MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 44cfb6402b0f532e79f5ffde32fa0cdf402f880cca5d929c1f4cb03497690391. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 11

SHA256 hash: 44cfb6402b0f532e79f5ffde32fa0cdf402f880cca5d929c1f4cb03497690391
SHA3-384 hash: e8662a16f8acdfe6c9755bef0dbe877c81573b1625e3eecc9a8ab342b0a7e7c52edfb45e5aa84276a87ab05b34e77dc6
SHA1 hash: 6f77968b6766a89606a66ae51d7c5e88632d7282
MD5 hash: cc332c61f83042ed265981779ed8fb74
humanhash: ceiling-queen-king-robin
File name: 44cfb6402b0f532e79f5ffde32fa0cdf402f880cca5d929c1f4cb03497690391
Download: download sample
Signature: Quakbot
File size: 574'464 bytes
First seen: 2022-05-06 23:14:45 UTC
Last seen: Never
File type: DLL
MIME type: application/x-dosexec
imphash: 22b99fa302038e0141db17211e65b333 (5 x Quakbot)
ssdeep: 12288:4QZcD4XyPsVAhrvjYhTZhzsKnaFih/Abi0vZRz5B:jZtiP9pGzgKEihQJZRdB
Threatray: 1'033 similar samples on MalwareBazaar
TLSH: T142C4A022F3D0883BD1731A7D8D57B764982ABE812D74AC8B2BE41E8C8F397817525357
TrID: 47.6% (.EXE) Win32 Executable Delphi generic (14182/79/4)
      15.1% (.EXE) Win32 Executable (generic) (4505/5/1)
      10.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
      6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
      6.8% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE): PE icon
dhash icon: 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter: malwarelabnet
Tags: dll obama182 Qakbot Quakbot

Intelligence


File Origin
# of uploads: 1
# of downloads: 345
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating synchronization primitives
Creating a window
Launching a process
Modifying an executable file
Searching for synchronization primitives
Creating a process with a hidden window
Sending a custom TCP request
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: control.exe keylogger packed zusy
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name: Win32.Backdoor.Quakbot
Status: Malicious
First seen: 2022-05-06 23:15:08 UTC
File Type: PE (Dll)
Extracted files: 38
AV detection: 22 of 26 (84.62%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:qakbot botnet:obama182 campaign:1651756499 banker stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Program crash
Loads dropped DLL
Qakbot/Qbot
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash: 527e9d61ddeff064647d956d52b1780e2d6bbf9a28f30efdc7c30f985629dc43
MD5 hash: 0472c872620ed002ca3f20878019e1ed
SHA1 hash: f7ec5d5ab11beb372e72e0981100876d3c3d4597
SHA256 hash: 44cfb6402b0f532e79f5ffde32fa0cdf402f880cca5d929c1f4cb03497690391
MD5 hash: cc332c61f83042ed265981779ed8fb74
SHA1 hash: 6f77968b6766a89606a66ae51d7c5e88632d7282
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: QakBot
Author: kevoreilly
Description: QakBot Payload
Rule name: win_qakbot_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.qakbot.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments