MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 71fd7986dd41906e1e868f60a1b89d9d591ea261c45a65848d94b07a0378e31b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 71fd7986dd41906e1e868f60a1b89d9d591ea261c45a65848d94b07a0378e31b
SHA3-384 hash: f8828bf440de55e9b5267d940904b1f24d8e33ab34f0e2f8b6d4c927fd144467d403dff8e94d888f78d1f3331cef2528
SHA1 hash: a1ff7b01bbff503a0087c502c1a353956b808a38
MD5 hash: f5e796292b2cd1008a449a1608c87e5e
humanhash: bakerloo-jupiter-xray-friend
File name:443136048108796.dat.dll
Download: download sample
Signature Quakbot
Create hunting rule
File size:859'136 bytes
First seen:2021-05-06 16:41:11 UTC
Last seen:2021-05-06 17:55:53 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash f8b50da2e330b5dea32ae4760264b148 (3 x Quakbot)
ssdeep 12288:+LR2XCmohgp+8RhuxTyAK4X+PAj6iMRbM+bevd6CR/Vr8m+BzcoKCxeEJuBnitAZ:+FaCz8nAO42HzoseEJuBPOu+99z
Threatray 1'388 similar samples on MalwareBazaar
TLSH 8405BF22F2A1CC37D27326789E4B52646D39BE50F93899862FD41E486F343D13B36297
Reporter James_inthe_box
Tags:dll Quakbot

Intelligence

File Origin
# of uploads :
2
# of downloads :
106
Origin country :
n/a
Vendor Threat Intelligence
Detection:
QakBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/151766/
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Modifying an executable file
Creating a process with a hidden window
Creating a window
Sending a UDP request
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/714390
Signature
Allocates memory in foreign processes
Contain functionality to detect virtual machines
Contains functionality to detect sleep reduction / modifications
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 406121 Sample: 443136048108796.dat.dll Startdate: 06/05/2021 Architecture: WINDOWS Score: 92 40 Malicious sample detected (through community Yara rule) 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 Machine Learning detection for sample 2->44 10 loaddll32.exe 1 2->10         started        13 regsvr32.exe 2->13         started        process3 signatures4 54 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 10->54 56 Contain functionality to detect virtual machines 10->56 58 Injects code into the Windows Explorer (explorer.exe) 10->58 60 3 other signatures 10->60 15 cmd.exe 1 10->15         started        17 explorer.exe 10->17         started        20 regsvr32.exe 13->20         started        process5 signatures6 22 rundll32.exe 15->22         started        36 Contain functionality to detect virtual machines 17->36 38 Uses schtasks.exe or at.exe to add and modify task schedules 17->38 process7 signatures8 46 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 22->46 48 Injects code into the Windows Explorer (explorer.exe) 22->48 50 Writes to foreign memory regions 22->50 52 3 other signatures 22->52 25 explorer.exe 8 1 22->25         started        28 WerFault.exe 23 9 22->28         started        process9 file10 34 C:\Users\user\...\443136048108796.dat.dll, PE32 25->34 dropped 30 schtasks.exe 1 25->30         started        process11 process12 32 conhost.exe 30->32         started       
Detection:
qbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/71fd7986dd41906e1e868f60a1b89d9d591ea261c45a65848d94b07a0378e31b/
Threat name:
Win32.Trojan.BunituCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-05-06 16:41:02 UTC
File Type:
PE (Dll)
Extracted files:
38
AV detection:
15 of 29 (51.72%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
03f3b96850249c01f6eb4bedf27f9a1835f56d258b19146c0486b4b42d0c5687
Quakbot
1a57dd305adb1ae4449a0baa9ee76a1b79477d7e7ad380319429f22fc9e96978
Quakbot
4b0e369110e96165597a539d484ffaf84ed54a7761fd07540dc1d6fc848639a7
Quakbot
627ff5c6fcd538aa53d68149ab497f233ac741b1930acee12d9f549453cce664
Quakbot
6fbcea3566bf29fc80e928a90356345460c85fc5f982ee684d4775c0120d59eb
Quakbot
7ca94f5975a02a4dc3cfe92b40e266a2a3f38639ff71e20e09e8d0343b6a5ecb
Quakbot
800b599cd553bef6b90c76c70a428eff132c90c825ece59cd65c80d36400fb66
Quakbot
9ce80728e138acf98b2ba563eff9f0f83aed90335c938b996606406dc188a874
Quakbot
d7ea3c08f5a6606204c797feb32a08028d70700b84fd5092fd51440f8426da64
Quakbot
e81e0da6fbb11aca6fc2735b2a479ab51fc743d02c259f201c27a266b794850c
Quakbot
+ 1'378 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/210506-17hpyad842/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Loads dropped DLL
Unpacked files
SH256 hash:
d801c0315fe7000b64afcfc5d99e02342ba23a13458b1072c5b4dba0172fffc8
MD5 hash:
f344c6876f0660597f9dafeda976126b
SHA1 hash:
1128e8a4c4f415d7e32b7a6f71f358184281c0af
Detections:
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/2b78dbdd-4e29-47bf-b1b8-8fbc07ff9ac4/
Parent samples :
71fd7986dd41906e1e868f60a1b89d9d591ea261c45a65848d94b07a0378e31b
38b3ad4fa2d18bfe9e1d04c5fd24b06bcfcaac5f4ac376bfcfba23f45900f9d0
SH256 hash:
71fd7986dd41906e1e868f60a1b89d9d591ea261c45a65848d94b07a0378e31b
MD5 hash:
f5e796292b2cd1008a449a1608c87e5e
SHA1 hash:
a1ff7b01bbff503a0087c502c1a353956b808a38
Link:
https://www.unpac.me/results/2b78dbdd-4e29-47bf-b1b8-8fbc07ff9ac4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/71fd7986dd41906e1e868f60a1b89d9d591ea261c45a65848d94b07a0378e31b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/151766/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-06 17:07:34 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
1) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
2) [B0012.001] Anti-Static Analysis::Argument Obfuscation
3) [F0002.002] Collection::Polling
5) [C0026.002] Data Micro-objective::XOR::Encode Data
7) [C0051] File System Micro-objective::Read File
8) [C0052] File System Micro-objective::Writes File
9) [E1510] Impact::Clipboard Modification
10) [C0007] Memory Micro-objective::Allocate Memory
11) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
12) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
13) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
14) [C0040] Process Micro-objective::Allocate Thread Local Storage
15) [C0038] Process Micro-objective::Create Thread
16) [C0041] Process Micro-objective::Set Thread Local Storage Value
17) [C0018] Process Micro-objective::Terminate Process