MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ef6244713f63fbba1b41434adf98b4d62ca2095641505252591eeba9ddc252a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuakBot

Vendor detections: 7

SHA256 hash: 4ef6244713f63fbba1b41434adf98b4d62ca2095641505252591eeba9ddc252a
SHA3-384 hash: 9cd87c461189be62e9370be56b7e209dd0193f8273e20ff0a43b58b053de864d6c0972c0dcf870fedd17f99618273825
SHA1 hash: f4912032a749f9ca21d75884ae7055320992502f
MD5 hash: f13694eb033445e7b89423d170091abf
humanhash: robert-oregon-four-pennsylvania
File name: 4ef6244713f63fbba1b41434adf98b4d62ca2095641505252591eeba9ddc252a
Signature: QuakBot
File size: 256'528 bytes
First seen: 2020-11-05 22:01:05 UTC
Last seen: 2020-11-05 22:02:41 UTC
File type: Executable exe
MIME type: application/x-dosexec
ssdeep: 6144:uy5RbM/fsmoLYZj9qWCOWhcXF8rqeEaQDAZ:uCRQOY7qWCdh68rqeEaQDu
TLSH: 2A44E08253D8C145F4376E77833EC3770566BD98A5239B9EC9C1B3A86F388266B13724
Reporter: seifreed
Tags: Quakbot

Intelligence

File Origin
# of uploads: 2
# of downloads: 54
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour:
- Creating a process with a hidden window
- Creating a file in the Windows subdirectories
- Creating a file in the %AppData% subdirectories
- Creating a process from a recently created file
- Launching a process
- Creating a window
- Unauthorized injection to a system process
- Enabling autorun by creating a file
Threat name: Win32.Backdoor.Quakbot
Status: Malicious
First seen: 2020-10-31 09:27:04 UTC
AV detection: 27 of 29 (93.10%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:qakbot banker stealer trojan
Behaviour:
- Runs ping.exe
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Checks SCSI registry key(s)
- Qakbot/Qbot
Unpacked files
SHA256 hash: 92efa4e1b62a8828ba3914cc4b1f4e8356b0774fd6593099e9757aa3357e9cea
MD5 hash: ab26ba7229fe38e41dbdd4166082a3aa
SHA1 hash: 25e29179f213445e4fd60e6e5c77a72ff5e69d7f
Detections: win_qakbot_g0 win_qakbot_auto

SHA256 hash: 408c6261d3fe607be9533196651bfc481fd9cdf6ca53e67ab555a1cd584b5fd2
MD5 hash: 64bdd45abf6db36b5ab2aaf210fc2de5
SHA1 hash: e2c56be94728a17db37fe6d1699d2d53e3720e6a
Detections: win_qakbot_auto
Parent samples:
6cb75c332da3645c1a3febb0cd3721050d935458dba93cfc6fcd18b6224f68af
96f3ce81be9c325cbcf7a4d6ac1d9f853786f438e14c7ac2efab1f3a9f92e17e
dce8c0a91515f298034dbe9d3db8d391a3989b3f878a64be5548a29f71ff3fa2
4ef6244713f63fbba1b41434adf98b4d62ca2095641505252591eeba9ddc252a
2b8eb8d6cfc169a994f3cf64d13c519969796e67fcfc8d677c159c3f51098603
701f1480dd42b05dcee4b5c3bd4c5baeff138c7b0a31003471a691b7f41465f5
b969ea5cd3135f19f58c1358509301373fa318f7d14248dfa4cdc6592e2aab88
fd838d99c76785f287c2088b82ea9d5d39dcb3dd8f0ad6af19b20167a544bb5a
bbd7c6b69b24afae38e8bb8dad1d1b05d0cd692add80cadc409bf02c9f41ada3
0387dd1d6d022e64582227a6a3edc92bf2b4ce4742bd948fb5a293c4d19042c0
bee777bdbb59c3120bc7739f233ac06f45f2b7f538c343e0be94c61de5071c0f
4cf82d583d9b0a153239079f9a0058ef4b2e6c6be2f0123b9198c561ffd42364
29e227af74dd7f3b308cab571f0b9db60a18745802259119e13fcaf353d18e67
4bf66097567db93b546d2b672c0c5065921582f13284d9eb68847309b00204cd
4dedb88eb83be1c251bf6334bbb2e1c1ca97f9983e54f2838e2f717001d4e266
eb9df43f0a8cd991657ff6034bb5daf779e8aae976b1a9e2c77a88991a015084
ee692f16050292a1c8ce5f4102e2d3e394d107e9e1b2d6315ad3cc0acc9865b5
bd7ae73fc5365d137acde6d2793a6bd12046d651cc53b4554dabbf0f782a0238
b844fa5e0fb285b30c46e7d4d384c87e7284e3560d68530cbaa1991862b82913
b0298ac579dada46528e0971fa161f422523141cbd327098eeb24c5b0f514af8
bb2cc0cff5a632b708f8c1643d7599d6866024dec5206a1b88069ffc119f8c32
6bbb48104c5bb62141fc25770483777820d3c9e8cdecc962d8ea2a3569aa5fdb
56d529f84f59923d5169bae5e6c2b9f476aea1faaa58a85d38ba8e8551dca502
39d6cd237b99668d5018f346f4d71fae6cf2f085ca36d6d008d43fac5eccaea0
0f579a0fb58adcbae4da44603c3c2548aeda4de6b1ba82357c72d34dc71279ab
6374838e7cd98149f7e3e7384265e8607c1e644abfeacc14237f37bf2f32aa5b
f8f4b44d49ad632d96582d49f2f481f7bc1766c45a394cae0ddb4c703b10e56d
SHA256 hash: 4ef6244713f63fbba1b41434adf98b4d62ca2095641505252591eeba9ddc252a
MD5 hash: f13694eb033445e7b89423d170091abf
SHA1 hash: f4912032a749f9ca21d75884ae7055320992502f

Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments