MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a401e9208a31cca327a31ee872a258b358dbd276304625e461d46f5c656d5723. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuakBot


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a401e9208a31cca327a31ee872a258b358dbd276304625e461d46f5c656d5723
SHA3-384 hash: c3d537a7d1df78636b645b3c8f70bd2f2f5238ace0e78742d6010ebecb5573c427f956ac00abb68d44bde20a8acd9380
SHA1 hash: c2ac9f831346b85440cebcc282eff918366a8aa5
MD5 hash: eb64a061c3da07d7ce5f13eeb6c4adb6
humanhash: red-floor-mockingbird-wyoming
File name:a401e9208a31cca327a31ee872a258b358dbd276304625e461d46f5c656d5723
Download: download sample
Signature QuakBot
Create hunting rule
File size:1'084'416 bytes
First seen:2020-11-09 21:58:49 UTC
Last seen:2020-11-09 23:43:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c1e35a855d20d45e9c84f5bd029dd388 (154 x Quakbot)
ssdeep 6144:IZ+3S9vyRiqI4RD83dRkFICdy20s6NbDUWZ31EyNEgfdlktjKkuGInR+HlZzmU6s:IZjwiqJOrxn20yyuK7UUhulLhJ9FCe
Threatray 852 similar samples on MalwareBazaar
TLSH B43512D7F9BC8471CAED297F8993123C968A85E85D05D10B0778A5ADBDF3200FE9244B
Reporter seifreed
Tags:Quakbot

Intelligence

File Origin
# of uploads :
2
# of downloads :
117
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Variant.Razy.770944.13540.27624.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching a process
Sending a UDP request
Creating a window
Forced shutdown of a system process
Enabling autorun by creating a file
Result
Threat name:
Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/527491
Signature
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect virtual machines (IN, VMware)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 312836 Sample: 7lsnhmINEv Startdate: 10/11/2020 Architecture: WINDOWS Score: 100 36 Multi AV Scanner detection for submitted file 2->36 38 Yara detected Qbot 2->38 40 Machine Learning detection for sample 2->40 42 2 other signatures 2->42 7 7lsnhmINEv.exe 4 2->7         started        11 7lsnhmINEv.exe 2->11         started        13 7lsnhmINEv.exe 2->13         started        process3 file4 32 C:\Users\user\AppData\Roaming\...\eukpsiv.exe, PE32 7->32 dropped 34 C:\Users\user\...\eukpsiv.exe:Zone.Identifier, ASCII 7->34 dropped 44 Detected unpacking (changes PE section rights) 7->44 46 Detected unpacking (overwrites its own PE header) 7->46 48 Contains functionality to detect virtual machines (IN, VMware) 7->48 50 Contains functionality to compare user and computer (likely to detect sandboxes) 7->50 15 eukpsiv.exe 1 7->15         started        18 schtasks.exe 1 7->18         started        20 7lsnhmINEv.exe 7->20         started        signatures5 process6 signatures7 52 Multi AV Scanner detection for dropped file 15->52 54 Detected unpacking (changes PE section rights) 15->54 56 Detected unpacking (overwrites its own PE header) 15->56 58 2 other signatures 15->58 22 eukpsiv.exe 15->22         started        24 explorer.exe 15->24         started        26 explorer.exe 15->26         started        30 4 other processes 15->30 28 conhost.exe 18->28         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a401e9208a31cca327a31ee872a258b358dbd276304625e461d46f5c656d5723/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2020-11-09 22:39:11 UTC
AV detection:
34 of 48 (70.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uqa6siekghgkgj5dd3uhfisywnmnxutwgbdclzdb2rxvyzlnk4rq._file
Verdict:
malicious
Similar samples:
02b6b1f134e188ec672b2fa5a4c7013b77aaf4474fd0f99d31162625a45a5289
QuakBot
0652d513a2c43aaabbb806eeda3e035aa3b12449a718610d42453896d9f97751
QuakBot
12a33b4cbaa8523b49fbf03ce5ac773e1846660662a0ca67b7dae618606e6ae4
QuakBot
18a52a088f46ae8a4dbfc27760bdb3e22dda61ed353c8b8ff3dc16aaa1df4c43
QuakBot
9adfaa5b63a6a5456740d383e463055f47b796114675f0912e185638ad135d4a
QuakBot
aab0cda9f1d257a3affd8ee4c8b7eb06369d598afa2a1daa3f0780851fc083cc
QuakBot
b78c608b6efdbcab010375b990d029eefd2aa139b5796cd5b10adf50a8e48ec3
QuakBot
c118e4088bc5aaffebe7208df9f01da9d70ba625ba020c593723495c0954a203
QuakBot
e187fbf6543d1993f0945c04ee520600b6493236bae169a020f9a10c547e249d
QuakBot
e623ccc3e7951238e956cd57702bc2375b0649d5d550fb4ad29e24f6b9323adf
QuakBot
+ 842 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot banker stealer trojan
Link:
https://tria.ge/reports/201109-qqjkynt8ln/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Qakbot/Qbot
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
qbot
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a401e9208a31cca327a31ee872a258b358dbd276304625e461d46f5c656d5723

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments