MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 71e0434c0681d5d0af7a39194e999c2ed213f5059689548871f5a42921ea790d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
QuakBot
Vendor detections: 7
| SHA256 hash: | 71e0434c0681d5d0af7a39194e999c2ed213f5059689548871f5a42921ea790d |
|---|---|
| SHA3-384 hash: | 22eeb97fbd52ffc7e4afb400e28ca8fa6ea29dedc7cf3980c74587e75bf0d732345438e59c0e77057ed6b049f21cf40d |
| SHA1 hash: | e5298c785e16fee2d91484169996384f75be34a3 |
| MD5 hash: | 639b7423757f76e45394121aa586bef4 |
| humanhash: | burger-mockingbird-west-queen |
| File name: | 71e0434c0681d5d0af7a39194e999c2ed213f5059689548871f5a42921ea790d |
| Signature | QuakBot |
| File size: | 1'218'048 bytes |
| First seen: | 2020-11-13 15:51:48 UTC |
| Last seen: | 2024-07-24 15:44:54 UTC |
| File type: | |
| MIME type: | application/x-dosexec |
| imphash | cca8d3f490bf0e00feae0568e0bcc049 (144 x Quakbot) |
| ssdeep | 6144:y7RydfklZzmm+a0rkG6LgwLUIW2KXPqD8Qz+Xu+iPQeARoLwl:AWtmdvDk2UXPSj+XuJsPl |
| TLSH | 5D45F142F6FCD4E2F1F91A784657532C64089DA88B21C15B67AC6F6CBCF22217CB6207 |
| Reporter | |
| Tags: | Quakbot |
Intelligence
File Origin
# of uploads: 2
# of downloads: 56
Origin country: n/a
Vendor Threat Intelligence
Detection(s):
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching a process
Creating a window
Enabling autorun by creating a file
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name: Win32.Backdoor.Quakbot
Status: Malicious
First seen: 2020-11-13 15:59:58 UTC
AV detection: 26 of 29 (89.66%)
Threat level: 5/5
Detection(s):
Suspicious file
Result
Malware family: qakbot
Score: 10/10
Tags: family:qakbot banker stealer trojan
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Qakbot/Qbot
Unpacked files
SHA256 hash: 71e0434c0681d5d0af7a39194e999c2ed213f5059689548871f5a42921ea790d
MD5 hash: 639b7423757f76e45394121aa586bef4
SHA1 hash: e5298c785e16fee2d91484169996384f75be34a3
SHA256 hash: 004eddee71cc32695fe945ddc1947513c4df15a833e845e4a3a68ca0988eb9d0
MD5 hash: 8a111b494c34295fa8023ee99eba74e2
SHA1 hash: ec6676b93de59016c1cc800fa09f52b8829836f7
Detections:
win_qakbot_auto
Parent samples :
SHA256 hash: 83a9c59d86a5400444ed6e2efdf23d278c349782c0906c57f8f84a2573014d04
MD5 hash: 58238f4df9fdb74811de8e18eb0b6fa4
SHA1 hash: 2a5965a7ff9f6b6a6e1eb607ed87ea80e50c6990
Detections:
win_qakbot_g0
win_qakbot_auto
Please note that we are no longer able to provide a coverage score for Virus Total.
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Delivery method
Other