 42 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 20->42 44 Injects code into the Windows Explorer (explorer.exe) 20->44 46 Writes to foreign memory regions 20->46 48 2 other signatures 20->48 27 explorer.exe 20->27         started        30 conhost.exe 23->30         started        process9 signatures10 56 Contain functionality to detect virtual machines 27->56 58 Uses schtasks.exe or at.exe to add and modify task schedules 27->58
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4b0e369110e96165597a539d484ffaf84ed54a7761fd07540dc1d6fc848639a7/
Threat name:
Win32.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2021-04-30 18:02:19 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
1a57dd305adb1ae4449a0baa9ee76a1b79477d7e7ad380319429f22fc9e96978
Quakbot
2386cf963dc70f9e148125608ab62b1c9d25a04b8a9baa190bd542b2266702ee
Quakbot
3a50ed28be3ab77b92f1bce16b8328baeff0eec46aed4c45e53de9d64fd66b4a
Quakbot
627ff5c6fcd538aa53d68149ab497f233ac741b1930acee12d9f549453cce664
Quakbot
8ff3397c5cc8c866d6c1f492ccfe88f39b3b968757a3b3c9400d85f8ca0aba55
Quakbot
98a062850c6a8381bfc18fc967506bf71721ae6c4301a1a2894dddbf49bfc01c
Quakbot
a3658ba64eb500732cdfa46722ec26afda720f75d12b3425bc3c164ec0e8ec5e
Quakbot
a7ea628bdfde1435a4b8a1562e43cd960fcd9a98e65dfd6a81cbd1603ba9be1e
Quakbot
e0a88969512a0b68bd5fd0136bcbd033777066070650e16cb2851ac71a083356
Quakbot
e0b62cc5d8460d9854b733f65a76ec9325aeebadb50e68ef1755b2cbe7ec9fe4
Quakbot
+ 1'347 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/210430-63msldenpe/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Loads dropped DLL
Unpacked files
SH256 hash:
bdfa467549608b3447c749d2465d8db91a35ef3f9d51bc668677dcd6bf91cf0e
MD5 hash:
3303a3d18581df3af7e83c8291f16395
SHA1 hash:
848f49a2fc975b397040f13430a39d8a3bf723c8
Detections:
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/2b23c2ea-3b22-493c-8c16-60c7ba65c6de/
Parent samples :
627ff5c6fcd538aa53d68149ab497f233ac741b1930acee12d9f549453cce664
4b0e369110e96165597a539d484ffaf84ed54a7761fd07540dc1d6fc848639a7
fe1d763bd2c2c1c563a284e6e38c2e5eab5344c176bf9cf72eb1f4c33ffa0e1d
SH256 hash:
4b0e369110e96165597a539d484ffaf84ed54a7761fd07540dc1d6fc848639a7
MD5 hash:
84e5510398254a57d240f0da77df08d2
SHA1 hash:
83dd26cadc4069a93a692ad0f66503b180bd4141
Link:
https://www.unpac.me/results/2b23c2ea-3b22-493c-8c16-60c7ba65c6de/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4b0e369110e96165597a539d484ffaf84ed54a7761fd07540dc1d6fc848639a7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/147710/

Comments