MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aaa32ff3e41c61fe828f0850e702f5ed7ffd6177c4bf80ed15324525537f44cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Quakbot


Vendor detections: 9


Intelligence 9 IOCs YARA 12 File information Comments

SHA256 hash: aaa32ff3e41c61fe828f0850e702f5ed7ffd6177c4bf80ed15324525537f44cd
SHA3-384 hash: 48958f2d642598b77b5e15e5ea2baf8f2130ffbdbfa1169d5b752b5470645a5b1e98fbb5c6c3fbdaf9e5713838e589e3
SHA1 hash: 2d688dfee28f75553bc1d3633f891d2e70e0408b
MD5 hash: 08e52afbefa423fb9f1ea0af88a4880e
humanhash: potato-oscar-mango-twelve
File name:plan-515372324.xlsb
Download: download sample
Signature Quakbot
File size:159'199 bytes
First seen:2021-06-29 22:05:34 UTC
Last seen:2021-06-29 22:43:46 UTC
File type:Excel file xlsx
MIME type:application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
ssdeep 3072:q9VlUBWA6CFvA7bpKCxAVIKa8d/p4DqLdb1luxVymd1xXPtLrC/:q3liWA6FVNYa8dh4exQxVyWxfta
TLSH 50F3020DD310A4D8D667303881037CDD591A756BB8C3FE4F2AB97E99A6020DB36CE71A
Reporter @malware_traffic
Tags:excel macros Qakbot qbot Quakbot xlsx

Intelligence


File Origin
# of uploads :
2
# of downloads :
558
Origin country :
US US
Mail intelligence
No data
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
plan-515372324.xlsb
Verdict:
Malicious activity
Analysis date:
2021-06-29 22:04:00 UTC
Tags:
maldoc-42

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Legit
File type:
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
Has a screenshot:
False
Contains macros:
False
Result
Verdict:
Malicious
File Type:
OOXML Excel File with Excel4Macro
Alert level:
100%
Document image
Document image
Result
Verdict:
MALICIOUS
Details
Macro Execution Coercion
Detected a document that appears to social engineer the user into activating embedded logic.
Result
Threat name:
Hidden Macro 4.0
Detection:
malicious
Classification:
expl.evad
Score:
72 / 100
Signature
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Found abnormal large hidden Excel 4.0 Macro sheet
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Microsoft Office Product Spawning Windows Shell
Behaviour
Behavior Graph:
Threat name:
Document-Office.Backdoor.Quakbot
Status:
Malicious
First seen:
2021-06-17 05:49:51 UTC
AV detection:
10 of 46 (21.74%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  10/10
Tags:
macro xlm
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Process spawned unexpected child process
Malware Config
Dropper Extraction:
https://khangland.pro/v8gEDeSB/sun.html
https://jaipurbynite.com/stLdQs9R53/sun.htm

YARA Signatures


MalareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious proccess dumps they may create. Please note that only results from TLP:WHITE rules are being displayeyd.

Rule name:ach_Quakbot_xlsb_20201023
Author:abuse.ch
Description:Detects Quakbot XLS
Rule name:ach_SmokeLoader_xlsb_20201112
Author:abuse.ch
Description:Detects Smoke Loader XLSB
Rule name:buerloader_halo_generated
Author:Halogen Generated Rule, Corsin Camichel
Rule name:dridex_halo_generated
Author:Halogen Generated Rule, Corsin Camichel
Rule name:Email_stealer_bin_mem
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:IPPort_combo_mem
Author:James_inthe_box
Description:IP and port combo
Rule name:quakbot_halo_generated
Author:Halogen Generated Rule, Corsin Camichel
Rule name:Select_from_enumeration
Author:James_inthe_box
Description:IP and port combo
Rule name:SharedStrings
Author:Katie Kleemola
Description:Internal names found in LURK0/CCTV0 samples
Rule name:silentbuilder_halo_generated
Author:Halogen Generated Rule, Corsin Camichel
Rule name:UAC_bypass_bin_mem
Author:James_inthe_box
Description:UAC bypass in files like avemaria

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments