MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 616a531ff72b31cd7f9b6093bd98db343fa42907127dc82763539d34f49a4e88. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 616a531ff72b31cd7f9b6093bd98db343fa42907127dc82763539d34f49a4e88
SHA3-384 hash: ac4eee2d72b0165ccf79020274954ed1b645fbe20b9b6a31758c42e773c6479d36fcbe40970d6e36eb61205880e5c767
SHA1 hash: 431dd17f86d4d34254310ee4e872b07461d17e52
MD5 hash: ea8c8dcc622789e8fbd459ececb76eb5
humanhash: island-texas-double-delaware
File name:popish.dat
Download: download sample
Signature Quakbot
Create hunting rule
File size:760'832 bytes
First seen:2022-10-11 16:11:55 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash dc4e58cc3b4290a5b1fb2b2659f5959d (4 x Quakbot)
ssdeep 12288:e+4QHixeljmtjVFJcPp+cygICZoxlSr9s6q6xMZXJMeGbX//7OT:5DXjmtjVD3cygICZwSJs6q6yZXJM5T/c
Threatray 1'519 similar samples on MalwareBazaar
TLSH T1ECF48E33B1D084B7D12A1E78BD7B9268482A7D206F74A94B2BE41E4D4F399C13E752D3
TrID 47.6% (.EXE) Win32 Executable Delphi generic (14182/79/4)
15.1% (.EXE) Win32 Executable (generic) (4505/5/1)
10.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter pr0xylife
Tags:dll obama212 Qakbot Quakbot

Intelligence

File Origin
# of uploads :
1
# of downloads :
261
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/319010/
Detection(s):
SecuriteInfo.com.Win32.Malware-gen.19864.24378.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Launching a process
Searching for synchronization primitives
Modifying an executable file
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware keylogger
Link:
https://www.filescan.io/uploads/634595d3aab5b3e31a6a83a3/reports/bd782e5f-3521-4973-90e7-27efdfe7da13/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f830bb1f-6e4e-445a-b261-b7ac64879263
Result
Threat name:
CryptOne
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1088152
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Execute DLL with spoofed extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected CryptOne packer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 720745 Sample: popish.dat.dll Startdate: 11/10/2022 Architecture: WINDOWS Score: 92 25 Multi AV Scanner detection for submitted file 2->25 27 Yara detected CryptOne packer 2->27 29 Sigma detected: Execute DLL with spoofed extension 2->29 31 2 other signatures 2->31 8 loaddll32.exe 1 2->8         started        process3 signatures4 35 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->35 37 Writes to foreign memory regions 8->37 39 Allocates memory in foreign processes 8->39 41 2 other signatures 8->41 11 cmd.exe 1 8->11         started        13 wermgr.exe 8 1 8->13         started        16 conhost.exe 8->16         started        process5 file6 18 rundll32.exe 11->18         started        23 C:\Users\user\Desktop\popish.dat.dll, PE32 13->23 dropped process7 signatures8 33 Contains functionality to detect sleep reduction / modifications 18->33 21 WerFault.exe 23 9 18->21         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/616a531ff72b31cd7f9b6093bd98db343fa42907127dc82763539d34f49a4e88/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-10-11 16:12:08 UTC
File Type:
PE (Dll)
Extracted files:
70
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mfvfgh7xfmy42743mcj33gg3gq72ikihcj64qj3dkootj5e2j2ea._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
470754664a7e32f09d0ce3b5d17446aaaa9363f3d4d387fe272e2435851a351e
Quakbot
5fa048bfec7dccf343b60224d2212cdc19a4b04db40b831d7a7d79568fd1df5f
Quakbot
80556052a05684ca0f8729c182aa3a48abb040fe5e358b6f67833b52dbd1c172
Quakbot
9ef5f5a55db078bbcf60cb9750349ab35f3ef88e8c5574f23fb77a485d0ba603
Quakbot
+ 1'509 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/221011-tngq3addan/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
6a8557dd3d30a13393b317d60dcca6c980b29b97ad9a070e19bef819633292af
MD5 hash:
b6ce472fb49a23b4787540b4edc3b88e
SHA1 hash:
3ec548cba5da9df50ec771c823805538bbf294d2
Link:
https://www.unpac.me/results/4c97e135-d28a-4213-af4e-9a8ce2af7dfd/
SH256 hash:
015b68c57f31681e021cda49ddcf5c3ada0a9b1facff009a8ce4561fc9061fa2
MD5 hash:
49de64d05b765f404fad96b2f868d253
SHA1 hash:
20624d919418ae9009cfa0ed86448c7df762f810
Detections:
Qakbot
Create hunting rule
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/4c97e135-d28a-4213-af4e-9a8ce2af7dfd/
Parent samples :
616a531ff72b31cd7f9b6093bd98db343fa42907127dc82763539d34f49a4e88
9ebb684f13367a8b7817b787a5374f9072f9338d657c255403d991f50f6ce80c
f742d9cf58174e30f3af525e7917ccf473b8f1f5ba43f9c0d1f111a02cfb02dc
SH256 hash:
616a531ff72b31cd7f9b6093bd98db343fa42907127dc82763539d34f49a4e88
MD5 hash:
ea8c8dcc622789e8fbd459ececb76eb5
SHA1 hash:
431dd17f86d4d34254310ee4e872b07461d17e52
Link:
https://www.unpac.me/results/4c97e135-d28a-4213-af4e-9a8ce2af7dfd/
Malware family:
CryptOne
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/616a531ff72b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/616a531ff72b31cd7f9b6093bd98db343fa42907127dc82763539d34f49a4e88

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/319010/

Comments