MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e0dca3722f6fb05072c6d3754686df039b7c39c782af9b2eed6cf9598e5fa2a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e0dca3722f6fb05072c6d3754686df039b7c39c782af9b2eed6cf9598e5fa2a6
SHA3-384 hash: da32c53dd85a34f3d5593279e7d8a917b19c5704cb49866ded7fdbf33419c0653706a75c1fb4e472844bd5130c9ad4db
SHA1 hash: 0a7a2bda2a1b079fd020a3a7faa09af9272a77c3
MD5 hash: ff04d1b785c70737efba4d35b47b0488
humanhash: fourteen-autumn-maine-white
File name:ff04d1b785c70737efba4d35b47b0488.exe
Download: download sample
Signature Quakbot
Create hunting rule
File size:271'360 bytes
First seen:2020-11-11 16:05:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 742901f36d7e646c132d87fed865548d (3 x Quakbot)
ssdeep 6144:U/0Fa940xzcpre6CF8RO2jkIsNxSTsQZZ7dZguoy2Cu:U/0FO40xw3BRwxSTj3Xroy
Threatray 301 similar samples on MalwareBazaar
TLSH FB44011234D94832FC2114FA8E67C6B1695E3854073E18CB2EC2279A5B66CE2DFF5379
Reporter abuse_ch
Tags:exe Quakbot

Intelligence

File Origin
# of uploads :
1
# of downloads :
61
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Packed.Qbot-9791227-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching a process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/531601
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect virtual machines (IN, VMware)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 314901 Sample: qS5ihIISDk.exe Startdate: 12/11/2020 Architecture: WINDOWS Score: 100 43 Antivirus / Scanner detection for submitted sample 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 Yara detected Qbot 2->47 49 2 other signatures 2->49 7 qS5ihIISDk.exe 4 2->7         started        11 qS5ihIISDk.exe 2->11         started        13 qS5ihIISDk.exe 2->13         started        process3 file4 39 C:\Users\user\AppData\Roaming\...\mromyi.exe, PE32 7->39 dropped 41 C:\Users\user\...\mromyi.exe:Zone.Identifier, ASCII 7->41 dropped 51 Detected unpacking (changes PE section rights) 7->51 53 Detected unpacking (overwrites its own PE header) 7->53 55 Contains functionality to detect virtual machines (IN, VMware) 7->55 57 Contains functionality to compare user and computer (likely to detect sandboxes) 7->57 15 mromyi.exe 7->15         started        18 qS5ihIISDk.exe 7->18         started        20 schtasks.exe 1 7->20         started        27 2 other processes 7->27 22 WerFault.exe 20 9 11->22         started        25 WerFault.exe 9 11->25         started        signatures5 process6 file7 59 Antivirus detection for dropped file 15->59 61 Multi AV Scanner detection for dropped file 15->61 63 Machine Learning detection for dropped file 15->63 29 WerFault.exe 18->29         started        31 WerFault.exe 18->31         started        33 conhost.exe 20->33         started        35 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 22->35 dropped 37 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 25->37 dropped signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e0dca3722f6fb05072c6d3754686df039b7c39c782af9b2eed6cf9598e5fa2a6/
Threat name:
Win32.Trojan.PinkSbot
Create hunting rule
Status:
Malicious
First seen:
2020-11-10 15:46:07 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
30a37091398c28d86d8d13713ef305bdb788afaf278318088811e98169d8e5c0
Quakbot
5015651d1537f3949aba94aba1a295909ac687a6966afc07fe1a784be3bfa784
Quakbot
74809f63f3e96d4f4897e123e2783c5ed37e9688c10b213ace75153024de26c7
Quakbot
81538aa1ff874e5a79dc8d5bfc56d61777d214850726ada1b50c3cefe348b293
Quakbot
ae6c68d1ba34c997cb9a55ed0e016a457d1bb84680eee0a97d5362b0312d03b0
Quakbot
b5ca4ec93c6aa87999f4d78556841527ea7a6f046de577948f9a42acac5e0ae4
Quakbot
b8ec99ddd578b8799a7a6c85231d7545ee54707846136114a3373f2b09f4a2ff
Quakbot
cdd0849cc7c21652c39ffdbdc039bc211b2044003c97c6bd964fca15012bd4d5
Quakbot
d5f719a5fb651053def370762beb99e78cf222f02d57ddb185b574dfe91627dc
Quakbot
f2bad33dc7a242f8f6caef8130f6424fcb934a458370f156dd1094b99318cec9
Quakbot
+ 291 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/201111-sh955jm2y6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
e0dca3722f6fb05072c6d3754686df039b7c39c782af9b2eed6cf9598e5fa2a6
MD5 hash:
ff04d1b785c70737efba4d35b47b0488
SHA1 hash:
0a7a2bda2a1b079fd020a3a7faa09af9272a77c3
Link:
https://www.unpac.me/results/d63b2455-ba3d-4492-b367-a79fdcbfaca1/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Quakbot

Executable exe e0dca3722f6fb05072c6d3754686df039b7c39c782af9b2eed6cf9598e5fa2a6

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/802950/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/783102/

Comments