MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06d59105fcf2b1d5d5b27bd75b9f8e14987c25be58f03098beb2e174dbd38e10. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot
Vendor detections: 7



SHA256 hash: 06d59105fcf2b1d5d5b27bd75b9f8e14987c25be58f03098beb2e174dbd38e10
SHA3-384 hash: 496a8e652e5f666c2d002eee13fcb3e8e2970e953a99507bc49adec2de961eaab76dd8a61b248ea2d97f68e04d461133
SHA1 hash: f456df68bf6101a427fa4d0f5dfc5af64f7279c4
MD5 hash: e8be3630eb3b563613ffeb676a92fb14
humanhash: crazy-muppet-magazine-avocado
File name: file
Signature: Quakbot
File size: 351'208 bytes
First seen: 2021-04-29 01:16:29 UTC
Last seen: 2021-04-29 12:43:54 UTC
File type: DLL dll
MIME type: application/x-dosexec
imphash: 2f58585fc731a3646ea640dd58abbda7 (570 x Quakbot)
ssdeep: 6144:znQU+LqGvHr0nNK11G9DMEeZa8POyKmLUyaViFwRuI:EFrkNK11G9AEtMxQyOi6v
Threatray: 2'334 similar samples on MalwareBazaar
TLSH: F774BF7DBB16DC23E2581BB062D35B581A53DAD63250210A1AF19F58ACE73A4BC37FC4
Reporter: Anonymous
Tags: Qakbot signed

Intelligence


File Origin
# of uploads: 4
# of downloads: 57
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Changing a file
Creating a file in the Windows subdirectories
Launching a process
Modifying an executable file
Creating a process with a hidden window
Sending a UDP request
Creating a window
Searching for the window
Modifying a system file
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name: Win32.Trojan.QBot
Status: Malicious
First seen: 2020-12-04 19:15:00 UTC
AV detection: 21 of 26 (80.77%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:qakbot botnet:abc106 campaign:1606896670 banker stealer trojan
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Loads dropped DLL
Qakbot/Qbot
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash: e306a7a3dda23d90ef95dc2b10b81d01a5c42de0760e2ef2d9018c0500b2820c
MD5 hash: fc54b3ae29ef5eda2606f3fc7fffbbcd
SHA1 hash: 40b839a989f1f0099498a14686800d3fc1a86eda
SHA256 hash: 06d59105fcf2b1d5d5b27bd75b9f8e14987c25be58f03098beb2e174dbd38e10
MD5 hash: e8be3630eb3b563613ffeb676a92fb14
SHA1 hash: f456df68bf6101a427fa4d0f5dfc5af64f7279c4
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments