MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de45d7beb1e0231bf22e41bbb01a4ebccb6a2607787c48533fb53159bd44cf72. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 8

Intelligence 8 IOCs YARA 4 File information Comments

SHA256 hash:	de45d7beb1e0231bf22e41bbb01a4ebccb6a2607787c48533fb53159bd44cf72
SHA3-384 hash:	b6c747d3f6d502fcde85d7f79ae1fcef53e3d2d55bd1f29d2943eae9229d9ee840eaedd84901fe8aef3c801753a2ec5d
SHA1 hash:	d33c0f43fc1343dddfde7019366f18c2854089d0
MD5 hash:	6d8fa5d67e794abae4a08e5571aa54aa
humanhash:	nine-low-november-oranges
File name:	de45d7beb1e0231bf22e41bbb01a4ebccb6a2607787c48533fb53159bd44cf72.bin
Download:	download sample
Signature	Quakbot Create hunting rule
File size:	167'936 bytes
First seen:	2022-10-27 19:45:16 UTC
Last seen:	Never
File type:	dll
MIME type:	application/x-dosexec
imphash	fedb443e18b9e0419f43a85a4e213660 (1 x Quakbot)
ssdeep	3072:q0FuJmqDhCuNgQs7W+7DFA2Jb9FdrQTBfpZrAFO/ya+fT:vQpCuNZsC+X22JxFJQTBhZrA0/G
Threatray	1'608 similar samples on MalwareBazaar
TLSH	T1EBF37D01941343BAFA324475D58A5E194EBD77171363B8D3A3D8EB600910AF3EB3A2F6
TrID	38.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 20.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 13.0% (.EXE) Win64 Executable (generic) (10523/12/4) 8.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	zalksec_sec
Tags:	dll Qakbot Quakbot

Intelligence

File Origin

# of uploads :

# of downloads :

248

Origin country :

n/a

Vendor Threat Intelligence

Detection:

QakBot

Link:

https://www.capesandbox.com/analysis/325120/

Detection(s):

SecuriteInfo.com.Variant.Jaik.45546.27460.28035.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Sending a custom TCP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Qakbot

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7f6d4daf-44de-4190-a7d2-e0bb4903cd4f

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/de45d7beb1e0231bf22e41bbb01a4ebccb6a2607787c48533fb53159bd44cf72/

Threat name:

Win32.Backdoor.Quakbot

Status:

Malicious

First seen:

2022-10-27 20:12:44 UTC

File Type:

PE (Dll)

Extracted files:

AV detection:

18 of 26 (69.23%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3zc5ppvr4arrx4roig53agsoxtfwujqhpb6equz7wuyvtpkez5za._file

Verdict:

malicious

Label(s):

qakbot

Quakbot

62b5cb0be9e42ed5628cf0bcbc7a159ac89668933c887796d2201e5eb4c2ca76

Quakbot

972a961e826745cfd530e9d409a603ebfefd4cc687354868847cdbe785a91bc8

Quakbot

9bea9743ed86d925f88d75077ef37b3a4a6a652bbdd2f0e516efdfbb94fb5e06

Quakbot

aa8fbf0411339a0acce09cebab6aea8ed00ceaec76fd92f304ee41c09a9372a4

Quakbot

dae5768e9a2f692512613af462d3ea8d96ce9f38eee1c06ddc52cde8dec2e0a2

Quakbot

e248f7a1cbd369a2111834664fa805b489c8610e0d9b7fa506c3a1fc882dd331

Quakbot

+ 1'598 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/221027-ygys8addck/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Program crash

Unpacked files

SH256 hash:

de45d7beb1e0231bf22e41bbb01a4ebccb6a2607787c48533fb53159bd44cf72

MD5 hash:

6d8fa5d67e794abae4a08e5571aa54aa

SHA1 hash:

d33c0f43fc1343dddfde7019366f18c2854089d0

Detections:

Qakbot

win_qakbot_auto

Link:

https://www.unpac.me/results/86d32bf5-7c4e-4747-bcb7-e7bafe1d4c6c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/de45d7beb1e0231bf22e41bbb01a4ebccb6a2607787c48533fb53159bd44cf72

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	QakBot Create hunting rule
Author:	kevoreilly
Description:	QakBot Payload

Rule name:	unpacked_qbot Create hunting rule
Description:	Detects unpacked or memory-dumped QBot samples

Rule name:	win_qakbot_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.qakbot.

Rule name:	win_qakbot_malped Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Link

https://www.unpac.me/results/f13969a9-2d23-448a-99ce-0cc9fd2db893

Delivery method

Distributed via e-mail link

Cape

https://www.capesandbox.com/analysis/325120/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample