MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6374838e7cd98149f7e3e7384265e8607c1e644abfeacc14237f37bf2f32aa5b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuakBot

Vendor detections: 9

SHA256 hash: 6374838e7cd98149f7e3e7384265e8607c1e644abfeacc14237f37bf2f32aa5b
SHA3-384 hash: f35414b2e5c8a9f3d3a0824abaefd4ccae6a66e5df644836e1bdca657d2ac2c6d090b6659c4f4fdbf16719a4c543551a
SHA1 hash: 0d7dbda2d156aa572f0346a5e4c1e7ac881aa9e4
MD5 hash: 2fc18c09d383d3801713f3af80bf634d
humanhash: lemon-indigo-september-east
File name: 6374838e7cd98149f7e3e7384265e8607c1e644abfeacc14237f37bf2f32aa5b
Signature: QuakBot
File size: 231'440 bytes
First seen: 2020-11-14 17:58:22 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: bfd8e4ad065f2b300d17297f543f190e (3 x QuakBot)
ssdeep: 6144:7YRfUIKGH8ZQCE39H4HFCQw/4LbJ2BNoGtr7:MSm3GHcF/cbwBjJ
Threatray: 1'369 similar samples on MalwareBazaar
TLSH: C734F19043AD63DCF41A91FB8054CB634544BAD9E9633FCF4D8581E40A2BAF9DB93709
Reporter: seifreed
Tags: Quakbot

Intelligence

File Origin
# of uploads: 1
# of downloads: 65
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Creating a window
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching a process
Unauthorized injection to a system process
Enabling autorun by creating a file

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name: Win32.Trojan.PinkSbot
Status: Malicious
First seen: 2020-11-14 17:59:31 UTC
AV detection: 25 of 29 (86.21%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:qakbot banker stealer trojan
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Qakbot/Qbot

Unpacked files
SHA256 hash: 6374838e7cd98149f7e3e7384265e8607c1e644abfeacc14237f37bf2f32aa5b
MD5 hash: 2fc18c09d383d3801713f3af80bf634d
SHA1 hash: 0d7dbda2d156aa572f0346a5e4c1e7ac881aa9e4

SHA256 hash: 49ffc51dec2def329d3f972a03f60ac5d4a180f5a69c3d2a0adbbf0c16ded738
MD5 hash: 30b2c6a2f5d7f7c5480dfd7bc7534e65
SHA1 hash: d56d5e9e2c0b88078e494bfb37d43ce5ad126d13
Detections: win_qakbot_g0 win_qakbot_auto

SHA256 hash: 408c6261d3fe607be9533196651bfc481fd9cdf6ca53e67ab555a1cd584b5fd2
MD5 hash: 64bdd45abf6db36b5ab2aaf210fc2de5
SHA1 hash: e2c56be94728a17db37fe6d1699d2d53e3720e6a
Detections: win_qakbot_auto
Parent samples:
Note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample, such as delivery method and external references.

Delivery method: Other
