MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0a4909b5e132fd2cc3bf4c1ab18a598cfdf55a531436d1644095911d624bc8c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Quakbot


Vendor detections: 9



SHA256 hash: d0a4909b5e132fd2cc3bf4c1ab18a598cfdf55a531436d1644095911d624bc8c
SHA3-384 hash: 7b378e9088cd315a13ddd1afdc3ee4971bc2a4c8660dd4711e190ec64df225201fdd4c60cb309ec2d0479b0b750730cd
SHA1 hash: 0dceb0340a96c63fbc5488033e8f5abd173ad6ff
MD5 hash: 08ee0c261de8093d6f2d05037c816cda
humanhash: south-four-utah-sink
File name: estates.dat
Signature Quakbot
File size: 589'312 bytes
First seen: 2022-10-13 12:24:23 UTC
Last seen: 2022-10-13 12:32:06 UTC
File type: DLL dll
MIME type: application/x-dosexec
imphash dfae673057da43365fa35a4d0cac66e0 (1 x Quakbot)
ssdeep 12288:gLmguJrVM/orN2iSIOg3bOwu/Q2JZXJMeGbX//9OT:yBoVkOqIh6wuowZXJM5T//9Q
Threatray 1'524 similar samples on MalwareBazaar
TLSH T15CC49E23EAC084B2C6621D78BC3BA5589439BD612F34595B3BD91E494F36BC12FE5383
TrID 47.6% (.EXE) Win32 Executable Delphi generic (14182/79/4)
15.1% (.EXE) Win32 Executable (generic) (4505/5/1)
10.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter boi_cyber
Tags: dll Qakbot Quakbot

Intelligence


File Origin
# of uploads: 2
# of downloads: 238
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Suspicious
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a window
Launching a process
Searching for synchronization primitives
Modifying an executable file
Unauthorized injection to a system process
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: greyware keylogger packed
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name: Win32.Backdoor.Quakbot
Status: Malicious
First seen: 2022-10-13 12:25:08 UTC
File Type: PE (Dll)
Extracted files: 38
AV detection: 15 of 26 (57.69%)
Threat level: 5/5
Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SHA256 hash: 0a8fde9f08da2d0f7a03bda2ffc7253e1d9701075dd8b47b470f70959f8771d0
MD5 hash: cef87d7ad45937291b410d897d2bc1f9
SHA1 hash: 8b30b4061a1eb59f7664cb7cf4131b6ba504fd23
SHA256 hash: 537b22ad09363d900b3289592bc0e1beec974553ad8710617583899727ee074b
MD5 hash: b8859fa0eeadb759ff87e7b31dea463e
SHA1 hash: d557ef9eb4e799d0dfb7ed189bf7f243c071b2d8
Detections: Qakbot win_qakbot_auto
SHA256 hash: d0a4909b5e132fd2cc3bf4c1ab18a598cfdf55a531436d1644095911d624bc8c
MD5 hash: 08ee0c261de8093d6f2d05037c816cda
SHA1 hash: 0dceb0340a96c63fbc5488033e8f5abd173ad6ff
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments