MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 75bd9e581d48f304bec7cf8f07fc56937501e67a578d33252915b455fc2506f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 75bd9e581d48f304bec7cf8f07fc56937501e67a578d33252915b455fc2506f1
SHA3-384 hash: b9875a5e4f75da9379c0d2a0722bf3981152a90c7772a25d182205c6899174e76e263341c60dd891024a15999512f08b
SHA1 hash: f62a31eb33e26cabdbd3ef843bd19c95df47dcdb
MD5 hash: f1fb3abb2393f77b6192945aa277151d
humanhash: paris-april-ceiling-whiskey
File name:f1fb3abb2393f77b6192945aa277151d
Download: download sample
Signature Quakbot
Create hunting rule
File size:914'432 bytes
First seen:2021-06-16 15:57:30 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 299f6f1d2b8a3e164da0e6578d1fa5ca (4 x Quakbot)
ssdeep 12288:jhFr6SSWqOdUuVAXJaBbWdsrHOYQYpPGFEQ+TYxd3JE3MX/Pu6ULos:jrnemAXJ9+OBPyQ+TYb/yo
Threatray 1'504 similar samples on MalwareBazaar
TLSH FC158E72B2A38C37D1733A7D4D4B63A4982ABF413E3BA9462BE41C4C5F396413925397
Reporter malwarelabnet
Tags:dll Qakbot Quakbot

Intelligence

File Origin
# of uploads :
1
# of downloads :
430
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Modifying an executable file
Creating a process with a hidden window
Creating a window
Sending a UDP request
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c631253c-69f4-4a6c-bc71-52b9272e66ad
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/75bd9e581d48f304bec7cf8f07fc56937501e67a578d33252915b455fc2506f1/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2021-06-16 15:58:12 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ow6z4wa5jdzqjpwhz6hqp7cwsn2qdzt2k6gtgjjjcw2fl7bfa3yq._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
224c62bcaf9e4eb208ea49c9727edc7cadfbd58c6209595a66a636627f43d085
Quakbot
3b4d7f8036918c75267ca13980ac17419652c12d968336013808b04151b47455
Quakbot
3c40784862d5a82b93baaa62432b2903048c5fcfaa9d3d31cebb96ae4980ddd4
Quakbot
5cf03d4c4ed5a25dc90ecc5b2b4624c808b901a308e1eac4881e87460eff05ab
Quakbot
71bb9ec22752238b773f5103e0089f85488eacb73f1b7fb3a3625ae9dc606c3a
Quakbot
80cfabe6a394c7737a22d5ea72c604fb65fb6b66e979e848d07507343fbdb705
Quakbot
a94291cc6f39425c30d1152a83ae122c0c8f10c8bf2f77c94542bbb30203aa94
Quakbot
b93a9e972d297bb2a0ae163d5c9a087bf29dc5db48eaab8d9e0e5560f48065c0
Quakbot
c5db8f1fd3c0c9e620a614cca194af7f1c1066c30e1cd79a948e039b644db0f6
Quakbot
cdb955547f9718c2755a828c8b3d5a4baa2e97f31ba77fadef01e78abb8f3b68
Quakbot
+ 1'494 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot banker stealer trojan
Link:
https://tria.ge/reports/210616-w9k7n5ghdn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Loads dropped DLL
Qakbot/Qbot
Unpacked files
SH256 hash:
b65def31cc2dd055ed79d8e9f7104125dcebe3b60b5daf62fd7e47829f2d3732
MD5 hash:
29593ae9cbdfcd4ca4eaf0e9ac469521
SHA1 hash:
d7befcf43555b87ef767b8540af726d3fe747520
Detections:
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/1661b921-fdf8-488c-abad-9a3935c3af1b/
Parent samples :
a94291cc6f39425c30d1152a83ae122c0c8f10c8bf2f77c94542bbb30203aa94
75bd9e581d48f304bec7cf8f07fc56937501e67a578d33252915b455fc2506f1
224c62bcaf9e4eb208ea49c9727edc7cadfbd58c6209595a66a636627f43d085
3b4d7f8036918c75267ca13980ac17419652c12d968336013808b04151b47455
SH256 hash:
75bd9e581d48f304bec7cf8f07fc56937501e67a578d33252915b455fc2506f1
MD5 hash:
f1fb3abb2393f77b6192945aa277151d
SHA1 hash:
f62a31eb33e26cabdbd3ef843bd19c95df47dcdb
Link:
https://www.unpac.me/results/1661b921-fdf8-488c-abad-9a3935c3af1b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.31
Link:
https://yomi.yoroi.company/submissions/75bd9e581d48f304bec7cf8f07fc56937501e67a578d33252915b455fc2506f1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:QakBot
Create hunting rule
Author:kevoreilly
Description:QakBot Payload
Rule name:win_qakbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments