MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb1f3849fd8c7ed11de44087378ef7fb4a4f060ed7d5222d044a12d07c1c4fff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cb1f3849fd8c7ed11de44087378ef7fb4a4f060ed7d5222d044a12d07c1c4fff
SHA3-384 hash: 0b210c49fd05d5e7074f3dcd9e9f33018c53a994ae907fd01642f5c7b9b81059b753646699ad74566ab61482ef0b6042
SHA1 hash: 80fbb9754fafb19e15bf271be86955f465829121
MD5 hash: 43d25377aa21d8cbab3a32c02ee765c6
humanhash: lithium-minnesota-ack-helium
File name:187737.dat
Download: download sample
Signature Quakbot
Create hunting rule
File size:790'016 bytes
First seen:2023-02-09 16:58:11 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash e62ccf1e5c561da53ca2f798bfd5b608 (5 x Quakbot)
ssdeep 24576:/H81smt4vyVjXe1ikZdtjMsc7MscXMscktkTNd8uB:kefBtkf8
Threatray 1'936 similar samples on MalwareBazaar
TLSH T1D4F43A2AFA0191F9ED1200F2950FFBFB54342B394C65CCDBE2441EADBBB5D60511AB1A
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10523/12/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter proxylife
Tags:dll obama239 Qakbot Quakbot

Intelligence

File Origin
# of uploads :
1
# of downloads :
231
Origin country :
RU RU
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/362917/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug packed shell32.dll
Link:
https://www.filescan.io/uploads/63e52657c7ca3840b5a16cd6/reports/8e92a7a1-bcd2-4ae5-b658-8d18aa5e8e06/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/cb1f3849fd8c7ed11de44087378ef7fb4a4f060ed7d5222d044a12d07c1c4fff
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/10eacbf2-2af6-45d8-a463-de9ff59aaeb2
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1170274
Signature
Sigma detected: Execute DLL with spoofed extension
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 803062 Sample: 187737.dat.dll Startdate: 09/02/2023 Architecture: WINDOWS Score: 48 37 Sigma detected: Execute DLL with spoofed extension 2->37 8 loaddll32.exe 1 2->8         started        process3 process4 10 rundll32.exe 8->10         started        12 cmd.exe 1 8->12         started        14 rundll32.exe 8->14         started        16 7 other processes 8->16 process5 18 WerFault.exe 3 9 10->18         started        21 rundll32.exe 12->21         started        23 WerFault.exe 14->23         started        25 WerFault.exe 4 9 16->25         started        27 WerFault.exe 9 16->27         started        29 WerFault.exe 16->29         started        31 2 other processes 16->31 dnsIp6 35 192.168.2.1 unknown unknown 18->35 33 WerFault.exe 19 9 21->33         started        process7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cb1f3849fd8c7ed11de44087378ef7fb4a4f060ed7d5222d044a12d07c1c4fff/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2023-02-09 16:59:06 UTC
File Type:
PE (Dll)
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zmptqsp5rr7nchpeicdtpdxx7nfe6bqo27kseliejijna7a4j77q._file
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
022d1d6da141529bf2f6357fa466603d8544b4151d0d4534cd51c3e05d1dd1d5
Quakbot
057a01850c142230544710ea363b2af54cd5ddbf299a103e10e9d3cbbee6f021
Quakbot
26a5c35034800e786a979358b4cd86cc15ddef9abdf711fd2d3cd38ba59ee4c2
Quakbot
4506cd463975098bdcad837059aefb8bfee00200e1eae25c6ebfaff14f564f2c
Quakbot
69fc127cf404c0a8126d1489b099d67bef28852d47c0854d85d0df1ea9d7e903
Quakbot
70d8f263a41bc7606968ed192e027338c7ff63a1dc80675b039cfac2861bcebc
Quakbot
73c6b431eb5a92719ba406a765d011aa709234af3675e9de4eff9c5f9edd3fe3
Quakbot
e0258e4d45a488bfa45356a5bc55080d7ecc273cd0c1cb7556960427fba9c23f
Quakbot
e1f670924bf0dac3e239d0acb5d9cc8fc83c9d8f927dbf758ad01a0bdffdbe63
Quakbot
f89369a40c56332a7dcdd526491216f9125697221b9655c0dfb7a418e183b496
Quakbot
+ 1'926 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/230209-vhdynacg5x/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
cb1f3849fd8c7ed11de44087378ef7fb4a4f060ed7d5222d044a12d07c1c4fff
MD5 hash:
43d25377aa21d8cbab3a32c02ee765c6
SHA1 hash:
80fbb9754fafb19e15bf271be86955f465829121
Link:
https://www.unpac.me/results/1b865a01-654b-4dc8-97b2-4e0955bc3a26/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cb1f3849fd8c7ed11de44087378ef7fb4a4f060ed7d5222d044a12d07c1c4fff

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/362917/

Comments