MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c3cfeccfffba1fe5b1b69a5784e3d2832a35aebd0998efb48877ae766708691. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Quakbot


Vendor detections: 9



SHA256 hash: 9c3cfeccfffba1fe5b1b69a5784e3d2832a35aebd0998efb48877ae766708691
SHA3-384 hash: d485434289b1fae14e9ee35f592d8b3d6e5c5b2999e9fe824ae983ceec1350ac575ed6db7259be31896e62c3b35612d2
SHA1 hash: e21be6605ac1a0b3416df5e266a20c5b9581f4c3
MD5 hash: feb4484f965d53e26a67141c97c3ca19
humanhash: sixteen-pip-burger-georgia
File name: 8sdsfd2sd.exe
Signature: Quakbot
File size: 666'950 bytes
First seen: 2021-02-02 18:51:04 UTC
Last seen: 2021-02-02 20:27:02 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 0451a14c6dd290039b64df1a7a79d43e (2 x BazaLoader, 1 x Quakbot)
ssdeep: 6144:xKxqEDbq4lljdpR44G+inOczu3ERBQwOpKABQ:IVlzpRU7u3oBQwOG
Threatray: 2 similar samples on MalwareBazaar
TLSH: 3FE47D2476AA56EFFD5B847A76458255B4B37284432BEDFB41E0D7213A03BE00F3862D
Reporter: ffforward
Tags: BazaLoader BazarBackdoor BazarCall BazarLoader kegtap

Code Signing Certificate

Organisation: GlobalSign Timestamping CA - G2
Issuer: GlobalSign Root CA
Algorithm: sha1WithRSAEncryption
Valid from: Apr 13 10:00:00 2011 GMT
Valid to: Jan 28 12:00:00 2028 GMT
Serial number: 0400000000012F4EE152D7
Intelligence: 12 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: C977923C771E1A66C925A2B6F501732E678DC9887AFE6BFAAC039D1D9A71F0EC
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 2
# of downloads: 305
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 9c3cfeccfffba1fe5b1b69a5784e3d2832a35aebd0998efb48877ae766708691.zip
Verdict: No threats detected
Analysis date: 2021-02-02 19:14:42 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Suspicious
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Sending a UDP request
Sending a custom TCP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Deleting a recently created file
Connection attempt
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 56 / 100
Signature
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Threat name: Win64.Trojan.Wacatac
Status: Malicious
First seen: 2021-02-02 18:52:07 UTC
File Type: PE+ (Exe)
AV detection: 10 of 28 (35.71%)
Threat level: 5/5
Result
Malware family: bazarbackdoor
Score: 10/10
Tags: family:bazarbackdoor backdoor
Behaviour
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
BazarBackdoor
Unpacked files
SHA256 hash: 9c3cfeccfffba1fe5b1b69a5784e3d2832a35aebd0998efb48877ae766708691
MD5 hash: feb4484f965d53e26a67141c97c3ca19
SHA1 hash: e21be6605ac1a0b3416df5e266a20c5b9581f4c3
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Quakbot

Executable exe 9c3cfeccfffba1fe5b1b69a5784e3d2832a35aebd0998efb48877ae766708691

(this sample)

  
Delivery method
Distributed via web download

Comments