MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 62b5cb0be9e42ed5628cf0bcbc7a159ac89668933c887796d2201e5eb4c2ca76. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 9

Intelligence 9 IOCs YARA 4 File information Comments

SHA256 hash:	62b5cb0be9e42ed5628cf0bcbc7a159ac89668933c887796d2201e5eb4c2ca76
SHA3-384 hash:	6d43dba4a568576b3327fa8cdaa3f7b9994537599737b23844c6eb482768b772413e9a1ea9def6559522233260f6c27f
SHA1 hash:	1eff0d87c0d74f977fe3af45ea0c577ae3c6ac43
MD5 hash:	2f7c85d60e243cae6e4691e62584fec5
humanhash:	triple-venus-virginia-leopard
File name:	fours.dat
Download:	download sample
Signature	Quakbot Create hunting rule
File size:	432'640 bytes
First seen:	2022-10-27 18:50:08 UTC
Last seen:	Never
File type:	dll
MIME type:	application/x-dosexec
imphash	fae84ade86333bc16f134b64e603e945 (8 x Quakbot)
ssdeep	12288:eqdD/sblafl4M/8toGXJZ6diNjfo8Ywr6t57AKC:eqdclafl4eGXuiNA8Ye6c
Threatray	1'688 similar samples on MalwareBazaar
TLSH	T11B94E040F4A3DFF2D1BD183800B6A3631B2956260B26C9FB53848B267E747D15B39776
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	zalksec_sec
Tags:	dll Qakbot Quakbot

Intelligence

File Origin

# of uploads :

# of downloads :

242

Origin country :

n/a

Vendor Threat Intelligence

Detection:

QakBot

Link:

https://www.capesandbox.com/analysis/325100/

Detection(s):

SecuriteInfo.com.Win32.BotX-gen.16250.15346.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Сreating synchronization primitives

Launching a process

Searching for synchronization primitives

Modifying an executable file

Creating a window

Sending a custom TCP request

Unauthorized injection to a system process

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Qakbot

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ec6e3563-ae62-40b8-8b7c-533ab5fd2030

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/62b5cb0be9e42ed5628cf0bcbc7a159ac89668933c887796d2201e5eb4c2ca76/

Threat name:

Win32.Trojan.KBot

Status:

Malicious

First seen:

2022-10-27 19:15:52 UTC

File Type:

PE (Dll)

Extracted files:

AV detection:

16 of 26 (61.54%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mk24wc7j4qxnkyum6c6ly6qvtlejm2ethsehpfwseapf5ngczj3a._file

Verdict:

malicious

Label(s):

qakbot

Quakbot

972a961e826745cfd530e9d409a603ebfefd4cc687354868847cdbe785a91bc8

Quakbot

9bea9743ed86d925f88d75077ef37b3a4a6a652bbdd2f0e516efdfbb94fb5e06

Quakbot

9ffd782dc0ff611a67170546287213e7ff90f9eff32faa573493c0b1d28b980b

Quakbot

aa8fbf0411339a0acce09cebab6aea8ed00ceaec76fd92f304ee41c09a9372a4

Quakbot

dae5768e9a2f692512613af462d3ea8d96ce9f38eee1c06ddc52cde8dec2e0a2

Quakbot

e248f7a1cbd369a2111834664fa805b489c8610e0d9b7fa506c3a1fc882dd331

Quakbot

+ 1'678 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/221027-xg1gdadae3/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Unpacked files

SH256 hash:

2fba7e921adc55691fb135ba8e93dea7a0e2222b2de0ddf95256b009bc544252

MD5 hash:

d3213d62f1a8aee299902bbd095be750

SHA1 hash:

7cdd838813abb1d41a36492cb77df6568653898b

Detections:

Qakbot

win_qakbot_auto

Link:

https://www.unpac.me/results/290d47ff-ede4-42ec-88a7-85000954e597/

SH256 hash:

62b5cb0be9e42ed5628cf0bcbc7a159ac89668933c887796d2201e5eb4c2ca76

MD5 hash:

2f7c85d60e243cae6e4691e62584fec5

SHA1 hash:

1eff0d87c0d74f977fe3af45ea0c577ae3c6ac43

Link:

https://www.unpac.me/results/290d47ff-ede4-42ec-88a7-85000954e597/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/62b5cb0be9e42ed5628cf0bcbc7a159ac89668933c887796d2201e5eb4c2ca76

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	QakBot Create hunting rule
Author:	kevoreilly
Description:	QakBot Payload

Rule name:	unpacked_qbot Create hunting rule
Description:	Detects unpacked or memory-dumped QBot samples

Rule name:	win_qakbot_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.qakbot.

Rule name:	win_qakbot_malped Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Distributed via e-mail link

Cape

https://www.capesandbox.com/analysis/325100/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample