MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ae51193eadcb07c277612a3ab57d8f7eb73a0c368b4ebd79dc271b09938516f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 7

Intelligence 7 IOCs YARA 5 File information Comments

SHA256 hash:	2ae51193eadcb07c277612a3ab57d8f7eb73a0c368b4ebd79dc271b09938516f
SHA3-384 hash:	495083e2858aa3fdf464a053c7f7eb52df4530edf8f30dc2ded5a107165cccb970b905ab40d611a299299156314c29b7
SHA1 hash:	8a46510e96e8a98c7b4eddf71fa2198a64eafb2a
MD5 hash:	37165c0d89e10cbfc1f03ba057ffc144
humanhash:	quiet-diet-bulldog-alabama
File name:	file
Download:	download sample
Signature	Quakbot Create hunting rule
File size:	351'208 bytes
First seen:	2021-04-29 01:36:19 UTC
Last seen:	2021-04-29 12:48:15 UTC
File type:	dll
MIME type:	application/x-dosexec
imphash	ea6c26ee328343a3e92009b0fbbc8e7a (286 x Quakbot)
ssdeep	6144:ZTfmt7eZAPOyKmLrLqGvHr0nNK11G9DMQyaViFwRu4:Zbi7/xZrkNK11G9AQyOi6X
Threatray	2'423 similar samples on MalwareBazaar
TLSH	B674C07DBB17DC23E26C1BB062D35B581A53DAD63250210A0AB19E58ACE73E47C37EC4
Reporter	Anonymous
Tags:	Qakbot Quakbot signed

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/145823/

Detection(s):

Win.Packed.Qbot-9802444-0

Win.Malware.Ezuu-9802595-0

Win.Malware.Ezvd-9803869-0

Win.Malware.Ezuu-9810692-0

Win.Malware.Ezvd-9811340-0

Win.Malware.Ezvd-9812657-0

Win.Malware.Ezvd-9814679-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Changing a file

Creating a file in the Windows subdirectories

Launching a process

Modifying an executable file

Creating a process with a hidden window

Creating a window

Sending a UDP request

Modifying a system file

Unauthorized injection to a system process

Enabling autorun by creating a file

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2ae51193eadcb07c277612a3ab57d8f7eb73a0c368b4ebd79dc271b09938516f/

Threat name:

Win32.Infostealer.QBot

Status:

Malicious

First seen:

2020-12-04 07:34:11 UTC

AV detection:

23 of 27 (85.19%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=flsrde7k3syhyj3wckr2wv6y67vxhigdnc2oxv45yjy3bgjykfxq._file

Verdict:

malicious

Label(s):

qakbot

Result

Malware family:

qakbot

Score:

10/10

Tags:

family:qakbot botnet:abc106m campaign:1606921461 banker stealer trojan

Link:

https://tria.ge/reports/210429-ytfgmqyf7a/

Behaviour

Checks SCSI registry key(s)

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Loads dropped DLL

Qakbot/Qbot

Malware Config

C2 Extraction:

