MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ebb684f13367a8b7817b787a5374f9072f9338d657c255403d991f50f6ce80c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Quakbot


Vendor detections: 10



SHA256 hash: 9ebb684f13367a8b7817b787a5374f9072f9338d657c255403d991f50f6ce80c
SHA3-384 hash: bad84ef2275064c2672e21fb87d8e4cd7d1b6475f2972119f5c9ef32b5cf153aecf88f834411557bda78a084293f3cde
SHA1 hash: 41142c72f3f37fad22b01c6bd9eaf572551ff465
MD5 hash: 25d8d740a5611fb6ab2e6df583c24a00
humanhash: summer-batman-high-echo
File name: cossacks.dat
Signature Quakbot
File size: 760'832 bytes
First seen: 2022-10-11 23:50:44 UTC
Last seen: Never
File type: DLL dll
MIME type:application/x-dosexec
imphash dc4e58cc3b4290a5b1fb2b2659f5959d (4 x Quakbot)
ssdeep 12288:e+4QHixeljmtjVFJcPp+cygICZoxlSr9p6q6xMZXJMeGbX//7OT:5DXjmtjVD3cygICZwSJp6q6yZXJM5T/c
Threatray 1'521 similar samples on MalwareBazaar
TLSH T153F48E33B1D084B7D12A1E78BD7B9268482A7D206F74A94B2BE41E4D4F399C13E752D3
TrID 47.6% (.EXE) Win32 Executable Delphi generic (14182/79/4)
15.1% (.EXE) Win32 Executable (generic) (4505/5/1)
10.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter mossdinger
Tags: dll obama212 Qakbot Quakbot

Intelligence


File Origin
# of uploads :
1
# of downloads :
258
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a window
Launching a process
Searching for synchronization primitives
Modifying an executable file
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware keylogger
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name:
Win32.Backdoor.Quakbot
Status:
Malicious
First seen:
2022-10-11 23:51:09 UTC
File Type:
PE (Dll)
Extracted files:
70
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SHA256 hash:
6a8557dd3d30a13393b317d60dcca6c980b29b97ad9a070e19bef819633292af
MD5 hash:
b6ce472fb49a23b4787540b4edc3b88e
SHA1 hash:
3ec548cba5da9df50ec771c823805538bbf294d2
SHA256 hash:
015b68c57f31681e021cda49ddcf5c3ada0a9b1facff009a8ce4561fc9061fa2
MD5 hash:
49de64d05b765f404fad96b2f868d253
SHA1 hash:
20624d919418ae9009cfa0ed86448c7df762f810
Detections:
Qakbot win_qakbot_auto
SHA256 hash:
9ebb684f13367a8b7817b787a5374f9072f9338d657c255403d991f50f6ce80c
MD5 hash:
25d8d740a5611fb6ab2e6df583c24a00
SHA1 hash:
41142c72f3f37fad22b01c6bd9eaf572551ff465
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Distributed via drive-by
