MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 53ffe9bebd26484b58c29c9ed5700881086975057f9379bcffc1ebf40f7cedb6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 53ffe9bebd26484b58c29c9ed5700881086975057f9379bcffc1ebf40f7cedb6
SHA3-384 hash: 41a962a0761f78de6c5c662bfbe2f20b303ee1a22f35bc6a29d2d36579159dc018a718cf4cdce28b93fa448d02020919
SHA1 hash: a1c99f5f4f02a9905628766cc792c1a50fc42736
MD5 hash: 7b80ca7e6d5df4faaddf7f9065c9ad02
humanhash: india-purple-east-arkansas
File name:0810gif
Download: download sample
Signature Quakbot
Create hunting rule
File size:4'291'136 bytes
First seen:2020-10-08 12:39:29 UTC
Last seen:2020-10-08 12:44:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7654029ac65857fec48fdd197c8c29ae (1 x Quakbot)
ssdeep 6144:QQP9G+wgVFGOyD+Tl/GJu18SVTtQ/OpoN3f2cfgJOSoPDR3g1y:/A+wg9yD+TVnTXQGpg3flfgJM38y
Threatray 584 similar samples on MalwareBazaar
TLSH 5416E197BD810E02CBA75D73CB7CABD886639D0C0650A85CA12FF154FA3E4F2359626D
Reporter JAMESWT_WT
Tags:Qakbot Quakbot

Code Signing Certificate

Organisation:GNEEFQWDREIBVLFFQY
Issuer:GNEEFQWDREIBVLFFQY
Algorithm:sha1WithRSA
Valid from:Oct 8 04:57:10 2020 GMT
Valid to:Dec 31 23:59:59 2039 GMT
Serial number: -480381DBAC8A157EBE532730E3FE1546
Thumbprint Algorithm:SHA256
Thumbprint: F913648A7E003BDF365A3A7D7A586D365A8D585ACB4581AB9715CCF2045036DA
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
133
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching a process
Creating a window
Enabling autorun by creating a file
Result
Threat name:
Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/485388
Signature
Binary contains a suspicious time stamp
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect virtual machines (IN, VMware)
Detected unpacking (changes PE section rights)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 295155 Sample: 0810gif Startdate: 08/10/2020 Architecture: WINDOWS Score: 100 31 Multi AV Scanner detection for submitted file 2->31 33 Yara detected Qbot 2->33 35 Machine Learning detection for sample 2->35 37 3 other signatures 2->37 7 0810gif.exe 4 2->7         started        11 0810gif.exe 2->11         started        process3 file4 27 C:\Users\user\AppData\...\yvjnrxpp.exe, PE32 7->27 dropped 29 C:\Users\...\yvjnrxpp.exe:Zone.Identifier, ASCII 7->29 dropped 41 Detected unpacking (changes PE section rights) 7->41 43 Contains functionality to detect virtual machines (IN, VMware) 7->43 45 Contains functionality to compare user and computer (likely to detect sandboxes) 7->45 13 yvjnrxpp.exe 7->13         started        16 schtasks.exe 1 7->16         started        18 0810gif.exe 7->18         started        signatures5 process6 signatures7 47 Multi AV Scanner detection for dropped file 13->47 49 Detected unpacking (changes PE section rights) 13->49 51 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 13->51 53 5 other signatures 13->53 20 explorer.exe 1 13->20         started        23 yvjnrxpp.exe 13->23         started        25 conhost.exe 16->25         started        process8 signatures9 39 Contains functionality to compare user and computer (likely to detect sandboxes) 20->39
Detection:
qakbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/53ffe9bebd26484b58c29c9ed5700881086975057f9379bcffc1ebf40f7cedb6/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2020-10-08 12:41:06 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
160ef13cda764f2ffa2eebf3f9928f8b0cd9bd38f04bfc94911306ededc102eb
Quakbot
2a9ab4b103557c2e45afb9b59ae9243866209cf755fc3435f717439df0871488
Quakbot
4e0b356397a2c59e696a2542b9ad070a9e2becb3c05950882387a92efae6027c
Quakbot
5e2d7b990c9f6667311a44f7fce078a5bd3e033965db4a31c177bb84b06e8540
Quakbot
617eec7fa8d8e94b3307417d42a08c7cd21f2a70d58547b65f1a8d7c4437abd5
Quakbot
8a5776f0dc1869efa02e2842c52fc645456050aaf981e520fcb768cb2f039c2f
Quakbot
997c6f1d8c2bb2028ee0ab542962c868b573c437fb0f19745a0f48602e9736f1
Quakbot
d1101cb827bd6ae2e090a62579022b7e87f5a45aafa93ac23633fe8ed2ff022e
Quakbot
f0f993925f000b7bd91578d59bc3731247e7122f81e4439347bc145f2dfb1215
Quakbot
f88c7e72905a83e1496485f8f6d3a3507143a8a043df280bafd0eb8971cf8319
Quakbot
+ 574 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
trojan banker stealer family:qakbot
Link:
https://tria.ge/reports/201008-5beg98jp5j/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Loads dropped DLL
Executes dropped EXE
Qakbot/Qbot
Unpacked files
SH256 hash:
53ffe9bebd26484b58c29c9ed5700881086975057f9379bcffc1ebf40f7cedb6
MD5 hash:
7b80ca7e6d5df4faaddf7f9065c9ad02
SHA1 hash:
a1c99f5f4f02a9905628766cc792c1a50fc42736
Link:
https://www.unpac.me/results/93de5f7b-7b3b-4568-8f3c-27e6d833b292/
SH256 hash:
4d1469176d3b3c0acae50ab1fe4064f1bc344ed069d1254a37b76695203ec1f9
MD5 hash:
0d19287994c882bfecd96100bcc6a0ad
SHA1 hash:
155b2e583a639dacec267ab7912f0d24ebd33c17
Detections:
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/93de5f7b-7b3b-4568-8f3c-27e6d833b292/
Parent samples :
53ffe9bebd26484b58c29c9ed5700881086975057f9379bcffc1ebf40f7cedb6
65b51df2848d72b401f437607b5a0bc607ed2d4a9b59a3a4712cbf8af08f12cb
SH256 hash:
0c2d85a32ce17bcd80832f72f87a8435038c34341ed9a6cde5688f77562c189f
MD5 hash:
9cb7c1675bf5acb6e6b41b9a5d3598c5
SHA1 hash:
b939ef5c80ed3c472792622e6186975bb07e8bef
Detections:
win_qakbot_g0
Create hunting rule
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/93de5f7b-7b3b-4568-8f3c-27e6d833b292/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Cryptolocker
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/53ffe9bebd26484b58c29c9ed5700881086975057f9379bcffc1ebf40f7cedb6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Quakbot

Executable exe 53ffe9bebd26484b58c29c9ed5700881086975057f9379bcffc1ebf40f7cedb6

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/69219/
  
URLhaus
https://urlhaus.abuse.ch/url/670083/
  
Delivery method
Distributed via web download

Comments