MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63deda6fe8af221a650f6ba6a2ee6c7fec17f10bc5e063c9b0aaee4981a01150. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 63deda6fe8af221a650f6ba6a2ee6c7fec17f10bc5e063c9b0aaee4981a01150
SHA3-384 hash: 5d4fdf28124712cba1b17dc4e49b66e0af2a0c7013192f1843385875c82ff12bec875ea97afbfb5ad0093c9403a62b14
SHA1 hash: 445447a8cd34df42d7fd786a164389cf8e5f82db
MD5 hash: a372400cbff205def639e4db62ef17b4
humanhash: lemon-wisconsin-missouri-texas
File name:44459.8061394676.bin
Download: download sample
Signature Quakbot
Create hunting rule
File size:842'752 bytes
First seen:2021-09-20 17:28:14 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash fcecb109cd51f9ec6659a40269cd21c6 (5 x Quakbot)
ssdeep 12288:p0yOZOB93YJh6kwi4eYHc+12GPUhW1brsZCesX/OkSAIV5TQi/c+FI2PXekp5:p0yWQFViB7IOcesPIVVZQi/csIbk/
Threatray 115 similar samples on MalwareBazaar
TLSH T19E05D01A7ED6E191C83C5D7988E1C8E67238BC686D28961739E53F3F29F30D1584909F
Reporter nokae8
Tags:dll Qakbot qbot Quakbot

Intelligence

File Origin
# of uploads :
1
# of downloads :
233
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/189536/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.9029.17381.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2bd8f763-55f5-49c1-9e9f-764457fda029
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/854303
Signature
Allocates memory in foreign processes
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Regsvr32 Command Line Without DLL
Sigma detected: Schedule system process
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 486733 Sample: 44459.8061394676.bin Startdate: 20/09/2021 Architecture: WINDOWS Score: 76 45 Sigma detected: Schedule system process 2->45 47 Sigma detected: Regsvr32 Command Line Without DLL 2->47 9 loaddll32.exe 1 2->9         started        12 regsvr32.exe 2->12         started        process3 signatures4 49 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 9->49 51 Injects code into the Windows Explorer (explorer.exe) 9->51 53 Writes to foreign memory regions 9->53 55 2 other signatures 9->55 14 rundll32.exe 9->14         started        17 rundll32.exe 9->17         started        19 cmd.exe 1 9->19         started        23 2 other processes 9->23 21 regsvr32.exe 12->21         started        process5 file6 67 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 14->67 69 Injects code into the Windows Explorer (explorer.exe) 14->69 71 Writes to foreign memory regions 14->71 26 explorer.exe 14->26         started        73 Allocates memory in foreign processes 17->73 75 Maps a DLL or memory area into another process 17->75 29 explorer.exe 8 1 17->29         started        31 rundll32.exe 19->31         started        33 WerFault.exe 20 9 21->33         started        43 C:\Users\user\Desktop\44459.8061394676.dll, PE32 23->43 dropped 35 explorer.exe 23->35         started        signatures7 process8 signatures9 57 Uses schtasks.exe or at.exe to add and modify task schedules 26->57 37 schtasks.exe 1 29->37         started        59 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 31->59 61 Injects code into the Windows Explorer (explorer.exe) 31->61 63 Writes to foreign memory regions 31->63 65 2 other signatures 31->65 39 explorer.exe 31->39         started        process10 process11 41 conhost.exe 37->41         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/63deda6fe8af221a650f6ba6a2ee6c7fec17f10bc5e063c9b0aaee4981a01150/
Threat name:
Win32.Worm.Cridex
Create hunting rule
Status:
Malicious
First seen:
2021-09-20 17:29:07 UTC
AV detection:
8 of 28 (28.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mppnu37iv4rbuzipnotkf3tmp7wbp4ilyxqghsnqvlxetanacfia._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
gozi
Create hunting rule
Similar samples:
1507546bc27652090971bbe5c661030092c57d966d0bb38fc8444f96c669fe2c
Quakbot
153862cb79a2312f54a2307460872006138a649cdac6525df1d04c093c8b1454
Quakbot
224c62bcaf9e4eb208ea49c9727edc7cadfbd58c6209595a66a636627f43d085
Quakbot
3b4d7f8036918c75267ca13980ac17419652c12d968336013808b04151b47455
Quakbot
64213217559da3cb3ef610ea0fa328e6d64ce829511306b8f12c008b61aed07a
Quakbot
75bd9e581d48f304bec7cf8f07fc56937501e67a578d33252915b455fc2506f1
Quakbot
90cd52a9005b6139c2fa84f9b139daff9c77be4dd38ecaf07f0f616612e7a205
Quakbot
a94291cc6f39425c30d1152a83ae122c0c8f10c8bf2f77c94542bbb30203aa94
Quakbot
bd09c02a8064de5f44d409eae767cfaa743c154edf967986f87ffb703467cf62
Quakbot
e73c6e159f026873f92f0b451fa4ada471dbe788d959fdca0c4eaf76af95529f
Quakbot
+ 105 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/210920-v2kkjseff2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Loads dropped DLL
Unpacked files
SH256 hash:
f9ea1a3395ce21186b7831c27ba4ed7ffe17f648591a572c849c511fd8ccbaa9
MD5 hash:
d11018c503936091732cdfde169499dd
SHA1 hash:
2a2f632131b85ef43c0fc3d129e6f8c1ae24aebd
Link:
https://www.unpac.me/results/40bd6968-ed9c-49a4-8bd6-e36f24e74219/
SH256 hash:
fb5d11d5c995e6c675bc5411539ef577ebedbfe988901a0b80dc687d88e05bc7
MD5 hash:
3ef3543f3be00171cc9bded26d7672ba
SHA1 hash:
598bca9dddaa8a4ca0021450fb140e1816921cee
Link:
https://www.unpac.me/results/40bd6968-ed9c-49a4-8bd6-e36f24e74219/
SH256 hash:
63deda6fe8af221a650f6ba6a2ee6c7fec17f10bc5e063c9b0aaee4981a01150
MD5 hash:
a372400cbff205def639e4db62ef17b4
SHA1 hash:
445447a8cd34df42d7fd786a164389cf8e5f82db
Link:
https://www.unpac.me/results/40bd6968-ed9c-49a4-8bd6-e36f24e74219/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/63deda6fe8af221a650f6ba6a2ee6c7fec17f10bc5e063c9b0aaee4981a01150

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/189536/

Comments