MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c1eb12dc76bcbb34ad726ffb072076a24a1b5205ce81d3bf8b8b1ee268da336. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Quakbot


Vendor detections: 10

SHA256 hash: 5c1eb12dc76bcbb34ad726ffb072076a24a1b5205ce81d3bf8b8b1ee268da336
SHA3-384 hash: 5c5685757a969b77bd1f8522ef278afa1e2ab310a4e80918ca792d94c71411fdec4bdcd0c795230c670ee7208a510619
SHA1 hash: 9ade3b16e70039d8ef9b65465455a9da6f88fad5
MD5 hash: 74a8b9b12a88c62fbf9d95f486c98b59
humanhash: artist-venus-mango-carolina
File name: enfeebling.dat
Signature: Quakbot
File size: 549'888 bytes
First seen: 2022-10-24 16:15:17 UTC
Last seen: 2022-10-24 17:11:42 UTC
File type: DLL dll
MIME type: application/x-dosexec
imphash: 4b5a5483fcf7fe55868677e5590256c9 (3 x Quakbot)
ssdeep: 12288:C3jf0sjnEhDnvQhfodTG7Ag8BE7WErKzS+r:VswDvEfwJksS
Threatray: 1'568 similar samples on MalwareBazaar
TLSH: T19AC4BF1095852AB0D649CA3BF9BBEA49D61821F5FFA3770B3A4C450CB5F2281DF0674B
TrID: 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
      19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
      7.7% (.EXE) OS/2 Executable (generic) (2029/13)
      7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter: pr0xylife
Tags: dll obama215 Qakbot Quakbot

Intelligence


File Origin
# of uploads: 2
# of downloads: 221
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Launching a process
Searching for synchronization primitives
Modifying an executable file
Creating a window
Unauthorized injection to a system process
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name: Win32.Spyware.Bobik
Status: Malicious
First seen: 2022-10-24 17:10:11 UTC
File Type: PE (Dll)
Extracted files: 1
AV detection: 18 of 25 (72.00%)
Threat level: 2/5
Result
Malware family:
Score: 10/10
Tags: family:qakbot botnet:obama215 campaign:1666597712 banker stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Qakbot/Qbot
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash: 7604794c9278b14c690341965afb3b8e031156a47322a2d75c4bede53f54fcf8
MD5 hash: 4126ba75f43c039213ddcb741e174a43
SHA1 hash: dfdaa64663b009bb1bde26e98a46c17ef08304ad
SHA256 hash: 6a180c15f0e373e4b5e1aabb10107d1dc53b2819c7c61997f99e45b3f047db80
MD5 hash: d61ebd27a7ec5e1be3a78528af9a5857
SHA1 hash: c6b609ea061bd4b76486ddd99d0afbc840d4983c
Detections: Qakbot win_qakbot_auto
SHA256 hash: 5c1eb12dc76bcbb34ad726ffb072076a24a1b5205ce81d3bf8b8b1ee268da336
MD5 hash: 74a8b9b12a88c62fbf9d95f486c98b59
SHA1 hash: 9ade3b16e70039d8ef9b65465455a9da6f88fad5
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: QakBot
Author: kevoreilly
Description: QakBot Payload
Rule name: unpacked_qbot
Description: Detects unpacked or memory-dumped QBot samples
Rule name: win_qakbot_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.qakbot.
Rule name: win_qakbot_malped
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.qakbot.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments