MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 572c9105266e1390706b72023ad785e461fd8d908e4ca04e7e7599bd3fab12fc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Quakbot


Vendor detections: 10



SHA256 hash: 572c9105266e1390706b72023ad785e461fd8d908e4ca04e7e7599bd3fab12fc
SHA3-384 hash: 649e7994df232af17bab648e0f6908a2eaba43a347150c52d288e09cc838dee67801b975d97eb0748e48d08cfaf901ae
SHA1 hash: 1fa1055cf79240644e5dba166e20c537e8828e4f
MD5 hash: c9ae9aeb3efdf16c273d7631715255b7
humanhash: ceiling-uniform-pasta-golf
File name: oel1.ocx
Signature: Quakbot
File size: 711'148 bytes
First seen: 2021-12-20 11:11:55 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 75d722eed2003c28d28aa42b3d9179f7 (2 x Quakbot)
ssdeep: 6144:GdN8OgXE1fgaV7zpuBwgJOZLktaosuqUeinhnyv7yjA:GdN8OXBldgJbvsnUeinhnK+jA
Threatray: 469 similar samples on MalwareBazaar
TLSH: T14AE4B5AAB9E5FF09D8B7C638C560B325D12A5C268712444ED3CB39117EB23EC2D56E1C
dhash icon: 736934fc4de8cc92 (4 x Quakbot, 3 x Gozi, 1 x CryptBot)
Reporter: ffforward
Tags: cullinan dll exe ocx Qakbot qbot Quakbot tr
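Before working with a copy of this sample, confirm that what you have on disk is byte-for-byte the file the entry describes. The script below is an added example for this page, not MalwareBazaar's own code: it recomputes the SHA256, SHA3-384, SHA1 and MD5 digests listed above and checks the file size (711'148 bytes), so a truncated download or a sample still wrapped in its archive shows up as a size mismatch rather than as four unexplained hash mismatches. The expected values are copied from the entry; the sample bytes are not on the page, so the only input the example constructs itself is the stand-in byte string used in its self-check.

```python
"""Check a local copy of this sample against the hashes shown on the
MalwareBazaar entry. Added example; not MalwareBazaar's own code.
Expected values are copied from the entry; the real file is only read
when its path is passed to verify_file()."""
import hashlib
from pathlib import Path

# Digests and size exactly as listed on this entry.
ENTRY_HASHES = {
    "sha256": "572c9105266e1390706b72023ad785e461fd8d908e4ca04e7e7599bd3fab12fc",
    "sha3_384": "649e7994df232af17bab648e0f6908a2eaba43a347150c52d288e09cc838dee67801b975d97eb0748e48d08cfaf901ae",
    "sha1": "1fa1055cf79240644e5dba166e20c537e8828e4f",
    "md5": "c9ae9aeb3efdf16c273d7631715255b7",
}
ENTRY_SIZE = 711148  # listed as 711'148 bytes


def digest_bytes(data):
    """All four digests of an in-memory byte string."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ENTRY_HASHES}


def digest_file(path, chunk_size=1 << 20):
    """Same digests, streamed, so a large sample is never loaded whole."""
    hashers = {alg: hashlib.new(alg) for alg in ENTRY_HASHES}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def compare(actual, expected=ENTRY_HASHES, size=None, expected_size=ENTRY_SIZE):
    """Per-algorithm match report. The size is checked as well, so a
    truncated download or a file still inside its archive fails loudly
    instead of showing four unexplained digest mismatches."""
    report = {alg: actual.get(alg, "").lower() == digest.lower()
              for alg, digest in expected.items()}
    if size is not None:
        report["size"] = size == expected_size
    return report


def is_exact_match(report):
    """True only when every digest (and the size, if checked) agrees."""
    return all(report.values())


def verify_file(path, expected=ENTRY_HASHES, expected_size=ENTRY_SIZE):
    """Return (matched, report) for a file on disk."""
    p = Path(path)
    report = compare(digest_file(p), expected, size=p.stat().st_size,
                     expected_size=expected_size)
    return is_exact_match(report), report


if __name__ == "__main__":
    import sys
    ok, report = verify_file(sys.argv[1])
    for name, matched in report.items():
        print(f"{name:9} {'match' if matched else 'MISMATCH'}")
    sys.exit(0 if ok else 1)
```

Run it as `python verify.py oel1.ocx`; a non-zero exit means at least one digest or the size differs from the entry, and the per-line report says which. Only an all-match result is meaningful: a single agreeing MD5 or SHA1 is not enough, since both are collision-prone, which is why the entry's SHA256 and SHA3-384 are checked as well.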

Intelligence


File Origin
# of uploads: 1
# of downloads: 510
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Launching a process
Modifying an executable file
Searching for synchronization primitives
Creating a process with a hidden window
Creating a window
DNS request
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Malware family: n/a
Score: 0/10
Tags: n/a
Behaviour
CheckCmdLine
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: overlay
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name: Win32.Infostealer.QBot
Status: Malicious
First seen: 2021-12-20 11:18:00 UTC
File Type: PE (Dll)
Extracted files: 84
AV detection: 24 of 43 (55.81%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:qakbot botnet:cullinan campaign:1639988898 banker evasion stealer trojan
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Loads dropped DLL
Qakbot/Qbot
Windows security bypass
Malware Config
C2 Extraction:
32.221.229.7:443
140.82.49.12:443
24.152.219.253:995
182.56.99.126:443
76.169.147.192:32103
218.101.110.3:995
89.101.97.139:443
82.152.39.39:443
176.24.150.197:443
96.37.113.36:993
68.186.192.69:443
59.88.168.108:443
75.110.250.187:443
182.191.92.203:995
89.165.88.95:443
103.142.10.177:443
45.9.20.200:2211
24.95.61.62:443
194.36.28.26:443
78.101.82.198:2222
37.211.157.100:61202
70.163.1.219:443
31.215.99.73:443
103.143.8.71:6881
59.6.7.83:61200
63.153.187.104:443
14.96.79.22:61202
93.48.80.198:995
24.53.49.240:443
94.200.181.154:995
149.135.101.20:443
24.178.196.158:2222
209.210.95.228:32100
78.101.82.198:443
67.209.195.198:443
96.80.109.57:995
80.14.196.176:2222
38.70.253.226:2222
24.222.20.254:443
217.165.123.47:61200
74.15.2.252:2222
217.128.93.27:2222
102.65.38.67:443
190.73.3.148:2222
79.167.192.206:995
95.5.133.68:995
114.79.148.170:443
120.150.218.241:995
186.64.87.213:443
65.100.174.110:443
96.21.251.127:2222
136.232.34.70:443
63.143.92.99:995
136.143.11.232:443
39.49.27.10:995
111.125.245.116:995
41.228.22.180:443
217.164.247.241:2222
83.110.107.123:443
76.25.142.196:443
74.5.148.57:443
65.128.74.102:443
67.165.206.193:993
173.21.10.71:2222
71.74.12.34:443
94.60.254.81:443
23.233.146.92:443
73.151.236.31:443
79.160.207.214:443
213.120.26.24:443
89.137.52.44:443
75.188.35.168:443
109.12.111.14:443
106.51.48.170:50001
68.204.7.158:443
78.101.82.198:995
80.6.192.58:443
41.96.250.164:995
114.79.145.28:443
188.54.96.91:443
105.198.236.99:995
50.238.6.36:443
65.100.174.110:8443
70.51.134.181:2222
117.248.109.38:21
86.98.53.83:443
182.176.180.73:443
217.165.11.65:61200
103.143.8.71:995
50.237.134.22:995
187.189.86.168:443
100.1.119.41:443
2.178.67.97:61202
86.198.237.51:2222
88.253.171.236:995
73.171.4.177:443
40.134.247.125:995
72.252.201.34:995
190.39.205.165:443
187.172.146.123:443
92.167.4.71:2222
189.30.244.252:995
105.111.124.76:443
84.199.230.66:443
14.96.67.177:443
182.56.57.23:995
87.70.93.215:443
93.48.58.123:2222
73.5.119.219:443
75.169.58.229:32100
173.71.147.134:995
69.46.15.180:443
23.82.128.108:443
5.36.7.212:443
200.75.131.234:443
82.77.137.101:995
187.201.90.81:443
24.55.112.61:443
201.172.31.95:443
216.238.72.121:443
216.238.71.31:995
207.246.112.221:443
207.246.112.221:995
216.238.72.121:995
216.238.71.31:443
27.223.92.142:995
24.229.150.54:995
117.198.149.221:443
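The C2 list above is only useful once it is parsed, deduplicated and turned into something a firewall or IDS can consume, and the list has properties worth surfacing: several addresses appear on more than one port (78.101.82.198 on 443, 995 and 2222; 65.100.174.110 on 443 and 8443; 103.143.8.71 on 995 and 6881), and besides 443/993/995 the config uses ports such as 2222, 6881, 61200 and 61202. The script below is an added example for this page, not MalwareBazaar's or any sandbox vendor's code. It parses `ip:port` lines, rejects malformed ones, reports per-port counts, multi-port IPs and unusual ports, emits one Suricata rule per pair, and splits the sandbox's `Tags` line (family:qakbot botnet:cullinan campaign:1639988898 ...) into fields. Assumptions made by the example, not stated on the page: the set of "common" ports used as the threshold, the SID range 9000001 and upwards for the rules, and the reading of the campaign value as a Unix timestamp (a common convention in Qakbot trackers). C2_TEXT is a constructed subset of the entry's list so the example runs offline; in practice feed it the whole list.

```python
"""Turn the 'C2 Extraction' list of a MalwareBazaar entry into actionable
IOCs. Added example; not MalwareBazaar's or any sandbox vendor's code."""
import ipaddress
from collections import Counter
from datetime import datetime, timezone

# Constructed input: addresses copied from this entry, deliberately
# including the three that occur on more than one port, plus one
# malformed line of the kind a copy/paste from the page can produce.
C2_TEXT = """\
32.221.229.7:443
78.101.82.198:2222
78.101.82.198:443
78.101.82.198:995
65.100.174.110:443
65.100.174.110:8443
103.143.8.71:6881
103.143.8.71:995
117.248.109.38:21
37.211.157.100:61202
not-an-address:443
"""

# Ports that blend into ordinary TLS/mail egress; anything else in the
# config is worth a dedicated alert. Assumption of this example, not a page fact.
COMMON_TLS_PORTS = {443, 993, 995, 8443}


def parse_c2_list(text):
    """Return (accepted [(ip, port), ...], rejected [line, ...])."""
    accepted, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        host, sep, port = line.rpartition(":")
        try:
            ip = ipaddress.ip_address(host)   # raises on '' or a hostname
            port_n = int(port)
            if not sep or not 0 < port_n < 65536:
                raise ValueError(line)
        except ValueError:
            rejected.append(line)
            continue
        accepted.append((str(ip), port_n))
    return accepted, rejected


def summarize(entries):
    """Unique IPs, hits per port, IPs reused on several ports, odd ports."""
    ports_by_ip = {}
    for ip, port in entries:
        ports_by_ip.setdefault(ip, set()).add(port)
    port_counts = Counter(port for _, port in entries)
    return {
        "unique_ips": sorted(ports_by_ip, key=ipaddress.ip_address),
        "port_counts": dict(port_counts),
        "multi_port_ips": {ip: sorted(p) for ip, p in ports_by_ip.items() if len(p) > 1},
        "unusual_ports": sorted(p for p in port_counts if p not in COMMON_TLS_PORTS),
    }


def suricata_rules(entries, sid_start=9000001, msg="Qakbot C2 from MalwareBazaar entry 572c9105"):
    """One outbound rule per unique ip:port pair. SID range assumed free."""
    pairs = sorted(set(entries), key=lambda e: (ipaddress.ip_address(e[0]), e[1]))
    return [
        f'alert tcp $HOME_NET any -> {ip} {port} (msg:"{msg} {ip}:{port}"; '
        f"flow:to_server; sid:{sid_start + i}; rev:1;)"
        for i, (ip, port) in enumerate(pairs)
    ]


def decode_tags(tag_line):
    """Split a sandbox 'Tags' line into key:value fields plus bare flags.
    The campaign value is also read as a Unix timestamp; that reading is
    an assumption of this example, not something the entry states."""
    tags, flags = {}, []
    for tok in tag_line.split():
        key, sep, value = tok.partition(":")
        if sep:
            tags[key] = value
        else:
            flags.append(tok)
    tags["flags"] = flags
    if tags.get("campaign", "").isdigit():
        tags["campaign_utc"] = datetime.fromtimestamp(int(tags["campaign"]), tz=timezone.utc)
    return tags


if __name__ == "__main__":
    entries, rejected = parse_c2_list(C2_TEXT)
    print("rejected:", rejected)
    print(summarize(entries))
    print("\n".join(suricata_rules(entries)))
    print(decode_tags("family:qakbot botnet:cullinan campaign:1639988898 banker evasion stealer trojan"))
```

The multi-port and unusual-port views are the part worth looking at before blocking: Qakbot C2 lists of this era are largely residential addresses, so block on the exact ip:port pairs the config contains and keep the rules time-bounded rather than treating every IP as permanently hostile.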
Unpacked files
SHA256 hash: 670e990631c0b98ccdd7701c2136f0cb8863a308b07abd0d64480c8a2412bde4
MD5 hash: 51083dbdc8f7d9bb9d1a600849c6895a
SHA1 hash: 9c63e4caac2f4e94cb013609a02018a1a2315114
SHA256 hash: 572c9105266e1390706b72023ad785e461fd8d908e4ca04e7e7599bd3fab12fc (this sample)
MD5 hash: c9ae9aeb3efdf16c273d7631715255b7
SHA1 hash: 1fa1055cf79240644e5dba166e20c537e8828e4f
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Quakbot
Executable exe 572c9105266e1390706b72023ad785e461fd8d908e4ca04e7e7599bd3fab12fc (this sample)

Delivery method: Distributed via web download
