MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a407e99922b9dd18cef43136c16d9fbecd9de47e7895fc4aeb0772487339fc1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuakBot


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5a407e99922b9dd18cef43136c16d9fbecd9de47e7895fc4aeb0772487339fc1
SHA3-384 hash: 0ef47787336ca669df66ee0c130c9de3767dc5821cdd05b4fb6a319380fed5465e16c1bed15267cbe321b9a8cae85800
SHA1 hash: 94c7a9c82dae78e269e02702c06f4fc6ec984dae
MD5 hash: 1f14204ba00d4c5c0738f92d3beb79fa
humanhash: arizona-johnny-happy-oregon
File name:5a407e99922b9dd18cef43136c16d9fbecd9de47e7895fc4aeb0772487339fc1
Download: download sample
Signature QuakBot
Create hunting rule
File size:1'017'336 bytes
First seen:2020-10-07 05:56:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 48c67d6a901541a84e7e8bc49cd63032 (21 x Quakbot)
ssdeep 6144:VgfRCEBsOYa5y3g0q+Z1Af61g8nC8StMkuNURdRoc0WKkm5J:eJCEyOYsqLjACi8C8vJZkm5J
Threatray 563 similar samples on MalwareBazaar
TLSH D625D02FF737D840D3E82FF6458307A85977ACA9BA22521729D63A1A7CF5BD03C22544
Reporter JAMESWT_WT
Tags:Olymp LLC Qakbot Quakbot signed

Code Signing Certificate

Organisation:Olymp LLC
Issuer:Sectigo RSA Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:Sep 30 00:00:00 2020 GMT
Valid to:Sep 4 23:59:59 2021 GMT
Serial number: D59A05955A4A421500F9561CE983AAC4
Intelligence: 16 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: 7F56555AC8479D4E130A89E787B7FF2F47005CC02776CF7A30A58611748C4C2E
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
136
Origin country :
n/a
Vendor Threat Intelligence
Detection:
QakBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/68825/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching a process
Creating a window
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Threat name:
Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/483771
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect virtual machines (IN, VMware)
Detected unpacking (changes PE section rights)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 294345 Sample: pUOvILnLr5 Startdate: 07/10/2020 Architecture: WINDOWS Score: 100 33 Antivirus / Scanner detection for submitted sample 2->33 35 Multi AV Scanner detection for submitted file 2->35 37 Yara detected Qbot 2->37 39 3 other signatures 2->39 7 pUOvILnLr5.exe 4 2->7         started        11 pUOvILnLr5.exe 2->11         started        13 pUOvILnLr5.exe 2->13         started        process3 file4 29 C:\Users\user\AppData\...\ebcgbtdi.exe, PE32 7->29 dropped 31 C:\Users\...\ebcgbtdi.exe:Zone.Identifier, ASCII 7->31 dropped 43 Detected unpacking (changes PE section rights) 7->43 45 Contains functionality to detect virtual machines (IN, VMware) 7->45 47 Contains functionality to compare user and computer (likely to detect sandboxes) 7->47 15 ebcgbtdi.exe 7->15         started        18 schtasks.exe 1 7->18         started        20 pUOvILnLr5.exe 7->20         started        signatures5 process6 signatures7 49 Antivirus detection for dropped file 15->49 51 Multi AV Scanner detection for dropped file 15->51 53 Detected unpacking (changes PE section rights) 15->53 55 6 other signatures 15->55 22 explorer.exe 1 15->22         started        25 ebcgbtdi.exe 15->25         started        27 conhost.exe 18->27         started        process8 signatures9 41 Contains functionality to compare user and computer (likely to detect sandboxes) 22->41
Detection:
qakbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5a407e99922b9dd18cef43136c16d9fbecd9de47e7895fc4aeb0772487339fc1/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2020-10-07 05:51:37 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ljah5gmsfoo5ddhpimjwyfwz7pwntxsh46ev7rfowb3sjbztt7aq._file
Verdict:
malicious
Similar samples:
0652d513a2c43aaabbb806eeda3e035aa3b12449a718610d42453896d9f97751
QuakBot
45bd22771aeaab651a6ff5a3a23193446ffd305472082d06ad6612878fa2786e
QuakBot
70c7a48f3dfb41c0137b736bf5f3071bfd550eb8dee8fc6b3c5a075adbecbdbb
QuakBot
78749911faeac0032bb0c8562761fa6ee3fb85f37e099f5169d9dcc29c8024bd
QuakBot
92459aab5fc4c348f5a6a10fa7ce8bc734121a8e2d8d3c30e4337f74ae87017a
QuakBot
9adfaa5b63a6a5456740d383e463055f47b796114675f0912e185638ad135d4a
QuakBot
b78c608b6efdbcab010375b990d029eefd2aa139b5796cd5b10adf50a8e48ec3
QuakBot
b92c0aafb4e9b0fc2b023dbb14d7e848249f29e02b0e4cd8624ce27e55c9ac4c
QuakBot
c118e4088bc5aaffebe7208df9f01da9d70ba625ba020c593723495c0954a203
QuakBot
e6e67623e24b8c95021d63966ac7f2ba20e7fbe9495b32290871fc9fa8fe4fe3
QuakBot
+ 553 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
trojan banker stealer family:qakbot
Link:
https://tria.ge/reports/201007-qyfhfv51q2/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Qakbot/Qbot
Unpacked files
SH256 hash:
ee08c50373f5a9564fabd61c463ce6dd5ed329227f118788655a9ecf48d79b98
MD5 hash:
9a3a157f0750b4dcec6abd52ab4e2476
SHA1 hash:
c6bcaf07a195b045401cf5fc14e5eade8e718fae
Detections:
win_qakbot_g0
Create hunting rule
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/b4b88197-9855-4b51-a941-2e2c1df7d9e1/
SH256 hash:
5a407e99922b9dd18cef43136c16d9fbecd9de47e7895fc4aeb0772487339fc1
MD5 hash:
1f14204ba00d4c5c0738f92d3beb79fa
SHA1 hash:
94c7a9c82dae78e269e02702c06f4fc6ec984dae
Link:
https://www.unpac.me/results/b4b88197-9855-4b51-a941-2e2c1df7d9e1/
SH256 hash:
361231aa8a213f60ea73be0fa534bf3e7c3855c6ae0b9940b71771c7f07414ad
MD5 hash:
bf7ebad66bd4316cd18058c06b4e28f1
SHA1 hash:
5ad652b73077bef68509b344dde1c61e40e6e8c3
Detections:
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/b4b88197-9855-4b51-a941-2e2c1df7d9e1/
Parent samples :
1d14f161830af09dbdfca9bbfa554cd9724f8af548495866b29bddf8b4d73a31
da9694c6c6f520b9068714b76a3cfce6f4609072f8777be7efb4e1878a6c4feb
bda34889cc38db9ca6ff923907e9d1081c81cdf53e62ed5c0991ec9a3e74eef0
1ba4eff0ed556a21a26581b4a59961e33513f5321e5f0310e6d606d5ec95e99e
4b96a68d53022f8246c8e798433f266fdafbbc8902a96713e50eb66548ac3c8a
8ff931fa10085fa391e62db803ee3adc136d0601c1752f685c0951a461ff809f
34a8bdd80f0d5bb6f2f38716cf2d9bf1d0358d1c3778c83c8b7b7bc742b858e8
35b85458c2b654476280aef26c1bde35bbb7a48465a618ae589b9f2e6e305ea8
259b98411afd13efe4d06e088b7d2af806e98d923700237716208e018354e550
acacfdd7a0da6ee94b8c1bff2d71bf406d01a422959f23731d63a485acedf982
b0d5100e6d6af0bff8c9e282989d74930a2878a08410ae27ff2daa96132e3896
e28fd94d327ccd4e1107dc540b1c05cbc824b08a8b40202a6d711384a2de7eb3
fdde58beb1ddc17ee64524912a0db54e7b4bf2ae57cce64eedb01e56c856f582
0dc710737c12ea1c1215fbd39e00347649fff1fb0e512287c86873f66a9f0a35
5a407e99922b9dd18cef43136c16d9fbecd9de47e7895fc4aeb0772487339fc1
034c86795739f7edeec14f4b982b017ecea1c9476bfa304a05de10ebbbdbe425
c520e5788c6cdec1d819803bc214f04a2006ebf0dd3ebfbd56dc5b3a91b38c8b
f0329494b1a9a26aac06e2606c95e31167035d8f576ed8773664d7578913cf36
7601edb9feedd3052966f1988a603ff7019ec4e7db98571b48a1de61483f21e2
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
qbot
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5a407e99922b9dd18cef43136c16d9fbecd9de47e7895fc4aeb0772487339fc1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/68825/

Comments