MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bfb03d7fc0d96a912aad1956dadd103251afab4f416ecfccf94cbadf6b7aeb60. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bfb03d7fc0d96a912aad1956dadd103251afab4f416ecfccf94cbadf6b7aeb60
SHA3-384 hash: 8dec4a2258c7d2d758f62c833f1bde14ed08d5dac94c997cb19747261757d08f2a363644f1a05c86bc3e62a1facdb067
SHA1 hash: 517199047f6b7efa38719761c59b789b5fcd22ef
MD5 hash: a99ea3fe82d84c097753a3fbf7ce99ba
humanhash: pip-victor-early-florida
File name:titrated.dll
Download: download sample
Signature Quakbot
Create hunting rule
File size:753'664 bytes
First seen:2022-12-12 22:47:21 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash f181b947d0531cbd123f4eb06366bb2b (5 x Quakbot)
ssdeep 12288:aeY5BmFRiqAoWyeDngR2wLBd4qClKqttnwd8QxD68gvg8xEcmXXtFWs/:1go9WngRjClKqrJNyc2dFJ
Threatray 1 similar samples on MalwareBazaar
TLSH T1A0F42602EDC55F6BC93EA17209DF89611AB6C8447F128A27B7AC1A263423754BFD371C
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter pr0xylife
Tags:1670829462 BB10 dll Qakbot Quakbot

Intelligence

File Origin
# of uploads :
1
# of downloads :
229
Origin country :
IE IE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/345660/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.21477.1183.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6397afa3485d8463dc414ad6/reports/b6b8f377-4a83-43e3-aa3c-b93a20e1fc9a/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/824f37b2-fd7e-47c4-b364-905ebbb908aa
Result
Threat name:
Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1133106
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 765830 Sample: titrated.dll Startdate: 12/12/2022 Architecture: WINDOWS Score: 72 38 123.3.240.16 VOCUS-RETAIL-AUVocusRetailAU Australia 2->38 40 108.6.249.139 UUNETUS United States 2->40 42 97 other IPs or domains 2->42 46 Yara detected Qbot 2->46 48 C2 URLs / IPs found in malware configuration 2->48 50 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->50 9 loaddll32.exe 1 2->9         started        signatures3 process4 process5 11 rundll32.exe 9->11         started        14 rundll32.exe 9->14         started        16 cmd.exe 1 9->16         started        18 7 other processes 9->18 signatures6 52 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 11->52 54 Writes to foreign memory regions 11->54 56 Allocates memory in foreign processes 11->56 20 wermgr.exe 11->20         started        58 Maps a DLL or memory area into another process 14->58 23 wermgr.exe 14->23         started        25 rundll32.exe 16->25         started        27 WerFault.exe 9 18->27         started        30 WerFault.exe 7 9 18->30         started        32 WerFault.exe 9 18->32         started        process7 dnsIp8 36 C:\Users\user\Desktop\titrated.dll, PE32 20->36 dropped 34 WerFault.exe 19 9 25->34         started        44 192.168.2.1 unknown unknown 27->44 file9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bfb03d7fc0d96a912aad1956dadd103251afab4f416ecfccf94cbadf6b7aeb60/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-12-12 22:48:07 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=x6yd276a3fvjckvndflnvxiqgji27k2pifxm7thzjs5n62325nqa._file
Verdict:
unknown
Similar samples:
3a92fe612cab618d0f12481ba7b62b46717a654275b460f5edbdba12b64ada6c
Quakbot
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/221212-2q4bvadc37/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
bfb03d7fc0d96a912aad1956dadd103251afab4f416ecfccf94cbadf6b7aeb60
MD5 hash:
a99ea3fe82d84c097753a3fbf7ce99ba
SHA1 hash:
517199047f6b7efa38719761c59b789b5fcd22ef
Link:
https://www.unpac.me/results/0b881950-fa90-4fdc-8d3e-4dc3de98f81c/
Malware family:
QBot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bfb03d7fc0d9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bfb03d7fc0d96a912aad1956dadd103251afab4f416ecfccf94cbadf6b7aeb60

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/345660/

Comments