MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fcc6ca0e284f527bfa0c8c9bc25f81389532cf7a2ddfd3e8c01ae2e7feb39ad1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 4


Intelligence 4 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fcc6ca0e284f527bfa0c8c9bc25f81389532cf7a2ddfd3e8c01ae2e7feb39ad1
SHA3-384 hash: 9a637d7fe1d1413298d0a1237f3371ef73a838cd3dbf5b226557daf057e53af3e2ec086f1ba68b77fa3593ab2672a9f5
SHA1 hash: c0c017f604912f8d5f5d5104512fbca9b81c974b
MD5 hash: 7098151184920994fe048b20a9fbd57c
humanhash: pizza-sierra-tennessee-tango
File name:Calculation#8785(Sep16).html
Download: download sample
Signature Quakbot
Create hunting rule
File size:763'498 bytes
First seen:2022-09-16 17:12:19 UTC
Last seen:Never
File type: html
MIME type:text/html
ssdeep 12288:zRy9PHPgWWwSi1SYqZGmgjSXeKvXXthYsXT1gmzPZktSb66c:A9PoRi1R0kjKvthDTpzZbI
TLSH T197F4CFEBF9C124098A63C25D90917BFD7D2F9547D7025AABB42B3B20CB496C70963E4C
Reporter pr0xylife
Tags:html obama204 Qakbot Quakbot

Intelligence

File Origin
# of uploads :
1
# of downloads :
273
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.JS.Downloader-108.UNOFFICIAL
Create hunting rule

TwinWave.EvilHTML.PKillDlZipITDistantCitylights.202200617.UNOFFICIAL
Create hunting rule

Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6324ae7f1183046074a7df8c/reports/1887313c-a5fb-4862-b52c-fb55c860f543/overview
Result
Verdict:
UNKNOWN
Details
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Result
Threat name:
Qbot
Create hunting rule
Detection:
malicious
Classification:
phis.troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1071800
Signature
Injects code into the Windows Explorer (explorer.exe)
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Phishing site detected (based on favicon image match)
Uses 7zip to decompress a password protected archive
Wscript starts Powershell (via cmd or directly)
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 704342 Sample: Calculation#8785(Sep16).html Startdate: 16/09/2022 Architecture: WINDOWS Score: 84 56 Malicious sample detected (through community Yara rule) 2->56 58 Phishing site detected (based on favicon image match) 2->58 60 Yara detected Qbot 2->60 10 chrome.exe 18 8 2->10         started        13 chrome.exe 2->13         started        process3 dnsIp4 52 192.168.2.1 unknown unknown 10->52 54 239.255.255.250 unknown Reserved 10->54 15 unarchiver.exe 3 5 10->15         started        18 chrome.exe 10->18         started        process5 dnsIp6 70 Uses 7zip to decompress a password protected archive 15->70 21 wscript.exe 1 15->21         started        24 cmd.exe 1 15->24         started        26 7za.exe 2 15->26         started        46 clients.l.google.com 142.250.180.174, 443, 49727 GOOGLEUS United States 18->46 48 www.google.com 142.250.184.100, 443, 49732, 49799 GOOGLEUS United States 18->48 50 4 other IPs or domains 18->50 signatures7 process8 file9 62 Wscript starts Powershell (via cmd or directly) 21->62 29 cmd.exe 1 21->29         started        31 powershell.exe 30 24->31         started        33 conhost.exe 24->33         started        44 C:\Users\user\...\Calculation#8785.iso, ISO 26->44 dropped 35 conhost.exe 26->35         started        signatures10 process11 process12 37 regsvr32.exe 29->37         started        40 conhost.exe 29->40         started        signatures13 64 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 37->64 66 Injects code into the Windows Explorer (explorer.exe) 37->66 68 Maps a DLL or memory area into another process 37->68 42 explorer.exe 37->42         started        process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fcc6ca0e284f527bfa0c8c9bc25f81389532cf7a2ddfd3e8c01ae2e7feb39ad1/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7tdmudrij5jhx6qmrsn4ex4bhcktft32fxp5h2gadlrop7vttliq._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.06
Link:
https://yomi.yoroi.company/submissions/fcc6ca0e284f527bfa0c8c9bc25f81389532cf7a2ddfd3e8c01ae2e7feb39ad1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:html_auto_download_b64
Create hunting rule
Author:Tdawg
Description:html auto download

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments