MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c2071407cf960fa166ac47d86f4a92b64873cd8c37a4ea416e80488c5f327c8f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot
Vendor detections: 5



SHA256 hash: c2071407cf960fa166ac47d86f4a92b64873cd8c37a4ea416e80488c5f327c8f
SHA3-384 hash: 7c856f6723a74849afd2b42c581046d2e40edfdf664f17cfbfe003922726ad6d8f9e619320979019ee6abbea8af28559
SHA1 hash: 09554bdd6197cb848ce2bb69cd353c1d34bafc2c
MD5 hash: 75ea2aa8c2a3503ed39fd807de9fe0a3
humanhash: carolina-glucose-fanta-purple
File name: PERSPICIATISM.iso
Signature: Quakbot
File size: 169'984 bytes
First seen: 2024-03-06 16:12:36 UTC
Last seen: Never
File type: iso
MIME type: application/x-iso9660-image
ssdeep: 1536:ebnS9bCgj6dJEkgOzOk3+oLGzFjO8n2dtkosu31M:9EDzPJL2mX
TLSH: T129F3E685AB83EDE3D929073489FE43153336FA80179247133A2C65352F67BD0AE97786
TrID: 88.5% (.NULL) null bytes (2048000/1)
      11.0% (.HTP) HomeLab/BraiLab Tape image (256000/1)
      0.2% (.ATN) Photoshop Action (5007/6/1)
      0.1% (.ISO) ISO 9660 CD image (2545/36/1)
      0.0% (.BIN/MACBIN) MacBinary 1 (1033/5)
Reporter: proxylife
Tags: iso Pikabot Quakbot

Intelligence

File Origin
# of uploads: 1
# of downloads: 196
Origin country: DE
File Archive Information

This file archive contains 3 file(s), sorted by their relevance:

File name: document.rtf
File size: 3'172 bytes
SHA256 hash: 66bcb4ff2b542638fad440578934d815d2aa17242e623055d775a5017e9094a4
MD5 hash: b165a780f5d3061dceb7baee37c44a50
MIME type: text/rtf
Signature: Quakbot

File name: edputil.dll
File size: 98'156 bytes
SHA256 hash: 905a3a144f94a38ac6059759879caec19cff446b98c24bb2035b3293330e03b2
MD5 hash: 4b46474e51d8687190e4e539b6691f9a
MIME type: application/x-dosexec
Signature: Quakbot

File name: Open_Document.exe
File size: 11'264 bytes
SHA256 hash: a70d52eda892edc073932b462cc367cdbfbace3f4196857d8d4fa869a13de792
MD5 hash: b947cca7f485f6c1156f4d02e8c9874f
MIME type: application/x-dosexec
Signature: Quakbot
Vendor Threat Intelligence

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-debug cmd context-iso lolbin overlay rundll32

Threat name: Win64.Trojan.Pikabot
Status: Malicious
First seen: 2024-03-06 12:59:40 UTC
File Type: Binary (Archive)
Extracted files: 9
AV detection: 14 of 24 (58.33%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour:
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Enumerates physical storage devices
- Checks computer location settings
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: SUSP_EXE_in_ISO
Author: SECUINFRA Falcon Team
Description: Detects ISO files that contain an Exe file. Does not need to be malicious.
Reference: Internal Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments