MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f93c7ec1f9fd8e810478c8a9882f8728a3da7275e1389075255aaa3efd3af087. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Quakbot


Vendor detections: 6



SHA256 hash: f93c7ec1f9fd8e810478c8a9882f8728a3da7275e1389075255aaa3efd3af087
SHA3-384 hash: fcc7a225f07e8c84fc4e4b5e5d1cf06bcdcde87185f8c47dd44c61ab08671800f8957ef25413fdfb1907b6a69ba58649
SHA1 hash: 5ecd5623f82175eee03faab4f2e987fa3e43b5df
MD5 hash: 5764c4c2e409c6d63c2872318dfe6889
humanhash: kilo-beryllium-fanta-hawaii
File name: 177e94700896d4f69db2d14de7e0fa72
Signature: Quakbot
File size: 1'094'120 bytes
First seen: 2020-11-17 12:08:10 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: ba5c263c6125faae2c597950f7826711 (27 x Quakbot)
ssdeep: 12288:VqflDFoCNF90NNHCW8k45hox9l73UHiX6EQ2XbhT:V0fT0NNHCWZmO7kHINbd
Threatray: 1'644 similar samples on MalwareBazaar
TLSH: F335011BE1E35BCBE483817C59E280BA9532EF8DDB5BD47B2A08F0D871B63C5811E604
Reporter: seifreed
Tags: Quakbot

Intelligence


File Origin
# of uploads: 1
# of downloads: 66
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Threat name: Win32.Trojan.PinkSbot
Status: Malicious
First seen: 2020-11-17 12:12:13 UTC
AV detection: 25 of 28 (89.29%)
Threat level: 5/5
Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Unpacked files
SHA256 hash: f93c7ec1f9fd8e810478c8a9882f8728a3da7275e1389075255aaa3efd3af087
MD5 hash: 5764c4c2e409c6d63c2872318dfe6889
SHA1 hash: 5ecd5623f82175eee03faab4f2e987fa3e43b5df
SHA256 hash: 084375b08669d6c81d596645ea72decd753bfbd7be425a76c779b122acf94197
MD5 hash: 7d2b796f3fc1f81f3911bfb3aff9de2d
SHA1 hash: aef5f96c958271738bda1865d540512fd50622f9
Detections: win_qakbot_auto
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: QakBot
Author: kevoreilly
Description: QakBot Payload

Rule name: win_qakbot_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other

Comments