MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 65b51df2848d72b401f437607b5a0bc607ed2d4a9b59a3a4712cbf8af08f12cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 65b51df2848d72b401f437607b5a0bc607ed2d4a9b59a3a4712cbf8af08f12cb
SHA3-384 hash: c075c6a1499ceb48fb9365933448f1129d7176c44d91feb419df18e12ae53c97e2f15244b9d3c68bf383cb8139575b1c
SHA1 hash: bf70138b2d32c6aaf29000c389306e29873e6aa4
MD5 hash: 00bc2ebcd398d56fb8c03137295bca65
humanhash: virginia-foxtrot-fix-solar
File name:0810.gif.exe
Download: download sample
Signature Quakbot
Create hunting rule
File size:4'286'528 bytes
First seen:2020-10-14 15:05:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5685e96e5d3d298fc87bd448972c45ef (2 x Quakbot)
ssdeep 6144:Rm4QP9G+wgVFGOyD+Tl/GJu18SVTtQ/OpoN3f2cfgJOSo/DR30G:RmHA+wg9yD+TVnTXQGpg3flfgJs30G
Threatray 607 similar samples on MalwareBazaar
TLSH FF16D097BD810E02CBA75D73CB7CABD886639D0C0650A85CA12FF154FA3E4F2359626D
Reporter James_inthe_box
Tags:exe Quakbot

Code Signing Certificate

Organisation:NJNJAZGPLIIQOYTNBB
Issuer:NJNJAZGPLIIQOYTNBB
Algorithm:sha1WithRSA
Valid from:Oct 9 13:52:30 2020 GMT
Valid to:Dec 31 23:59:59 2039 GMT
Serial number: -0F8FC094C3D4E147B3D2DE23EA6A95B0
Thumbprint Algorithm:SHA256
Thumbprint: 934E0733B8D79B685ACF3FD042C5CAB421BBF2741D5DD5B40DC42E5F5DD8FA71
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
Win.Malware.Razy-9775322-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching a process
Creating a window
Enabling autorun by creating a file
Result
Threat name:
Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/491192
Signature
Binary contains a suspicious time stamp
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect virtual machines (IN, VMware)
Detected unpacking (changes PE section rights)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 298088 Sample: 0810.gif.exe Startdate: 14/10/2020 Architecture: WINDOWS Score: 100 33 Multi AV Scanner detection for submitted file 2->33 35 Yara detected Qbot 2->35 37 Uses an obfuscated file name to hide its real file extension (double extension) 2->37 39 4 other signatures 2->39 7 0810.gif.exe 4 2->7         started        11 0810.gif.exe 2->11         started        13 0810.gif.exe 2->13         started        process3 file4 29 C:\Users\user\AppData\Roaming\...\ghvic.exe, PE32 7->29 dropped 31 C:\Users\user\...\ghvic.exe:Zone.Identifier, ASCII 7->31 dropped 43 Detected unpacking (changes PE section rights) 7->43 45 Contains functionality to detect virtual machines (IN, VMware) 7->45 47 Contains functionality to compare user and computer (likely to detect sandboxes) 7->47 15 ghvic.exe 7->15         started        18 schtasks.exe 1 7->18         started        20 0810.gif.exe 7->20         started        signatures5 process6 signatures7 49 Multi AV Scanner detection for dropped file 15->49 51 Detected unpacking (changes PE section rights) 15->51 53 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 15->53 55 5 other signatures 15->55 22 explorer.exe 1 15->22         started        25 ghvic.exe 15->25         started        27 conhost.exe 18->27         started        process8 signatures9 41 Contains functionality to compare user and computer (likely to detect sandboxes) 22->41
Detection:
qakbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/65b51df2848d72b401f437607b5a0bc607ed2d4a9b59a3a4712cbf8af08f12cb/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2020-10-14 15:03:11 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0652d513a2c43aaabbb806eeda3e035aa3b12449a718610d42453896d9f97751
Quakbot
0d0d997a7c42c11b60cb1e265b015f2559719f640c2adf1c1bf8b85a434a0d0d
Quakbot
2a9ab4b103557c2e45afb9b59ae9243866209cf755fc3435f717439df0871488
Quakbot
45493d88dd9d1670f48aee096d0ca99110337ffbd4d538dd39b2ef3a13cafa63
Quakbot
5e2d7b990c9f6667311a44f7fce078a5bd3e033965db4a31c177bb84b06e8540
Quakbot
70c7a48f3dfb41c0137b736bf5f3071bfd550eb8dee8fc6b3c5a075adbecbdbb
Quakbot
78749911faeac0032bb0c8562761fa6ee3fb85f37e099f5169d9dcc29c8024bd
Quakbot
9adfaa5b63a6a5456740d383e463055f47b796114675f0912e185638ad135d4a
Quakbot
b78c608b6efdbcab010375b990d029eefd2aa139b5796cd5b10adf50a8e48ec3
Quakbot
c118e4088bc5aaffebe7208df9f01da9d70ba625ba020c593723495c0954a203
Quakbot
+ 597 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
trojan banker stealer family:qakbot
Link:
https://tria.ge/reports/201014-myqerl37gj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Loads dropped DLL
Executes dropped EXE
Qakbot/Qbot
Unpacked files
SH256 hash:
65b51df2848d72b401f437607b5a0bc607ed2d4a9b59a3a4712cbf8af08f12cb
MD5 hash:
00bc2ebcd398d56fb8c03137295bca65
SHA1 hash:
bf70138b2d32c6aaf29000c389306e29873e6aa4
Link:
https://www.unpac.me/results/e7d724ee-489f-4e48-89c5-fddd9d5e89f6/
SH256 hash:
59927f3e1cc9ddfeaa92fc954cc7c1f1beb3c174609e3c0b5635d2cf6c8ed73d
MD5 hash:
22a1f7cf90a0139909ddd436b9e84e3c
SHA1 hash:
a503f4d72211a90c6e110f3f37bf17bc907fbca3
Detections:
win_qakbot_g0
Create hunting rule
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/e7d724ee-489f-4e48-89c5-fddd9d5e89f6/
SH256 hash:
4d1469176d3b3c0acae50ab1fe4064f1bc344ed069d1254a37b76695203ec1f9
MD5 hash:
0d19287994c882bfecd96100bcc6a0ad
SHA1 hash:
155b2e583a639dacec267ab7912f0d24ebd33c17
Detections:
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/e7d724ee-489f-4e48-89c5-fddd9d5e89f6/
Parent samples :
53ffe9bebd26484b58c29c9ed5700881086975057f9379bcffc1ebf40f7cedb6
65b51df2848d72b401f437607b5a0bc607ed2d4a9b59a3a4712cbf8af08f12cb
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/65b51df2848d72b401f437607b5a0bc607ed2d4a9b59a3a4712cbf8af08f12cb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/70841/

Comments