MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f64e61c7e08bb909b67afe3e90b194ee53b286a5bd0cf8d7843e2c34e46fc3a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 3

Intelligence 3 IOCs YARA 7 File information Comments

SHA256 hash:	f64e61c7e08bb909b67afe3e90b194ee53b286a5bd0cf8d7843e2c34e46fc3a8
SHA3-384 hash:	3c3ac6eb071e768fed831e1317886cc3c089764bcdd328c53eba9fdb0f518911ddbae43be21fcab78ff8a7b95dde6fa3
SHA1 hash:	e0f75a4b985b692a3b47252fca3d60fae0813c62
MD5 hash:	5d91fa6dbf0a301a0f2f132005722cd7
humanhash:	sierra-grey-helium-fanta
File name:	M301.zip
Download:	download sample
Signature	Quakbot Create hunting rule
File size:	530'950 bytes
First seen:	2022-11-22 16:22:55 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
Note:	This file is a password protected archive. The password is: VX21
ssdeep	12288:1CWqg3ccW8bd5/8v6Oh1SCYx87Lkn9sSHt+IJUAJ7wn:1WgsN8RF8iIohwLkySHoJG7wn
TLSH	T1F1B4234A4E8E9D3F1D9757715FBF521CDEF8680D980E3C1312AAB4A1E1188D82F1397A
TrID	80.0% (.ZIP) ZIP compressed archive (4000/1) 20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter	pr0xylife
Tags:	1669024152 BB07 pw-VX21 Qakbot Quakbot zip

Intelligence

File Origin

# of uploads :

# of downloads :

259

Origin country :

File Archive Information

This file is a password protected archive. The password is: VX21

This file archive contains 9 file(s), sorted by their relevance:

File name:	5
File size:	9'353 bytes
SHA256 hash:	04ebee024243f43108fac79108366abf16b39082c44d604d786819b268869146
MD5 hash:	f62880a7053e4dd951bfd206aec01fc3
MIME type:	image/png
Signature	Quakbot

File name:	128
File size:	188 bytes
SHA256 hash:	27998f6c8605d61291b3e49d51804d1857f4f73b408b957dd5ff65c9e48347f7
MD5 hash:	a9b3772903210fae790de0c67df62316
MIME type:	application/octet-stream
Signature	Quakbot

File name:	hindmost.temp
File size:	1'055'704 bytes
SHA256 hash:	085f0f3f25b1328d153a7c56125e1d8a4d43bc882fe3f250d742ea5247850c02
MD5 hash:	09a815f48d8a5319d88f2b8b2e4b02ab
MIME type:	application/x-dosexec
Signature	Quakbot

File name:	data.txt
File size:	4 bytes
SHA256 hash:	e5b0843f42485b22242c595fe066bb00d8ff8fe63fcbb22ca9ffe157fb57255a
MD5 hash:	bc5602dd9d96a28376eeaa0e59eae06c
MIME type:	text/plain
Signature	Quakbot

File name:	polyhedral.txt
File size:	257'558 bytes
SHA256 hash:	351e9681138473f4802cbca910bffdc6e63c51f3cfc42f445876c2e1f93b7349
MD5 hash:	a7ca015f4e97940195deadcc252fb4e4
MIME type:	text/plain
Signature	Quakbot

File name:	2
File size:	381 bytes
SHA256 hash:	4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df
MD5 hash:	1e4a89b11eae0fcf8bb5fdd5ec3b6f61
MIME type:	text/xml
Signature	Quakbot

File name:	XS.vbs
File size:	9'544 bytes
SHA256 hash:	38cc60d96d146e02f46fe3102ecc61111b2e06258c0a1d8a44989d19e71be06b
MD5 hash:	9eff66dd9b4af8d717b391f2480f0685
MIME type:	text/plain
Signature	Quakbot

File name:	156
File size:	84 bytes
SHA256 hash:	c17641c236293f036668d0c6a00ff8e016cf89da567aa7fd0477a5e50d0135ea
MD5 hash:	40e719eb5d1af9bed0b4c038e4c1e022
MIME type:	application/x-dbt
Signature	Quakbot

File name:	9
File size:	12'775 bytes
SHA256 hash:	674f40819b629d624b7c35e1d21de16f6fd93a4f55acd907550045a3a0039914
MD5 hash:	fdc64f884acf7cdddd6c4bafd7953ae0
MIME type:	image/png
Signature	Quakbot

Vendor Threat Intelligence

Detection(s):

TwinWave.EvilDoc.PKillPWZipISOAllTheSmallThings.20221024.UNOFFICIAL

Gathering data

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/f64e61c7e08bb909b67afe3e90b194ee53b286a5bd0cf8d7843e2c34e46fc3a8

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f64e61c7e08bb909b67afe3e90b194ee53b286a5bd0cf8d7843e2c34e46fc3a8/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6zhgdr7aro4qtnt27y7jbmmu5zj3fbvfxugprv4ehywdjzdpyoua._file

Gathering data

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/f64e61c7e08bb909b67afe3e90b194ee53b286a5bd0cf8d7843e2c34e46fc3a8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	PassProtected_ZIP_ISO_file Create hunting rule
Author:	_jc
Description:	Detects container formats commonly smuggled through password-protected zips

Rule name:	QakBot Create hunting rule
Author:	kevoreilly
Description:	QakBot Payload

Rule name:	QbotStuff Create hunting rule
Author:	anonymous

Rule name:	unpacked_qbot Create hunting rule
Description:	Detects unpacked or memory-dumped QBot samples

Rule name:	win_qakbot_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.qakbot.

Rule name:	win_qakbot_malped Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample