MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eccc43d18bcf4f718c23bd1fde73570661ee71749ba96ba89327a89b3d3e57a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 9

SHA256 hash: eccc43d18bcf4f718c23bd1fde73570661ee71749ba96ba89327a89b3d3e57a0
SHA3-384 hash: 004525d564cdffb9f1ee33c1394f1584a97bc641a0049b22af3dc3188d6d5cb64c3f1af991f4239324e0856258169084
SHA1 hash: b48d1f12a01d36b5199e6cf7b1e35e9e0efa34dc
MD5 hash: 124dbf71eec74a20be323d4016580c94
humanhash: six-washington-lithium-kitten
File name: 7MxD0YvPT3GMI70f3nNXBmHucXSbqWuokyeomz0_V6A.bin
Signature: Quakbot
File size: 1'007'079 bytes
First seen: 2021-12-17 10:40:04 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: fcb54e41e8df228eeaa37df1acecde64 (3 x Quakbot)
ssdeep: 6144:kZ3vSB/TRhm3jMF9v+VDzThWlb4sr8UQw8Mz1+:kJm98TS9uMVPr8UQw8Mz
Threatray: 463 similar samples on MalwareBazaar
TLSH: T1B42594F622246307EEC391746E02C73514445E4B02F518FE6BD7B2BE0D727266B9AE2D
dhash icon: 11f0f892ccecf070 (5 x Quakbot)
Reporter: Anonymous
Tags: exe qbot Quakbot

Intelligence

File Origin
Uploads: 1
Downloads: 323
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:
Behaviour
DNS request
Sending a custom TCP request
Launching a process
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
CheckCmdLine
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 96 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Found malware configuration
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has a writeable .text section
Sigma detected: Suspicious Call by Ordinal
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph (rendered graph not included; recoverable content follows):
Behavior Graph ID: 541503
Sample: 7MxD0YvPT3GMI70f3nNXBmHucXS...
Startdate: 17/12/2021
Architecture: WINDOWS
Score: 96
Top-level signatures: Found malware configuration; Antivirus / Scanner detection for submitted sample; Yara detected Qbot; 3 other signatures
Process tree:
loaddll32.exe (started)
    signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Injects code into the Windows Explorer (explorer.exe); Maps a DLL or memory area into another process
    rundll32.exe (started)
        signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions
        explorer.exe (started)
            dropped file: 7MxD0YvPT3GMI70f3n...qWuokyeomz0_V6A.dll, MS-DOS
    cmd.exe (started)
        rundll32.exe (started)
            signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 2 other signatures
            explorer.exe (started)
    regsvr32.exe (started)
        signatures: Allocates memory in foreign processes; Maps a DLL or memory area into another process
        explorer.exe (started)
    explorer.exe (started)
Threat name: Win32.Trojan.Injuke
Status: Malicious
First seen: 2021-12-17 10:41:14 UTC
File Type: PE (Dll)
Extracted files: 36
AV detection: 24 of 43 (55.81%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: evasion trojan
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Loads dropped DLL
Windows security bypass
Unpacked files
SHA256 hash: c17df54823c2eca429150e8e7fefeebd1c705a69f4c4a6d44c7bb6ce13a8df91
MD5 hash: 2edf7bb8c8ec2315806ccf6d2203a909
SHA1 hash: bd00455afe30f225ee8155285ecc1fd5ea188964

SHA256 hash: 1e39e1089d22ef49f0eaff0d77b601d8eb4f159d2636057857e57c88d8a25d29
MD5 hash: 2b630484a55e58bde69f45ef036469b9
SHA1 hash: 708cb91d4534e90373062dbcf538e43636ca03d2

SHA256 hash: eccc43d18bcf4f718c23bd1fde73570661ee71749ba96ba89327a89b3d3e57a0
MD5 hash: 124dbf71eec74a20be323d4016580c94
SHA1 hash: b48d1f12a01d36b5199e6cf7b1e35e9e0efa34dc
Please note that we are no longer able to provide a coverage score for Virus Total.

File information
The table below shows additional information about this malware sample such as delivery method and external references.

Comments