MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 845900fb58adf3e8b086c9517dfc5deeaefb5e6be80606b8e93c21502d2fe44c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 845900fb58adf3e8b086c9517dfc5deeaefb5e6be80606b8e93c21502d2fe44c
SHA3-384 hash: 10a1045a0a4dfc9c608537f0d71481669878b14142d1d8f8bbe1241ee7a14002a62432c3b744496dc03f676592fe37cd
SHA1 hash: f94737abd71b7c187f6bf2745a109571eeccb487
MD5 hash: 096721752a2f6682cf22f3ffc371551b
humanhash: six-nineteen-december-autumn
File name:user.dat
Download: download sample
Signature Quakbot
Create hunting rule
File size:528'384 bytes
First seen:2022-12-23 01:35:46 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash d0ce5a8d5d0f4fa36cbdd8035bad1ebc (4 x Quakbot)
ssdeep 12288:eihnctArBgRprvbiIIAuz19neslchZCJxE:nnqAyprvbiIIAuRJlch8vE
Threatray 1'876 similar samples on MalwareBazaar
TLSH T1BAB4E02171E391B4EC9B42B1211D5F3DEFBC7A204677989B4F9804C52F249E2EB3625B
TrID 31.0% (.EXE) InstallShield setup (43053/19/16)
22.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
9.4% (.SCR) Windows screen saver (13097/50/3)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
Reporter pr0xylife
Tags:1671725928 BB11 dll Qakbot Quakbot

Intelligence

File Origin
# of uploads :
1
# of downloads :
212
Origin country :
IE IE
Vendor Threat Intelligence
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/63a50602779e491a53b2e059/reports/176fd6ab-8d16-4ed0-83cf-83728ed29024/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ea76bc2d-000d-4256-b1c5-51fdd4ef8e48
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1139730
Signature
Sigma detected: Execute DLL with spoofed extension
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 772460 Sample: user.dat.dll Startdate: 23/12/2022 Architecture: WINDOWS Score: 48 37 Sigma detected: Execute DLL with spoofed extension 2->37 8 loaddll32.exe 1 2->8         started        process3 process4 10 cmd.exe 1 8->10         started        12 rundll32.exe 8->12         started        14 rundll32.exe 8->14         started        16 7 other processes 8->16 process5 18 rundll32.exe 10->18         started        20 WerFault.exe 21 9 12->20         started        23 WerFault.exe 2 9 14->23         started        25 WerFault.exe 9 16->25         started        27 WerFault.exe 16->27         started        29 WerFault.exe 16->29         started        31 2 other processes 16->31 dnsIp6 33 WerFault.exe 3 9 18->33         started        35 192.168.2.1 unknown unknown 20->35 process7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/845900fb58adf3e8b086c9517dfc5deeaefb5e6be80606b8e93c21502d2fe44c/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-12-23 01:36:06 UTC
File Type:
PE (Dll)
AV detection:
12 of 26 (46.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qrmqb62yvxz6rmegzfix37c552xpwxtl5adanohjhqqvaljp4rga._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
0e1f44187d73e706600e63c7ffb8132be360e44962a4f6ef2e34f53cdd8681b2
Quakbot
1a979befbb818957b361b695fa34543f521a654ac7567ef79a22bb382b1ee0b5
Quakbot
26975798246161199b20263f3793e1c6d56299c0a881c6dfcd4bc9b753b75212
Quakbot
28938e9b7dc8ba1641a245277c4f1ef95ed148984a8cce2e8b1c07e6ff5f740c
Quakbot
2ebb62e94adeb9e2b89c86158d047c4237d5df24a02f0324b9d81eb1ea164241
Quakbot
3ed5e52842ec4004ce42f7055ec1b9e8c70185037dac72293fe7e4e2c18c208e
Quakbot
5d111ecc2ea0919b641b48a6e0d907466557ebec1a6f5369da93c44abeb16697
Quakbot
784a2827b5ddc82e69198aa9f6a5382c32716eb0263bc2a4f6fc500589c8a3ef
Quakbot
9c99d4c2d10e852395f892378225247f4e6eb2b5d9b9718e39127634e3acae3b
Quakbot
db333be4247b3cef1efefe762327112ca465de58a15a260033d03a7aaaf5cbb2
Quakbot
+ 1'866 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/221223-bz81ksff39/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
845900fb58adf3e8b086c9517dfc5deeaefb5e6be80606b8e93c21502d2fe44c
MD5 hash:
096721752a2f6682cf22f3ffc371551b
SHA1 hash:
f94737abd71b7c187f6bf2745a109571eeccb487
Link:
https://www.unpac.me/results/2c0b588e-d3c6-4402-b267-42a36e7d6e9c/
Malware family:
QBot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/845900fb58ad/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.16
Link:
https://yomi.yoroi.company/submissions/845900fb58adf3e8b086c9517dfc5deeaefb5e6be80606b8e93c21502d2fe44c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments