MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc600017ebd6e3866e6ac4b407962a5f1f9befe4a4b1966874d523fd4a984d31. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Quakbot


Vendor detections: 3



SHA256 hash: fc600017ebd6e3866e6ac4b407962a5f1f9befe4a4b1966874d523fd4a984d31
SHA3-384 hash: 5216b588b80951c0f329e157120b89446fe8c1ac4bd4985ba9585e2f3f203ce4b91dd2e622c743f5d974885860a0b857
SHA1 hash: fcc6305cd608a1e8f949a2841b19a497e1097174
MD5 hash: ce75bdf25dc3ffaf5b77f0a781fee3c1
humanhash: stairway-mockingbird-indigo-speaker
File name: R1454077294.zip
Signature: Quakbot
File size: 417'565 bytes
First seen: 2022-10-03 15:21:39 UTC
Last seen: Never
File type: zip
MIME type: application/zip
Note: This file is a password protected archive. The password is: R871
ssdeep: 12288:9WjFCf8Fcogr2JkvzUDtECZN2ZwDA+0gB2kHB:9MPLG1gmgN2uUNglHB
TLSH: T172942362FF53FECDD36C45D0A07F7BFA06A922EE9147911A85506C0F0E8A156C5CB4A3
TrID:
80.0% (.ZIP) ZIP compressed archive (4000/1)
20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter: k3dg3___
Tags: BB pw R871 qbot Quakbot ta577 zip


k3dg3
R871 pass

Intelligence


File Origin
# of uploads: 1
# of downloads: 252
Origin country: n/a

File Archive Information

This file archive contains 8 file(s), sorted by their relevance:

File name: purge.jpg
File size: 35'477 bytes
SHA256 hash: a11b700babdc7b22bdaa833790716b432e82c9e196aaaab344bd6d4efeb7e94c
MD5 hash: 0b9167d578ddd702bb820640ed0f1a95
MIME type: image/jpeg
Signature: Quakbot

File name: thrusters.txt
File size: 125'131 bytes
SHA256 hash: 6384ac1ca3aa1e5b0135231e362af6f34b1a3b82b1282268d0d9241a20a5d9e5
MD5 hash: a754896e91e5bb19211368939ea012b4
MIME type: text/plain
Signature: Quakbot

File name: grandparents.txt
File size: 256'512 bytes
SHA256 hash: 9fe812c674791b472e17f062c9f94200d558fc6fc85f851cce0e06b4eecf3eef
MD5 hash: 045925086490cb719cecc322e1b05603
MIME type: text/plain
Signature: Quakbot

File name: eardrum.dat
File size: 483'840 bytes
SHA256 hash: 1abc2fb23f55378947bf528996b50ffed195a059d5f7b537271792704eb5cd4c
MD5 hash: f24a452723c7e5d1f85eab7f5ec7ecd9
MIME type: application/x-dosexec
Signature: Quakbot

File name: depredating.txt
File size: 177'177 bytes
SHA256 hash: bdfb4cdb6191e3cf7214c077dee595b42372a6d1d36001d1427ded9e38b86973
MD5 hash: ef9b0c9024a61d59a0c5bbd34d298416
MIME type: text/plain
Signature: Quakbot

File name: overawesBets.vbs
File size: 222 bytes
SHA256 hash: cbec223670da9952147218c69116e45f835a0fbd0e8c1bda3ad71c5c77af6abf
MD5 hash: c76b3b2c4b00a94c0d3ba19af172b109
MIME type: text/plain
Signature: Quakbot

File name: supernumerariesUnlearned.cmd
File size: 61 bytes
SHA256 hash: d69bf87afeb7d903bbdd095ebd66c0bbe963abc27b584c81fa9083394014ce43
MD5 hash: 858d6caff0d99314e50811f7e4e20313
MIME type: text/x-msdos-batch
Signature: Quakbot

File name: Contract.lnk
File size: 1'261 bytes
SHA256 hash: 436d64ee09b0489cbf5231a015de1f8cb5e985045c6db6f94fed27aa0e6db194
MD5 hash: cac85747caa16dacc64840fef1dbacd7
MIME type: application/octet-stream
Signature: Quakbot

Vendor Threat Intelligence
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: PassProtected_ZIP_ISO_file
Author: _jc
Description: Detects container formats commonly smuggled through password-protected zips

Rule name: QakBot
Author: kevoreilly
Description: QakBot Payload

Rule name: unpacked_qbot
Description: Detects unpacked or memory-dumped QBot samples

Rule name: win_qakbot_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.qakbot.

Rule name: win_qakbot_malped
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.qakbot.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Quakbot

zip fc600017ebd6e3866e6ac4b407962a5f1f9befe4a4b1966874d523fd4a984d31 (this sample)
