MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d71f075bea3a0676161c066ad62175bdf28655c7ef685192859b278e93c6a06. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Signature: QuakBot
Vendor detections: 8



SHA256 hash: 4d71f075bea3a0676161c066ad62175bdf28655c7ef685192859b278e93c6a06
SHA3-384 hash: bfce224ec9b1ed6f81dad77191ae0f73dafce9240e9df5c1ca77cccc95312ff975b00f5d7347e0cd8261224df133afb2
SHA1 hash: 2f05196bd17b962f87bd26e0534044ed7163b6d2
MD5 hash: c7580a6351ed5eef53c207758f0d8463
humanhash: india-charlie-ten-alanine
File name: 4d71f075bea3a0676161c066ad62175bdf28655c7ef685192859b278e93c6a06
Signature: QuakBot
File size: 1'094'096 bytes
First seen: 2020-11-15 09:55:18 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b8c436887f0ff05ef82a9442bb6ba7ca (3 x QuakBot)
ssdeep: 12288:PqflDDoYel20NNHCizXv+Omjt7Wq1X6EQ2Xbhv7:P00k0NNHCgCt7nNbR7
Threatray: 1'451 similar samples on MalwareBazaar
TLSH: DC35011BE2E35E9BD893447D59E284B98031EFADD31BE4732A48F5DA31F26C4822E505
Reporter: JAMESWT_WT
Tags: Orangetree B.V. Qakbot Quakbot signed
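The imphash above is what links this file to two other QuakBot samples ("3 x QuakBot"): it is not a hash of the file contents but an MD5 over the normalised import table, so samples built from the same loader stub or packer share it even when every other hash differs. The following is an added illustrative example, not MalwareBazaar's or pefile's own code, that reproduces the imphash construction rules (lower-casing, stripping .dll/.ocx/.sys, resolving imports by ordinal, and hashing the comma-joined list in import-directory order). The import tables and the small ordinal table are constructed for the example; pefile ships the full ordinal tables for ws2_32/wsock32 and oleaut32.

```python
import hashlib

# Ordinal-to-name table for DLLs that are commonly imported by ordinal.
# pefile ships full tables for ws2_32/wsock32 and oleaut32; this is a small
# subset, included here for illustration only (ws2_32 ordinal 23 is socket).
ORDINAL_NAMES = {
    "ws2_32.dll": {1: "accept", 2: "bind", 3: "closesocket", 4: "connect",
                   16: "recv", 19: "send", 23: "socket"},
}
ORDINAL_NAMES["wsock32.dll"] = ORDINAL_NAMES["ws2_32.dll"]

# Suffixes that the imphash algorithm strips from the module name.
STRIPPED_EXTENSIONS = ("dll", "ocx", "sys")


def _normalise_dll(dll_name):
    """Lower-case the module name and drop a .dll/.ocx/.sys suffix."""
    name = dll_name.lower()
    base, sep, ext = name.rpartition(".")
    if sep and ext in STRIPPED_EXTENSIONS:
        return base
    return name


def _symbol_name(dll_name, symbol):
    """Lower-case a named import; map an ordinal to a name if known, else 'ordN'."""
    if isinstance(symbol, int):
        return ORDINAL_NAMES.get(dll_name.lower(), {}).get(symbol, "ord%d" % symbol)
    return symbol.lower()


def imphash_string(imports):
    """Build the 'dll.func,dll.func,...' string that the imphash is the MD5 of.

    `imports` is a list of (dll_name, symbol) pairs in import-directory order;
    symbol is a str for an import by name or an int for an import by ordinal.
    Order matters: it is the linker's layout that the hash captures.
    """
    parts = []
    for dll_name, symbol in imports:
        parts.append("%s.%s" % (_normalise_dll(dll_name), _symbol_name(dll_name, symbol)))
    return ",".join(parts)


def imphash(imports):
    """Import hash: MD5 hex digest over the normalised, ordered import list."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


# Constructed import tables (not this sample's real imports) showing what
# does and does not change the hash.
BASE_IMPORTS = [
    ("KERNEL32.DLL", "CreateFileA"),
    ("KERNEL32.DLL", "WriteFile"),
    ("USER32.dll", "MessageBoxA"),
    ("ws2_32.dll", 23),        # ordinal 23 resolves to 'socket' via the table
    ("Custom.sys", 5),         # no table for this module: becomes 'ord5'
]

# Same imports with different casing: identical hash, since casing is folded.
RECASED_IMPORTS = [(d.upper(), s.upper() if isinstance(s, str) else s)
                   for d, s in BASE_IMPORTS]

# Same imports in a different order: different hash. Import order is fixed at
# link time, which is why the hash clusters builds of the same stub or packer.
REORDERED_IMPORTS = [BASE_IMPORTS[1], BASE_IMPORTS[0]] + BASE_IMPORTS[2:]


if __name__ == "__main__":
    print(imphash_string(BASE_IMPORTS))
    print("base      ", imphash(BASE_IMPORTS))
    print("recased   ", imphash(RECASED_IMPORTS))
    print("reordered ", imphash(REORDERED_IMPORTS))
```

Read the "3 x QuakBot" count accordingly: a shared imphash says three files have the same import layout, which is a useful pivot for hunting related loaders, but a packer reused by unrelated families produces the same collision, so it is corroboration rather than proof of family. ssdeep and TLSH on the same line are content-based similarity hashes and answer a different question (how much of the byte stream is shared).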

Code Signing Certificate

Organisation: Orangetree B.V.
Issuer: Sectigo RSA Code Signing CA
Algorithm: sha256WithRSAEncryption
Valid from: Nov 4 00:00:00 2020 GMT
Valid to: Nov 4 23:59:59 2021 GMT
Serial number: 7E0CCDA0EF37ACEF6C2EBE4538627E5C
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist: This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm: SHA256
Thumbprint: D032358A31097655857E002CE8EC0FA10DDA8E7569D97955CED1DACC7D79926A
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 189
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Sending a UDP request
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching a process
Creating a window
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name: Win32.Trojan.QBot
Status: Malicious
First seen: 2020-11-13 14:23:12 UTC
File Type: PE (Exe)
AV detection: 28 of 29 (96.55%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:qakbot banker stealer trojan
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Qakbot/Qbot
Unpacked files
SHA256 hash: 4d71f075bea3a0676161c066ad62175bdf28655c7ef685192859b278e93c6a06
MD5 hash: c7580a6351ed5eef53c207758f0d8463
SHA1 hash: 2f05196bd17b962f87bd26e0534044ed7163b6d2

SHA256 hash: 601d3bfa5b79fbeb10915d85f77eb8571bf6ec931e9c68bb0d5e8093901e9171
MD5 hash: 292c32869b2d38ebd62f3b2d24ab5863
SHA1 hash: 06176e73f6ed54f615a0d09ea1e0c555da91488c
Detections: win_qakbot_g0 win_qakbot_auto

SHA256 hash: 4692f0a62f714d0acb7a58b0f52e96844d75e93980e87a3c959eb6773d734e0d
MD5 hash: 34b6b8e9f422bd64ddac18fb466cbdfa
SHA1 hash: fb0f92fcab48eb274191d734fc557158c0ebc8df
Detections: win_qakbot_auto
