MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ceac97816e90e7c5922dce12954dcc9c34d6542dbe06cf766db55b366fefb43. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 3

Intelligence 3 IOCs YARA File information Comments

SHA256 hash:	9ceac97816e90e7c5922dce12954dcc9c34d6542dbe06cf766db55b366fefb43
SHA3-384 hash:	5a17ff7a8939e6260c07e835dc8c3a56d777c521424a352fd5602f45b6b9e814fa3912ec75b0dd36e0fa94f5d0fe3978
SHA1 hash:	ddfa12a3e648dbd0fd60f60f0ff0f0d944308d92
MD5 hash:	0c13ed40d1f23ab07e8e865ba5940a5c
humanhash:	florida-cup-arkansas-lithium
File name:	SecuriteInfo.com.BScope.Malware-Cryptor.Zbot.4213.30029
Download:	download sample
File size:	2'195'120 bytes
First seen:	2020-04-03 18:42:08 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	9dd051009b3fe629216b035ccf3fec77
ssdeep	6144:FUqZbXtDb604j/tATIxFQVRiN8wHoG3NUBoKyxdd:FnZbw/jzxFQ/irHhUBold
Threatray	408 similar samples on MalwareBazaar
TLSH	53A5D0A2593DC88AEDB77278352472D351167E7858A8A00D7F10870D0BBB2EA0F5F767
Reporter	SecuriteInfoCom

Code Signing Certificate

Organisation:	RRPMWXXGLEEPDYCRZH
Issuer:	RRPMWXXGLEEPDYCRZH
Algorithm:	sha1WithRSA
Valid from:	Apr 1 16:09:44 2020 GMT
Valid to:	Dec 31 23:59:59 2039 GMT
Serial number:	-5B9F8FA8B4D79F44BF2F82AF61905160
Intelligence:	7 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	79B9AC7D290AADD1215CA5E04605B13230D477F7A7CE877045301B5B3ACD14E9
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Dropper.Qakbot-7646363-0

Gathering data

Threat name:

Win32.Trojan.Qbot

Status:

Malicious

First seen:

2020-04-04 00:57:30 UTC

File Type:

PE (Exe)

AV detection:

30 of 31 (96.77%)

Threat level:

5/5

Verdict:

malicious

474d98ef89bc82d2bd36c0f7e8c0a6e6a9c4e2bdf89aef7bb21076f3512bff36

66581ef4403817dbb74f4eaa160d9b3dff00655688de916bdc9deba5bf32b555

6b8f15d8cc16aac54d12879554467d51fa79fc80d21580eb6e7c6e9198ed14ce

6db8186bb85e3dd446d86408b81725e268f375a06c49fcece7ddfb67171bceca

80f5f646063746ad84127922013eb0abe036cadbcfad846186d8c6c5410f5d14

90e9c74f78bb70df8cdb84b78e24d997eba83e74fefc04833e14e17b4add10ca

b01d04bb942340579b3b9e9223637268ba5cccc80c66d5b8ccf464c0cbdad8ab

e48c6802b94dcbe41c11188684ed0d7e0d73238ff637707eb1e3a639b7834044

ea4dcaac0b61ec7f40c3695c285e799aacefd8c825e8b119e64a268af7d7c4c7

+ 398 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::AllocateAndInitializeSid ADVAPI32.dll::ConvertSidToStringSidW ADVAPI32.dll::ConvertStringSidToSidW ADVAPI32.dll::EqualSid ADVAPI32.dll::FreeSid ADVAPI32.dll::GetLengthSid
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance ole32.dll::CoInitializeSecurity ole32.dll::CreateStreamOnHGlobal
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::AdjustTokenPrivileges ADVAPI32.dll::DuplicateTokenEx ADVAPI32.dll::GetTokenInformation ADVAPI32.dll::SetSecurityDescriptorDacl ADVAPI32.dll::SetTokenInformation
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteA SHELL32.dll::ShellExecuteExW SHELL32.dll::ShellExecuteW SHELL32.dll::SHFileOperationW SHELL32.dll::SHFileOperation SHELL32.dll::SHQueryRecycleBinW
WIN32_PROCESS_API	Can Create Process and Threads	ADVAPI32.dll::CreateProcessAsUserW KERNEL32.dll::CreateRemoteThread KERNEL32.dll::CreateProcessA KERNEL32.dll::CreateProcessW KERNEL32.dll::OpenProcess ADVAPI32.dll::OpenProcessToken
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryW KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryExA KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetDriveTypeW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::CreateConsoleScreenBuffer KERNEL32.dll::WriteConsoleW KERNEL32.dll::WriteConsoleA KERNEL32.dll::FreeConsole KERNEL32.dll::SetConsoleCtrlHandler KERNEL32.dll::SetStdHandle
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CopyFileA KERNEL32.dll::CopyFileW KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateFileA KERNEL32.dll::CreateFileMappingW KERNEL32.dll::CreateFileW
WIN_BASE_USER_API	Retrieves Account Information	KERNEL32.dll::GetComputerNameA KERNEL32.dll::GetComputerNameW ADVAPI32.dll::GetUserNameW ADVAPI32.dll::LookupAccountSidW ADVAPI32.dll::LookupPrivilegeValueW KERNEL32.dll::QueryDosDeviceW
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegCreateKeyExA ADVAPI32.dll::RegCreateKeyA ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegCreateKeyW ADVAPI32.dll::RegDeleteKeyW ADVAPI32.dll::RegLoadKeyW
WIN_USER_API	Performs GUI Actions	USER32.dll::ActivateKeyboardLayout USER32.dll::CloseDesktop USER32.dll::CreateMenu USER32.dll::FindWindowA USER32.dll::FindWindowW USER32.dll::GetOpenClipboardWindow

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample