MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac6e0692344b93b9f4e147ddac09b597ca51e268d4002174ccaa6982f57eb46e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac6e0692344b93b9f4e147ddac09b597ca51e268d4002174ccaa6982f57eb46e
SHA3-384 hash: 1fdcde94cd2ec748b5795ec561d07b80a97f2cb102aa107d2f2c7f6687503646ec594078854662a7dc4d06d120091f2b
SHA1 hash: 71ab68867f3a3945158f3183a312aac4bd89bfe2
MD5 hash: 711f31ab27f8b6aeb0531543e8310a0d
humanhash: alaska-arizona-mockingbird-tennis
File name:711f31ab27f8b6aeb0531543e8310a0d.dll
Download: download sample
Signature Quakbot
Create hunting rule
File size:261'592 bytes
First seen:2020-11-25 17:52:58 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash fcb7e66723aeaab780b1c2b44639282c (1 x Quakbot)
ssdeep 3072:73BNzcIx2gLs5VVnvQYyLTUQHPH3MkKiXy4o+4z774L4yFpeQjLrmzht3WaM0l:7fXgB9yLTUQvH3nKiXtozvYpewrkRMa
Threatray 1'332 similar samples on MalwareBazaar
TLSH 4144AF79BA12DC12E6682BB062C36FD81E879AD93510510F59F15F9CBEEA3847C13BC4
Reporter abuse_ch
Tags:dll Quakbot

Intelligence

File Origin
# of uploads :
1
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/105673/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the Windows subdirectories
Launching a process
Modifying an executable file
Creating a process with a hidden window
Creating a window
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/547281
Signature
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 322747 Sample: xJzEqkgXO4.dll Startdate: 25/11/2020 Architecture: WINDOWS Score: 76 35 Multi AV Scanner detection for submitted file 2->35 37 Yara detected Qbot 2->37 39 Machine Learning detection for sample 2->39 41 Uses schtasks.exe or at.exe to add and modify task schedules 2->41 8 loaddll32.exe 1 2->8         started        11 regsvr32.exe 2->11         started        13 regsvr32.exe 2->13         started        process3 signatures4 43 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->43 45 Injects code into the Windows Explorer (explorer.exe) 8->45 47 Maps a DLL or memory area into another process 8->47 15 explorer.exe 8 1 8->15         started        18 regsvr32.exe 11->18         started        20 regsvr32.exe 13->20         started        process5 file6 31 C:\Users\user\Desktop\xJzEqkgXO4.dll, PE32 15->31 dropped 22 schtasks.exe 1 15->22         started        24 WerFault.exe 20 9 18->24         started        27 WerFault.exe 9 20->27         started        process7 dnsIp8 29 conhost.exe 22->29         started        33 192.168.2.1 unknown unknown 24->33 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ac6e0692344b93b9f4e147ddac09b597ca51e268d4002174ccaa6982f57eb46e/
Threat name:
Win32.Trojan.QBot
Create hunting rule
Status:
Malicious
First seen:
2020-11-25 17:54:15 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
05fc949a1d235d88ebf502b47633eb9d6bd5661153869a6a596b853719af919a
Quakbot
204d220c365234d042f104b9d3f31c78f6aec0baa208a8ed5832340c63b0e252
Quakbot
53df5bb98b96c6a2be5ff6236ab930d8ae6e7ecff953adec7e93c3978c9a81d7
Quakbot
90828f1b7e4b93c6b19b11167ec12c2a81fecf73ca18cd6d17ea1696f7709bf6
Quakbot
acaf0b60acb73370b7ebf96ecbfd947da545dda84413333ca918cb46cca87f7e
Quakbot
c87c90e4ca093cb6ee55d605f08d1f679df35ebfe7943ffeef41ab1d2e7e39a0
Quakbot
e0d2dc14d215014e1ebd9828a29a77de5e384a4a178ae785a915756501716e32
Quakbot
e425a05ee8bd5ee32371857078122e04790578a16ca2c3b68bb89e41f33d04a2
Quakbot
f0e89069b78233ed90b2760d5909a7bde373b6787372770a443ba43bcc0b16e4
Quakbot
f8577b751ea68e1e0b746aaceddcfa6e537f855af60aa9dab9881c8c39a3f662
Quakbot
+ 1'322 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/201125-fn8l6qafcs/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Program crash
Loads dropped DLL
Unpacked files
SH256 hash:
ac6e0692344b93b9f4e147ddac09b597ca51e268d4002174ccaa6982f57eb46e
MD5 hash:
711f31ab27f8b6aeb0531543e8310a0d
SHA1 hash:
71ab68867f3a3945158f3183a312aac4bd89bfe2
Link:
https://www.unpac.me/results/df9077fc-0c8d-4da3-bf1d-f9090b725194/
SH256 hash:
2f90d572b1d449a524086d7f667183d3f65652ac255890e0e6b6a45b5462ae71
MD5 hash:
917f657d8a3dc25dc5b8219511624fbb
SHA1 hash:
32363973a8d01bfcf8d844ef37ca350d4d3b206c
Link:
https://www.unpac.me/results/df9077fc-0c8d-4da3-bf1d-f9090b725194/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ac6e0692344b93b9f4e147ddac09b597ca51e268d4002174ccaa6982f57eb46e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Quakbot

DLL dll ac6e0692344b93b9f4e147ddac09b597ca51e268d4002174ccaa6982f57eb46e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/853445/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/105673/

Comments