MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bfb48416b0557ef0d47177d809287384f47d0bf985504ee9b243d7161293364e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuakBot


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bfb48416b0557ef0d47177d809287384f47d0bf985504ee9b243d7161293364e
SHA3-384 hash: f73fbeee0ce815ff0f4547260f15dcba4926c9d371979ef7f52fbed9f24ab0090d266d423c81c1b75a879acd70aee550
SHA1 hash: 47e2aca96868bc45c8b3877a184d18122420a95b
MD5 hash: 3efcb4b98bc34627f14f32487976d7ef
humanhash: west-tennis-arkansas-sixteen
File name:SecuriteInfo.com.Variant.Razy.737213.26984.18297
Download: download sample
Signature QuakBot
Create hunting rule
File size:959'480 bytes
First seen:2020-10-09 15:43:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 26a69d12ffc2f1bc1c4a71f01c654d31 (7 x QuakBot)
ssdeep 6144:Sv4Jb6PYNgiQsyaxAUyetu9ITzmXG33wXd5FLY9C3DzkgJkw20zt:SgWPYe4ueQ9ITz8GnwXbFsWDzl+0zt
Threatray 586 similar samples on MalwareBazaar
TLSH BE15E001FD78DD06D2A52D7C4E2617B8AE8B78C4EC13605376AA5F2CBCF63A29C5E405
Reporter SecuriteInfoCom
Tags:Quakbot

Intelligence

File Origin
# of uploads :
1
# of downloads :
131
Origin country :
n/a
Vendor Threat Intelligence
Detection:
QakBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/69587/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching a process
Creating a window
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Threat name:
Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/486915
Signature
Antivirus / Scanner detection for submitted sample
Binary contains a suspicious time stamp
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect virtual machines (IN, VMware)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: QBot Process Creation
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
Detection:
qakbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/bfb48416b0557ef0d47177d809287384f47d0bf985504ee9b243d7161293364e/
Threat name:
Win32.Trojan.QBot
Create hunting rule
Status:
Malicious
First seen:
2020-10-09 15:45:07 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=x62iifvqkv7pbvdro7maskdtqt2h2c7zqvie52nsiplrmeutgzha._file
Verdict:
malicious
Similar samples:
07dc705da27544ca4d232515c665dff2bbbf6b0ab49fd07c602e20d6a512b4af
QuakBot
1d14f161830af09dbdfca9bbfa554cd9724f8af548495866b29bddf8b4d73a31
QuakBot
28a2431ffd24d8041bdbf471fcc3eebb98c9e53c980617e4c468f7ad9cdf9d31
QuakBot
5a407e99922b9dd18cef43136c16d9fbecd9de47e7895fc4aeb0772487339fc1
QuakBot
71f24bd6e0a181c04f0fabc5801480a4e3991d2fdf8b35a72b1e91c60ba3eb03
QuakBot
8b4b8a5cfdf150e134bf441bcabdb60d37508bfb973a038a610386341420317f
QuakBot
bda34889cc38db9ca6ff923907e9d1081c81cdf53e62ed5c0991ec9a3e74eef0
QuakBot
c14b93f3949b9cc4ba3163a23b5cfeb1d4bea17db91703c3cdcccccbb57d2058
QuakBot
da9694c6c6f520b9068714b76a3cfce6f4609072f8777be7efb4e1878a6c4feb
QuakBot
f3e3d35760f655af5a57029b73c2cc2f42d09de1a694b2eb22366a3e6c49a068
QuakBot
+ 576 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
trojan banker stealer family:qakbot
Link:
https://tria.ge/reports/201009-fpv75tt82j/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Qakbot/Qbot
Unpacked files
SH256 hash:
bfb48416b0557ef0d47177d809287384f47d0bf985504ee9b243d7161293364e
MD5 hash:
3efcb4b98bc34627f14f32487976d7ef
SHA1 hash:
47e2aca96868bc45c8b3877a184d18122420a95b
Link:
https://www.unpac.me/results/dfe4876b-2875-4d38-97c3-2010ffb38931/
SH256 hash:
a29448ae480bc46253bd3c0d9c2467dd041cefd456bb5a7ec8f98c40c73451bc
MD5 hash:
acf407ae776dfb1332ea31bbbcc52bd0
SHA1 hash:
731176cbd6e6845081c9ed4bc039caf6b2e1bb49
Detections:
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/dfe4876b-2875-4d38-97c3-2010ffb38931/
Parent samples :
bfb48416b0557ef0d47177d809287384f47d0bf985504ee9b243d7161293364e
e2d5f4c171dc88b453be93a2b940a815143657952863fe6daf32bdd01ed1577d
c537e20b181e0bd13cc919d2decb053e56aad510f0c4011d10454ce8a2339037
93062f1a1c0b4b04c62355d3ee310dcaacb301cd1980ce9ebef89fb3963a40ef
58228a52b83bbd17d6ac52cd52767ebfe01327787b218f9c41ad66c1702bb62b
85753f341c17caad8c49790a7b6beb6ddca9f6106c54ece912203e77baa9aa09
SH256 hash:
f4998678e4442b9ebf5d4d246cc8a4f19b185d01e0368c6122c778655a03aafd
MD5 hash:
74f233076f1abad4d209588fc406a651
SHA1 hash:
595b329c996b57d3f9ec524dbacefe64896375f4
Detections:
win_qakbot_g0
Create hunting rule
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/dfe4876b-2875-4d38-97c3-2010ffb38931/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bfb48416b0557ef0d47177d809287384f47d0bf985504ee9b243d7161293364e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/69587/

Comments