MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 544add0097f7617d68253baf2f59e75ab52013f329c5e3b9613785b7c7353c87. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Quakbot


Vendor detections: 10



SHA256 hash: 544add0097f7617d68253baf2f59e75ab52013f329c5e3b9613785b7c7353c87
SHA3-384 hash: b1c065c795e01801921bca1ba61301a12b290d010aeddc2fc5bbee09b5b67580404e98b1f13d34e06c4dc880210c0467
SHA1 hash: 69a2e7d5824ebe0d7fb8434dddcd93a8afcc693b
MD5 hash: 4c65512ecdf5eea47b59882acd14ac83
humanhash: salami-batman-seventeen-crazy
File name: persecutory.asc
Signature: Quakbot
File size: 598'016 bytes
First seen: 2022-10-18 13:39:01 UTC
Last seen: 2022-10-18 15:03:41 UTC
File type: DLL
MIME type: application/x-dosexec
imphash f599b6f39c4199efc636d6c6956ca27a (5 x Quakbot)
ssdeep 12288:HZBs6eUwpkdFC7dStewcZWOcRVrXugaJJkPcpF:5+UwWFew2Dhk
Threatray 1'547 similar samples on MalwareBazaar
TLSH T144D4BF0095851DF1D18ED97FB97FEC9AC62922B5FF126B8B35488258B5E23C1DF0270A
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter 0xToxin
Tags: 1666019778 dll obama214 Qakbot Quakbot
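
Before working on a copy of this sample, confirm it is the file the entry describes: the upload name persecutory.asc says nothing about the content (the entry itself classifies it as a DLL), so the digests are the only reliable identity. The Python below is an added example and not part of the MalwareBazaar page or its tooling. It computes the four digests that Python's hashlib can produce (MD5, SHA1, SHA256, SHA3-384; ssdeep, TLSH and imphash need third-party libraries and are left out) and compares them, together with the file size, against the values on the entry. ENTRY_HASHES and ENTRY_SIZE are copied from the entry; the function names are the example's own.

```python
import hashlib

# Digests and size copied from the MalwareBazaar entry for this sample.
ENTRY_HASHES = {
    "md5": "4c65512ecdf5eea47b59882acd14ac83",
    "sha1": "69a2e7d5824ebe0d7fb8434dddcd93a8afcc693b",
    "sha256": "544add0097f7617d68253baf2f59e75ab52013f329c5e3b9613785b7c7353c87",
    "sha3_384": "b1c065c795e01801921bca1ba61301a12b290d010aeddc2fc5bbee09b5b67580"
                "404e98b1f13d34e06c4dc880210c0467",
}
ENTRY_SIZE = 598016  # listed as 598'016 bytes

_ALGOS = {
    "md5": hashlib.md5,
    "sha1": hashlib.sha1,
    "sha256": hashlib.sha256,
    "sha3_384": hashlib.sha3_384,
}


def digest_bytes(data: bytes) -> dict:
    """Compute the four digests MalwareBazaar publishes, for an in-memory blob."""
    return {name: fn(data).hexdigest() for name, fn in _ALGOS.items()}


def digest_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Stream a file through all four hashers in one pass (samples can be large)."""
    hashers = {name: fn() for name, fn in _ALGOS.items()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_against_entry(digests: dict, size=None, expected=ENTRY_HASHES) -> dict:
    """Compare computed digests (and optionally the size) with the entry.

    Every algorithm is reported separately: a partial match (say MD5 agrees
    but SHA256 does not) points at a transcription error or a deliberately
    colliding file and should stop the analysis rather than be averaged away.
    'all_match' is True only when every compared value agrees.
    """
    result = {name: digests.get(name, "").lower() == value.lower()
              for name, value in expected.items()}
    if size is not None:
        result["size"] = (size == ENTRY_SIZE)
    result["all_match"] = all(result.values())
    return result


if __name__ == "__main__":
    import os
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "persecutory.asc"
    report = verify_against_entry(digest_file(path), size=os.path.getsize(path))
    for name, ok in report.items():
        print(f"{name:10s} {'OK' if ok else 'MISMATCH'}")
```

Run it as `python verify.py persecutory.asc`; anything other than OK on every line means the file on disk is not the one this entry describes and should not be treated as such.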

Intelligence


File Origin
# of uploads: 2
# of downloads: 272
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Suspicious
Maliciousness:
Behaviour
Creating synchronization primitives
Launching a process
Searching for synchronization primitives
Modifying an executable file
Creating a window
Unauthorized injection to a system process
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name: Win32.Backdoor.Quakbot
Status: Malicious
First seen: 2022-10-18 13:39:11 UTC
File Type: PE (Dll)
Extracted files: 1
AV detection: 18 of 26 (69.23%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:qakbot botnet:obama214 campaign:1666019778 banker stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Qakbot/Qbot
Malware Config
C2 Extraction:
105.96.221.136:443
37.37.80.2:3389
105.154.56.232:995
41.107.116.19:443
105.103.52.189:443
159.192.204.135:443
41.107.58.251:443
177.152.65.142:443
102.47.218.41:443
176.45.35.243:443
70.173.248.13:443
102.159.77.134:995
220.123.29.76:443
82.12.196.197:443
103.156.237.71:443
149.126.159.254:443
176.44.119.153:443
181.56.171.3:995
190.205.229.67:2222
151.251.50.117:443
163.182.177.80:443
72.21.109.1:443
41.101.92.195:443
190.193.180.228:443
190.204.112.207:2222
41.97.56.102:443
41.69.209.76:443
190.78.89.157:993
206.1.216.19:2087
85.242.200.96:443
41.251.219.50:443
105.111.141.73:443
41.103.64.82:443
190.39.218.17:443
84.220.13.28:443
190.100.149.122:995
197.1.19.60:443
196.64.70.216:443
196.89.213.40:995
181.168.145.94:443
187.101.200.186:995
41.105.245.174:443
179.25.144.177:995
78.179.135.247:443
94.52.127.44:443
186.18.210.16:443
102.158.215.180:443
78.183.238.79:443
197.1.50.150:443
42.189.32.186:80
167.58.235.5:443
14.54.83.15:443
187.198.8.241:443
71.239.12.136:443
112.70.141.221:443
37.245.136.135:2222
88.232.10.69:443
41.98.250.65:443
82.205.9.34:443
196.64.239.75:443
37.8.68.1:443
197.1.248.244:443
197.2.139.7:443
79.45.134.162:22
182.183.211.163:995
154.246.14.94:443
144.86.17.168:443
182.185.29.69:995
160.177.47.116:6881
181.197.41.173:443
160.248.194.147:443
85.109.221.97:443
125.25.77.249:995
1.20.185.138:443
91.171.72.214:32100
197.10.195.7:443
45.160.33.163:443
202.170.206.61:995
96.9.66.118:995
132.251.244.227:443
113.188.13.246:443
78.181.39.116:443
1.53.101.75:443
197.202.173.111:443
31.201.40.194:443
197.116.178.224:443
79.155.159.177:443
181.188.164.123:443
156.221.50.226:995
41.251.15.7:990
45.240.140.233:995
102.188.91.158:995
189.243.187.76:443
179.105.182.216:995
196.65.230.248:995
181.141.3.126:443
128.234.26.174:995
78.161.194.147:443
78.101.177.210:443
86.217.167.235:2222
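
The C2 list above is the most directly actionable part of the entry, but it is only useful once it is parsed into (ip, port) pairs and checked against what your network actually talked to. The Python below is an added example, not code from MalwareBazaar or from the Qakbot config extractor: it parses lines in the `ip:port` form used above (skipping malformed ones), summarises which ports the list uses, flags ports outside a small set the analyst expects, and then matches constructed Zeek-style connection records against the list on the (ip, port) pair rather than the IP alone. C2_EXTRACTION holds a subset of the entries copied verbatim from the list above (the parser handles the full list the same way); SAMPLE_FLOWS and EXPECTED_PORTS are constructed for the example and are not from the entry.

```python
import ipaddress
from collections import Counter

# Subset of the "C2 Extraction" list on this entry, copied verbatim.
C2_EXTRACTION = """\
105.96.221.136:443
37.37.80.2:3389
105.154.56.232:995
190.205.229.67:2222
79.45.134.162:22
160.177.47.116:6881
91.171.72.214:32100
41.251.15.7:990
206.1.216.19:2087
42.189.32.186:80
86.217.167.235:2222
"""

# Analyst heuristic (assumption, not stated by the entry): ports outside this
# set are worth a second look because they are atypical for the rest of the list.
EXPECTED_PORTS = {443, 995, 993, 2222, 2087}


def parse_c2_list(text: str) -> list:
    """Parse 'ip:port' lines into (ip, port) tuples; malformed lines are dropped."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        host, sep, port = line.rpartition(":")
        if not sep or not port.isdigit():
            continue
        try:
            ip = ipaddress.ip_address(host)   # rejects hostnames and junk
        except ValueError:
            continue
        p = int(port)
        if not 0 < p < 65536:
            continue
        out.append((str(ip), p))
    return out


def port_summary(c2s) -> Counter:
    """How many C2 entries use each port."""
    return Counter(port for _, port in c2s)


def unusual_ports(c2s, expected=EXPECTED_PORTS) -> list:
    """Ports on the list that are outside the expected set, sorted."""
    return sorted({p for _, p in c2s if p not in expected})


# Constructed connection records (Zeek conn.log-like, tab separated):
# ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto
SAMPLE_FLOWS = """\
1666020001.1\t10.0.0.15\t49210\t105.96.221.136\t443\ttcp
1666020002.3\t10.0.0.15\t49211\t142.250.74.46\t443\ttcp
1666020005.7\t10.0.0.22\t51000\t37.37.80.2\t3389\ttcp
1666020006.0\t10.0.0.22\t51001\t37.37.80.2\t443\ttcp
"""


def match_flows(flow_text: str, c2s) -> list:
    """Return records whose destination (ip, port) is on the C2 list.

    Matching the pair rather than the bare IP avoids alerting on unrelated
    traffic to the same address; the last sample record reaches 37.37.80.2
    on a port that is not in the list and is therefore not returned.
    """
    wanted = set(c2s)
    hits = []
    for line in flow_text.splitlines():
        fields = line.split("\t")
        if len(fields) < 6:
            continue
        ts, src, _, dst, dport, _ = fields[:6]
        if dport.isdigit() and (dst, int(dport)) in wanted:
            hits.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport)})
    return hits


if __name__ == "__main__":
    c2s = parse_c2_list(C2_EXTRACTION)
    print(len(c2s), "C2 entries; ports:", dict(port_summary(c2s)))
    print("unusual ports:", unusual_ports(c2s))
    for hit in match_flows(SAMPLE_FLOWS, c2s):
        print("C2 contact:", hit)
```

To run this against a real conn.log, paste the full list from the entry into C2_EXTRACTION and feed the log text to match_flows; each hit gives the internal source address to pivot on.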
Unpacked files
SHA256 hash: 1d80f42feab51304ad3a065f001ac38bafde1c415e0d570459cff1e6a0b3ee8d
MD5 hash: 190ec61e2c41d3fced699b9b7384f738
SHA1 hash: dca5becc339885f7707e08af9c369e56a8cad3af
SHA256 hash: 33f3bd4d5b34c6efb45a4d69f8e2801449a966344f777e55448317ca1eb57c8b
MD5 hash: 176f74092237d70d37b2f4bde47bfc96
SHA1 hash: aa1b8a1ecceb030ef6e3e15098bf3bec06bfc563
Detections: Qakbot win_qakbot_auto
SHA256 hash: 544add0097f7617d68253baf2f59e75ab52013f329c5e3b9613785b7c7353c87
MD5 hash: 4c65512ecdf5eea47b59882acd14ac83
SHA1 hash: 69a2e7d5824ebe0d7fb8434dddcd93a8afcc693b
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: QakBot
Author: kevoreilly
Description: QakBot Payload
Rule name: unpacked_qbot
Description: Detects unpacked or memory-dumped QBot samples
Rule name: win_qakbot_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.qakbot.
Rule name: win_qakbot_malped
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.qakbot.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments