MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 55dff05b8bd54a21267a8320f44230b217188ad1134128f8a33c488937c0c407. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Quakbot
Vendor detections: 10
| SHA256 hash: | 55dff05b8bd54a21267a8320f44230b217188ad1134128f8a33c488937c0c407 |
|---|---|
| SHA3-384 hash: | 26ac5af8e8a0c0a44732f232adc931ad9c6fdd51a3b640d91be77c949843ffc96a895cdbcd74d38e66af1195268e7401 |
| SHA1 hash: | 7f94ea7bcf8796987bad0042566d77289e8a6b10 |
| MD5 hash: | 6e9e2076a950b7bf6820a61cae864a5b |
| humanhash: | berlin-snake-summer-jig |
| File name: | triage_dropped_file |
| Download: | download sample |
| Signature | Quakbot |
| File size: | 819'712 bytes |
| First seen: | 2022-05-11 13:21:06 UTC |
| Last seen: | Never |
| File type: |  dll |
| MIME type: | application/x-dosexec |
| imphash | 99335be05eea85d920eaf8f6f5246fc1 (2 x Quakbot) |
| ssdeep | 12288:pg2boKKRrRYEr991kYgwHXdBRPBPSjpho0vqLks2n2BpJBJC8QEydhIjtkI90N+m:pgD1P96YlbGjwks22B/QBhCfG+6F3ll |
| Threatray | 1'048 similar samples on MalwareBazaar |
| TLSH | T17005AFB875147CD6E66F567BDADABCDC03B6272299CBA4CD80647BC30563372EE02805 |
| TrID | 38.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 26.3% (.EXE) Win32 Executable (generic) (4505/5/1) 11.8% (.EXE) OS/2 Executable (generic) (2029/13) 11.6% (.EXE) Generic Win/DOS Executable (2002/3) 11.6% (.EXE) DOS Executable Generic (2000/1) |
| Reporter |  malwarelabnet |
| Tags: | dll obama183 Qakbot Quakbot |
Intelligence
File Origin
# of uploads :
1
# of downloads :
263
Origin country :
n/a
Vendor Threat Intelligence
Detection:
QakBot
Result
Verdict:
Malware
Maliciousness:
Behaviour
Сreating synchronization primitives
Launching a process
Modifying an executable file
Searching for synchronization primitives
Creating a process with a hidden window
Creating a window
Sending a custom TCP request
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
packed
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Threat name:
Win32.Backdoor.Quakbot
Status:
Malicious
First seen:
2022-05-11 13:22:07 UTC
File Type:
PE (Dll)
Extracted files:
2
AV detection:
19 of 26 (73.08%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Label(s):
qakbot
Similar samples:
+ 1'038 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Score:
10/10
Tags:
family:qakbot botnet:obama183 campaign:1652254401 banker evasion stealer trojan
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Loads dropped DLL
Qakbot/Qbot
Windows security bypass
Malware Config
C2 Extraction:
140.82.49.12:443
41.228.22.180:443
75.99.168.194:443
93.48.80.198:995
148.64.96.100:443
86.132.13.91:2078
82.152.39.39:443
41.38.167.179:995
2.50.4.57:443
217.128.122.65:2222
172.114.160.81:995
186.90.153.162:2222
118.161.15.217:443
37.34.253.233:443
2.34.12.8:443
46.107.48.202:443
72.76.94.99:443
124.40.244.118:2222
201.42.3.27:32101
78.100.235.8:2222
76.70.9.169:2222
45.241.145.155:993
203.122.46.130:443
202.134.152.2:2222
75.99.168.194:61201
119.158.122.112:995
183.82.103.213:443
201.210.162.138:2222
173.174.216.62:443
80.11.74.81:2222
86.98.208.214:2222
140.82.63.183:995
149.28.238.199:443
144.202.2.175:995
45.76.167.26:995
144.202.3.39:443
45.63.1.12:995
149.28.238.199:995
140.82.63.183:443
144.202.2.175:443
45.76.167.26:443
144.202.3.39:995
45.63.1.12:443
89.101.97.139:443
103.107.113.84:443
39.44.23.250:995
24.178.196.158:2222
91.177.173.10:995
176.67.56.94:443
148.0.57.85:443
208.107.221.224:443
172.115.177.204:2222
37.186.54.254:995
70.46.220.114:443
118.161.15.217:995
46.103.186.43:995
197.89.6.37:443
181.208.248.227:443
103.246.242.202:443
83.110.89.191:443
76.25.142.196:443
108.60.213.141:443
188.50.241.63:995
86.97.246.216:2222
45.46.53.140:2222
92.132.172.197:2222
121.74.167.191:995
78.100.197.230:6883
120.150.218.241:995
101.51.76.46:443
86.98.78.177:993
39.44.86.21:995
74.14.7.71:2222
86.97.8.200:443
84.241.8.23:32103
86.97.246.216:1194
32.221.224.140:995
47.23.89.60:993
38.70.253.226:2222
182.191.92.203:995
39.52.54.195:995
175.145.235.37:443
185.249.85.200:443
173.21.10.71:2222
174.69.215.101:443
5.32.41.45:443
73.151.236.31:443
190.252.242.69:443
85.246.82.244:443
82.41.63.217:443
187.208.0.99:443
47.156.191.217:443
70.51.137.64:2222
72.252.157.172:990
72.252.157.172:995
100.1.108.246:443
201.142.133.198:443
102.182.232.3:995
201.1.202.82:32101
40.134.246.185:995
24.139.72.117:443
24.55.67.176:443
179.158.105.44:443
201.172.23.68:2222
90.120.65.153:2078
187.102.135.141:2222
189.146.87.77:443
187.251.132.144:22
191.99.191.28:443
41.84.236.194:995
63.143.92.99:995
186.106.206.47:443
39.49.7.132:995
79.129.121.68:995
69.14.172.24:443
109.12.111.14:443
196.203.37.215:80
86.195.158.178:2222
197.162.117.38:995
189.26.55.114:443
121.7.223.59:2222
58.105.167.36:50000
67.165.206.193:993
187.207.47.198:61202
94.36.195.102:2222
128.106.123.187:443
86.190.159.132:443
103.157.122.130:21
67.209.195.198:443
101.50.67.212:995
106.51.48.170:50001
109.228.220.196:443
88.228.251.169:443
104.34.212.7:32103
181.222.130.143:993
24.152.219.253:995
111.125.245.118:995
39.53.105.32:995
191.251.134.129:443
197.205.106.232:443
103.139.243.207:993
116.30.161.215:995
103.139.243.207:990
39.52.54.195:993
81.215.196.174:443
217.118.46.41:2222
89.86.33.217:443
120.61.3.169:443
2.50.17.128:2222
180.129.20.164:995
41.228.22.180:443
75.99.168.194:443
93.48.80.198:995
148.64.96.100:443
86.132.13.91:2078
82.152.39.39:443
41.38.167.179:995
2.50.4.57:443
217.128.122.65:2222
172.114.160.81:995
186.90.153.162:2222
118.161.15.217:443
37.34.253.233:443
2.34.12.8:443
46.107.48.202:443
72.76.94.99:443
124.40.244.118:2222
201.42.3.27:32101
78.100.235.8:2222
76.70.9.169:2222
45.241.145.155:993
203.122.46.130:443
202.134.152.2:2222
75.99.168.194:61201
119.158.122.112:995
183.82.103.213:443
201.210.162.138:2222
173.174.216.62:443
80.11.74.81:2222
86.98.208.214:2222
140.82.63.183:995
149.28.238.199:443
144.202.2.175:995
45.76.167.26:995
144.202.3.39:443
45.63.1.12:995
149.28.238.199:995
140.82.63.183:443
144.202.2.175:443
45.76.167.26:443
144.202.3.39:995
45.63.1.12:443
89.101.97.139:443
103.107.113.84:443
39.44.23.250:995
24.178.196.158:2222
91.177.173.10:995
176.67.56.94:443
148.0.57.85:443
208.107.221.224:443
172.115.177.204:2222
37.186.54.254:995
70.46.220.114:443
118.161.15.217:995
46.103.186.43:995
197.89.6.37:443
181.208.248.227:443
103.246.242.202:443
83.110.89.191:443
76.25.142.196:443
108.60.213.141:443
188.50.241.63:995
86.97.246.216:2222
45.46.53.140:2222
92.132.172.197:2222
121.74.167.191:995
78.100.197.230:6883
120.150.218.241:995
101.51.76.46:443
86.98.78.177:993
39.44.86.21:995
74.14.7.71:2222
86.97.8.200:443
84.241.8.23:32103
86.97.246.216:1194
32.221.224.140:995
47.23.89.60:993
38.70.253.226:2222
182.191.92.203:995
39.52.54.195:995
175.145.235.37:443
185.249.85.200:443
173.21.10.71:2222
174.69.215.101:443
5.32.41.45:443
73.151.236.31:443
190.252.242.69:443
85.246.82.244:443
82.41.63.217:443
187.208.0.99:443
47.156.191.217:443
70.51.137.64:2222
72.252.157.172:990
72.252.157.172:995
100.1.108.246:443
201.142.133.198:443
102.182.232.3:995
201.1.202.82:32101
40.134.246.185:995
24.139.72.117:443
24.55.67.176:443
179.158.105.44:443
201.172.23.68:2222
90.120.65.153:2078
187.102.135.141:2222
189.146.87.77:443
187.251.132.144:22
191.99.191.28:443
41.84.236.194:995
63.143.92.99:995
186.106.206.47:443
39.49.7.132:995
79.129.121.68:995
69.14.172.24:443
109.12.111.14:443
196.203.37.215:80
86.195.158.178:2222
197.162.117.38:995
189.26.55.114:443
121.7.223.59:2222
58.105.167.36:50000
67.165.206.193:993
187.207.47.198:61202
94.36.195.102:2222
128.106.123.187:443
86.190.159.132:443
103.157.122.130:21
67.209.195.198:443
101.50.67.212:995
106.51.48.170:50001
109.228.220.196:443
88.228.251.169:443
104.34.212.7:32103
181.222.130.143:993
24.152.219.253:995
111.125.245.118:995
39.53.105.32:995
191.251.134.129:443
197.205.106.232:443
103.139.243.207:993
116.30.161.215:995
103.139.243.207:990
39.52.54.195:993
81.215.196.174:443
217.118.46.41:2222
89.86.33.217:443
120.61.3.169:443
2.50.17.128:2222
180.129.20.164:995
Unpacked files
SH256 hash:
55dff05b8bd54a21267a8320f44230b217188ad1134128f8a33c488937c0c407
MD5 hash:
6e9e2076a950b7bf6820a61cae864a5b
SHA1 hash:
7f94ea7bcf8796987bad0042566d77289e8a6b10
Malware family:
QBot
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | QakBot |
|---|---|
| Author: | kevoreilly |
| Description: | QakBot Payload |
| Rule name: | win_qakbot_auto |
|---|---|
| Author: | Felix Bilstein - yara-signator at cocacoding dot com |
| Description: | Detects win.qakbot. |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.