MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28b57b028cdb6556ee8d180ae990022f887f3194a749b1948c522e48d3e06fec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Quakbot


Vendor detections: 11



SHA256 hash: 28b57b028cdb6556ee8d180ae990022f887f3194a749b1948c522e48d3e06fec
SHA3-384 hash: b4c2f926759e41eabd309833c6c99b314ad3688456b1346c80e80bd14bfd23a9081ac306175ab1ffdd7e9bbfe94176a4
SHA1 hash: b494e2b72e5c013c4eed2aae7cdc549e9de284a1
MD5 hash: 8a56eb21fe347dede3932571976bd824
humanhash: magnesium-charlie-network-arizona
File name: 28b57b028cdb6556ee8d180ae990022f887f3194a749b1948c522e48d3e06fec
Signature Quakbot
File size: 711'801 bytes
First seen: 2022-05-16 17:24:14 UTC
Last seen: 2022-05-16 17:37:34 UTC
File type: DLL dll
MIME type: application/x-dosexec
imphash df2c97204ed982b8b3e7393fd2a71059 (7 x Quakbot)
ssdeep 12288:ED25c7bMl3XyN6VqX1bFJf44pnlG2LniES2DY0HZyHHsPNQsifQu8:G8Aw3CowXrJf44pnw2Ln1jY0HwHHsPNK
Threatray 1'079 similar samples on MalwareBazaar
TLSH T1E8E4AE22E3D04C77C1772A799C2B7768A839BE112D7899C72BE42D4C4F3568136362B7
TrID 47.6% (.EXE) Win32 Executable Delphi generic (14182/79/4)
15.1% (.EXE) Win32 Executable (generic) (4505/5/1)
10.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter pr0xylife
Tags: AA dll Qakbot Quakbot

Intelligence


File Origin
# of uploads :
2
# of downloads :
282
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a window
Launching a process
Modifying an executable file
Searching for synchronization primitives
Creating a process with a hidden window
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe greyware keylogger overlay packed
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name:
Win32.Trojan.PinkSbot
Status:
Malicious
First seen:
2022-05-16 17:25:08 UTC
File Type:
PE (Dll)
Extracted files:
62
AV detection:
18 of 41 (43.90%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:qakbot botnet:aa campaign:1652433315 banker stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Program crash
Loads dropped DLL
Qakbot/Qbot
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash:
c6cb45ddad7fad4d2f057313081d2790213e26a6e3ced0021553bb17bf1dc1df
MD5 hash:
ea5d83578d5398ce2467ed3521ab54d0
SHA1 hash:
0d881cbf8e2c9970ac9d2e45e5daa7952edbfd39
SHA256 hash:
28b57b028cdb6556ee8d180ae990022f887f3194a749b1948c522e48d3e06fec
MD5 hash:
8a56eb21fe347dede3932571976bd824
SHA1 hash:
b494e2b72e5c013c4eed2aae7cdc549e9de284a1
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: QakBot
Author: kevoreilly
Description: QakBot Payload
Rule name: win_qakbot_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.qakbot.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments