MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c8d8dac841ae4780853d4e077265967a55ba5327cc7a6097fa88db11f09cc8d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuakBot

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	c8d8dac841ae4780853d4e077265967a55ba5327cc7a6097fa88db11f09cc8d4
SHA3-384 hash:	e3d68e434fdbd403e4eb6d9d48f89860d0e97b0967ed252fe1df4ab685735312fee6892b7ff8d78667ebd1a5870067b0
SHA1 hash:	e714bd551bb951cf5d1ec9d0de27af5d13c9ae68
MD5 hash:	0e18072675b31a57c1e4e103ac52d4b1
humanhash:	colorado-artist-ten-six
File name:	0e18072675b31a57c1e4e103ac52d4b1
Download:	download sample
Signature	QuakBot Create hunting rule
File size:	1'090'528 bytes
First seen:	2020-10-25 18:33:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c1e35a855d20d45e9c84f5bd029dd388 (154 x Quakbot)
ssdeep	6144:WRawthaHqZIMRD83d5kFICdy2cs1NbDEWZ31EylEgf9RItjKkuGInR+HlZzmr6ML:WR2qZtOzxn2cZ+aKTrUhulLhJ9FCeh
Threatray	726 similar samples on MalwareBazaar
TLSH	B33512D3F9BC8471CAEE287B8993523C9A9585E85D05D01B0778A5BDBDF3300BE9244B
Reporter	seifreed
Tags:	Quakbot

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

QakBot

Link:

https://www.capesandbox.com/analysis/76501/

Detection(s):

Win.Packed.Qbot-9781416-0

SecuriteInfo.com.BehavesLike.Win32.Generic.tz.13628.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a process with a hidden window

Creating a file in the Windows subdirectories

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

Launching a process

Creating a window

Unauthorized injection to a system process

Enabling autorun by creating a file

Result

Threat name:

Qbot

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/510245

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to detect virtual machines (IN, VMware)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected Qbot

Behaviour

Behavior Graph:

Download SVG

Detection:

qakbot

Link:

https://mwdb.cert.pl/sample/c8d8dac841ae4780853d4e077265967a55ba5327cc7a6097fa88db11f09cc8d4/

Threat name:

Win32.Trojan.QBot

Status:

Malicious

First seen:

2020-10-20 07:20:30 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=zdmnvscbvzdybbj5jydxezmwpjk3uuzhzr5gbf72rdnrd4e4zdka._file

Verdict:

malicious

Result

Malware family:

qakbot

Score:

10/10

Tags:

trojan banker stealer family:qakbot

Link:

https://tria.ge/reports/201025-t19wpglvz6/

Behaviour

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Qakbot/Qbot

Unpacked files

SH256 hash:

c8d8dac841ae4780853d4e077265967a55ba5327cc7a6097fa88db11f09cc8d4

MD5 hash:

0e18072675b31a57c1e4e103ac52d4b1

SHA1 hash:

e714bd551bb951cf5d1ec9d0de27af5d13c9ae68

Link:

https://www.unpac.me/results/cce26580-faae-4050-b881-2bb743489d39/

SH256 hash:

b2245e70317ec7dcf7eeec79ce69303c70c9e8ce0e735f58be4a3cbd9a1aa32f

MD5 hash:

1cdef31263a0d2d690a3234795b357da

SHA1 hash:

6d9987126a98e89d72cc6ffbdf62065b3a319abe

Detections:

win_qakbot_auto

Link:

https://www.unpac.me/results/cce26580-faae-4050-b881-2bb743489d39/

Parent samples :

3ca3e5b6d16a79254fc3a225630ba6ccce14af026d05a7d07d52035f556c2743
cbea93d2d24af4fa47dfa9e359a44452f31bff6d65f194cc720684e48a2c90f5
ce42bacf0b5fc43144e33f10aeb9de744de818f85dc44da62b05e64204c42580
73d8eec4558786e302ac9d8d4252a60eebdf4f66eec9925b58d437dbaa5d826e
96e21a6d02770fdff74ac912154f8c7c7a934d7236360485920c8550fa0050a1
18c4314cf758c6745a883c8281c46307e0101974e1d3604fb59b0e806725e5d0
74e832a79ffdd9830db4eb1acc11150a3be94d1ea3665138c9454bd066dd0f95
198f84cee0dae79cda9db5518ba28e2b23000f2fb5735b0dad188bc5972a5afd
ff996f55536de7a67bd73ad8bc3d79a2b39fbacf097c4c506fc7ec0093892588
279a8de5e39df1db685c2c3f3a7ef24ce3a080f485ef4258f3af544ba3f0a170
4dece4f8f1843e688841d1af9c4bf04ae4750c45ab6ab1aee6c8e584882fa6e1
3ce99c8cb67713268cb97548c173ebbd2e9a78b8d2e2a313aafdf84fb1bb109f
3a170ddf4a5187f7bdb2ebe0d2bb50f1628efe9aa17cb79691fdc7b639c20983
f807aeb37f1d5ae92f3c526b1671f6de8ee9071a6b095f1578d535574445d935
80409175a0c0b823892302d5fe864b8cf8e7adcf7c3224cdfc42d3440089f56c
d1ae43466c5c168ce5f6b08a8b1cebed1c50c4e830f5d4d8edb3b0a1707637ba
48a5c7982d3a0aad3a316d391be806bf4518a3914e6304ca23791b1a96f7a696
333e420c622641ce1d0e90836e2d6de9512a8668f36b29bcee286d0dc0362ad4
c648cdade25de484dd01fb660e5b6a0b5c04ce2f8e39fc3003d66f7ceecf8ba3
55b595b2b235716148d0d97ec9e206b5236ef4eb50fc319076d7dfe12e9f31f8
3889e86218b5cd959cc18ea5c14d669b72abf79e16553c250f783f0570da5325
c8d8dac841ae4780853d4e077265967a55ba5327cc7a6097fa88db11f09cc8d4
e765e101f19ac53b1ac1796e8df871a3317c139d2cf9963f0b9ce4877c6a34b4
18e515b87f2113e0cb01aee82cde91912f49ef2bae35a25370d4450f760f4c8d
e7ee18860de04ba320ca073bc31af13d7ad12243b6e50ee56e203e082d4fe2bd
d09d81afbfbf62c6c9ec7deb3c05c699b909c4272698eee14fa21fc09b13c747
efaf18151dcff71f99c514983e1422c7a55db5bdaaac3c01577154f7602f8394
a3326f70eec68273df75df9e431840627ac8c1c4f04be69e6765389effa3170c
2ce0e3f6bcfd706d3b2776301557a2dc3848a2327ad7466f84d8001f15004690
ac7b9830f90d43ca657e76d9d61fd9efbee50ebe1ad5862e35ffdecb7562ebf9
80d310a88b41d69098d4ad67bd64724933bde084e7a55ebde5e3c73664e49e5e
3657746febac3e11b3a87644b383881675bc2059157a82023d4b5b1cd0b09e3c
d67dd0956d44061123dd00a1146c932dde86ccf903912f96c5bec30a2f9c831f
e911a974637256342c4378618b9e0e62f1d77566520977f9f06d03a9f77c94dd
81d9bb47df5527528498454b8e3c657e799a9b253a14e73071bd4a00806456f6
1d4a1f599a48fa710927daeef32a4e509000d2c13cad1bc0b078be9ac0fa2fa1
d1398bbc8382f2b58a852161106c3a1af471ba4df0afe4f8043bd6d711e3abef
ba8b76fe44cfecb234e2ea47adc293fb4e8a7c62119776aab010c2c87500871f
88d2abc1412d8534cf237378933598cd02179225691a298c65e871e77a12de25
36332a5fe3b04f637b3a281c848df93631b6ffe81a969350a5ec73de4d442831
224a2648a7943386f7b3b6b9f22d87d8c7fec9466cffe24a77f17d7a621b8a79
12a33b4cbaa8523b49fbf03ce5ac773e1846660662a0ca67b7dae618606e6ae4
b47d309f16f635798176c9d24035d0bc145b580512adb81191f0ce8684b8b9d5
8d6d8351848925338ce65b442b5bc69872ee467c67e77692645549587eca04d7
43ba9c85b598b5cfcd1fdff00351fe461ab214b1a2b00efcf45f429b5893b0a1
7e0e9f3a1f1bae034cd67784a804dd40375c5b738f7083c9e337197a296425ef
d87d94fd2a6dc33fa5a443f18dc996b513d565d0edd88a88bb322c53f9111aca

SH256 hash:

05b166704a7d5584bb8a95179deb5c58c611b0e2709019a6c6a4b2d15981bd76

MD5 hash:

ba3d8627c678b25ea4c13624d2150650

SHA1 hash:

6051c8795f8f14b0a4b321317e3c16fa136c0e5f

Detections:

win_qakbot_g0

win_qakbot_auto

Link:

https://www.unpac.me/results/cce26580-faae-4050-b881-2bb743489d39/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

qbot

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c8d8dac841ae4780853d4e077265967a55ba5327cc7a6097fa88db11f09cc8d4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/76501/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample