MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d74b00dde228d80e09d1c2a9144216de68b8a89ac1966dacfcae8e9dc3f52738. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Quakbot


Vendor detections: 9



SHA256 hash: d74b00dde228d80e09d1c2a9144216de68b8a89ac1966dacfcae8e9dc3f52738
SHA3-384 hash: 453a6f9821b17395bc4d161884fee99ee6a555fceb6f3b6278d077e7509c3017c1f899b054bc0cd468824438fcd1d809
SHA1 hash: e14b9563eb241c7582dfc4cfdfdab1d960b2c5e6
MD5 hash: 5bbbf314b9a3de15e51ea38187c3c3c5
humanhash: high-crazy-lactose-item
File name: PH-1577391140.xlsb
Signature: Quakbot
File size: 234'993 bytes
First seen: 2022-02-14 15:22:53 UTC
Last seen: Never
File type: Excel file xlsx
MIME type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
ssdeep: 6144:LbT98S2VO5qcLLQ6014NGa1sWZcMIFtspIIK:3qS2k5TLc601RAcJFpIK
TLSH: T14534029FF2CC691EC39FB53A827958AB5B85441FCFD2202E128577811D7857B0E4EA0E
Reporter: ffforward
Tags: EtterSilent Qakbot qbot Quakbot tr xlsb xlsx

Intelligence


File Origin
# of uploads: 1
# of downloads: 303
Origin country: n/a
Vendor Threat Intelligence
Verdict: Malicious
File type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
Has a screenshot: False
Contains macros: False
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Searching for the window
DNS request
Creating a process with a hidden window
Creating a file
Sending an HTTP GET request
Sending a custom TCP request by exploiting the app vulnerability
Launching a process by exploiting the app vulnerability
Result
Verdict: Malicious
File Type: OOXML Excel File with Excel4Macro
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: macros-on-open regsvr32 regsvr32.exe stripped
Label: Malicious
Suspicious Score: 9.9/10
Score Malicious: 1%
Score Benign: 0%
Threat name: Document-Excel.Downloader.Heuristic
Status: Malicious
First seen: 2022-02-14 15:23:09 UTC
File Type: Document
Extracted files: 33
AV detection: 10 of 43 (23.26%)
Threat level: 2/5
Result
Malware family: n/a
Score: 10/10
Tags: macro xlm
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Process spawned unexpected child process
Malware Config
Dropper Extraction:
https://judgebryantweekes.com/R4uDKgmAJJY/9i.png
https://lawyeryouwant.com/LACxAeU53/92i.png
https://passmyielts.com/PvYsQMezfHK/93i.png
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method: Distributed via e-mail link
