MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c703d53e5fb36f0f7627955d8b6084152f4e06b843d61faa43802f5e23be902f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuakBot


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c703d53e5fb36f0f7627955d8b6084152f4e06b843d61faa43802f5e23be902f
SHA3-384 hash: bb30dd7d131ca1c8ecc98f5aafa325c513681c19f704a994d9a0fb79e21d805bac334a05358f00bb00d9e37ca640e02e
SHA1 hash: 10ee71040c6e3bcd83643d28da2e4d22582470dd
MD5 hash: d82b034f2cbc67106ad3f97c6dbc151b
humanhash: oklahoma-twenty-zulu-mockingbird
File name:c703d53e5fb36f0f7627955d8b6084152f4e06b843d61faa43802f5e23be902f
Download: download sample
Signature QuakBot
Create hunting rule
File size:263'632 bytes
First seen:2020-11-10 11:26:31 UTC
Last seen:2024-07-24 21:21:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 303f89b8f429d52fa9a67ddad2dbfa52 (160 x QuakBot)
ssdeep 6144:RdtJ9rtpMBa7FjRbRtwM/XNfNMzpLLpqUxLRbch5cMKD:Rd1rMBgFjxRtwM/dfNOvJ4i
TLSH 0344E1C2A3E84044F6A752B74073C3543A217D5DA83EAB7F19F170DD1E31AA2AD2471E
Reporter seifreed
Tags:Quakbot

Intelligence

File Origin
# of uploads :
2
# of downloads :
56
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Packed.Generickdz-9785977-0
Create hunting rule

Win.Malware.Qbot-9785979-0
Create hunting rule

Win.Malware.Qbot-9789148-0
Create hunting rule

SecuriteInfo.com.Trojan.QakBot.11.11733.4101.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching a process
Creating a window
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/529365
Signature
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect virtual machines (IN, VMware)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 313780 Sample: h86czqHJ8P Startdate: 11/11/2020 Architecture: WINDOWS Score: 100 33 Multi AV Scanner detection for submitted file 2->33 35 Yara detected Qbot 2->35 37 Machine Learning detection for sample 2->37 39 2 other signatures 2->39 7 h86czqHJ8P.exe 4 2->7         started        11 h86czqHJ8P.exe 2->11         started        13 h86czqHJ8P.exe 2->13         started        process3 file4 29 C:\Users\user\AppData\...\yeuikhso.exe, PE32 7->29 dropped 31 C:\Users\...\yeuikhso.exe:Zone.Identifier, ASCII 7->31 dropped 43 Detected unpacking (changes PE section rights) 7->43 45 Detected unpacking (overwrites its own PE header) 7->45 47 Contains functionality to detect virtual machines (IN, VMware) 7->47 49 Contains functionality to compare user and computer (likely to detect sandboxes) 7->49 15 yeuikhso.exe 7->15         started        18 schtasks.exe 1 7->18         started        20 h86czqHJ8P.exe 7->20         started        signatures5 process6 signatures7 51 Multi AV Scanner detection for dropped file 15->51 53 Detected unpacking (changes PE section rights) 15->53 55 Detected unpacking (overwrites its own PE header) 15->55 57 6 other signatures 15->57 22 explorer.exe 1 15->22         started        25 yeuikhso.exe 15->25         started        27 conhost.exe 18->27         started        process8 signatures9 41 Contains functionality to compare user and computer (likely to detect sandboxes) 22->41
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c703d53e5fb36f0f7627955d8b6084152f4e06b843d61faa43802f5e23be902f/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2020-11-10 11:32:31 UTC
AV detection:
28 of 29 (96.55%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=y4b5kps7wnxq65rhsvoywyeecuxu4bvyiplb7ksdqaxv4i56saxq._file
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot banker stealer trojan
Link:
https://tria.ge/reports/201110-7x92nwe1ba/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Qakbot/Qbot
Unpacked files
SH256 hash:
c703d53e5fb36f0f7627955d8b6084152f4e06b843d61faa43802f5e23be902f
MD5 hash:
d82b034f2cbc67106ad3f97c6dbc151b
SHA1 hash:
10ee71040c6e3bcd83643d28da2e4d22582470dd
Link:
https://www.unpac.me/results/27c644fb-ff19-41bd-b24b-5628e9ac94eb/
SH256 hash:
bef5df928745642533777831436971c4a9b3fca9040213a02291e0df392f5ae8
MD5 hash:
0c7d77c8d6be8acaa126f99099af3f5e
SHA1 hash:
5e6890585af46e77b423510e7748c39e8ba1c460
Detections:
win_qakbot_g0
Create hunting rule
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/27c644fb-ff19-41bd-b24b-5628e9ac94eb/
SH256 hash:
7c28358a57f5d17f48eb2acdda4f224a4f2de0726c9ebe836dafa5b47aeaa458
MD5 hash:
cc3eb4300384d591e40bad122ea74612
SHA1 hash:
bd9d4e7ce852a2e3555720a0b2ecca5c448679be
Detections:
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/27c644fb-ff19-41bd-b24b-5628e9ac94eb/
Parent samples :
037d8b7946f740cc7d4f72b8e133766c3f5ca14136970777c14e846e704fa870
46c407bc6a89726389f73de450a801d6d14a9fb97447f2fd449514cbcf33baad
85aa8419001ffcc0dac6a29548dc0438c05261b842d625ae64b0382768775f63
162a0d1651250cab75ba0219b85763bdaf5af3398b5dfed0a8d35d53bd920616
495dedc7acdd334f376eb57d8d87d5bcacbc0da799adc6cc593d0f6262ff2e9b
67506d9141b18c0878e73fe9bc13f6bdaf5415c31cd270e61656f8101d77ca4e
b5e167293b5978ad7aa100c846e91e42cc1a8da04cb8603b823a11eba692ddd6
d1bb3f027353c0a0714df4f1078d9cd0682c81e7bb27aa9e60abf04c3ea5059b
d394623d69c8cbac395b6197210ae622fb98293d2cfcd62e12db0c0724532f82
7609aa4b5a20ea9ddc569ba304b1c0b54e6404f462ad065e267b9c942ec0854a
803f5ccee236fa9cb7703fb57e93d4f4583a4ba3c8df245e2f811b667d0cd0fc
52325608446612fb3ceb993f414a28ff1890286744dfb3c2f1087dc28c9f986f
b77890bcc87700d14b1290431212d1a7ecc883d57de22b549a89c5e9a650765b
1807e9ffd0691baa7afbef30b3f4c1186750817bcd3e8167be2c00a6e09d3295
01110780e65a94296dffd67db662296c987d24323b6e1c2ef760dd7057123a6f
9ab75fa1b1c139dcbb7b40be3015dbae29beff182738aec2a1a77f4d34e140a5
ed9d23fb4478a0f803bb8f33cf3fd6fa71f967be6316608f1470f87ad51cfc71
2ab7c6d98734eadcba791947a1811f08381e923b4762af9c52532a05ce08e5b6
f64800204e656c873d5e33b4de022a24be18465b5a06affa1f1140bb28b8fef1
553018ba2e50232e48f77ab4aeaec561983010fcb5b7cec41bd875656cccae8b
98fec009d2ce7d28c7a4fa4da8df368d2de815f32b35ccde3c5b21b587e5bff0
51d0b952b0a0c6d946ba4a4bf6702a8fc705f81ea6882a99928637ab3a5a8dc2
4318551718b0f22bd477fad486b1d23ffd2d576fdde3896eee8a9c4ebbc13a3a
3f4f3662e3a09ec59403ed283ba4ed9a77dfe6ca357af42493bd398e8a9d67b6
586fadf3271fb6d65cff2c1943913b5e68a26c2d90f0f52004d207760db189e9
cc23217fda36f3741285faf5de87431a7c88f174ef917464bc49ff406142d8c5
28d6c579a7bd5c6d90232ff0b785507577d322e102d5b9063865714f84a332d7
de11cf6bbb6e3b9150d63c126ecd46e82f8801d37b2e46bbdbf33729b8ae0203
972fb4092f04ba1bbdc82d137f36ac43bcc66375fa3d6dabf33197e61c8ff9d8
b4987bdba419f7bb380d45a81f47f2073f758972f20457de523c3e6d59599b72
c703d53e5fb36f0f7627955d8b6084152f4e06b843d61faa43802f5e23be902f
640172df9ce18ae567f1de3ef7db22bba77763f7e5f7e4e7cc4348dd0ee8816d
66d35d6414a49e4bdfcb94ec145f7af9f9ce32e75ca29568b51d48a25abb87df
e68f2bf5c182681dab42c7c6ff4cbc280f6828b5760e00f755dff4c9e3a4d064
c20ad36b4bf4e442fd1f4b65c183fcf5581607b315484347977ea89aa807b4aa
7b023a29e60cf740c590492d57cc36df3c1554e0a7a8e30e3669cdc4499001b5
38878c53b23a5ad738694a6eb9282933a161869bfeaaabd27a867640fec4d769
11cdb03678a501002944d7e94a4acd464dd6c9922bfb82aa732c3aa40e630aa0
9714dca3ed09bb1f392d738deda87bbcb31a72b2eddc3219093376b384d2fb39
186e1dd70b65fe81532ccf8139e2f12b44a9b43da7cdf71af539db86a4af7040
9438713539f36469775fe748a348ba32b679f106862d56bb038649e1edc0c3f6
312de05d5cc0f1aba9b5f4d786e6723912efc5e6cc4c9707603a743355d29bd6
241619c6e274c1b974df7de7390817d5fad6483c7220ef4dff02cde061fc7ad5
7a18c6d9ed031c789aaeadf130243e3492cc6c0b42d4b35c0b9714fc14eaf75e
cc66d88343dcba412c4697d97cca6453b4e36ccd0723e92adb079e0f24e4cfc9
e9769ee807fec1d67357f0db651f0f8b15d0175e3ee202e3e2e9289927d86196
773d5944669d57a3f4c6efd3532711ee3f580a952915a1f4edd968e4a011bd93
db1e27ede507d93eded6eaa8ed741d46ef537f25e03f00116fd39cd5986f79fb
167b4108333e01cc76859232c6eb8c2be6cdb3597c0a727967b82d1a540d9aec
c228dea9953fc8e5764c3e724282ca6049e2a33c76a069033c4139d830e1a376
b574dd864fb57fccee4a70c2bc615a76f4857f806472f2ab5948198b71705eaa
600fe9a499a7653c159e99154281623ea6854d4f749ed7066999b3a18b10d485
9211b695d0c3772487ad69992965d24f632a563439c7cc64112703578b268313
56d3606bcae5b9ca6750f6ddd55ed813705040312d2d225f152a794159a2cb8e
205bce31e90caea0f3ef82a0bfb30f276f69fcbbcea5c2ff5d857a573e88eff8
dcc24b1c64ffaf77fc6f7c8620040f791eacf497aae59d4c6eece46f3d917224
931ef63229ac0e635b98f711b4cb066349f6343708a2fc242a8bcedc4c0b0dc5
acea7e7f8c7a18d5ac8a8f01c233e693640dbfa1c9491b828ba6441418c9b6f5
7773d705ced4730f4defb3273abf299ac1805bec76b6af40dd95cc6f8c831575
5a049bc8ad32cdcd443448729f14d5687699f095b3a607f3a46c972466cfce87
bf7d72794c2b731ebc6597f3a57543b78be4cc376ff6653d978f60a74cd7914a
0cb540f5d1ef254616e76d60ce82e1b8a6d98e0aa20e1a33e27372ac1243f61f
ecefa69b9bf12a12f40c12750e76b55caa7326b8f81991360d691b6236e656a0
70ac0172d884569cf670b2f84d6ebbc93a31a9c3deb8980c36b1fa2f50ff3658
2494ef373a5340d8131b3ec6e3bd369ba10b1a25ed57f721d3af3838abd29e6b
c9a9ea3431c11dc8ddb152083894cf7ab723f1a2e2d3f5ea6fc6f60f4b024eb2
3b0441ddacd43061660e910cffb1a49e2ddcf263a3a9290c44cdfeeb2e9cf3d1
e9c4506ca2bd16b2ae543d7bc5889f31ecf23790bacfb1055cfcae0133075a10
cef864fe607248f0479c1dc248904fb2f0a3f7c99dab50b0874aa1634cfb5214
cfe41da607b002bddc7e4127366afd9c0f82a94c5079b7ab5193affda9bf8512
e05a03698a7669913462a3e5f31f8939765b1846b8558a159186fa4efc3b3e49
2fe5a52810bd903cb44bdc892cf79d98c8d0ee9552ecca73c2107157930420e1
e0479794ca592095fd4cf66047538fa64a7e2243ee695a6565d609689ad850a7
ae7d426b176a3529715d6c61f9623b43d028de70adb029bf8c5631c093971089
1a3505864d201117a60dce71569dc3a2a202d581eaf7d09cf7446c04a1372585
7b531c1059a9de5a0abbda7508aa9824109ea60ce017609f88cef2cb12148056
27bc44bf07823b3b4fbd537ecf89177ce5c99f6aac3008562d03509e5d8d9a1a
3753e15036bb0d7fa8cc5140e0bb3fb08a982f3e33de942b2fa58d85dc7e31b9
36d00329f6b083f41fdf8029af77c05cc6192d91199f08b7d6e59a31d2610e87
2da827083294924a55a02b1b91b04cf649602131dd64bf4d815303ff7ccb9717
4693845dc0c2284c3c449484a3117340b5e946728b13d72ea2f2dd5b9d4af229
ec402a5c1c9f7caa286a371ad5a7ed770c24fd4f5d81828a4b30b0f092c362c8
60eb6e0665cd309be603a9bb8ed0a4c0c539479c21d9311c54fcbca0e6309588
d363a049deb596b347d55d08abf5b6ad5e30a6abcda51320bd6e6146a7a317f3
de6285f6ce1a087131f47cefed3ee0c826de4d93900af28e2f40230129212630
5621748f908ce8d2d4b1cc2d161584ae6fde0c443a3d99674161865b392f2281
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments