MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9cd900111f019f32112eba2c1ce1ecd9345d05f5d9a8a617c4a609d77cf2f95b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 5

Intelligence 5 IOCs YARA 5 File information Comments

SHA256 hash:	9cd900111f019f32112eba2c1ce1ecd9345d05f5d9a8a617c4a609d77cf2f95b
SHA3-384 hash:	0658f1d74ca0d4002a237f6c39c1cab50e2e0fea16d33aa3bc86d026a47ecf7961ea0a34f55a49171f796c70a15e9564
SHA1 hash:	9266ced16696c10983b7252a2a1a53f6d5c9efbe
MD5 hash:	b316d485fd16aceca470c36e55540133
humanhash:	uniform-idaho-happy-mockingbird
File name:	Item.one
Download:	download sample
Signature	Quakbot Create hunting rule
File size:	116'904 bytes
First seen:	2023-02-07 14:19:53 UTC
Last seen:	Never
File type:	one
MIME type:	application/octet-stream
ssdeep	3072:RgS2EJbyYeMYkKkyX3DWvLLATir569RgSwfg:QhjZrHDgQkFo
TLSH	T109B3D026B191864ADB29413A09E77FB4B373BE029591571FDFB62E1C4DF0284CCA468F
Reporter	pr0xylife
Tags:	matanbuchus one Qakbot Quakbot

Intelligence

File Origin

# of uploads :

# of downloads :

140

Origin country :

Vendor Threat Intelligence

Detection(s):

TwinWave.EvilDoc.OneNotePkillExeExtDetonationRulingTheNation.20230125.UNOFFICIAL

Verdict:

No Threat

Threat level:

2/10

Confidence:

50%

Link:

https://www.filescan.io/uploads/63e25e141c9cbf7d62566a93/reports/0d4b9ca5-2a86-41d5-b56a-b871a1932223/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/9cd900111f019f32112eba2c1ce1ecd9345d05f5d9a8a617c4a609d77cf2f95b

Result

Verdict:

MALICIOUS

Details

Base64 Encoded Powershell Directives

Detected one or more base64 encoded Powershell directives.

Base64 Encoded URL

Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9cd900111f019f32112eba2c1ce1ecd9345d05f5d9a8a617c4a609d77cf2f95b/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ttmqaei7agpteejoxiwbzypm3e2f2bpv3gukmf6euye5o7hs7fnq._file

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/230207-rne65acb36/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9cd900111f019f32112eba2c1ce1ecd9345d05f5d9a8a617c4a609d77cf2f95b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	onenote_file Create hunting rule
Description:	Microsoft Onenote File

Rule name:	OneNote_magic Create hunting rule
Author:	Stuart Gonzalez

Rule name:	onenote_maldocs Create hunting rule
Author:	Stuart Gonzalez

Rule name:	SUSP_OneNote Create hunting rule
Author:	spatronn
Description:	Hard-Detect One

Rule name:	SUSP_PowerShell_Base64_Decode Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects PowerShell code to decode Base64 data. This can yield many FP

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample