MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae6f051dcb87c4515f9d4809c02dca07f452a03b19c4177a8717873a050d6e70. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ae6f051dcb87c4515f9d4809c02dca07f452a03b19c4177a8717873a050d6e70
SHA3-384 hash: c13050d98083d40bf599aaf06412c0d482f78e915bcbadfb2a7fb61423b905b689ea2be50c00b84f7924cb15070ef31a
SHA1 hash: 667a1448d6ec375aa2149da1e753f3739ea2eeb4
MD5 hash: 7d05bc25816014bd1a26f038f9c8a1ed
humanhash: ack-oklahoma-mississippi-eight
File name:44616.6382774305.dll
Download: download sample
Signature Quakbot
Create hunting rule
File size:864'256 bytes
First seen:2022-02-24 17:15:22 UTC
Last seen:2022-02-24 18:53:32 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash c1121acfcf8b9aeea983fd06a6c0a74e (12 x Quakbot)
ssdeep 12288:l9hhPVn6mBXIlb5oC7QMDkbWlV4AuBmzKT5NQMvNHgTJfnoHu:/XometXnD+WHTWT59O
Threatray 48 similar samples on MalwareBazaar
TLSH T11805AE1253724835DB3B4F38ED4B12A89C15FDF2F86898F5AED4A8687B386512C5B307
File icon (PE):PE icon
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter JAMESWT_WT
Tags:dll Qakbot Quakbot

Intelligence

File Origin
# of uploads :
2
# of downloads :
164
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/244384/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.27922.25112.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Searching for synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe greyware keylogger packed
Link:
https://www.filescan.io/uploads/6217bd57a6f52d32f182fc5a/reports/645e8882-f54d-4afc-9ce9-7175d13f9dfb/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2bf5d6b3-584a-4ee4-89ee-f3ff53cae79d
Result
Threat name:
CryptOne Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/945945
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Found malware configuration
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Suspicious Call by Ordinal
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected CryptOne packer
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 578422 Sample: 44616.6382774305.dll Startdate: 24/02/2022 Architecture: WINDOWS Score: 100 22 Found malware configuration 2->22 24 Multi AV Scanner detection for submitted file 2->24 26 Yara detected CryptOne packer 2->26 28 4 other signatures 2->28 8 loaddll32.exe 1 2->8         started        process3 signatures4 30 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->30 32 Injects code into the Windows Explorer (explorer.exe) 8->32 34 Writes to foreign memory regions 8->34 36 3 other signatures 8->36 11 cmd.exe 1 8->11         started        13 explorer.exe 8 1 8->13         started        process5 process6 15 rundll32.exe 11->15         started        signatures7 38 Maps a DLL or memory area into another process 15->38 40 Contains functionality to detect sleep reduction / modifications 15->40 18 WerFault.exe 23 9 15->18         started        20 explorer.exe 15->20         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ae6f051dcb87c4515f9d4809c02dca07f452a03b19c4177a8717873a050d6e70/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-02-24 17:16:11 UTC
File Type:
PE (Dll)
Extracted files:
38
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vzxqkholq7cfcx45jae4aloka72ffib3dhcbo6uhc6dtubinnzya._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
036c25ca8f8bfd424dc22bdacdfc1b1b101afd51fa60391253a757c075b62964
Quakbot
059a6c067f565735b25659c9537eaf1f4ce72f47ba325900f09872aea288bd0e
Quakbot
283fed02e9434975e43435a8748ab01451199a061da32e94e39128fd7745db24
Quakbot
532f5a32f685a1acdb7c0982bb4fd721852af1e9fb278bf5d0faa82a6741f3c8
Quakbot
67486db1b558b02235a0a8edaa7183ab707c3c8d12ec87231cd12445856e2398
Quakbot
790951787b259b98ea0f3b7face9c805643bd5e36b2d8a9d92d6d20a7107971b
Quakbot
af9ff6ecb351b6b63446c24677070b767b8f77b0a53feccdfde2c42c1205c258
Quakbot
be7e0c5b7566efa2d8b39bada9bd9e114f8ccc27c71327026f616e85bb2adb30
Quakbot
c1c8bacb9d1cbcef187da4adfde7761c91543e84223a37385fd5c25803e1d16f
Quakbot
+ 38 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/220224-vs5t5aefem/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Loads dropped DLL
Suspicious use of NtCreateProcessExOtherParentProcess
Windows security bypass
Unpacked files
SH256 hash:
8854051db65d8a8743b263d8f0349095222a4a035152a7958033e924148b22b5
MD5 hash:
9dad75a83c453b02a8a3dcd1825281d4
SHA1 hash:
6d8cca1fe2630070e02f095445a0c77be0a165e9
Link:
https://www.unpac.me/results/6d9be2e8-92ad-45fe-b40b-2333826f0772/
SH256 hash:
d43e0141811b4a4665c27efcf0ec1c62f9824db9303c279e6bd8c95276bcb83f
MD5 hash:
6235eaecef4d922cf80cc97f87d96681
SHA1 hash:
1a6c870b25feddb7328f202a13baff4331b3adf4
Link:
https://www.unpac.me/results/6d9be2e8-92ad-45fe-b40b-2333826f0772/
SH256 hash:
ae6f051dcb87c4515f9d4809c02dca07f452a03b19c4177a8717873a050d6e70
MD5 hash:
7d05bc25816014bd1a26f038f9c8a1ed
SHA1 hash:
667a1448d6ec375aa2149da1e753f3739ea2eeb4
Link:
https://www.unpac.me/results/6d9be2e8-92ad-45fe-b40b-2333826f0772/
Malware family:
CryptOne
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/ae6f051dcb87/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ae6f051dcb87c4515f9d4809c02dca07f452a03b19c4177a8717873a050d6e70

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/244384/

Comments