MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8272de1a6c56484d5f751b07b03dae537206417c5c61547cd18fe117811b1414. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8272de1a6c56484d5f751b07b03dae537206417c5c61547cd18fe117811b1414
SHA3-384 hash: 146042b7e3fc0bf0c762955075dc18196ad58ed02cd9a13817bc7d69bec8a47f9621b1be85f33e84000aca68b5983424
SHA1 hash: d9716e48dffe8a9cff10845373e3e5bea17995f0
MD5 hash: 421ff435d982e0d1b7b90a0c83c1cf5a
humanhash: asparagus-fish-helium-delta
File name:process.0xffffdd8a688534c0.0x590000.dmp
Download: download sample
Signature Quakbot
Create hunting rule
File size:233'471 bytes
First seen:2021-04-18 17:25:23 UTC
Last seen:2021-04-18 17:58:31 UTC
File type:DLL dll
MIME type:application/x-dosexec
ssdeep 3072:yaCpHSJ7GXpDKfk0sFFqr9l+LeJyT4dX0ZtLA0B2TBfhQQjwRKkrkOB2oO:EzXhKfkygiyTTvB2TBpljwsLOBLO
Threatray 108 similar samples on MalwareBazaar
TLSH BF34BE32B09399B2C0724132A3DEDB6BDBFDA7250271DC9BD78C19457F24946E2312DA
Reporter cbecks2

Intelligence

File Origin
# of uploads :
2
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Detection:
QakBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/137847/
Detection(s):
SecuriteInfo.com.QakBot.21479.8358.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/685292
Signature
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 391595 Sample: process.0xffffdd8a688534c0.... Startdate: 18/04/2021 Architecture: WINDOWS Score: 60 34 Malicious sample detected (through community Yara rule) 2->34 36 Multi AV Scanner detection for submitted file 2->36 38 Machine Learning detection for sample 2->38 14 loaddll32.exe 1 2->14         started        process3 process4 16 cmd.exe 1 14->16         started        process5 18 rundll32.exe 16->18         started        process6 20 rundll32.exe 18->20         started        process7 22 rundll32.exe 20->22         started        process8 24 rundll32.exe 22->24         started        process9 26 rundll32.exe 24->26         started        process10 28 rundll32.exe 26->28         started        process11 30 rundll32.exe 28->30         started        process12 32 rundll32.exe 30->32         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8272de1a6c56484d5f751b07b03dae537206417c5c61547cd18fe117811b1414/
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qjzn4gtmkzee2x3vdmd3apnoknzamql4lrqvi7grr7qrpai3cqka._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
05eb78d99eee2cefa5e2dcd2113583e4e35a32806d1b842c3569a2045783392f
Quakbot
1387164d5353f32d77912b968065d5ce8b1a4e2c208838925f32556745301fb8
Quakbot
1bbeafc55ebf403a0ebbb672035e358b36377c370cd37cab7df1088c083770bf
Quakbot
5cf03d4c4ed5a25dc90ecc5b2b4624c808b901a308e1eac4881e87460eff05ab
Quakbot
7262fc8f73299cfbead27493ad24bc60688d4fa3b3e3a676b639dbe170c8334b
Quakbot
80cfabe6a394c7737a22d5ea72c604fb65fb6b66e979e848d07507343fbdb705
Quakbot
b12073d6fb10eaa5c2d201c069693f72a45f53df4239ef34d5e4608a084603a4
Quakbot
b93a9e972d297bb2a0ae163d5c9a087bf29dc5db48eaab8d9e0e5560f48065c0
Quakbot
c5db8f1fd3c0c9e620a614cca194af7f1c1066c30e1cd79a948e039b644db0f6
Quakbot
faf8c2bc67d3913406f66f4a735774828f9455850fce085585b42c5b16f5b539
Quakbot
+ 98 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210418-7ksyapnbzj/
Behaviour
Suspicious use of WriteProcessMemory
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:QakBot
Create hunting rule
Author:kevoreilly
Description:QakBot Payload
Rule name:win_qakbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/137847/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-18 18:08:19 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0002.014] Communication Micro-objective::Read Header::HTTP Communication
1) [C0029.002] Cryptography Micro-objective::SHA1::Cryptographic Hash
2) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
3) [C0021.005] Cryptography Micro-objective::Mersenne Twister::Generate Pseudo-random Sequence
4) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
5) [C0019] Data Micro-objective::Check String
6) [C0060] Data Micro-objective::Compression Library
7) [C0026.001] Data Micro-objective::Base64::Encode Data
8) [C0026.002] Data Micro-objective::XOR::Encode Data