MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd35fbaa9b56c8bada6f731b09b9db2297eced473bbbc96d355fe24b43ddd248. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuakBot

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	bd35fbaa9b56c8bada6f731b09b9db2297eced473bbbc96d355fe24b43ddd248
SHA3-384 hash:	d539b6ee709fdf5439f86921e32d5a64c16182b24bf08836c2c860524aa1cee8d09aa1ad17e8352619ecad97f292866f
SHA1 hash:	c2bab520986e695965303feb8566fe29f1d53fff
MD5 hash:	b4fbf52b87a1d3621fae00cf4ef353f4
humanhash:	iowa-mountain-william-sink
File name:	bd35fbaa9b56c8bada6f731b09b9db2297eced473bbbc96d355fe24b43ddd248
Download:	download sample
Signature	QuakBot Create hunting rule
File size:	271'872 bytes
First seen:	2020-11-14 18:28:32 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	015974618e9105226f001019d35e62e5 (1'506 x Quakbot)
ssdeep	6144:DLfhdM/bXZswyIyO6t0nh7lqoDKOAP4Pshaos:nvKbXWNmVHelmEaos
TLSH	3144F12324759436F81647F68DA6D2B10D6E7828AE3145CF2FC85308472E9F28B777DA
Reporter	seifreed
Tags:	Quakbot

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Malware.Lupus-9787367-0

Win.Packed.Qbot-9791227-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a process with a hidden window

Creating a file in the Windows subdirectories

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

Launching a process

Creating a window

Unauthorized injection to a system process

Enabling autorun by creating a file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bd35fbaa9b56c8bada6f731b09b9db2297eced473bbbc96d355fe24b43ddd248/

Threat name:

Win32.Backdoor.Quakbot

Status:

Malicious

First seen:

2020-11-14 18:31:31 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xu27xku3k3elvwtpomnqtoo3ekl6z3khho54s3jvl7rewq652jea._file

Result

Malware family:

qakbot

Score:

10/10

Tags:

family:qakbot banker stealer trojan

Link:

https://tria.ge/reports/201114-nhelw342fx/

Behaviour

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Qakbot/Qbot

Unpacked files

SH256 hash:

bd35fbaa9b56c8bada6f731b09b9db2297eced473bbbc96d355fe24b43ddd248

MD5 hash:

b4fbf52b87a1d3621fae00cf4ef353f4

SHA1 hash:

c2bab520986e695965303feb8566fe29f1d53fff

Link:

https://www.unpac.me/results/bb2ff31c-1f3e-436a-9eea-adabd684585b/

SH256 hash:

fb80bb311db84a697359f90cd4d30289e78a8c92536ab8b695a0b09b4e64cf0c

MD5 hash:

06f1d5e7ef4c5b87911da035ad6b94d3

SHA1 hash:

1d1ba165d55151ee048d6d9e05392ff2e4efd2e7

Detections:

win_qakbot_g0

win_qakbot_auto

Link:

https://www.unpac.me/results/bb2ff31c-1f3e-436a-9eea-adabd684585b/

SH256 hash:

a704748cdceb5e5f96cd6e131ac644f90a4afe03db1c793970a2336c4a5dea77

MD5 hash:

1724a458d86ec5b7aeda2b0e96176d66

SHA1 hash:

ef53ef5f37d66a0789677dc690d3fdc5d19103e6

Detections:

win_qakbot_auto

Link:

https://www.unpac.me/results/bb2ff31c-1f3e-436a-9eea-adabd684585b/

Parent samples :

6ca8c7e8acaec97b05aa175a11e2e474621706a320eca4b1b0096d6a150c162c
d9ea9dc5a145e58531ea7b29cd4e38bbc8c36011590f3fada67f54829d6bd118
8f29ad62267629b927d763f557e10e3d4ed3b77c118c02bb143e51d4b4063d2b
38966308974a1973a0ff01395612965813e52cd3c4929e11b32027a5dd461dd9
5a6d7886458e2bf4e05af49a375c0df110893c72568a7f9fd804bbf889e81535
8df12f8055512ff01c690e1b45777fab03eddaf60845afbfadaa3b3d225e3aec
8460eff35d8d6196b16f1b67cfd1557176138962ce63c1eeb0553a700c84c923
789d5cbf2f1d5cf98ab6c8ed84f472786559f6f1dc8cabc5ddbd48b6f25cfe39
bd35fbaa9b56c8bada6f731b09b9db2297eced473bbbc96d355fe24b43ddd248
c135fe92da22d209e22fc7c9ad83d2456f9f783874b1c9ed9be87fed650510e0
2372c12bf9bb289210f9be4cde76110e2848dd34d3c345df8991698b5f024741
0bda4b37e2a0a89a0272b0a5bc87cc25de33ba4ebf4e4c4b35f5094a455c01c9

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

qbot

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bd35fbaa9b56c8bada6f731b09b9db2297eced473bbbc96d355fe24b43ddd248

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample