MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 1670c76a6995a9ed224d14781c721603e157285caafd7cc9c68433de07d4bcd3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Quakbot
Vendor detections: 6
| SHA256 hash: | 1670c76a6995a9ed224d14781c721603e157285caafd7cc9c68433de07d4bcd3 |
|---|---|
| SHA3-384 hash: | ba84ccde5884c7687d1073534901367db30366a3292738f263a51d1f572cd6dba96dbe8964fca4da3f89d8ef5216dca5 |
| SHA1 hash: | 912d00db88de43b84a103aacaa0c224424f52b26 |
| MD5 hash: | 03e2e626f905b93e6f409e5a1255742f |
| humanhash: | kitten-leopard-cardinal-beer |
| File name: | file |
| Download: | download sample |
| Signature | Quakbot |
| File size: | 351'208 bytes |
| First seen: | 2021-04-29 01:24:40 UTC |
| Last seen: | 2021-04-29 12:45:55 UTC |
| File type: |  dll |
| MIME type: | application/x-dosexec |
| imphash | 2f58585fc731a3646ea640dd58abbda7 (570 x Quakbot) |
| ssdeep | 6144:YnQU+LqGvHr0nNK11G9DMEeZa8POyKmLUyaViFwRuN:/FrkNK11G9AEtMxQyOi6+ |
| Threatray | 2'439 similar samples on MalwareBazaar |
| TLSH | E174BF7DBB16DC23E2581BB062D35B581A53DAD63250210A1AF19F58ACE73A4BC37FC4 |
| Reporter | Anonymous |
| Tags: | Qakbot signed |
Intelligence
File Origin
# of uploads :
2
# of downloads :
63
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:
Behaviour
Changing a file
Creating a file in the Windows subdirectories
Launching a process
Modifying an executable file
Creating a process with a hidden window
Creating a window
Sending a UDP request
Modifying a system file
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name:
Win32.Trojan.QBot
Status:
Malicious
First seen:
2020-12-03 13:08:37 UTC
AV detection:
23 of 27 (85.19%)
Threat level:
5/5
Verdict:
malicious
Label(s):
qakbot
Similar samples:
+ 2'429 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Score:
10/10
Tags:
family:qakbot botnet:abc106 campaign:1606896670 banker stealer trojan
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Loads dropped DLL
Qakbot/Qbot
Malware Config
C2 Extraction:
203.106.195.67:443
58.152.9.133:443
67.61.157.208:443
211.24.72.253:443
82.10.43.130:2222
200.75.136.78:443
120.159.238.185:2222
196.151.252.84:443
105.198.236.101:443
197.161.154.132:443
79.172.26.240:443
41.233.153.21:993
103.102.100.78:2222
82.223.205.216:443
90.23.117.67:2222
81.214.126.173:2222
95.56.177.11:995
217.128.117.218:2222
185.163.221.77:2222
120.151.95.167:443
87.218.53.206:2222
94.49.188.240:443
2.90.33.130:443
70.124.29.226:443
81.150.181.168:2222
109.154.193.21:2222
120.150.218.241:995
96.40.175.33:443
5.2.188.253:443
86.125.209.126:443
89.137.211.239:443
189.252.72.41:995
109.209.94.165:2222
79.115.171.106:2222
61.1.205.150:443
68.46.142.48:995
69.11.247.242:443
123.136.59.45:443
87.27.110.90:2222
39.61.33.253:995
217.133.54.140:32100
181.129.155.10:443
27.223.92.142:995
175.137.119.141:443
197.51.82.115:995
197.45.110.165:995
174.62.13.151:443
71.10.43.79:443
75.136.26.147:443
156.205.103.107:995
189.150.40.192:2222
116.240.78.45:995
80.110.42.35:443
85.132.36.111:2222
144.202.38.185:443
41.97.178.190:443
68.224.121.148:993
78.101.145.96:61201
47.146.34.236:443
149.28.98.196:443
45.77.193.83:443
31.5.168.31:443
82.76.47.211:443
149.28.98.196:995
144.202.38.185:2222
24.95.61.62:443
149.28.98.196:2222
45.63.107.192:2222
149.28.99.97:2222
149.28.99.97:443
45.63.107.192:995
72.29.181.78:2222
144.202.38.185:995
37.21.231.245:995
41.227.82.102:443
182.161.6.57:3389
94.49.90.92:995
178.222.114.132:995
98.121.187.78:443
108.23.22.28:0
41.39.134.183:443
109.205.204.229:2222
120.150.34.178:443
95.77.223.148:443
176.45.233.94:995
50.244.112.10:995
173.173.1.164:443
108.30.125.94:443
78.187.125.116:2222
79.113.119.125:443
86.121.43.200:443
85.52.72.32:2222
31.5.21.66:995
189.231.3.63:443
105.103.33.188:443
218.227.162.13:443
95.76.27.6:443
91.104.44.226:995
81.97.154.100:443
47.44.217.98:443
37.209.255.10:443
161.142.217.62:443
85.204.189.105:443
68.15.109.125:443
37.211.86.156:443
156.220.32.217:995
90.101.117.122:2222
96.225.88.23:443
2.50.56.81:443
47.21.192.182:2222
93.146.133.102:2222
96.21.251.127:2222
184.98.97.227:995
58.179.21.147:995
72.36.59.46:2222
189.157.3.12:443
219.76.148.249:443
198.2.35.226:2222
86.98.59.208:443
47.22.148.6:443
197.86.204.38:443
120.150.60.189:995
45.118.65.34:443
110.142.205.182:443
37.210.133.63:995
94.98.242.243:443
45.32.162.253:443
83.110.150.100:443
140.82.27.132:443
45.32.165.134:443
39.36.30.92:995
94.176.40.234:443
73.244.83.199:443
2.88.67.161:995
86.98.34.84:995
65.131.47.74:995
181.208.249.141:443
200.110.188.218:443
151.33.226.156:443
73.51.245.231:995
37.210.131.246:443
71.220.164.199:443
172.87.157.235:443
47.24.47.218:443
195.97.101.40:443
184.21.136.237:995
118.70.55.146:443
103.76.160.110:443
2.89.183.206:443
58.152.9.133:443
67.61.157.208:443
211.24.72.253:443
82.10.43.130:2222
200.75.136.78:443
120.159.238.185:2222
196.151.252.84:443
105.198.236.101:443
197.161.154.132:443
79.172.26.240:443
41.233.153.21:993
103.102.100.78:2222
82.223.205.216:443
90.23.117.67:2222
81.214.126.173:2222
95.56.177.11:995
217.128.117.218:2222
185.163.221.77:2222
120.151.95.167:443
87.218.53.206:2222
94.49.188.240:443
2.90.33.130:443
70.124.29.226:443
81.150.181.168:2222
109.154.193.21:2222
120.150.218.241:995
96.40.175.33:443
5.2.188.253:443
86.125.209.126:443
89.137.211.239:443
189.252.72.41:995
109.209.94.165:2222
79.115.171.106:2222
61.1.205.150:443
68.46.142.48:995
69.11.247.242:443
123.136.59.45:443
87.27.110.90:2222
39.61.33.253:995
217.133.54.140:32100
181.129.155.10:443
27.223.92.142:995
175.137.119.141:443
197.51.82.115:995
197.45.110.165:995
174.62.13.151:443
71.10.43.79:443
75.136.26.147:443
156.205.103.107:995
189.150.40.192:2222
116.240.78.45:995
80.110.42.35:443
85.132.36.111:2222
144.202.38.185:443
41.97.178.190:443
68.224.121.148:993
78.101.145.96:61201
47.146.34.236:443
149.28.98.196:443
45.77.193.83:443
31.5.168.31:443
82.76.47.211:443
149.28.98.196:995
144.202.38.185:2222
24.95.61.62:443
149.28.98.196:2222
45.63.107.192:2222
149.28.99.97:2222
149.28.99.97:443
45.63.107.192:995
72.29.181.78:2222
144.202.38.185:995
37.21.231.245:995
41.227.82.102:443
182.161.6.57:3389
94.49.90.92:995
178.222.114.132:995
98.121.187.78:443
108.23.22.28:0
41.39.134.183:443
109.205.204.229:2222
120.150.34.178:443
95.77.223.148:443
176.45.233.94:995
50.244.112.10:995
173.173.1.164:443
108.30.125.94:443
78.187.125.116:2222
79.113.119.125:443
86.121.43.200:443
85.52.72.32:2222
31.5.21.66:995
189.231.3.63:443
105.103.33.188:443
218.227.162.13:443
95.76.27.6:443
91.104.44.226:995
81.97.154.100:443
47.44.217.98:443
37.209.255.10:443
161.142.217.62:443
85.204.189.105:443
68.15.109.125:443
37.211.86.156:443
156.220.32.217:995
90.101.117.122:2222
96.225.88.23:443
2.50.56.81:443
47.21.192.182:2222
93.146.133.102:2222
96.21.251.127:2222
184.98.97.227:995
58.179.21.147:995
72.36.59.46:2222
189.157.3.12:443
219.76.148.249:443
198.2.35.226:2222
86.98.59.208:443
47.22.148.6:443
197.86.204.38:443
120.150.60.189:995
45.118.65.34:443
110.142.205.182:443
37.210.133.63:995
94.98.242.243:443
45.32.162.253:443
83.110.150.100:443
140.82.27.132:443
45.32.165.134:443
39.36.30.92:995
94.176.40.234:443
73.244.83.199:443
2.88.67.161:995
86.98.34.84:995
65.131.47.74:995
181.208.249.141:443
200.110.188.218:443
151.33.226.156:443
73.51.245.231:995
37.210.131.246:443
71.220.164.199:443
172.87.157.235:443
47.24.47.218:443
195.97.101.40:443
184.21.136.237:995
118.70.55.146:443
103.76.160.110:443
2.89.183.206:443
Unpacked files
SH256 hash:
e306a7a3dda23d90ef95dc2b10b81d01a5c42de0760e2ef2d9018c0500b2820c
MD5 hash:
fc54b3ae29ef5eda2606f3fc7fffbbcd
SHA1 hash:
40b839a989f1f0099498a14686800d3fc1a86eda
SH256 hash:
1670c76a6995a9ed224d14781c721603e157285caafd7cc9c68433de07d4bcd3
MD5 hash:
03e2e626f905b93e6f409e5a1255742f
SHA1 hash:
912d00db88de43b84a103aacaa0c224424f52b26
Please note that we are no longer able to provide a coverage score for Virus Total.
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | quakbot_halo_generated |
|---|---|
| Author: | Halogen Generated Rule, Corsin Camichel |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.