MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 572a838c619dd3e50821877544f02fd5666c290645352fecf6e92419fb7dc65e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuakBot

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	572a838c619dd3e50821877544f02fd5666c290645352fecf6e92419fb7dc65e
SHA3-384 hash:	abb39fce109342391a18e8a47a3a36020a4d96730ec54f8d14f2823fc000e3ace0a3b92ceed8fac990e3e512c38ad86c
SHA1 hash:	33222f8cfb4334fceb5405591a5ed71abf64aab5
MD5 hash:	c669dfc15c8ec12d3bc686c6d26ccd92
humanhash:	red-muppet-music-eighteen
File name:	572a838c619dd3e50821877544f02fd5666c290645352fecf6e92419fb7dc65e
Download:	download sample
Signature	QuakBot Create hunting rule
File size:	261'080 bytes
First seen:	2020-11-01 10:05:08 UTC
Last seen:	2020-11-06 11:17:23 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	3072:1CawmISRvDkMFC2Z0Jy4hoahQ/ii0ueKCfu+XuFKgMLqllq7PCufDfq433wb3xJU:gawCRk4Z0NhbJtWYKjSTfi6Z
Threatray	731 similar samples on MalwareBazaar
TLSH	B544E05263E80445F92B96BB8C71C31016223CA5973E5BAD0EC5B37D4E39E626FE071E
Reporter	JAMESWT_WT
Tags:	OOO Vertical Qakbot Quakbot signed

Code Signing Certificate

Organisation:	OOO Vertical
Issuer:	Sectigo RSA Code Signing CA
Algorithm:	sha256WithRSAEncryption
Valid from:	Oct 9 00:00:00 2020 GMT
Valid to:	Oct 9 23:59:59 2021 GMT
Serial number:	C2FC83D458E653837FCFC132C9B03062
Intelligence:	2 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:	This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:	SHA256
Thumbprint:	82294A7EFA5208EB2344DB420B9AEFF317337A073C1A6B41B39DDA549A94557E
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

139

Origin country :

n/a

Vendor Threat Intelligence

Detection:

QakBot

Link:

https://www.capesandbox.com/analysis/81621/

Detection(s):

SecuriteInfo.com.Trojan.QakBot.39.4936.6994.UNOFFICIAL

SecuriteInfo.com.Trojan.QakBot.39.31214.3776.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a process with a hidden window

Creating a file in the Windows subdirectories

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

Launching a process

Creating a window

Unauthorized injection to a system process

Enabling autorun by creating a file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

qakbot

Link:

https://mwdb.cert.pl/sample/572a838c619dd3e50821877544f02fd5666c290645352fecf6e92419fb7dc65e/

Threat name:

Win32.Backdoor.Quakbot

Status:

Malicious

First seen:

2020-10-29 18:30:49 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

27 of 29 (93.10%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=k4vihddbtxj6kcbbq52uj4bp2vtgykigiu2s73hw5esbt635yzpa._file

Verdict:

malicious

Result

Malware family:

qakbot

Score:

10/10

Tags:

family:qakbot banker stealer trojan

Link:

https://tria.ge/reports/201101-83m6jr756n/

Behaviour

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Qakbot/Qbot

Unpacked files

SH256 hash:

572a838c619dd3e50821877544f02fd5666c290645352fecf6e92419fb7dc65e

MD5 hash:

c669dfc15c8ec12d3bc686c6d26ccd92

SHA1 hash:

33222f8cfb4334fceb5405591a5ed71abf64aab5

Link:

https://www.unpac.me/results/f3c2609c-59ff-428f-9e23-e458a96139b1/

SH256 hash:

98c584afd893d90ce739898eb1884b55e0563361ae51bdd661f707598b2c74b4

MD5 hash:

1dc0e5190afd9a815cb196524f9004ba

SHA1 hash:

5718a34f9f4a2d31d601256ea54a4642ff93e173

Detections:

win_qakbot_auto

Link:

https://www.unpac.me/results/f3c2609c-59ff-428f-9e23-e458a96139b1/

Parent samples :

e187fbf6543d1993f0945c04ee520600b6493236bae169a020f9a10c547e249d
572a838c619dd3e50821877544f02fd5666c290645352fecf6e92419fb7dc65e
dcda70b5cc63629dd2760dbc76ffda0bedefd0ee92af4d4e3740acc7dd2eaff2
5ddf021d191640fee8678ccdee0bff82ccca8d4fa552bffd78fb83757bc3fdba
4da932e297755bee1df38f19b60605892d7eec44606bd20317ba4264ee3664fb
07800361c385ebe050c51f65392e9fe7aab7e12163241e5ba5ac80e7e82ca438

SH256 hash:

56acacb633affa2706b42329433aa617de536b47dcad8e021c10c373f9898771

MD5 hash:

aba5e1691ed8791b23a908953bd9c351

SHA1 hash:

bde788416a00ec767667fad2a8fcbffc1d497e87

Detections:

win_qakbot_g0

win_qakbot_auto

Link:

https://www.unpac.me/results/f3c2609c-59ff-428f-9e23-e458a96139b1/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

qbot

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/572a838c619dd3e50821877544f02fd5666c290645352fecf6e92419fb7dc65e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/81621/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample