MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1f8229843775292493bd216fab958d931724b05118e11ff31b88701a60f481e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuakBot


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c1f8229843775292493bd216fab958d931724b05118e11ff31b88701a60f481e
SHA3-384 hash: 83ead0bbda392acd480818ee67eebafd8be8ee8ec77d2cd479f96502421afb50abf94a3bf50f8d59b54cd110a8205c2b
SHA1 hash: 83e4f7fc534ab1cb705632450ce106af09b7a8f7
MD5 hash: e506d7b80f4c009471a8f3553a122618
humanhash: lemon-lactose-london-virginia
File name:SecuriteInfo.com.Backdoor.Qbot.3214
Download: download sample
Signature QuakBot
Create hunting rule
File size:1'070'560 bytes
First seen:2020-10-19 16:55:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 82c23e1ee79c35a4b779a3040d232a07 (54 x QuakBot)
ssdeep 3072:hU2P4gYgzuBeXRTZnDNNlJ06KEzGZV8uv793SVHrgCuo2zh2kB3dCrMOr3HhYvex:hJ2gzwETZnl1Kj0sSwo2zzOxmveVqI
Threatray 616 similar samples on MalwareBazaar
TLSH 4335D0D0E3A07C09E9633AB18771C6710C797C6BC570EA9F147A3316E5B32416B92B6B
Reporter SecuriteInfoCom
Tags:Quakbot

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.Backdoor.Qbot.3214.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching a process
Creating a window
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Threat name:
Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/495743
Signature
Binary contains a suspicious time stamp
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect virtual machines (IN, VMware)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: QBot Process Creation
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
Detection:
qakbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c1f8229843775292493bd216fab958d931724b05118e11ff31b88701a60f481e/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2020-10-19 16:57:04 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yh4cfgcdo5jjesj32ilpvoky3eyxesyfcghbd7zrxcdqdjqpjapa._file
Verdict:
malicious
Similar samples:
0652d513a2c43aaabbb806eeda3e035aa3b12449a718610d42453896d9f97751
QuakBot
70c7a48f3dfb41c0137b736bf5f3071bfd550eb8dee8fc6b3c5a075adbecbdbb
QuakBot
9adfaa5b63a6a5456740d383e463055f47b796114675f0912e185638ad135d4a
QuakBot
a739a0a87d4fa6002cb29851f089a26cdd1df36e9d32dace7385bb31151a0732
QuakBot
b78c608b6efdbcab010375b990d029eefd2aa139b5796cd5b10adf50a8e48ec3
QuakBot
b92c0aafb4e9b0fc2b023dbb14d7e848249f29e02b0e4cd8624ce27e55c9ac4c
QuakBot
bfb48416b0557ef0d47177d809287384f47d0bf985504ee9b243d7161293364e
QuakBot
c118e4088bc5aaffebe7208df9f01da9d70ba625ba020c593723495c0954a203
QuakBot
c537e20b181e0bd13cc919d2decb053e56aad510f0c4011d10454ce8a2339037
QuakBot
e2d5f4c171dc88b453be93a2b940a815143657952863fe6daf32bdd01ed1577d
QuakBot
+ 606 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
trojan banker stealer family:qakbot
Link:
https://tria.ge/reports/201019-tln2hf2cv6/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Qakbot/Qbot
Unpacked files
SH256 hash:
bf6f3e04249cf4a34f7556636c679ff1c78e2414fd37868eef6d100cb7282fae
MD5 hash:
df598a3910b9f05031cdf890b7f46d13
SHA1 hash:
0cf9d9322c4f984cbf917b6e58afde58721f6ff7
Detections:
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/f69184d9-9604-448e-a45b-bd3026b1b433/
Parent samples :
c1f8229843775292493bd216fab958d931724b05118e11ff31b88701a60f481e
2dc8c6d4a258da90c8264ed93eea388c46f2e0206604a62d1325ed0c80eae78d
9d3d2f050b18db0f64de13e177451eafe444a0efae7ca187a8e19fada9bab69a
3ad143fe091e2398207ac89ed82cc31f5bee574def93abd938e001b35898fbbc
aaa0da1c0fb9454c515f728a3f1f96522acbec7e19af77d4b29dbcb429989b06
664772bd38ffaf9acb17b9485747ba706d7ddf1d8374f8fd6594251d1df85be9
9f90bdf9ba391e45d111d84c6f59f074410928c306feef877ee9e1a2e0668f16
0d933e515644aa66a7966a9b130c0dfea79387519ffece98c9b532beb465c0f6
27d5472270d1f4e22dec38a609bd1ba13da98f0402da00854356a434dd35e9f7
e55c191f081d06d46846f73db4d847c3a08da2a517b70ee119f2586c308ebd1d
d3d383c69c158752996ccacaa56ddbdb43622ae9c09881a5748619127081550d
235568c5852d8e14ba67dc20a3ec55ea149102a31e91de23e9a0195694b4a023
e7f59c4c54d50daafd2a75a679887f45353de0ffec9b01bebdb3c07bf99ee648
2bdf1c126de8c061c5f06b07848f4a8cd739d65775b15523689d3640c5782cbe
0c2785c84f3b4698ce6b2b45293c04b108d89c224d65aac5fe17a41aeaa3370b
6d591e0b8cadc9b48c8dd2d10b71d5ef71807c2a209d00dbebbc92ee86d5c3b3
1dbca928e5e4c046ed38226be564a4f9d42954105d59fa5e126d9027fe0071e8
31fab81e147c18646273b5ae04cefbccfab355800e6b247de513cb494e0cfd26
a1797622ac302556748e768a266c38a661c64fa4dc5644c5b671e075f6d60b07
ff04c2946ed2b1a35e2df86e483046e7789c89d024fb1bfed62aa008ff83801d
b91a1b6bebb18aeb5f8be1f1d68041b370de1c5e081786f283698932ed6ae1af
608eb9fb00e7ca6e5e892af6ef0186c1bcd21238284e7dfe217e178b1dcc9a26
c7d441730268513a93810fb4249f534259fd9d330ea7605ffc6c6b20ff528a73
4501f4605ab99f013c75de4c2ee39bba7632479ab28733de38bc5c7ad78dfac0
e3a9d373d1b1702563c2d233f45ecd5a6c04af88bb950b5d273ac75374c1b4d6
308c0bc34011d739fe7546bbef874c6267e77a7e1bea698380bd9602971e00b8
bc42b5ac4bd1c089c3db960be4011cb25e170573236444df0e6861eab87b4243
676c897d933e6d0123b54f1be67690aa7a02a93622a29bc77e2cfc0d34ade3bd
39aece13ac26b4bbe6fda8a7338482f28bede5d089dfb5ab0d0e3803d878d36d
0b759c4168882c3fdf101507c2a5cb246244f792eb478b5a5195433a0a8eae69
SH256 hash:
effaf55bb65ff215be6de34c4bec0614c09461d2e938054501a5ca923984ea17
MD5 hash:
772cd1a51dcaf447cf1f0efc93b45f2c
SHA1 hash:
1e4f6c152bee3e711f0dd80e95d1a8a7c0e0b0ea
Detections:
win_qakbot_g0
Create hunting rule
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/f69184d9-9604-448e-a45b-bd3026b1b433/
SH256 hash:
c1f8229843775292493bd216fab958d931724b05118e11ff31b88701a60f481e
MD5 hash:
e506d7b80f4c009471a8f3553a122618
SHA1 hash:
83e4f7fc534ab1cb705632450ce106af09b7a8f7
Link:
https://www.unpac.me/results/f69184d9-9604-448e-a45b-bd3026b1b433/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
qbot
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c1f8229843775292493bd216fab958d931724b05118e11ff31b88701a60f481e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/73021/

Comments