MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8905c6a9311e45c528b1b9e56367a2fc55f2fd4af124e02d407acfa9ae23f93f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8905c6a9311e45c528b1b9e56367a2fc55f2fd4af124e02d407acfa9ae23f93f
SHA3-384 hash: 45fefa4dd6b30d65d8f04fad3f5e7e8bf4badbff00bb9816ac0f09c67c243e3a80093d9f2cf147bdcfd7d4f81c47100d
SHA1 hash: 8e0e803a3a6f73d754f0831ec30bcdbf37f9d311
MD5 hash: db8bced91ef1163e368f633db38250d6
humanhash: four-november-arizona-blossom
File name:information[2022.03.18_12-56].xll
Download: download sample
Signature Quakbot
Create hunting rule
File size:3'302'912 bytes
First seen:2022-03-18 13:43:35 UTC
Last seen:Never
File type:Excel file xll
MIME type:application/x-dosexec
imphash a084c8824a3ef55d5f4bc4fa0f09d431 (1 x Quakbot)
ssdeep 24576:dA/zNC+FzglNXPHKQ99+VJwua9YljmbRWs5ddFh0X/FjxATJjlSH1pPyo7oX1KrR:dT+FG0sHe4Ug1PhoAFXqKCF6
Threatray 323 similar samples on MalwareBazaar
TLSH T1D3E55B4142AC48FEEEFAC73528F795927BFB7ED691081F0385684D66096BC80F09A5F4
Reporter k3dg3___
Tags:qbot Quakbot TA571 tzr01 xll

Intelligence

File Origin
# of uploads :
1
# of downloads :
356
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malicious
File Type:
Office Add-Ins - Suspicious
Link:
https://app.docguard.net/8905c6a9311e45c528b1b9e56367a2fc55f2fd4af124e02d407acfa9ae23f93f/results/dashboard
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe greyware regsvr32.exe
Link:
https://www.filescan.io/uploads/62348cbdb94fb38cb4a36e46/reports/351dfa4e-5d2d-49f1-a211-7efaced29646/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/959755
Signature
Drops PE files to the user root directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Call by Ordinal
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 592232 Sample: fYALWiHmo1.xll Startdate: 18/03/2022 Architecture: WINDOWS Score: 64 23 Multi AV Scanner detection for dropped file 2->23 25 Multi AV Scanner detection for submitted file 2->25 27 Sigma detected: Suspicious Call by Ordinal 2->27 7 loaddll64.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 rundll32.exe 7->11         started        13 rundll32.exe 7->13         started        15 2 other processes 7->15 process5 17 rundll32.exe 1 9->17         started        file6 21 C:\Users\user\Wininetx64.dll, PE32 17->21 dropped 29 Drops PE files to the user root directory 17->29 signatures7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8905c6a9311e45c528b1b9e56367a2fc55f2fd4af124e02d407acfa9ae23f93f/
Threat name:
Win64.Trojan.Emotet
Create hunting rule
Status:
Malicious
First seen:
2022-03-18 13:44:18 UTC
File Type:
PE+ (Dll)
AV detection:
12 of 27 (44.44%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
1afaa9ab2ee0c6e5a93b23b207295eb9c3b10d350c0bf190ea92abc0b5628837
Quakbot
1e65784e3a7c5257c84077c4cb3385efebe255dcb9158762ed15648ef2d8e697
Quakbot
538a6af386f29cac70e74c1eb885bae87b0ea6b487b0411db4f78ee8c2fea336
Quakbot
5b585bcc7ac833317be929b0cc62de62827de31567ac58f2c6e10644b3739e67
Quakbot
8f7701d2c28e11cab1b101e679722065262dfba823a87fa7d02216a6c5c17d44
Quakbot
9ae13c19261bfaabaaf173c24d895e19fa751373749f17058e288dc5c6a481a0
Quakbot
b814c645113619aba16234e892fd4cddf471a58c845fe18a0493a7ccd84b8de4
Quakbot
c184cc9ab735a9d8843dcde620b3075f99e2d54519fee2109aa01c06f27371fd
Quakbot
c2919ef3ccf9cc5805a282d96326a28df6236801953c39bb582b7b181a058ebe
Quakbot
e8a2a3c6874dbaa04dfc60b58b5b1b677fbc33f6d2c08eb509f40b05df0d58be
Quakbot
+ 313 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot botnet:tzr02 campaign:1647520511 banker stealer trojan
Link:
https://tria.ge/reports/220318-q1tdvahhh8/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Loads dropped DLL
Process spawned unexpected child process
Qakbot/Qbot
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8905c6a9311e45c528b1b9e56367a2fc55f2fd4af124e02d407acfa9ae23f93f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Quakbot

Excel file xll 8905c6a9311e45c528b1b9e56367a2fc55f2fd4af124e02d407acfa9ae23f93f

(this sample)

Quakbot

DLL dll 439c08613d68fddce3758d3da282aaec527751daaaa120df3cafbf03208a6f6e

  
Dropping
SHA256 439c08613d68fddce3758d3da282aaec527751daaaa120df3cafbf03208a6f6e
  
Delivery method
Distributed via e-mail link

Comments