MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 acb1a2562d23cd06da04a144712d3a0fbe7a7c37cd7532a2f0986803e44554ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuakBot


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: acb1a2562d23cd06da04a144712d3a0fbe7a7c37cd7532a2f0986803e44554ce
SHA3-384 hash: 64abfd8a0704d04cf1a2085fc4f25526ff929f68b1986ac3c87ef5a4a331b5e3cbfb911b59bcac26b682f6383f7ae20b
SHA1 hash: f4c91f31fabe007227b3b80a21612d45b5c3b6fd
MD5 hash: f7d8d1f90db508945c5fb0140bb45a75
humanhash: connecticut-gee-oregon-east
File name:acb1a2562d23cd06da04a144712d3a0fbe7a7c37cd7532a2f0986803e44554ce
Download: download sample
Signature QuakBot
Create hunting rule
File size:1'084'416 bytes
First seen:2020-11-10 11:17:28 UTC
Last seen:2024-07-24 20:12:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c1e35a855d20d45e9c84f5bd029dd388 (154 x Quakbot)
ssdeep 6144:/R/2biH4IXqIgRD83dhkFICdy2MsWNbDmqZ31EylEgflJ+tjKkmGInR+HlZzm56s:/RxfXqBOPxn2Mc2IKT5UhulLhJ9FCe
Threatray 976 similar samples on MalwareBazaar
TLSH FA3522D7F9BC8471CAED297F8993123C968A85E85D05D10B0778A5ADBDF3200FE9244B
Reporter seifreed
Tags:Quakbot

Intelligence

File Origin
# of uploads :
2
# of downloads :
62
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching a process
Creating a window
Forced shutdown of a system process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/529801
Signature
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect virtual machines (IN, VMware)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 313998 Sample: CYI9f57avr Startdate: 11/11/2020 Architecture: WINDOWS Score: 100 47 Multi AV Scanner detection for submitted file 2->47 49 Yara detected Qbot 2->49 51 Machine Learning detection for sample 2->51 53 2 other signatures 2->53 8 CYI9f57avr.exe 4 2->8         started        12 CYI9f57avr.exe 2->12         started        14 CYI9f57avr.exe 2->14         started        process3 file4 35 C:\Users\user\AppData\Roaming\...\lehzkb.exe, PE32 8->35 dropped 37 C:\Users\user\...\lehzkb.exe:Zone.Identifier, ASCII 8->37 dropped 55 Detected unpacking (changes PE section rights) 8->55 57 Detected unpacking (overwrites its own PE header) 8->57 59 Contains functionality to detect virtual machines (IN, VMware) 8->59 61 Contains functionality to compare user and computer (likely to detect sandboxes) 8->61 16 lehzkb.exe 1 8->16         started        19 schtasks.exe 1 8->19         started        21 CYI9f57avr.exe 8->21         started        signatures5 process6 signatures7 39 Multi AV Scanner detection for dropped file 16->39 41 Detected unpacking (changes PE section rights) 16->41 43 Detected unpacking (overwrites its own PE header) 16->43 45 2 other signatures 16->45 23 lehzkb.exe 16->23         started        25 explorer.exe 16->25         started        27 explorer.exe 16->27         started        31 4 other processes 16->31 29 conhost.exe 19->29         started        process8 process9 33 conhost.exe 29->33         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/acb1a2562d23cd06da04a144712d3a0fbe7a7c37cd7532a2f0986803e44554ce/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2020-11-10 11:22:16 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vsy2evrnepgqnwqeufchclj2b67hu7bxzv2tfixqtbuahzcfktha._file
Verdict:
malicious
Similar samples:
02b6b1f134e188ec672b2fa5a4c7013b77aaf4474fd0f99d31162625a45a5289
QuakBot
18a52a088f46ae8a4dbfc27760bdb3e22dda61ed353c8b8ff3dc16aaa1df4c43
QuakBot
24f828742baaedb176d3dba0bdf3d06682c174a9b46b35bf5d145ee57f2aa643
QuakBot
279c511ba3dd0151e5c969eeb34924fbdb4707d0ccd4d0ac36dc9f63324a7582
QuakBot
3ca3e5b6d16a79254fc3a225630ba6ccce14af026d05a7d07d52035f556c2743
QuakBot
73d8eec4558786e302ac9d8d4252a60eebdf4f66eec9925b58d437dbaa5d826e
QuakBot
96e21a6d02770fdff74ac912154f8c7c7a934d7236360485920c8550fa0050a1
QuakBot
a401e9208a31cca327a31ee872a258b358dbd276304625e461d46f5c656d5723
QuakBot
cbea93d2d24af4fa47dfa9e359a44452f31bff6d65f194cc720684e48a2c90f5
QuakBot
ce42bacf0b5fc43144e33f10aeb9de744de818f85dc44da62b05e64204c42580
QuakBot
+ 966 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot banker stealer trojan
Link:
https://tria.ge/reports/201110-p9yd3ac5m2/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Qakbot/Qbot
Unpacked files
SH256 hash:
acb1a2562d23cd06da04a144712d3a0fbe7a7c37cd7532a2f0986803e44554ce
MD5 hash:
f7d8d1f90db508945c5fb0140bb45a75
SHA1 hash:
f4c91f31fabe007227b3b80a21612d45b5c3b6fd
Link:
https://www.unpac.me/results/8c3dd1d1-d485-4231-8384-27bbda8d9fa3/
SH256 hash:
52967f6ba913e7e9d7e4d2fdfa5cae1b60c6eb7043c919f1cb37b44e9470a851
MD5 hash:
10f0b4055e20a263a0b027a3e681c810
SHA1 hash:
110a5bd1db6b78ee9c5ca0c2a74c6d8ee3da6c88
Detections:
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/8c3dd1d1-d485-4231-8384-27bbda8d9fa3/
Parent samples :
acb1a2562d23cd06da04a144712d3a0fbe7a7c37cd7532a2f0986803e44554ce
b644206586b6aa00d023a65da373503824e68a032890d4ca99f8532257d07dc1
056d2928fb23fd229cddb9b79ac084e58e3340c4c8e4a403ceb81d149749892b
063e0c71b3ede4a7d8a8cd1d1e35432b2e3ce0bf1dfd58c266e93ea91b8895fa
5b2a3d67ecebd9a22fc7452f012273a7e5ed5b6331096505aa44f1ac8696c35f
SH256 hash:
4534d68aad77d5cec80d61eeff7586cd03110f8a33ae515a4c5fa8fbc8ad8bef
MD5 hash:
ceb5db1e6f2f84e545eeaef36d12da2c
SHA1 hash:
00d32aa48b3e1d87395f3d97cb1119f9e1b7c36d
Detections:
win_qakbot_g0
Create hunting rule
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/8c3dd1d1-d485-4231-8384-27bbda8d9fa3/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments