MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac7368bd75142d7c2c0990811ddcf4962ac5c6fc42c3a4b6846dfd80423c2750. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuakBot


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac7368bd75142d7c2c0990811ddcf4962ac5c6fc42c3a4b6846dfd80423c2750
SHA3-384 hash: 9f44e960f9442ea5916a59c70f7dd0983a2d3ad21dcaad8690a0ca3c567e15795fe27b6aa2dc2d8806e4f01e1ae62834
SHA1 hash: f7d9ff8ce2e6f05e2aba7200b0c57e2519d01261
MD5 hash: 4407e947cee11df396747fa7d4679c36
humanhash: edward-nebraska-fish-nitrogen
File name:ac7368bd75142d7c2c0990811ddcf4962ac5c6fc42c3a4b6846dfd80423c2750
Download: download sample
Signature QuakBot
Create hunting rule
File size:1'090'528 bytes
First seen:2020-11-10 11:17:00 UTC
Last seen:2024-07-24 20:11:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c1e35a855d20d45e9c84f5bd029dd388 (154 x Quakbot)
ssdeep 6144:8rnZIv8nfVIgRD83dykFICdy2RseNbDGyZ31EyVEgflH0tjKkaGInR+HlZzmP6Mj:8uofVhOsxn2RUYeKLPUhulLhJ9FCeZ
TLSH 233512D7F9BC8870CAED297B8993123C9A9585E85D05D10B0778A5ADBDF3300FE9244B
Reporter seifreed
Tags:Quakbot

Intelligence

File Origin
# of uploads :
2
# of downloads :
56
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Packed.Qbot-9781416-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching a process
Creating a window
Forced shutdown of a system process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/529817
Signature
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect virtual machines (IN, VMware)
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 314007 Sample: Giql6NWV50 Startdate: 11/11/2020 Architecture: WINDOWS Score: 100 36 Multi AV Scanner detection for submitted file 2->36 38 Yara detected Qbot 2->38 40 Machine Learning detection for sample 2->40 42 2 other signatures 2->42 7 Giql6NWV50.exe 4 2->7         started        11 Giql6NWV50.exe 2->11         started        13 Giql6NWV50.exe 2->13         started        process3 file4 32 C:\Users\user\AppData\Roaming\...\eijxagy.exe, PE32 7->32 dropped 34 C:\Users\user\...\eijxagy.exe:Zone.Identifier, ASCII 7->34 dropped 44 Detected unpacking (changes PE section rights) 7->44 46 Detected unpacking (overwrites its own PE header) 7->46 48 Contains functionality to detect virtual machines (IN, VMware) 7->48 50 Contains functionality to compare user and computer (likely to detect sandboxes) 7->50 15 eijxagy.exe 1 7->15         started        18 schtasks.exe 1 7->18         started        20 Giql6NWV50.exe 7->20         started        signatures5 process6 signatures7 52 Multi AV Scanner detection for dropped file 15->52 54 Detected unpacking (changes PE section rights) 15->54 56 Detected unpacking (creates a PE file in dynamic memory) 15->56 58 3 other signatures 15->58 22 eijxagy.exe 15->22         started        24 explorer.exe 15->24         started        26 explorer.exe 15->26         started        30 4 other processes 15->30 28 conhost.exe 18->28         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ac7368bd75142d7c2c0990811ddcf4962ac5c6fc42c3a4b6846dfd80423c2750/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2020-11-10 11:19:35 UTC
AV detection:
28 of 29 (96.55%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vrzwrplvcqwxylajscar3xhusyvmlrx4ilb2jnuenx6yaqr4e5ia._file
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot banker stealer trojan
Link:
https://tria.ge/reports/201110-lsa4sg9j3a/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Qakbot/Qbot
Unpacked files
SH256 hash:
ac7368bd75142d7c2c0990811ddcf4962ac5c6fc42c3a4b6846dfd80423c2750
MD5 hash:
4407e947cee11df396747fa7d4679c36
SHA1 hash:
f7d9ff8ce2e6f05e2aba7200b0c57e2519d01261
Link:
https://www.unpac.me/results/106d65d6-7b82-43e0-a3d7-9bd5c2bde9f9/
SH256 hash:
78c5a96607a03a1307a29c9489e49ac5910ca6edd605d4efce226a54ea87b76e
MD5 hash:
edb8a157a75736acffd86fe6a057b433
SHA1 hash:
ffaba2d93b5367957367681b7a276dac1406f0de
Detections:
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/106d65d6-7b82-43e0-a3d7-9bd5c2bde9f9/
Parent samples :
4f1566795077320406ae3ded8622923036b8531c9cde840a6540c66a366505dd
ac7368bd75142d7c2c0990811ddcf4962ac5c6fc42c3a4b6846dfd80423c2750
24f828742baaedb176d3dba0bdf3d06682c174a9b46b35bf5d145ee57f2aa643
77e8872e2c9a68dceed90a1e59d2805019963759747a1134be407f5bc14ce28b
58593fd5fb90f5fd420e3dcf0ed7e1fb5fcb5a3ac89acf685acc7d4c0e7df9ff
bf2e0f665eac44398fdeb7e3dc2451a9230686f6b8f0b18bb656d6a1bc8aad4e
d8be99a67635ce711c3d165e4e5ad8aad798bc398c92f8be924b5dec534063f0
54a201fb84a5b1c713037f0d687812aa96cd9029c933d9c316c1f035a9b3597e
SH256 hash:
70f8edb2076e9b292e18bf771ebd16743a11a2d37f562aaf1e5866e4dab98276
MD5 hash:
de4af510e42dcc60e03b7e5df12ba846
SHA1 hash:
3c7239c16e4107f7b9c9973d978f3284f37ed826
Detections:
win_qakbot_g0
Create hunting rule
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/106d65d6-7b82-43e0-a3d7-9bd5c2bde9f9/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments