MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5fa048bfec7dccf343b60224d2212cdc19a4b04db40b831d7a7d79568fd1df5f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5fa048bfec7dccf343b60224d2212cdc19a4b04db40b831d7a7d79568fd1df5f
SHA3-384 hash: 606570170eeaccb988835161216af0a0d01c4ec8e6177ebf67d293c8a337e07d2aac93c890635d674afdcf39c3893f12
SHA1 hash: 1e185f4a0ee125efdda2543e6f8f0f2f60929794
MD5 hash: 10bfddea67b45ba4b8439f1fb5147796
humanhash: oranges-spaghetti-idaho-winner
File name:coercible.dat
Download: download sample
Signature Quakbot
Create hunting rule
File size:760'832 bytes
First seen:2022-10-11 14:31:06 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash dc4e58cc3b4290a5b1fb2b2659f5959d (4 x Quakbot)
ssdeep 12288:e+4QHixeljmtjVFJcPp+cygICZoxlSr9o6q65UZXJMeGbX//9OT:5DXjmtjVD3cygICZwSJo6q6qZXJM5T/m
Threatray 1'516 similar samples on MalwareBazaar
TLSH T17EF48E33A1D084B7D12A1E78BD7B9268482A7D206F74A94B2FE41E4D4F399C13E752D3
TrID 47.6% (.EXE) Win32 Executable Delphi generic (14182/79/4)
15.1% (.EXE) Win32 Executable (generic) (4505/5/1)
10.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter pr0xylife
Tags:BB dll Qakbot Quakbot

Intelligence

File Origin
# of uploads :
1
# of downloads :
261
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/318991/
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Launching a process
Searching for synchronization primitives
Modifying an executable file
DNS request
Sending a custom TCP request
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware keylogger
Link:
https://www.filescan.io/uploads/63457e6333e66132ed02adca/reports/61e6639f-4ca4-4e7c-a510-9ff8b0c5ecc5/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d641686f-a52d-4370-8f28-724e6dce8524
Result
Threat name:
CryptOne
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1088146
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected CryptOne packer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5fa048bfec7dccf343b60224d2212cdc19a4b04db40b831d7a7d79568fd1df5f/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-10-11 14:32:08 UTC
File Type:
PE (Dll)
Extracted files:
70
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l6qerp7mpxgpgq5waisneijm3qm2jmcnwqfyghl2pv4vnd6r35pq._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
470754664a7e32f09d0ce3b5d17446aaaa9363f3d4d387fe272e2435851a351e
Quakbot
7777f5f15907b512286ed4758a02048a6674ad1b3d5056b866c4c823807dc6fc
Quakbot
80556052a05684ca0f8729c182aa3a48abb040fe5e358b6f67833b52dbd1c172
Quakbot
9ef5f5a55db078bbcf60cb9750349ab35f3ef88e8c5574f23fb77a485d0ba603
Quakbot
efd8c729d110e2374f5b445d501162fb8d798611aff72608e8bf86efaf092486
Quakbot
+ 1'506 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/221011-rv9z3shhd9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
6a8557dd3d30a13393b317d60dcca6c980b29b97ad9a070e19bef819633292af
MD5 hash:
b6ce472fb49a23b4787540b4edc3b88e
SHA1 hash:
3ec548cba5da9df50ec771c823805538bbf294d2
Link:
https://www.unpac.me/results/91dcfb47-b110-4d16-869c-1c64c3b1e1d3/
SH256 hash:
537b22ad09363d900b3289592bc0e1beec974553ad8710617583899727ee074b
MD5 hash:
b8859fa0eeadb759ff87e7b31dea463e
SHA1 hash:
d557ef9eb4e799d0dfb7ed189bf7f243c071b2d8
Detections:
Qakbot
Create hunting rule
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/91dcfb47-b110-4d16-869c-1c64c3b1e1d3/
Parent samples :
5fa048bfec7dccf343b60224d2212cdc19a4b04db40b831d7a7d79568fd1df5f
d0a4909b5e132fd2cc3bf4c1ab18a598cfdf55a531436d1644095911d624bc8c
SH256 hash:
5fa048bfec7dccf343b60224d2212cdc19a4b04db40b831d7a7d79568fd1df5f
MD5 hash:
10bfddea67b45ba4b8439f1fb5147796
SHA1 hash:
1e185f4a0ee125efdda2543e6f8f0f2f60929794
Link:
https://www.unpac.me/results/91dcfb47-b110-4d16-869c-1c64c3b1e1d3/
Malware family:
CryptOne
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5fa048bfec7d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5fa048bfec7dccf343b60224d2212cdc19a4b04db40b831d7a7d79568fd1df5f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/318991/

Comments