MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e13541f1e4e054e56ed3f5909272c6146454fd52bc2257c62ac921f34a13d80b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuakBot


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e13541f1e4e054e56ed3f5909272c6146454fd52bc2257c62ac921f34a13d80b
SHA3-384 hash: de84bf0e8048efcc1b16a93a539d1ccb497f4e7796eed3f5e91031cd1ae4f752886e6488be514df6ac31b58be942ca0d
SHA1 hash: a6f0fc47f45bc542ab0497f84c6b430dfbe61323
MD5 hash: b8557e6121975f4267b374a12ad16cae
humanhash: speaker-vegan-mockingbird-robin
File name:b8557e6121975f4267b374a12ad16cae
Download: download sample
Signature QuakBot
Create hunting rule
File size:217'600 bytes
First seen:2020-10-25 18:41:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d0d79b318bc431dac712bdbc2f416a4f (30 x QuakBot)
ssdeep 6144:2bnkh/mOzwhLo4opHFpEVfjeAIDNafsQ0YPXf+:z/PwhL4pHMgvQP
Threatray 726 similar samples on MalwareBazaar
TLSH 1E2401E5034889B9F8B877F51EAC13B2C527ADAF038D24C8274367C593215B67722EB5
Reporter seifreed
Tags:Quakbot

Intelligence

File Origin
# of uploads :
1
# of downloads :
56
Origin country :
n/a
Vendor Threat Intelligence
Detection:
QakBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/76642/
Detection(s):
Win.Packed.Generic-9778225-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching a process
Creating a window
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Threat name:
Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/510277
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect virtual machines (IN, VMware)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 304261 Sample: w36RqVHXiZ Startdate: 26/10/2020 Architecture: WINDOWS Score: 100 31 Antivirus / Scanner detection for submitted sample 2->31 33 Multi AV Scanner detection for submitted file 2->33 35 Yara detected Qbot 2->35 37 3 other signatures 2->37 7 w36RqVHXiZ.exe 4 2->7         started        11 w36RqVHXiZ.exe 2->11         started        13 w36RqVHXiZ.exe 2->13         started        process3 file4 29 C:\Users\user\AppData\Roaming\...\ayzeu.exe, PE32 7->29 dropped 41 Detected unpacking (changes PE section rights) 7->41 43 Detected unpacking (overwrites its own PE header) 7->43 45 Contains functionality to detect virtual machines (IN, VMware) 7->45 47 Contains functionality to compare user and computer (likely to detect sandboxes) 7->47 15 ayzeu.exe 7->15         started        18 schtasks.exe 1 7->18         started        20 w36RqVHXiZ.exe 7->20         started        signatures5 process6 signatures7 49 Antivirus detection for dropped file 15->49 51 Multi AV Scanner detection for dropped file 15->51 53 Detected unpacking (changes PE section rights) 15->53 55 7 other signatures 15->55 22 explorer.exe 1 15->22         started        25 ayzeu.exe 15->25         started        27 conhost.exe 18->27         started        process8 signatures9 39 Contains functionality to compare user and computer (likely to detect sandboxes) 22->39
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e13541f1e4e054e56ed3f5909272c6146454fd52bc2257c62ac921f34a13d80b/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2020-10-21 06:37:02 UTC
AV detection:
27 of 28 (96.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4e2ud4pe4bkok3wt6wije4wgcrsfj7ksxqrfprrkzeq7gsqt3afq._file
Verdict:
malicious
Similar samples:
056f95b607706f579516030cac93f0752d3b70622383647b7a7cd3dd595dd8c8
QuakBot
0652d513a2c43aaabbb806eeda3e035aa3b12449a718610d42453896d9f97751
QuakBot
11c6c84f4c67d7ab23c20984648b03289deca9e39dea861b092e0b5fce747b06
QuakBot
21f679e610da831b5793f874a1c1e10c6fcb66a2816b46ecb9081d0672fcbeb6
QuakBot
4a4df13254e5f1e62f8ab02703ebc5d96ecb97ab979f7a8e3a80120935a4df9e
QuakBot
8f3b20670faef6e2e81e2e679af9397ced5ed3116af03585d7f80986451e9987
QuakBot
9adfaa5b63a6a5456740d383e463055f47b796114675f0912e185638ad135d4a
QuakBot
b78c608b6efdbcab010375b990d029eefd2aa139b5796cd5b10adf50a8e48ec3
QuakBot
bcd506c83a908de270fd5fbe9ec541c42a6305a542edd9327ad86657656de4b3
QuakBot
c118e4088bc5aaffebe7208df9f01da9d70ba625ba020c593723495c0954a203
QuakBot
+ 716 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
trojan banker stealer family:qakbot
Link:
https://tria.ge/reports/201025-hd326ywece/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Qakbot/Qbot
Unpacked files
SH256 hash:
e13541f1e4e054e56ed3f5909272c6146454fd52bc2257c62ac921f34a13d80b
MD5 hash:
b8557e6121975f4267b374a12ad16cae
SHA1 hash:
a6f0fc47f45bc542ab0497f84c6b430dfbe61323
Link:
https://www.unpac.me/results/ce04f96a-898a-4953-b269-46fdda757e07/
SH256 hash:
80d4e28aab6a22f528443d9d4364f576c7adc7ee9c1dd77bfcaa7f067ac1884d
MD5 hash:
8f2343a4f975f68e244e1756eb763721
SHA1 hash:
2b6895c55f7fa7c61e41be32317ebadba9f149e8
Detections:
win_qakbot_g0
Create hunting rule
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/ce04f96a-898a-4953-b269-46fdda757e07/
SH256 hash:
48cfc44c4abb999b0a945919f4c15ccba517693222891915bb035872bfaca42b
MD5 hash:
7cc344fcebc1e014f89a2b7c9576bfd7
SHA1 hash:
5f7768c8f54a1ab5a4bfbda4c79bfa87beba6bd3
Detections:
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/ce04f96a-898a-4953-b269-46fdda757e07/
Parent samples :
5c4243b2a27c731bdbf29375d308252fbf0e071b6ea0bed813b61cfe6926e738
a1ccf7c8edc1c55387a37afeea220130241485e38a112ac5eb70b65ae1096c64
80ff62e6e116eae4e4430d1c9b222ef2279874cbcbe81f8585d698ff65353d95
76dfd774e997c6f57436d26f9687330780fb4e531be2ac87b987f59caf9420c3
7de8c22aea7b3a871d4ca5715e4a70313f7e63eb8ac661c4f0b4f84e1876183d
56d66968ebb368c3bfbece314ceee99c380e9c8c2a1e69331c079ca6e8a34046
6335194fe6aff4a5aee7f31cb566f019fb7e8e9b1c4e567fb39f64d048b9fb82
e7b71f274fa6101b23bea864a62527e991781f2b94d2158077bef3e8eefa0bc6
e47af57efec059e3f5a36e2de93a1e215f9ebe11550c194a95b7ecd247b0785c
184c4e09da72a61a29b2b70d9d3cc5465e222230fb5421bb4bf453f9621498ce
61af615619086988198cde3cfb7ec65b4d8fe01fe9595c4aa029a90072391b57
1399a0c10893e6d83d602d6026434e0d5615a56e32439b5a49146b1823b01333
c9e6437ed323393c34fa189bfee56bfcb05aecc563cad0d2b0e8163489f2283d
b0bc8c7d2786b8b2b2fd0c6cec412c62fc4feaa267685b7734846cbc6b1c7ea6
31ecca83de833b3f41446f1e5da470b177ca6cb4fc4c55b73c001bdb35551844
8ffb42e60b3dcd29fd9fb67b782d418f632f975a84f6ae1eefec8c3509fcb29e
48f64c9177e93942695e1108b6346a1437a3ad44e6cf65ebe1d2e5b738a23421
b5e53f30ebc4e6dcf0f09dd4351cfa0e2457b46472acc008ac2eeb51c9970dd2
e13541f1e4e054e56ed3f5909272c6146454fd52bc2257c62ac921f34a13d80b
8e8256d3d439cff5df7953111fa19b015ea11ff253d0c22181dfa35a211ba5cc
d0bc4126cc4314c3227cf78896ad636bde55eee476dc9a748c3919b34eb8c218
aca4aed3b78b51c06b7fac14b362a46cc6f0e4fae1f2828b9c696249bb1f24ae
b70b811a237cb64b9c8ae2d32a6054b06ac336a31939c59bb91451ae326a15ee
8ba3aa42d5c3e1b4cd3ead07bf2c40641e4011aac0b2a1b1262f80504d423f9a
1138aa0a51e7b7c9bd78b1b423ceec867de06c609adf541ee9f1b0168ba32121
74d89c3456100cfe9b7708cea71e1182b625295eee3d391bf9d602530091ab32
740e9e6deff4dc4bfb8a24bd3c945c3f7ffea5d54ebb7e102e6ea099470544ae
26a9b67b001c7839f501a44b99004ea3896bf36e2ee1dc5e67616884a3d4a742
17facf860fe1a5ed999a328490fcc2962d173ab4cfe2142e532913f7a23b66ab
de6919b7df8a2c9bc317a46d3fd2a05033358c0cef66fbcc3a614def1ddcc805
46bb53cb64290bd775679b20f09d60933e043e1d2182ab18c62500fc3c4faaf7
6424aede08a876e0c723d055f9f23886d0af5259e1cffc907f7dbc07fac748f9
7803a0cfd5572aa9d9e3d60b071a26497823bff93f4f656f9d7fcfea561a097f
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
qbot
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e13541f1e4e054e56ed3f5909272c6146454fd52bc2257c62ac921f34a13d80b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
  
URLhaus
https://urlhaus.abuse.ch/url/718198/
Cape
Cape
https://www.capesandbox.com/analysis/76642/

Comments