MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 73f5c306c33c980fcd85f185af9c2a2b7678eebda5b10ec072558bd74dd776af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 73f5c306c33c980fcd85f185af9c2a2b7678eebda5b10ec072558bd74dd776af
SHA3-384 hash: 9c4b9e3444481b175cba3ec24fba966c70c025340f383a17586123a68e845c273db0c762882ca0220bda7bc59b1711a2
SHA1 hash: a1e5e508d886343e64e5e4644ddf7d17b853ba77
MD5 hash: 048de5ddf64cd5b9ea0c32eda5dbc871
humanhash: comet-autumn-may-east
File name:Dnchnf.png
Download: download sample
Signature Quakbot
Create hunting rule
File size:1'265'882 bytes
First seen:2022-04-07 15:55:30 UTC
Last seen:2022-04-07 16:53:15 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash f81bb82289ec73914a479a84abe90d22 (3 x Quakbot)
ssdeep 24576:WGSMYc5q4x3VBjY6dz0DUt39ZZzefHNQRWxT96L8aEUn5AefEdYSlPB5zRf+ev5m:a
Threatray 428 similar samples on MalwareBazaar
TLSH T16045AFB876047DDAE56F427BDE96ACDD13B6273289CB94CD8065B7C30963372EE02805
Reporter pr0xylife
Tags:AA dll Qakbot Quakbot

Intelligence

File Origin
# of uploads :
2
# of downloads :
278
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/261758/
Detection(s):
SecuriteInfo.com.FileRepMalwareMisc.9624.20587.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Searching for synchronization primitives
Creating a window
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay
Link:
https://www.filescan.io/uploads/624f0999d53a7479dad00a2a/reports/42758cf7-5c13-4b3d-b198-e2e1c5580bc6/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/89b71986-7ff6-425f-a553-05256fe3e995
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/972542
Signature
Allocates memory in foreign processes
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Suspicious Call by Ordinal
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 605027 Sample: Dnchnf.png Startdate: 07/04/2022 Architecture: WINDOWS Score: 64 32 Sigma detected: Suspicious Call by Ordinal 2->32 8 loaddll32.exe 1 2->8         started        process3 signatures4 34 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->34 36 Injects code into the Windows Explorer (explorer.exe) 8->36 38 Writes to foreign memory regions 8->38 40 2 other signatures 8->40 11 regsvr32.exe 8->11         started        14 cmd.exe 1 8->14         started        16 rundll32.exe 8->16         started        18 3 other processes 8->18 process5 signatures6 42 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 11->42 44 Injects code into the Windows Explorer (explorer.exe) 11->44 46 Writes to foreign memory regions 11->46 48 2 other signatures 11->48 20 explorer.exe 8 1 11->20         started        22 rundll32.exe 14->22         started        24 WerFault.exe 2 9 16->24         started        26 WerFault.exe 9 18->26         started        28 WerFault.exe 9 18->28         started        process7 process8 30 WerFault.exe 23 9 22->30         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/73f5c306c33c980fcd85f185af9c2a2b7678eebda5b10ec072558bd74dd776af/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-04-07 15:56:17 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
16 of 42 (38.10%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
0924d35df6c4c9d97df5da3bfd8ecf136979eaf9eef13e082a6337af5549d6e0
Quakbot
0ff53bc0243122381aa964067287c6128d75a565955f1e0a2f0f82b46428963d
Quakbot
60d4424bf0e6f70e66571a1d038780b9d8e91cb03e58dbec4de002619c1c12d8
Quakbot
871a845b4c4cd4f565f35152760c9f89c2fd8a43c4f0b18c7848798dfda0482c
Quakbot
89a1fc475c266fe386fa517eb51d7c00bcd4b0262bba095d468c5f4da51f312c
Quakbot
934cb585f33fe11bcd0e99f4df40de07eec50aae0c6d036527fc03fe6d7d0fc8
Quakbot
dc9e4fb434d9be18748858c4daa2744931a60c645ec913b76719b19e634ce665
Quakbot
eb14763a3242cfc46ea26a42f68dec0f08488b12adb9590aebd142844de903a4
Quakbot
+ 418 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220407-tdb3tsaca7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
73f5c306c33c980fcd85f185af9c2a2b7678eebda5b10ec072558bd74dd776af
MD5 hash:
048de5ddf64cd5b9ea0c32eda5dbc871
SHA1 hash:
a1e5e508d886343e64e5e4644ddf7d17b853ba77
Link:
https://www.unpac.me/results/98c817d1-af9e-4463-ae95-caa607041817/
Malware family:
QBot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/73f5c306c33c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/73f5c306c33c980fcd85f185af9c2a2b7678eebda5b10ec072558bd74dd776af

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/261758/

Comments