MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b111a710a0a9f11092e94035e9609266d1a69b4aa7031c6d67528ee106d36216. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	b111a710a0a9f11092e94035e9609266d1a69b4aa7031c6d67528ee106d36216
SHA3-384 hash:	9b091614a61f05aa1feb4ce522c30264ef4aa2dd5dec890469e28aec53bcd5000fef7885703ca78c6963a120ef13e8f9
SHA1 hash:	6d59672e81a0235148f55c71ab5063c560649fbe
MD5 hash:	a1e08555284c0b288a8c36a4348f7dac
humanhash:	zulu-kitten-kitten-xray
File name:	coit3.dll
Download:	download sample
Signature	Quakbot Create hunting rule
File size:	1'752'205 bytes
First seen:	2022-04-08 13:34:31 UTC
Last seen:	2022-04-08 14:34:46 UTC
File type:	dll
MIME type:	application/x-dosexec
imphash	680b9682922177224183342c299d809f (7 x Quakbot)
ssdeep	24576:nKtpZm23yqec9S5hZqT5/ZMoK3EHBCTFvfrr+E+OLzO9AO4k17vvoA+rXBxQHKbC:nC3LoqNG0HBi1X+5OmmPA7Hj+hb
Threatray	431 similar samples on MalwareBazaar
TLSH	T1A9859E62AE9D4876C076363C8C1F6259A8297E103D289C5E67E80D0DCF3A7917F2539F
File icon (PE):
dhash icon	399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter	k3dg3___
Tags:	AA dll qbot Quakbot ta577

Intelligence

File Origin

# of uploads :

# of downloads :

336

Origin country :

n/a

Vendor Threat Intelligence

Detection:

QakBot

Link:

https://www.capesandbox.com/analysis/262161/

Detection(s):

SecuriteInfo.com.Variant.Zusy.420298.14925.26791.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Сreating synchronization primitives

Sending a custom TCP request

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

control.exe greyware hacktool keylogger overlay packed replace.exe

Link:

https://www.filescan.io/uploads/62503a0cbbd90911a297f11c/reports/f8d9a452-b697-41f3-a558-f13cb89fb104/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Qakbot

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/06738532-0e01-426c-b91e-c87cc6c01ace

Result

Threat name:

CryptOne

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/973200

Signature

Allocates memory in foreign processes

Contains functionality to detect sleep reduction / modifications

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Sigma detected: Suspicious Call by Ordinal

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected CryptOne packer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b111a710a0a9f11092e94035e9609266d1a69b4aa7031c6d67528ee106d36216/

Threat name:

Win32.Trojan.Convagent

Status:

Malicious

First seen:

2022-04-08 13:35:10 UTC

File Type:

PE (Dll)

Extracted files:

140

AV detection:

22 of 42 (52.38%)

Threat level:

5/5

Verdict:

malicious

Label(s):

qakbot

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/220408-qvnamsdbd4/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Program crash

Unpacked files

SH256 hash:

bf04523fce7b0628926817e18c96d5f48ed6188bf6e0cdda5393f23b8e774eff

MD5 hash:

866f69e6f561dc350287f9c722a6aacd

SHA1 hash:

a5b086b997f025fda7e64d8e4ac068c9dbe1a1c1

Link:

https://www.unpac.me/results/af2e50cc-4b08-4ba8-9676-bd353eff2aa2/

SH256 hash:

9c0c05d82606cd1794128205143710209b69d1d1a451f15404bc577a78f0a3fb

MD5 hash:

cd720781c3c7e6afcd59765fafeeef7d

SHA1 hash:

820fb3bb4768f98489d1cb05dbc5599e6d443991

Link:

https://www.unpac.me/results/af2e50cc-4b08-4ba8-9676-bd353eff2aa2/

SH256 hash:

b111a710a0a9f11092e94035e9609266d1a69b4aa7031c6d67528ee106d36216

MD5 hash:

a1e08555284c0b288a8c36a4348f7dac

SHA1 hash:

6d59672e81a0235148f55c71ab5063c560649fbe

Link:

https://www.unpac.me/results/af2e50cc-4b08-4ba8-9676-bd353eff2aa2/

Malware family:

CryptOne

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/b111a710a0a9/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b111a710a0a9f11092e94035e9609266d1a69b4aa7031c6d67528ee106d36216

File information

The table below shows additional information about this malware sample such as delivery method and external references.

15cc1ec8769f2bff81d4d9ffb02f5ae2b957355149bcb5931c9b8c1cfc0e4fa1

Quakbot

DLL dll b111a710a0a9f11092e94035e9609266d1a69b4aa7031c6d67528ee106d36216

(this sample)

Dropped by

SHA256 15cc1ec8769f2bff81d4d9ffb02f5ae2b957355149bcb5931c9b8c1cfc0e4fa1

Delivery method

Distributed via e-mail link

Cape

https://www.capesandbox.com/analysis/262161/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample