MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d8147651b1e8ce13e32578ec06753a4cb1a8ada46943f660753ee9749e87a96d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d8147651b1e8ce13e32578ec06753a4cb1a8ada46943f660753ee9749e87a96d
SHA3-384 hash: bc45c463fc6e2f10231a8dc4745ecbfb355d73aecabda33afe278fc02bf178c6fccebbdde67fe51e0277bbbd4369b0f0
SHA1 hash: 6c2e2a199505c7b6a7d3d554e41818365625ebe1
MD5 hash: cd395ad83c4ca080c1bd9bce1341e01f
humanhash: kansas-grey-paris-asparagus
File name:rieuro.vnt
Download: download sample
Signature Quakbot
Create hunting rule
File size:3'115'520 bytes
First seen:2021-02-22 19:15:40 UTC
Last seen:2021-02-23 06:37:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9527ec83e065e31d95ef7014093b33cc (3 x Quakbot)
ssdeep 49152:PzcJdWxK4UVuSj7AKHWv/wHwEWtHqStTWNurykBGVXCS+g99lYt1Z3QuC2/aLEJr:ZxlUUHK2vY/WtHbykkwG9iHvC2/m+fOI
Threatray 5 similar samples on MalwareBazaar
TLSH 7FE502AD6284370CC45E80748533BD46B2B7562F0EEA967AB0D7BBD077AF825D941F02
Reporter malware_traffic
Tags:BokBot dll IcedID Quakbot

Intelligence

File Origin
# of uploads :
3
# of downloads :
282
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
rieuro.vnt
Verdict:
Malicious activity
Analysis date:
2021-02-22 19:20:30 UTC
Tags:
trojan icedid
Link:
https://app.any.run/tasks/122fc029-7bf3-4376-8244-c63b95c66e0e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/118399/
Detection(s):
SecuriteInfo.com.Variant.Bulz.362300.2177.19946.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
IcedID
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/614506
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected IcedID
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d8147651b1e8ce13e32578ec06753a4cb1a8ada46943f660753ee9749e87a96d/
Threat name:
Win64.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2021-02-22 16:29:40 UTC
File Type:
PE+ (Dll)
AV detection:
16 of 29 (55.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3akhmunr5dhbhyzfpdwam5j2jsy2rlnenfb7mydvh3uxjhuhvfwq._file
Verdict:
unknown
Similar samples:
2ace0be70434934b6e140f679a0c1551dd589abedfb1f6abeb5ceffaf0a1b9d9
Quakbot
5fe990b47a89cb773beffa3a94bd2b48cd53fb7591af02d583d1783eeff7a442
Quakbot
af604815e1dc25a89516a4cda7af722d1285ef0e0a0b96e691fffa4a57282ed6
Quakbot
b52960b7ce7ae8c007c59626859816296471b7810036baaa7b7b86c2cd6d6218
Quakbot
fdc5ae1a23f456d6edd75da1dedb29f1b8425292a6318d8e1374b3e1769fb7fe
Quakbot
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210222-lvjxsa26dn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Unpacked files
SH256 hash:
d8147651b1e8ce13e32578ec06753a4cb1a8ada46943f660753ee9749e87a96d
MD5 hash:
cd395ad83c4ca080c1bd9bce1341e01f
SHA1 hash:
6c2e2a199505c7b6a7d3d554e41818365625ebe1
Link:
https://www.unpac.me/results/f1bd59c1-65e1-4536-a5b3-b99ac3068d7c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Qakbot
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d8147651b1e8ce13e32578ec06753a4cb1a8ada46943f660753ee9749e87a96d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Quakbot

Executable exe d8147651b1e8ce13e32578ec06753a4cb1a8ada46943f660753ee9749e87a96d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1024070/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1024069/
Cape
Cape
https://www.capesandbox.com/analysis/118399/

Comments


Avatar
Brad commented on 2021-02-22 19:17:16 UTC

Run method: rundll32.exe [filename],DllRegisterServer