MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84a0c818da5d2624e3c7cf0543cb8c6dbc1e90759681fdf87fe2aedd1950347b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 84a0c818da5d2624e3c7cf0543cb8c6dbc1e90759681fdf87fe2aedd1950347b
SHA3-384 hash: c91d19b1e268fa3528bbddb11a99d56d2cf7093b3ed61f8dfc37f915825b69f7bfff9c5660a0be5a4ec394dc8f2d10db
SHA1 hash: 3f19636f09bcb728e7f348f195c80b28db3eb402
MD5 hash: 604cd6de76c9fc7e2175925a86400fa8
humanhash: kilo-may-golf-uranus
File name:Emotet_Qakbot.bin
Download: download sample
Signature Quakbot
Create hunting rule
File size:811'540 bytes
First seen:2020-07-21 14:22:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 30b3e5bbf1c385f09b653bc6a5533572 (2 x Quakbot)
ssdeep 12288:RZfWAYeHxPCW4vdXQGnPDNeYMuOXuUPtpjvCPaPsb0zn888888888888W888888j:RNWEivZQuPxeXuSpjvzP1S
TLSH F905F3027A4AC3B3F84489364490016B2913BDD4F7D1E592AF64E54D99BCFA73CB8B1B
Reporter lazyactivist192
Tags:Qakbot Quakbot

Code Signing Certificate

Organisation:EZIOLHHGQANMUKKAHE
Issuer:EZIOLHHGQANMUKKAHE
Algorithm:sha1WithRSA
Valid from:Jul 15 07:44:29 2020 GMT
Valid to:Dec 31 23:59:59 2039 GMT
Serial number: -3ABE7E73750D6B58B41E0B1273945FE1
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: A186576176D2D36831A85B886963184398F1ECE4B7E4B8D463A29749A5278CB9
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
250
Origin country :
n/a
Vendor Threat Intelligence
Detection:
QakBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/30207/
Detection(s):
SecuriteInfo.com.Mal.EncPk-APV.3495.3440.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching a process
Unauthorized injection to a system process
Enabling autorun with Startup directory
Result
Threat name:
Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/393345
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 249034 Sample: Emotet_Qakbot.bin Startdate: 22/07/2020 Architecture: WINDOWS Score: 100 57 Antivirus / Scanner detection for submitted sample 2->57 59 Multi AV Scanner detection for submitted file 2->59 61 Sigma detected: QBot Process Creation 2->61 63 6 other signatures 2->63 7 Emotet_Qakbot.exe 4 2->7         started        11 Emotet_Qakbot.exe 2 2->11         started        process3 file4 51 C:\Users\user\AppData\Roaming\...\nqrot.exe, PE32 7->51 dropped 53 C:\Users\user\...\nqrot.exe:Zone.Identifier, ASCII 7->53 dropped 65 Detected unpacking (changes PE section rights) 7->65 67 Detected unpacking (overwrites its own PE header) 7->67 69 Contains functionality to detect virtual machines (IN, VMware) 7->69 71 Contains functionality to compare user and computer (likely to detect sandboxes) 7->71 13 nqrot.exe 7->13         started        16 Emotet_Qakbot.exe 7->16         started        18 schtasks.exe 1 7->18         started        73 Uses cmd line tools excessively to alter registry or file data 11->73 20 cmd.exe 11->20         started        24 nqrot.exe 11->24         started        26 reg.exe 1 1 11->26         started        28 9 other processes 11->28 signatures5 process6 dnsIp7 75 Antivirus detection for dropped file 13->75 77 Multi AV Scanner detection for dropped file 13->77 79 Detected unpacking (changes PE section rights) 13->79 83 7 other signatures 13->83 30 explorer.exe 1 13->30         started        33 nqrot.exe 13->33         started        35 conhost.exe 16->35         started        37 conhost.exe 18->37         started        55 127.0.0.1 unknown unknown 20->55 49 C:\Users\user\Desktopmotet_Qakbot.exe, PE32+ 20->49 dropped 81 Uses ping.exe to sleep 20->81 45 2 other processes 20->45 39 nqrot.exe 24->39         started        41 conhost.exe 26->41         started        43 conhost.exe 28->43         started        47 7 other processes 28->47 file8 signatures9 process10 signatures11 85 Contains functionality to compare user and computer (likely to detect sandboxes) 30->85
Detection:
qakbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/84a0c818da5d2624e3c7cf0543cb8c6dbc1e90759681fdf87fe2aedd1950347b/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2020-07-21 14:24:08 UTC
File Type:
PE (Exe)
Extracted files:
92
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qsqmqgg2lutcjy6hz4cuhs4mnw6b5edvs2a736d74kxn2gkqgr5q._file
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
trojan banker stealer family:qakbot evasion
Link:
https://tria.ge/reports/200721-954zd44kb2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Runs ping.exe
Loads dropped DLL
Windows security modification
Executes dropped EXE
Qakbot/Qbot
Turns off Windows Defender SpyNet reporting
Windows security bypass
Malware Config
C2 Extraction:
190.220.8.10:443
66.57.216.53:993
173.175.29.210:443
72.255.200.69:2222
24.229.150.54:995
81.133.234.36:2222
86.4.44.48:443
92.104.210.253:2222
71.56.53.127:443
174.85.133.130:2222
201.170.83.26:443
5.15.81.52:443
187.207.185.170:443
67.248.210.221:53
67.246.16.250:995
212.126.109.14:443
69.11.247.242:443
207.255.161.8:32100
69.92.54.95:995
104.235.72.17:443
200.113.201.83:995
82.81.172.21:443
74.134.46.7:443
151.73.125.195:443
188.24.214.244:443
188.192.75.8:443
24.165.87.61:443
216.163.4.132:443
174.34.67.106:2222
86.175.7.7:2222
72.142.106.198:995
68.190.152.98:443
47.24.47.218:443
73.217.4.42:443
96.244.45.155:443
72.240.245.253:443
130.25.130.19:2222
35.142.12.163:2222
98.240.24.57:443
95.77.144.238:443
67.8.103.21:443
80.195.103.146:2222
72.142.106.198:465
66.26.160.37:443
72.177.157.217:995
173.26.189.151:443
96.18.240.158:443
93.114.122.202:2222
207.246.71.122:443
144.202.48.107:443
45.77.215.141:443
173.173.1.164:443
100.40.48.96:443
76.106.25.207:443
74.222.204.82:443
72.88.119.131:443
108.30.125.94:443
100.19.7.242:443
172.78.30.215:443
66.208.105.6:443
95.77.223.148:443
72.190.101.70:443
24.183.39.93:443
72.228.3.116:443
24.139.132.70:443
68.200.23.189:443
172.242.156.50:995
24.202.42.48:2222
72.204.242.138:443
72.204.242.138:20
108.45.29.12:443
68.174.15.223:443
74.193.197.246:443
96.56.237.174:990
64.19.74.29:995
70.168.130.172:443
81.106.46.63:443
100.43.250.74:995
189.236.166.167:443
68.4.137.211:443
76.187.8.160:443
86.126.97.183:2222
24.90.160.91:443
76.86.57.179:2222
201.103.155.111:443
24.234.86.201:995
75.183.171.155:3389
98.148.177.77:443
173.172.205.216:443
98.116.62.242:443
74.215.201.122:443
173.3.132.17:995
73.226.220.56:443
207.255.161.8:32103
75.137.239.211:443
68.49.120.179:443
5.193.178.241:2078
206.51.202.106:50003
82.127.193.151:2222
207.255.161.8:2222
207.255.161.8:2087
24.152.219.253:995
41.97.138.74:443
104.173.119.54:2222
80.240.26.178:443
207.246.75.201:443
199.247.22.145:443
199.247.16.80:443
173.90.33.182:2222
79.114.199.39:443
80.14.209.42:2222
24.164.79.147:443
70.183.127.6:995
47.153.115.154:993
184.180.157.203:2222
87.65.204.240:995
217.162.149.212:443
50.104.68.223:443
195.162.106.93:2222
67.165.206.193:995
200.113.201.83:993
103.238.231.40:443
84.232.238.30:443
78.96.192.26:443
47.153.115.154:465
98.115.138.61:443
24.42.14.241:995
189.160.203.110:443
188.27.76.139:443
207.255.161.8:32102
49.207.105.25:443
193.248.44.2:2222
190.63.182.214:443
179.51.23.31:443
74.135.37.79:443
208.82.44.203:443
71.210.177.4:443
83.110.222.11:443
187.155.74.5:995
50.244.112.106:443
193.23.5.134:443
78.102.138.103:995
2.50.47.97:2222
201.248.102.4:2078
41.34.91.90:995
72.204.242.138:53
46.214.62.199:443
201.127.27.88:443
68.46.142.48:443
72.29.181.77:2078
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/84a0c818da5d2624e3c7cf0543cb8c6dbc1e90759681fdf87fe2aedd1950347b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
Emotet
  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/30207/

Comments