MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 18d5151ff156139ee901d21abd933dbe3efb3630e30e1acf2b0cbf0a34f3d3ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Quakbot
Vendor detections: 9
| SHA256 hash: | 18d5151ff156139ee901d21abd933dbe3efb3630e30e1acf2b0cbf0a34f3d3ca |
|---|---|
| SHA3-384 hash: | 0f67922c3d18db32808db0a0b43e167fedf5d95ca06093f17b9c7e7f3aaeacd6db59bc2480b70175439f033db69601de |
| SHA1 hash: | 69d70a620ba75c9c9b45e6e98f67c6571647bf8c |
| MD5 hash: | 6f40451666117db906d22ff89748b64c |
| humanhash: | victor-mississippi-xray-four |
| File name: | 18d5151ff156139ee901d21abd933dbe3efb3630e30e1acf2b0cbf0a34f3d3ca |
| Download: | download sample |
| Signature | Quakbot |
| File size: | 2'951'664 bytes |
| First seen: | 2021-12-15 16:26:51 UTC |
| Last seen: | Never |
| File type: |  dll |
| MIME type: | application/x-dosexec |
| imphash | 2ac7a340a3aa040cc3a8e404720833a5 (3 x Quakbot, 1 x ParallaxRAT) |
| ssdeep | 49152:nVUZMcNCu/aXwvg7CfUCOyzw4LxNPpOcQdRckhdIfTRfWGf9mjT4R:nVgMsD+woufx1fWGlmw |
| Threatray | 8'527 similar samples on MalwareBazaar |
| TLSH | T16CD56D15FA934CF2DAE712314046F23B56306B2DC263ABB7FF4469BCBA726404D1B259 |
| File icon (PE): |  |
| dhash icon | 0220bc96cccc9480 (3 x Quakbot) |
| Reporter |  malwarelabnet |
| Tags: | dll obama146 Qakbot Quakbot signed |
Code Signing Certificate
| Organisation: | Trade in Brasil s.r.o. |
|---|---|
| Issuer: | Sectigo RSA Code Signing CA |
| Algorithm: | sha256WithRSAEncryption |
| Valid from: | 2021-05-03T00:00:00Z |
| Valid to: | 2022-05-03T23:59:59Z |
| Serial number: | 881573fc67ff7395dde5bccfbce5b088 |
| Intelligence: | 2 malware samples on MalwareBazaar are signed with this code signing certificate |
| MalwareBazaar Blocklist: | This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB) |
| Thumbprint Algorithm: | SHA256 |
| Thumbprint: | df5d988687c98539b5dde0198703793715182fe3955f589bc86a5eab81f03b3a |
| Source: | This information was brought to you by ReversingLabs A1000 Malware Analysis Platform |
Intelligence
File Origin
# of uploads :
1
# of downloads :
257
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Result
Verdict:
Malware
Maliciousness:
Behaviour
DNS request
Сreating synchronization primitives
Launching a process
Modifying an executable file
Searching for synchronization primitives
Creating a process with a hidden window
Creating a window
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
anti-debug greyware keylogger overlay packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Threat name:
Win32.Backdoor.Quakbot
Status:
Malicious
First seen:
2021-12-15 16:27:12 UTC
File Type:
PE (Dll)
Extracted files:
9
AV detection:
23 of 28 (82.14%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Label(s):
qakbot
Similar samples:
+ 8'517 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Score:
10/10
Tags:
family:qakbot botnet:obama146 campaign:1639564411 banker evasion stealer trojan
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Loads dropped DLL
Qakbot/Qbot
Windows security bypass
Malware Config
C2 Extraction:
93.48.80.198:995
93.48.58.123:2222
120.150.218.241:995
186.64.87.213:443
65.100.174.110:443
89.101.97.139:443
102.65.38.67:443
41.228.22.180:443
136.143.11.232:443
140.82.49.12:443
176.24.150.197:443
218.101.110.3:995
105.198.236.99:995
194.36.28.26:443
78.180.163.25:995
45.9.20.200:2211
103.142.10.177:443
68.186.192.69:443
27.223.92.142:995
216.238.71.31:443
207.246.112.221:995
207.246.112.221:443
216.238.72.121:443
216.238.71.31:995
216.238.72.121:995
67.165.206.193:993
173.21.10.71:2222
75.188.35.168:995
76.25.142.196:443
71.74.12.34:443
100.1.119.41:443
72.252.201.34:995
65.100.174.110:8443
109.12.111.14:443
108.4.67.252:443
24.55.112.61:443
73.151.236.31:443
94.60.254.81:443
86.97.9.219:443
39.49.104.126:995
24.229.150.54:995
190.73.3.148:2222
68.204.7.158:443
136.232.34.70:443
89.137.52.44:443
117.198.149.221:443
73.5.119.219:443
86.148.6.51:443
63.143.92.99:995
182.176.180.73:443
187.192.61.177:80
73.140.38.124:443
96.37.113.36:993
117.248.109.38:21
217.165.7.254:995
75.169.58.229:32100
27.5.4.111:2222
197.89.144.207:443
86.98.36.211:443
106.220.76.130:443
129.208.139.229:995
45.46.53.140:2222
190.229.210.128:465
91.178.126.51:995
189.18.181.24:995
185.53.147.51:443
93.48.58.123:2222
120.150.218.241:995
186.64.87.213:443
65.100.174.110:443
89.101.97.139:443
102.65.38.67:443
41.228.22.180:443
136.143.11.232:443
140.82.49.12:443
176.24.150.197:443
218.101.110.3:995
105.198.236.99:995
194.36.28.26:443
78.180.163.25:995
45.9.20.200:2211
103.142.10.177:443
68.186.192.69:443
27.223.92.142:995
216.238.71.31:443
207.246.112.221:995
207.246.112.221:443
216.238.72.121:443
216.238.71.31:995
216.238.72.121:995
67.165.206.193:993
173.21.10.71:2222
75.188.35.168:995
76.25.142.196:443
71.74.12.34:443
100.1.119.41:443
72.252.201.34:995
65.100.174.110:8443
109.12.111.14:443
108.4.67.252:443
24.55.112.61:443
73.151.236.31:443
94.60.254.81:443
86.97.9.219:443
39.49.104.126:995
24.229.150.54:995
190.73.3.148:2222
68.204.7.158:443
136.232.34.70:443
89.137.52.44:443
117.198.149.221:443
73.5.119.219:443
86.148.6.51:443
63.143.92.99:995
182.176.180.73:443
187.192.61.177:80
73.140.38.124:443
96.37.113.36:993
117.248.109.38:21
217.165.7.254:995
75.169.58.229:32100
27.5.4.111:2222
197.89.144.207:443
86.98.36.211:443
106.220.76.130:443
129.208.139.229:995
45.46.53.140:2222
190.229.210.128:465
91.178.126.51:995
189.18.181.24:995
185.53.147.51:443
Unpacked files
SH256 hash:
9124840273a468edbdca87b899f83707c2975bada135ed27e72adcef80efd5a2
MD5 hash:
11f1cf97758ed86dad17786cc7524009
SHA1 hash:
16a20fc55db64aadbe0d073f11dc6d49fa2e3d31
SH256 hash:
18d5151ff156139ee901d21abd933dbe3efb3630e30e1acf2b0cbf0a34f3d3ca
MD5 hash:
6f40451666117db906d22ff89748b64c
SHA1 hash:
69d70a620ba75c9c9b45e6e98f67c6571647bf8c
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture |
|---|---|
| Author: | ditekSHen |
| Description: | Detect executables with stomped PE compilation timestamp that is greater than local current time |
| Rule name: | QakBot |
|---|---|
| Author: | kevoreilly |
| Description: | QakBot Payload |
| Rule name: | Sectigo_Code_Signed |
|---|---|
| Description: | Detects code signed by the Sectigo RSA Code Signing CA |
| Reference: | https://bazaar.abuse.ch/export/csv/cscb/ |
| Rule name: | Sectigo_Code_Signed |
|---|---|
| Description: | Detects code signed by the Sectigo RSA Code Signing CA |
| Reference: | https://bazaar.abuse.ch/export/csv/cscb/ |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.