MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 12ae550976ca06b70100dc99473e0accd3320bb5c21278efc278f079e3eecae0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Quakbot
Vendor detections: 13
| SHA256 hash: | 12ae550976ca06b70100dc99473e0accd3320bb5c21278efc278f079e3eecae0 |
|---|---|
| SHA3-384 hash: | fc979d39fa5f28713749d15e07fc38dbe1ec433124b62e3f05217438eee63c4c05b3a14f5d9f077b363e54d86fdd00a9 |
| SHA1 hash: | 4f91bf124118be2f16f610ede7d299aa04e61cac |
| MD5 hash: | 0aedeb30aff0c5373a4d3f6ab16b8b26 |
| humanhash: | victor-xray-blue-berlin |
| File name: | 12ae550976ca06b70100dc99473e0accd3320bb5c21278efc278f079e3eecae0 |
| Download: | download sample |
| Signature | Quakbot |
| File size: | 1'331'459 bytes |
| First seen: | 2022-05-24 12:12:31 UTC |
| Last seen: | Never |
| File type: |  dll |
| MIME type: | application/x-dosexec |
| imphash | be3e8fca69eebc486ff414f59d27d2a2 (6 x Quakbot) |
| ssdeep | 24576:aYvblaVJ3Spoz7MgJtZmRf4sMckd4Xz9QA7iJb:Rzo7hzZ9s/ThWJ |
| Threatray | 1'119 similar samples on MalwareBazaar |
| TLSH | T1AF557D22B2C1843BC5731B7C9D6BB29999357E142E3C944A7BE41E4C0F3A6417A363E3 |
| TrID | 28.8% (.EXE) Win32 Executable (generic) (4505/5/1) 19.2% (.MZP) WinArchiver Mountable compressed Archive (3000/1) 13.2% (.EXE) Win16/32 Executable Delphi generic (2072/23) 12.9% (.EXE) OS/2 Executable (generic) (2029/13) 12.8% (.EXE) Generic Win/DOS Executable (2002/3) |
| File icon (PE): |  |
| dhash icon | 399998ecd4d46c0e (573 x Quakbot, 293 x GCleaner, 137 x ArkeiStealer) |
| Reporter |  malwarelabnet |
| Tags: | AA dll Qakbot Quakbot |
Intelligence
File Origin
# of uploads :
1
# of downloads :
305
Origin country :
n/a
Vendor Threat Intelligence
Detection:
QakBot
Result
Verdict:
Malware
Maliciousness:
Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Launching a process
Modifying an executable file
Creating a process with a hidden window
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
control.exe greyware keylogger overlay packed replace.exe
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Verdict:
Malicious
Threat name:
Win32.Trojan.Tedy
Status:
Malicious
First seen:
2022-05-24 12:13:12 UTC
File Type:
PE (Dll)
Extracted files:
38
AV detection:
16 of 41 (39.02%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Label(s):
qakbot
Similar samples:
+ 1'109 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Score:
10/10
Tags:
family:qakbot botnet:aa campaign:1653295661 banker stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Program crash
Qakbot/Qbot
Malware Config
C2 Extraction:
2.50.4.57:443
24.178.196.158:2222
91.177.173.10:995
187.207.131.50:61202
81.129.112.49:2078
124.40.244.118:2222
176.67.56.94:443
140.82.49.12:443
86.97.11.30:443
108.60.213.141:443
84.241.8.23:32103
202.134.152.2:2222
39.44.66.76:995
39.44.62.55:995
197.87.182.35:443
67.209.195.198:443
182.191.92.203:995
39.52.77.102:995
103.116.178.85:995
2.34.12.8:443
217.165.109.187:993
148.64.96.100:443
197.94.85.72:443
121.7.223.59:2222
37.208.155.29:6883
37.34.253.233:443
82.152.39.39:443
90.120.65.153:2078
179.145.13.69:32101
45.241.222.104:993
1.161.122.145:443
75.99.168.194:443
37.186.54.254:995
175.145.235.37:443
93.48.80.198:995
75.99.168.194:61201
80.11.74.81:2222
183.82.103.213:443
47.23.89.60:993
39.41.249.181:995
173.174.216.62:443
78.101.84.56:2222
173.21.10.71:2222
74.14.5.179:2222
103.246.242.202:443
92.132.172.197:2222
217.128.122.65:2222
72.27.86.98:443
186.90.153.162:2222
120.150.218.241:995
78.180.86.123:443
172.114.160.81:995
148.0.15.41:443
69.14.172.24:443
32.221.224.140:995
70.46.220.114:443
46.107.48.202:443
2.50.137.155:443
86.98.208.214:2222
144.202.2.175:443
144.202.3.39:443
45.76.167.26:443
140.82.63.183:995
45.63.1.12:995
45.76.167.26:995
140.82.63.183:443
144.202.2.175:995
149.28.238.199:443
45.63.1.12:443
144.202.3.39:995
149.28.238.199:995
76.25.142.196:443
210.246.4.69:995
117.248.109.38:21
180.129.108.214:995
67.165.206.193:993
45.46.53.140:2222
73.151.236.31:443
174.69.215.101:443
85.246.82.244:443
208.107.221.224:443
82.41.63.217:443
79.80.80.29:2222
217.164.117.199:1194
196.203.37.215:80
41.228.22.180:443
41.84.238.50:995
111.125.245.118:995
120.61.2.124:443
38.70.253.226:2222
106.51.48.170:50001
187.172.219.103:443
89.137.52.44:443
109.12.111.14:443
76.70.9.169:2222
179.158.105.44:443
39.49.23.236:995
72.66.116.235:995
125.168.47.127:2222
172.115.177.204:2222
190.36.232.221:2222
190.252.242.69:443
187.208.122.239:443
101.50.67.212:995
72.76.94.99:443
181.208.248.227:443
47.156.131.10:443
70.51.138.133:2222
40.134.246.185:995
100.1.108.246:443
24.139.72.117:443
189.223.134.157:443
46.176.192.130:995
72.252.157.93:990
201.172.23.68:2222
72.252.157.93:995
189.253.111.196:443
200.148.9.225:32101
72.252.157.93:993
191.250.188.54:443
187.16.64.193:2222
102.182.232.3:995
186.105.119.233:443
24.55.67.176:443
79.129.121.68:995
86.195.158.178:2222
217.164.117.199:2222
125.24.193.41:443
118.161.37.101:995
89.86.33.217:443
47.157.227.70:443
103.107.113.83:443
41.38.167.179:995
113.89.6.31:995
41.84.233.96:443
203.122.46.130:443
197.165.163.159:995
67.69.166.79:2222
81.215.196.174:443
63.143.92.99:995
187.251.132.144:22
68.204.7.158:443
177.157.156.136:443
194.36.28.62:443
5.32.41.45:443
5.193.138.70:2222
173.22.32.101:443
94.36.195.102:2222
76.23.237.163:995
96.37.113.36:993
24.178.196.158:2222
91.177.173.10:995
187.207.131.50:61202
81.129.112.49:2078
124.40.244.118:2222
176.67.56.94:443
140.82.49.12:443
86.97.11.30:443
108.60.213.141:443
84.241.8.23:32103
202.134.152.2:2222
39.44.66.76:995
39.44.62.55:995
197.87.182.35:443
67.209.195.198:443
182.191.92.203:995
39.52.77.102:995
103.116.178.85:995
2.34.12.8:443
217.165.109.187:993
148.64.96.100:443
197.94.85.72:443
121.7.223.59:2222
37.208.155.29:6883
37.34.253.233:443
82.152.39.39:443
90.120.65.153:2078
179.145.13.69:32101
45.241.222.104:993
1.161.122.145:443
75.99.168.194:443
37.186.54.254:995
175.145.235.37:443
93.48.80.198:995
75.99.168.194:61201
80.11.74.81:2222
183.82.103.213:443
47.23.89.60:993
39.41.249.181:995
173.174.216.62:443
78.101.84.56:2222
173.21.10.71:2222
74.14.5.179:2222
103.246.242.202:443
92.132.172.197:2222
217.128.122.65:2222
72.27.86.98:443
186.90.153.162:2222
120.150.218.241:995
78.180.86.123:443
172.114.160.81:995
148.0.15.41:443
69.14.172.24:443
32.221.224.140:995
70.46.220.114:443
46.107.48.202:443
2.50.137.155:443
86.98.208.214:2222
144.202.2.175:443
144.202.3.39:443
45.76.167.26:443
140.82.63.183:995
45.63.1.12:995
45.76.167.26:995
140.82.63.183:443
144.202.2.175:995
149.28.238.199:443
45.63.1.12:443
144.202.3.39:995
149.28.238.199:995
76.25.142.196:443
210.246.4.69:995
117.248.109.38:21
180.129.108.214:995
67.165.206.193:993
45.46.53.140:2222
73.151.236.31:443
174.69.215.101:443
85.246.82.244:443
208.107.221.224:443
82.41.63.217:443
79.80.80.29:2222
217.164.117.199:1194
196.203.37.215:80
41.228.22.180:443
41.84.238.50:995
111.125.245.118:995
120.61.2.124:443
38.70.253.226:2222
106.51.48.170:50001
187.172.219.103:443
89.137.52.44:443
109.12.111.14:443
76.70.9.169:2222
179.158.105.44:443
39.49.23.236:995
72.66.116.235:995
125.168.47.127:2222
172.115.177.204:2222
190.36.232.221:2222
190.252.242.69:443
187.208.122.239:443
101.50.67.212:995
72.76.94.99:443
181.208.248.227:443
47.156.131.10:443
70.51.138.133:2222
40.134.246.185:995
100.1.108.246:443
24.139.72.117:443
189.223.134.157:443
46.176.192.130:995
72.252.157.93:990
201.172.23.68:2222
72.252.157.93:995
189.253.111.196:443
200.148.9.225:32101
72.252.157.93:993
191.250.188.54:443
187.16.64.193:2222
102.182.232.3:995
186.105.119.233:443
24.55.67.176:443
79.129.121.68:995
86.195.158.178:2222
217.164.117.199:2222
125.24.193.41:443
118.161.37.101:995
89.86.33.217:443
47.157.227.70:443
103.107.113.83:443
41.38.167.179:995
113.89.6.31:995
41.84.233.96:443
203.122.46.130:443
197.165.163.159:995
67.69.166.79:2222
81.215.196.174:443
63.143.92.99:995
187.251.132.144:22
68.204.7.158:443
177.157.156.136:443
194.36.28.62:443
5.32.41.45:443
5.193.138.70:2222
173.22.32.101:443
94.36.195.102:2222
76.23.237.163:995
96.37.113.36:993
Unpacked files
SH256 hash:
346a2b19c3e9ee766a073ea8ce466f5695af6cabf9d15068d148d1308a0d1e0f
MD5 hash:
64298ad66f2f61f1458567db811371e7
SHA1 hash:
8d92d068d0bfbd135f8cefd5c9fb15d602749925
SH256 hash:
985254c18178d7d1d50b51549b5365273db3a286a8c03955cd02f977080f0b97
MD5 hash:
019117f66e43de489b3ff56377f9907b
SHA1 hash:
4fc8cd21b51034e3ca5e21e7975769257ea591a5
Detections:
win_qakbot_auto
Parent samples :
35eb1ecf8e097e0495bb8dcc1ebf6132d1a248574814f9459228c87ab8069ded
22c107e74ac92a9269c28b9184cc718d772be469f590ad6c069ffcc53dc2cca3
69700dfbcbe60d5b9085ca551ca1fe25556b9e78db8bca5125380bf6aba6a690
ed67b3bed0f3b27b49bcd90d7786901ffc9e31e687aa2ddc5155e1fd319236b0
12ae550976ca06b70100dc99473e0accd3320bb5c21278efc278f079e3eecae0
f50cc756ef93c314d733c65425c5a4adb98413d8176867b5bbfcaa41fc05b07f
60c225589579f7667684deff14c30d16c2f14c7c98fbd25b8ab36af7dab019a7
22c107e74ac92a9269c28b9184cc718d772be469f590ad6c069ffcc53dc2cca3
69700dfbcbe60d5b9085ca551ca1fe25556b9e78db8bca5125380bf6aba6a690
ed67b3bed0f3b27b49bcd90d7786901ffc9e31e687aa2ddc5155e1fd319236b0
12ae550976ca06b70100dc99473e0accd3320bb5c21278efc278f079e3eecae0
f50cc756ef93c314d733c65425c5a4adb98413d8176867b5bbfcaa41fc05b07f
60c225589579f7667684deff14c30d16c2f14c7c98fbd25b8ab36af7dab019a7
SH256 hash:
12ae550976ca06b70100dc99473e0accd3320bb5c21278efc278f079e3eecae0
MD5 hash:
0aedeb30aff0c5373a4d3f6ab16b8b26
SHA1 hash:
4f91bf124118be2f16f610ede7d299aa04e61cac
Malware family:
CryptOne
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | QakBot |
|---|---|
| Author: | kevoreilly |
| Description: | QakBot Payload |
| Rule name: | win_qakbot_auto |
|---|---|
| Author: | Felix Bilstein - yara-signator at cocacoding dot com |
| Description: | Detects win.qakbot. |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.