MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aaaac7add78fd2f9eb7638559958432498ed11480acf706d6023923fc75a48ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 9

SHA256 hash: aaaac7add78fd2f9eb7638559958432498ed11480acf706d6023923fc75a48ec
SHA3-384 hash: 3f27148df1f3b2fb0616c8d3e6d1fd99a61e9cd710b1aa601afd0967289fc9b32572890703986b8adcaac80eda951751
SHA1 hash: 1f33182c46d587c40e642874ccb6001bdc86bba5
MD5 hash: a10a2c494cac5eafccee74cc73648646
humanhash: bluebird-green-white-sweet
File name: dxv1.ocx
Signature: Quakbot
File size: 818'105 bytes
First seen: 2022-02-14 15:24:12 UTC
Last seen: Never
File type: DLL dll
MIME type: application/x-dosexec
imphash: d8b6fe98d2b0a8d6f73ca1ea92363dc6 (4 x Quakbot)
ssdeep: 24576:g74I8i4ZOpi+cQcFRnb9lgo+1TAaKBsXg:5i4ZYi+cQcFRb4o+1TAaKBsX
TLSH: T1BC050B9DA3D01ACEB1DA28AC761833D90F960FF10A7EB073E1132C8516B51F94E66B57
Reporter: ffforward
Tags: dll Qakbot qbot Quakbot tr

Intelligence


File Origin
# of uploads: 1
# of downloads: 238
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Creating a window
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: overlay qbot
Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 84 / 100
Signature
Allocates memory in foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Suspicious Call by Ordinal
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph (graph image not reproduced; recoverable details follow): Behavior Graph ID: 571964, Sample: dxv1.ocx, Startdate: 14/02/2022, Architecture: WINDOWS, Score: 84. Start-node signatures: Multi AV Scanner detection for submitted file; Yara detected Qbot; Machine Learning detection for sample; Sigma detected: Suspicious Call by Ordinal. Process tree: loaddll32.exe is started (signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 2 other signatures) and starts regsvr32.exe, cmd.exe, rundll32.exe and 3 other processes. regsvr32.exe (same three signatures) starts explorer.exe, which dropped C:\Users\user\Desktop\dxv1.dll (PE32). cmd.exe starts rundll32.exe, which (same three signatures plus 2 other signatures) starts explorer.exe. The rundll32.exe started directly by loaddll32.exe (Allocates memory in foreign processes; Maps a DLL or memory area into another process) starts explorer.exe; the 3 other processes start two further explorer.exe instances.
Threat name: Win32.Trojan.BotX
Status: Malicious
First seen: 2022-02-14 15:25:10 UTC
File Type: PE (Dll)
Extracted files: 1
AV detection: 22 of 28 (78.57%)
Threat level: 5/5
Verdict: malicious
Label(s):
Result
Malware family:
Score: 10/10
Tags: family:qakbot banker evasion stealer trojan
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Loads dropped DLL
Qakbot/Qbot
Windows security bypass
Unpacked files
SHA256 hash: 1a0c09bb5f2ed0f38e1fd73a07c6e4051a2f2491c455f390dba0c486bc9e73f1
MD5 hash: 4427cc8ddde527d53b7a663360cadcf4
SHA1 hash: 8c11f52cdfdc806bd845bfb811a1eca8f402fabc
SHA256 hash: ac7bc57a751a62e1a4093de927ba59eb5bd1c5176f80a5e6de136941559a0fde
MD5 hash: 680126503ad184c8225f04eff50eea58
SHA1 hash: ce44bea3df13c42c857d3813976c48b318263d26
SHA256 hash: aaaac7add78fd2f9eb7638559958432498ed11480acf706d6023923fc75a48ec
MD5 hash: a10a2c494cac5eafccee74cc73648646
SHA1 hash: 1f33182c46d587c40e642874ccb6001bdc86bba5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: Quakbot, DLL dll, aaaac7add78fd2f9eb7638559958432498ed11480acf706d6023923fc75a48ec (this sample)

Delivery method: Distributed via web download

Comments