94.69.242.254:2222
189.140.45.48:995
37.182.244.124:2222
73.136.242.114:443
187.149.126.53:443
189.210.115.207:443
96.27.47.70:2222
185.163.221.77:2222
85.132.36.111:2222
178.87.10.110:443
120.150.218.241:995
68.224.121.148:993
78.101.145.96:61201
47.146.34.236:443
24.95.61.62:443
72.29.181.78:2222
93.113.177.152:443
87.218.53.206:2222
106.51.85.162:443
2.90.33.130:443
187.145.100.209:443
81.150.181.168:2222
98.240.24.57:443
109.154.193.21:2222
96.40.175.33:443
72.240.200.181:2222
2.7.202.106:2222
173.21.10.71:2222
187.213.136.249:995
189.252.72.41:995
66.97.247.15:443
75.109.180.221:443
72.252.201.69:443
109.209.94.165:2222
65.29.116.74:443
172.87.134.226:443
69.11.247.242:443
87.27.110.90:2222
217.133.54.140:32100
181.129.155.10:443
187.213.199.54:443
174.104.31.209:443
67.8.103.21:443
71.182.142.63:443
149.28.98.196:443
45.77.193.83:443
68.116.193.239:443
197.45.110.165:995
149.28.98.196:2222
149.28.99.97:443
144.202.38.185:2222
174.62.13.151:443
144.202.38.185:443
149.28.98.196:995
45.63.107.192:995
144.202.38.185:995
45.63.107.192:2222
189.150.40.192:2222
149.28.99.97:2222
72.79.79.92:0
116.240.78.45:995
45.118.216.157:443
95.77.223.148:443
83.202.68.220:2222
92.154.83.96:2087
41.227.82.102:443
41.205.16.89:443
86.98.89.173:2222
156.194.205.151:995
47.44.217.98:443
24.27.82.216:2222
24.229.150.54:995
71.14.110.199:443
5.15.225.109:443
47.187.49.3:2222
78.97.207.104:443
67.6.54.180:443
178.222.114.132:995
89.3.198.238:443
109.205.204.229:2222
143.178.135.25:2222
90.53.228.60:2222
95.76.27.6:443
184.89.71.68:443
85.204.189.105:443
197.161.154.132:443
176.45.233.94:995
50.244.112.10:995
75.170.145.25:443
72.28.255.159:995
108.190.151.108:2222
51.235.24.196:443
94.59.236.155:995
78.187.125.116:2222
85.52.72.32:2222
174.54.24.110:995
189.231.3.63:443
86.121.43.200:443
193.248.154.174:2222
105.103.33.188:443
37.210.133.63:995
102.185.242.27:443
39.36.30.92:995
73.244.83.199:443
2.90.186.243:995
68.15.109.125:443
86.245.87.251:2222
197.135.54.239:443
90.101.117.122:2222
96.225.88.23:443
2.50.56.81:443
47.21.192.182:2222
93.146.133.102:2222
72.66.47.70:443
96.21.251.127:2222
184.98.97.227:995
58.179.21.147:995
201.152.69.198:995
74.129.26.119:443
67.82.244.199:2222
80.14.22.234:2222
189.157.3.12:443
83.196.50.197:2222
90.23.117.67:2222
208.93.202.41:443
47.22.148.6:443
197.86.204.38:443
45.32.162.253:443
120.150.60.189:995
110.142.205.182:443
72.36.59.46:2222
196.204.207.111:443
181.208.249.141:443
140.82.27.132:443
45.32.165.134:443
71.226.140.73:443
85.98.177.32:443
87.238.133.187:995
92.137.138.52:2222
24.179.13.119:443
78.63.226.32:443
71.163.223.144:443
68.131.19.52:443
86.98.34.84:995
65.131.47.74:995
92.154.83.96:1194
217.162.149.212:443
78.181.19.134:443
151.33.226.156:443
73.51.245.231:995

Unpacked files

SH256 hash:

c9effc9328055005f393f71a15f73331547f3e23fe6127b74ede43a6a88e8f08

MD5 hash:

be6004fd9eb7379f313e096dc90f8635

SHA1 hash:

c4ca4e94f637d4bb5e6628c4f569dcec646547aa

Link:

https://www.unpac.me/results/e14a6e5e-9267-446d-9f77-a7a0338a4163/

SH256 hash:

2ae51193eadcb07c277612a3ab57d8f7eb73a0c368b4ebd79dc271b09938516f

MD5 hash:

37165c0d89e10cbfc1f03ba057ffc144

SHA1 hash:

8a46510e96e8a98c7b4eddf71fa2198a64eafb2a

Link:

https://www.unpac.me/results/e14a6e5e-9267-446d-9f77-a7a0338a4163/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

qbot

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2ae51193eadcb07c277612a3ab57d8f7eb73a0c368b4ebd79dc271b09938516f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_QakBot Create hunting rule
Author:	ditekSHen
Description:	Detects variants of QakBot payload

Rule name:	QakBot Create hunting rule
Author:	kevoreilly
Description:	QakBot Payload

Rule name:	qbot_bin Create hunting rule
Author:	James_inthe_box
Description:	Qbot Qakbot
Reference:	https://app.any.run/tasks/b89d7454-403c-4c81-95db-7ecbba38eb02

Rule name:	quakbot_halo_generated Create hunting rule
Author:	Halogen Generated Rule, Corsin Camichel

Rule name:	Select_from_enumeration Create hunting rule
Author:	James_inthe_box
Description:	IP and port combo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malpedia

https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot

Cape

https://www.capesandbox.com/analysis/145823/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample