MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a395600eca0288b1a6c84746245439360e1e9a6e7277126ec0777d74dbc2222c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a395600eca0288b1a6c84746245439360e1e9a6e7277126ec0777d74dbc2222c
SHA3-384 hash: 73c52d816c09e0cc42d29ab198f496f30e685ef90f1a82029963cd4e7633cbfd42306ccd115eb6d27786bf790958fa89
SHA1 hash: 63ae1bc6e8ddc6ff3e92d8c9b8def6b120749aba
MD5 hash: 106b4adbd60d3ed9b382941f9e16a939
humanhash: oven-bacon-nitrogen-oven
File name:4818840.dat.dll
Download: download sample
Signature Quakbot
Create hunting rule
File size:345'552 bytes
First seen:2021-02-16 19:08:44 UTC
Last seen:2021-02-17 09:36:15 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 86fbdc19e7cee8cd7d94d1a822db2bf6 (21 x Quakbot)
ssdeep 6144:agOXktvhhOU35RJEesNr3wU7HuAmHKmlEwrPmRPWEpWFn2E6lyDe:skvhhOKJETRByqTwr03pdft
Threatray 128 similar samples on MalwareBazaar
TLSH 14747D396A1AD0A2D27C27B183C3EF541E67DAD53234441712B3DE183EB66A4BE36F14
Reporter James_inthe_box
Tags:dll Quakbot signed

Code Signing Certificate

Organisation:ADV TOURS d.o.o.
Issuer:Sectigo RSA Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:2021-02-11T00:00:00Z
Valid to:2022-02-11T23:59:59Z
Serial number: d3356318924c8c42959bf1d1574e6482
Intelligence: 17 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: 962518bfabcda183ed702c09a4ada754bf4da8af8244d7ee57fcf952fd929b8e
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
130
Origin country :
n/a
Vendor Threat Intelligence
Detection:
QakBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/117416/
Detection(s):
SecuriteInfo.com.Mal.EncPk-APW.1169.15.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the Windows subdirectories
Launching a process
Modifying an executable file
Creating a process with a hidden window
Creating a window
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/609373
Signature
Allocates memory in foreign processes
Found malware configuration
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Schedule REGSVR windows binary
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 353719 Sample: 4818840.dat.dll Startdate: 16/02/2021 Architecture: WINDOWS Score: 96 48 Found malware configuration 2->48 50 Sigma detected: Schedule REGSVR windows binary 2->50 52 Multi AV Scanner detection for submitted file 2->52 54 2 other signatures 2->54 9 loaddll32.exe 1 2->9         started        11 regsvr32.exe 2->11         started        13 regsvr32.exe 2->13         started        process3 process4 15 regsvr32.exe 9->15         started        18 cmd.exe 1 9->18         started        20 regsvr32.exe 11->20         started        22 regsvr32.exe 13->22         started        signatures5 56 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 15->56 58 Injects code into the Windows Explorer (explorer.exe) 15->58 60 Writes to foreign memory regions 15->60 62 2 other signatures 15->62 24 explorer.exe 8 1 15->24         started        27 iexplore.exe 2 83 18->27         started        29 WerFault.exe 20 9 20->29         started        31 WerFault.exe 22->31         started        process6 file7 40 C:\Users\user\Desktop\4818840.dat.dll, PE32 24->40 dropped 33 schtasks.exe 1 24->33         started        35 iexplore.exe 5 153 27->35         started        process8 dnsIp9 38 conhost.exe 33->38         started        42 img.img-taboola.com 35->42 44 edge.gycpi.b.yahoodns.net 87.248.118.22, 443, 49755, 49756 YAHOO-DEBDE United Kingdom 35->44 46 10 other IPs or domains 35->46 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a395600eca0288b1a6c84746245439360e1e9a6e7277126ec0777d74dbc2222c/
Threat name:
Win32.Trojan.GenCBL
Create hunting rule
Status:
Malicious
First seen:
2021-02-16 18:12:45 UTC
File Type:
PE (Dll)
AV detection:
19 of 48 (39.58%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uokwadwkakeldjwii5dcivbzgyhb5gtooj3re3wao56xjw6ceiwa._file
Verdict:
malicious
Similar samples:
02b7bfe067ff1bad4d91ffa222b08868a587c1c0b90ca945ac3798a3736a5aa6
Quakbot
032bae01808a8d28883604be98f20a3964be2e2d53e598e83acff15887bb4417
Quakbot
0ea6564393fd9d17cd3153e67a46181b10d9a5fdada9203c23f6278c23916386
Quakbot
11d92a8bbd12d0f4634904ccc0037f58e99ab9d71e8341930a25564b3f2dec78
Quakbot
60daac95bcce2b3021bb614a8fff918ac978e2f86e11ccaf9e8e50a1273f8d72
Quakbot
64cfb10817f12511be4941e97e4eb396194a0f7ab84e6ae33618e7d10f1f252f
Quakbot
7b338c9afc864fa9b2cda3591c494e9ac81d0a4e54161ffa966a10005c634528
Quakbot
d59e2f51017cbdba301b87bf66bcda4b2db53e98acd39e25744b9afa4649c117
Quakbot
f40bd7fcec5745ecbe463b8854854b5de6f6b770548fd9f24b864a93a14633c9
Quakbot
fc7a4edf9d9984d4a53b4296f0d0160436144bc5631b8c5b445a86f3bfa9ff61
Quakbot
+ 118 additional samples on MalwareBazaar
Unpacked files
SH256 hash:
bbfd63584a96d6e8e700eab340c4d2d685c504feee9e1966d8e050905c34c686
MD5 hash:
1705ed295dc007e6aada354df0eab708
SHA1 hash:
e6b64c2b5931432492908eff74514e184197f50b
Link:
https://www.unpac.me/results/a3016f4b-4814-45f5-abce-35387f2bbebe/
SH256 hash:
a395600eca0288b1a6c84746245439360e1e9a6e7277126ec0777d74dbc2222c
MD5 hash:
106b4adbd60d3ed9b382941f9e16a939
SHA1 hash:
63ae1bc6e8ddc6ff3e92d8c9b8def6b120749aba
Link:
https://www.unpac.me/results/a3016f4b-4814-45f5-abce-35387f2bbebe/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/a395600eca0288b1a6c84746245439360e1e9a6e7277126ec0777d74dbc2222c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:QakBot
Create hunting rule
Author:kevoreilly
Description:QakBot Payload
Rule name:qbot_bin
Create hunting rule
Author:James_inthe_box
Description:Qbot Qakbot
Reference:https://app.any.run/tasks/b89d7454-403c-4c81-95db-7ecbba38eb02
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
  
URLhaus
https://urlhaus.abuse.ch/url/1014395/
  
URLhaus
https://urlhaus.abuse.ch/url/1014396/
  
URLhaus
https://urlhaus.abuse.ch/url/1014398/
  
URLhaus
https://urlhaus.abuse.ch/url/1014399/
Cape
Cape
https://www.capesandbox.com/analysis/117416/

Comments