MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c6b6e4585e5fec1a4fdbfb3c225aa9dbdc229c6dc56d4408f1842efb17b1918. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 3

Intelligence 3 IOCs YARA 10 File information Comments

SHA256 hash:	5c6b6e4585e5fec1a4fdbfb3c225aa9dbdc229c6dc56d4408f1842efb17b1918
SHA3-384 hash:	69f61ed88378ac6b252ec6894c351f3e2b5952318f2c8407a7370489b30f341238d1ab0e2b002176def09e097d73d12f
SHA1 hash:	1930af103cdc630cb703288d74b40e999f943734
MD5 hash:	28c01ad12570441dd1cd90629c73e6a3
humanhash:	fifteen-maryland-missouri-washington
File name:	Detail1.zip
Download:	download sample
Signature	Quakbot Create hunting rule
File size:	487'661 bytes
First seen:	2022-10-27 12:04:54 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
Note:	This file is a password protected archive. The password is: PG1
ssdeep	12288:fwyBbu2VrYkEMcvyGNl5OAKPhHVrzkcOnY:YydumrYRNlMhHVrzk1nY
TLSH	T1CEA423C636D37670F0D425CEB33B6F15B23422460DAAAA6DB431C148752EF2D8E6B4E5
TrID	80.0% (.ZIP) ZIP compressed archive (4000/1) 20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter	pr0xylife
Tags:	1666863975 BB04 pw-PG1 Qakbot Quakbot zip

Intelligence

File Origin

# of uploads :

# of downloads :

193

Origin country :

n/a

File Archive Information

This file is a password protected archive. The password is: PG1

This file archive contains 7 file(s), sorted by their relevance:

File name:	diagnostics.gif
File size:	30'090 bytes
SHA256 hash:	8bdd0b1fbdd26f5c7346fe03bc5eb7bc85f6899b9a5843940c355aa4b350bb6f
MD5 hash:	92536608448eb9815943b55e866de57b
MIME type:	image/gif
Signature	Quakbot

File name:	earns.png
File size:	38'304 bytes
SHA256 hash:	5b0a4615d4408d2bf27607cd5eb75ba021f08dcaa2e137fb84a8efd0fad9190f
MD5 hash:	05ea5ced7dc7f37eed471932e7dfe2ab
MIME type:	image/png
Signature	Quakbot

File name:	invisibly.txt
File size:	181'897 bytes
SHA256 hash:	5e97efdf9189d72b6d516f6e06c9e10b98b768afea5dbde9c8ba10905d108400
MD5 hash:	4cf633b5699eaa0a27d5c8a10416e4f8
MIME type:	text/plain
Signature	Quakbot

File name:	cueing.dat
File size:	643'400 bytes
SHA256 hash:	e248f7a1cbd369a2111834664fa805b489c8610e0d9b7fa506c3a1fc882dd331
MD5 hash:	2b9b0bfbf52742dff63a21cfd9fc496e
MIME type:	application/x-dosexec
Signature	Quakbot

File name:	bares.png
File size:	5'826 bytes
SHA256 hash:	034f70cc78d5f9dda1eec6ede28e7d3973bd149e1642fd62e2f598226415f224
MD5 hash:	c5dac68594b509f4df8b25f764d65b0a
MIME type:	image/png
Signature	Quakbot

File name:	Details.lnk
File size:	1'765 bytes
SHA256 hash:	0500274a2ec6746725b8884b00ecddc69ec027424dc13d1ea51b56a42bfad326
MD5 hash:	f34544dc907708feb456d5d221d6cdec
MIME type:	application/octet-stream
Signature	Quakbot

File name:	aries.cmd
File size:	314 bytes
SHA256 hash:	83bd3135be3d6ca1f64c52bdd7ac1a4a39c82103d62d05a2b0e1b77d3d5e6d6e
MD5 hash:	9ab39e70f07816ed93685be7589c800a
MIME type:	text/x-msdos-batch
Signature	Quakbot

Vendor Threat Intelligence

Detection(s):

TwinWave.EvilDoc.PKillPWZipISOAllTheSmallThings.20221024.UNOFFICIAL

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/5c6b6e4585e5fec1a4fdbfb3c225aa9dbdc229c6dc56d4408f1842efb17b1918

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5c6b6e4585e5fec1a4fdbfb3c225aa9dbdc229c6dc56d4408f1842efb17b1918/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lrvw4rmf4x7mdjh5x6z4ejnktw64ekog3rlniqepdbbo7ml3dema._file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/5c6b6e4585e5fec1a4fdbfb3c225aa9dbdc229c6dc56d4408f1842efb17b1918

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	APT_DustSquad_PE_Nov19_1 Create hunting rule
Author:	Arkbird_SOLG
Description:	Detection Rule for APT DustSquad campaign Nov19
Reference:	https://twitter.com/Rmy_Reserve/status/1197448735422238721

Rule name:	APT_DustSquad_PE_Nov19_2 Create hunting rule
Author:	Arkbird_SOLG
Description:	Detection Rule for APT DustSquad campaign Nov19
Reference:	https://twitter.com/Rmy_Reserve/status/1197448735422238721

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	PassProtected_ZIP_ISO_file Create hunting rule
Author:	_jc
Description:	Detects container formats commonly smuggled through password-protected zips

Rule name:	QakBot Create hunting rule
Author:	kevoreilly
Description:	QakBot Payload

Rule name:	unpacked_qbot Create hunting rule
Description:	Detects unpacked or memory-dumped QBot samples

Rule name:	win_qakbot_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.qakbot.

Rule name:	win_qakbot_malped Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample