MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d63cdb3488f01ba3934ca197871561781f9c657bff81dc3192683d7a6c6e06d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuakBot


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d63cdb3488f01ba3934ca197871561781f9c657bff81dc3192683d7a6c6e06d3
SHA3-384 hash: ea7318581d1851a467c7964b23c13d5bb0ebde6c3191dcd8f71117c0c10eb625f655035508f2f523ed230c105d443780
SHA1 hash: 65a00528ae5625d469b39081a42d803e1798726c
MD5 hash: bb30b3471d6bff1755ff9f9add1b8d1d
humanhash: sierra-illinois-autumn-jig
File name:d63cdb3488f01ba3934ca197871561781f9c657bff81dc3192683d7a6c6e06d3
Download: download sample
Signature QuakBot
Create hunting rule
File size:348'112 bytes
First seen:2020-11-06 09:53:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4833859d9df0e403c253c8a799426c16 (47 x QuakBot)
ssdeep 6144:Lmrao/6vdwjie1qCOYFpXD36g3pPnx5b9XP0+Bha//v:Lmrao/6e2eQxopr3pPnt8akv
Threatray 777 similar samples on MalwareBazaar
TLSH B374E02EDF278991E2613BF642C60BE94D33B8A93132561A4DC616472DEE3DC3D13798
Reporter JAMESWT_WT
Tags:Pivo ZLoun s.r.o. Qakbot Quakbot signed

Code Signing Certificate

Organisation:Pivo ZLoun s.r.o.
Issuer:Sectigo RSA Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:Oct 30 00:00:00 2020 GMT
Valid to:Oct 30 23:59:59 2021 GMT
Serial number: FD8C468CC1B45C9CFB41CBD8C835CC9E
Intelligence: 18 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: FF49545409D4DA5FDC04B7E9A21183C843ACC5B90DDE211C2B8D37859EFC42F8
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
71
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Inject4.4354.18357.20569.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching a process
Creating a window
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d63cdb3488f01ba3934ca197871561781f9c657bff81dc3192683d7a6c6e06d3/
Threat name:
Win32.Trojan.QBot
Create hunting rule
Status:
Malicious
First seen:
2020-11-06 02:01:33 UTC
File Type:
PE (Exe)
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2y6nwnei6an2he2muglyoflbpapzyzl376a5ymmsna6xu3doa3jq._file
Verdict:
malicious
Similar samples:
12a59869c0e78eed60e76adc9c592ba8b9f3d2835f19d4c46e7a458739d6aedf
QuakBot
4e21f2eefe25c07034fe9a8dc009cf05b33fd4d94979200921cf61f6efd15654
QuakBot
5401646f0c0e59d051a7af22287139db248b5b95087c228a9e7380fcd6cedb75
QuakBot
6a25eecf4c09687ee9eb25089d656e75b86b83464b681f08d14d7cd9fa468a6d
QuakBot
a1093cae5947b010c760dc1e04d9ac932b45dfe46f67b38b8f5b37c807084261
QuakBot
a496166b093b8b09a59f952e7a9a2196aa7754dd3485b4412ec0334cd59714a3
QuakBot
b67267d494ea23d58a61c127eb8e32b274878c3dcfa6586e344604397f7a457b
QuakBot
b8ec99ddd578b8799a7a6c85231d7545ee54707846136114a3373f2b09f4a2ff
QuakBot
cdd0849cc7c21652c39ffdbdc039bc211b2044003c97c6bd964fca15012bd4d5
QuakBot
d5f719a5fb651053def370762beb99e78cf222f02d57ddb185b574dfe91627dc
QuakBot
+ 767 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot banker stealer trojan
Link:
https://tria.ge/reports/201106-qkztjje5hn/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Qakbot/Qbot
Unpacked files
SH256 hash:
d63cdb3488f01ba3934ca197871561781f9c657bff81dc3192683d7a6c6e06d3
MD5 hash:
bb30b3471d6bff1755ff9f9add1b8d1d
SHA1 hash:
65a00528ae5625d469b39081a42d803e1798726c
Link:
https://www.unpac.me/results/e468ac92-60b0-48d3-bc1c-8c2571c48150/
SH256 hash:
d7de5bd1763a59af28b2cdb28468c419d3ae977c953afeb7266bf566baef37bf
MD5 hash:
c8859265ce1fce12d299eb7da245d102
SHA1 hash:
675eda11e861123e3cc6412c32fa217e6c87274c
Detections:
win_qakbot_g0
Create hunting rule
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/e468ac92-60b0-48d3-bc1c-8c2571c48150/
SH256 hash:
47a802bccfab2ec23561d8adeb886bc938c91b765af77cd4e3ed25d9cf3a751b
MD5 hash:
62f6306ade36542ad204147a63cab80b
SHA1 hash:
04a826c06c5dd996b0556be01ce89ee230c2e089
Detections:
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/e468ac92-60b0-48d3-bc1c-8c2571c48150/
Parent samples :
d63cdb3488f01ba3934ca197871561781f9c657bff81dc3192683d7a6c6e06d3
b67267d494ea23d58a61c127eb8e32b274878c3dcfa6586e344604397f7a457b
afb04ccb08e70f8364ab5550702d3700ec8a4e288f784d9d3a0c2d87731f9241
a496166b093b8b09a59f952e7a9a2196aa7754dd3485b4412ec0334cd59714a3
00518aa68c49a0a26130ddd74c227bd8bc39511ca59b57fd1ac5b2c40932bc5f
55e044458184d43ce58b0c4ed30012ffea51c9f2318f670351c7ced786bc9098
9bdcba646b1d23d407beed7aaf077b177fdd260b1a6974940817c67952fbc097
07fd3129e86fc448eb752a68f4e7e24aec3bffe0c1223a6f9d7a3b3d507e6d14
4c79778a10d1b6eabfa425cc031041eceb47e06c7499069607b13975158dc481
16e8dd4d681393a757e3420dfd00187ce7bca1aaf0f792c33bc6bc68693b936a
5d6aa5ee7c6b17615f2840c7ce21cd8449ebd66664be2cfe996187c6e67f53d7
bfb5a74c26316210ab08a6a5e5a5ca141064a9e06962fc07d4b647ed2dffbe74
8109257615124835d77bf857ba60bc516ae9319daf92444028663653358ca3ba
adb77964027061ba4f007c8d125b5da4c332a83058dfce27229674f79c60d674
141a9a4d70ec62c5716f6daf01e5e068525217f06551076fac102a88fd66f3e8
5dee81f839ef4b7e681bfe9dc08efd092c286c5c69fd3bff279ca4deea225b9d
520b6a248e5caf2e361bef4fc425524053e6e45bdd012b9ce6fd808d2f16e37a
17a7dfacd8cbe5f72678b555686a95384e33d1ef4d7c08178937fa8e0da580c3
100ecb0548437822834fce5bd2cfd4eb40c22e90cb2fd013d77d967c7a13054a
78ee8b4f784a925697988c36c75004a752f6ba0f04189451c65909716091fc69
9a3e68ff897ae34d1353411f041d28da65a8813284371e58d36054e364d708ac
3b8ef052038d49eb5dd8922178781abebbac9ab240fdc6217e759441ca6894cd
e500c4bac91c72d84eda077e40c8fe2d0b208d96cf20afa087a587a2d91faa92
7a6f78fe16ceb595bbca244a09faf2a484fa10cf8c9832d3fd81ee29fc944538
aab1b81444cfa91a3b30ebeee77190e9a553e0f50dea9219900f3eaf9f1db041
165696c8e9809f88f42ea30ecf479739325a63e398f50e06205d8c05ba679fe9
88227726f54585fec223503ce81fccb48374446ac860e7b198776fff6866c91a
81fe223734031264739575dacad134efc09f2c813bb6f29d157d68de49dd321d
42eeb4d661dfebac7e841847c4ae0b9643e0b77324e9ef10be4df4159520f3be
dc9667424c7d6a7d3aa75fe33f01c13c3f5295480e89db78600c7f28ef977f1e
14d660ccf1c5fcca2901c9af7049394463ff3cc094974d95271184c93d55d311
a7aa237fdef6605a6d7e396c64ae831211358416caeeec255bf7b0d26b85d9b8
60131eaf79f1934020fc13ac9c7f02c855cdd8b2abfe00eae324f4e6f150866c
27d9a1f73efa976505ef317f1c74c7a325761017aa385d217cab6df2c5d3ee9a
c929200d0410ea735f4094a8217b50f8ca68880a8c5991c95c76912bd2e0434e
7f1f5839e5b466f9120116195752d65126514b024ba635100da06cf23a624547
74196416a7f3a4f7422bc237526fa90a840945732629821831027e119e75906d
0897c2f3d203f2c3ad538a5b91b71f5c5c41b9bf7184900c27d667dcd82401f5
b433d37dee81f3bca6220435a9738b837c67f96eccf0c76fb45c251441bbf1b1
27c3678a902db5c188bba8d49f32f7e829b47a1a2ed2c49e10039b4c170385c3
c53e1bf27a23d7e2bf0d7f7e820d03409cf7020fd2b06fc53d12884766695dad
a8f97463173ac6b52512291172d465d490547d3e94e0055890f51c4e82e4fb60
85fe3c966a534f455f71ed91ab9619f7d393ab4ac493981e6e05999403d37f44
60c64cb07036a6dc7c25695c091f1bc78edf53b7057686cb914b1d0706d78be8
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments