MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 5c31232118ac6dcfbde67571270799cbc8d3fd54c4efa28bcba23894cec6ee7f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Quakbot
Vendor detections: 3
| SHA256 hash: | 5c31232118ac6dcfbde67571270799cbc8d3fd54c4efa28bcba23894cec6ee7f |
|---|---|
| SHA3-384 hash: | badf8ea4256048bb2ae9f5ebc4b2987d0e5d39dac1c3a4a9172541a179803aefdd59a0a83419277acb2ce0ea5d25c1f4 |
| SHA1 hash: | 29bc9a1b0c12600e2cf455502639396032c72535 |
| MD5 hash: | b95c29d7bea329e7593130d3ff2d3775 |
| humanhash: | lima-crazy-pizza-helium |
| File name: | WoodenestProtonotary.iso.zip |
| Download: | download sample |
| Signature | Quakbot |
| File size: | 994'329 bytes |
| First seen: | 2022-12-19 13:15:13 UTC |
| Last seen: | Never |
| File type: | zip |
| MIME type: | application/zip |
| Note: | This file is a password protected archive. The password is: TR23 |
| ssdeep | 24576:zkDtWOIWXUPoCanFiwtMA07NK0JdZuQaMR8LzuKD+0zz:zM3IWXUPHwzaJJouKD+0/ |
| TLSH | T1A92533786B3912C87801CE7BB47D77AA314252BDC33884579EEEA4B31D60DED0A90396 |
| TrID | 80.0% (.ZIP) ZIP compressed archive (4000/1) 20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1) |
| Reporter |  pr0xylife |
| Tags: | 1671442875 BB11 pw-TR23 Qakbot Quakbot zip |
Intelligence
File Origin
# of uploads :
1
# of downloads :
134
Origin country :
PTFile Archive Information
This file is a password protected archive. The password is: TR23
This file archive contains 8 file(s), sorted by their relevance:
| File name: | maldistributionUnvitalized.jpg |
|---|---|
| File size: | 3'874 bytes |
| SHA256 hash: | e137753578bd4aef0129dee2b54b82dc0d58472acefc969f50b686498cb5874b |
| MD5 hash: | f788b02a8a27a7673c918d8d9f75fab9 |
| MIME type: | image/jpeg |
| Signature | Quakbot |
| File name: | heptachlorCytidines.bin |
|---|---|
| File size: | 483'556 bytes |
| SHA256 hash: | 8a1a52da9e819579fb95b65d15da753f1c4fb12c98dba254a2e9151586dca4fb |
| MD5 hash: | a30d004dc4891448fcfc162785c3aa2e |
| MIME type: | text/plain |
| Signature | Quakbot |
| File name: | hydradephaganPerineal.data |
|---|---|
| File size: | 483'556 bytes |
| SHA256 hash: | dd748a5346b1a8abba20608eefdc80deae6bada395f431a80e8678a4d8543740 |
| MD5 hash: | 31647914c897359bb30ab36796c6ee78 |
| MIME type: | text/plain |
| Signature | Quakbot |
| File name: | Simaba.jpg |
|---|---|
| File size: | 25'275 bytes |
| SHA256 hash: | c0d648c8711884d5feca30b7bf474ecadd029e54a4b0d3839af103a0f8179bef |
| MD5 hash: | 2f9f2928e5f5cfc2a3c07aa2aad55e55 |
| MIME type: | image/jpeg |
| Signature | Quakbot |
| File name: | femursPlottery.dat |
|---|---|
| File size: | 483'556 bytes |
| SHA256 hash: | 4c6359cae1e69ad6212d7acfa55c5b691e575be308ed2ae301d7153adb04aaf6 |
| MD5 hash: | b2dde1e81a85adfbdf23c9d2733bc0cf |
| MIME type: | text/plain |
| Signature | Quakbot |
| File name: | dispergeGaloch.jpeg |
|---|---|
| File size: | 97'777 bytes |
| SHA256 hash: | e67976af4e0ab02b762f66bd1bbc27cb9fbe754ba1a844cc3f51256498952a2a |
| MD5 hash: | 8de80264478af35c94ecc123da57295c |
| MIME type: | image/jpeg |
| Signature | Quakbot |
| File name: | roughhousingCaliphship.wsf |
|---|---|
| File size: | 44'757 bytes |
| SHA256 hash: | 21884c68743af7194a329cca5c69576880301dfa9ff9695e1ef16597a90cb8ca |
| MD5 hash: | fb8f1ec905d10d63400cf013d6394b92 |
| MIME type: | text/html |
| Signature | Quakbot |
| File name: | WoodenestProtonotary.js |
|---|---|
| File size: | 156 bytes |
| SHA256 hash: | 5441e0018012a2496a38a8dbc3010e86e0094be7971e4f400ae50457efcd87fa |
| MD5 hash: | 372953b658f52118435afb13382bd81a |
| MIME type: | text/plain |
| Signature | Quakbot |
Vendor Threat Intelligence
Gathering data
Result
Verdict:
UNKNOWN
Link:
Detection(s):
Suspicious file
Result
Malware family:
qakbot
Score:
10/10
Tags:
family:qakbot botnet:bb11 campaign:1671442875 banker stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Qakbot/Qbot
Malware Config
C2 Extraction:
24.71.120.191:443
121.121.100.148:995
172.90.139.138:2222
70.55.120.16:2222
75.99.125.234:2222
172.248.42.122:443
37.14.229.220:2222
83.7.52.202:443
85.241.180.94:443
90.206.194.248:443
31.53.29.141:2222
72.80.7.6:50003
74.92.243.113:50000
90.48.151.17:2222
176.142.207.63:443
178.153.5.54:443
74.66.134.24:443
46.162.109.183:443
12.172.173.82:993
64.237.240.3:443
65.20.175.208:443
69.119.123.159:2222
94.105.123.53:443
99.229.164.42:443
91.169.12.198:32100
184.153.132.82:443
81.229.117.95:2222
82.34.170.37:443
86.96.75.237:2222
27.109.19.90:2078
109.219.126.249:2222
91.165.188.74:50000
175.139.130.191:2222
76.20.42.45:443
12.172.173.82:50001
91.96.249.3:443
150.107.231.59:2222
12.172.173.82:995
128.127.21.57:443
184.68.116.146:2222
87.220.205.65:2222
184.68.116.146:3389
87.223.95.66:443
92.189.214.236:2222
73.29.92.128:443
86.165.15.180:2222
82.6.99.234:443
92.27.86.48:2222
174.112.22.106:2078
187.199.184.14:32103
199.83.165.233:443
37.15.128.31:2222
90.79.129.166:2222
136.244.25.165:443
93.147.134.85:443
202.187.239.67:995
75.143.236.149:443
67.235.138.14:443
84.35.26.14:995
147.148.234.231:2222
108.6.249.139:443
86.98.23.199:443
60.254.51.168:443
103.55.67.180:443
176.44.121.220:995
103.42.86.42:995
103.141.50.151:995
217.128.200.114:2222
24.228.132.224:2222
90.119.197.132:2222
76.80.180.154:995
72.80.7.6:995
50.68.204.71:995
47.34.30.133:443
103.212.19.254:995
116.74.163.30:443
47.41.154.250:443
83.110.95.209:995
50.68.204.71:443
78.100.238.92:995
12.172.173.82:465
90.116.219.167:2222
86.99.15.254:2222
62.35.67.88:443
92.186.69.229:2222
84.108.173.79:443
79.13.202.140:443
77.86.98.236:443
123.3.240.16:995
86.196.35.232:2222
70.115.104.126:995
86.130.9.250:2222
92.185.204.18:2078
213.67.255.57:2222
73.36.196.11:443
186.64.67.55:443
103.144.201.62:2078
90.78.138.217:2222
76.170.252.153:995
87.202.101.164:50000
89.129.109.27:2222
87.57.13.215:443
108.162.6.34:443
87.65.160.87:995
45.152.16.14:443
12.172.173.82:20
85.245.221.87:2078
98.145.23.67:443
73.155.10.79:443
171.97.42.82:443
71.31.101.183:443
74.33.196.114:443
12.172.173.82:32101
45.248.169.101:443
174.104.184.149:443
90.66.229.185:2222
184.68.116.146:2078
12.172.173.82:22
173.18.126.3:443
121.121.100.148:995
172.90.139.138:2222
70.55.120.16:2222
75.99.125.234:2222
172.248.42.122:443
37.14.229.220:2222
83.7.52.202:443
85.241.180.94:443
90.206.194.248:443
31.53.29.141:2222
72.80.7.6:50003
74.92.243.113:50000
90.48.151.17:2222
176.142.207.63:443
178.153.5.54:443
74.66.134.24:443
46.162.109.183:443
12.172.173.82:993
64.237.240.3:443
65.20.175.208:443
69.119.123.159:2222
94.105.123.53:443
99.229.164.42:443
91.169.12.198:32100
184.153.132.82:443
81.229.117.95:2222
82.34.170.37:443
86.96.75.237:2222
27.109.19.90:2078
109.219.126.249:2222
91.165.188.74:50000
175.139.130.191:2222
76.20.42.45:443
12.172.173.82:50001
91.96.249.3:443
150.107.231.59:2222
12.172.173.82:995
128.127.21.57:443
184.68.116.146:2222
87.220.205.65:2222
184.68.116.146:3389
87.223.95.66:443
92.189.214.236:2222
73.29.92.128:443
86.165.15.180:2222
82.6.99.234:443
92.27.86.48:2222
174.112.22.106:2078
187.199.184.14:32103
199.83.165.233:443
37.15.128.31:2222
90.79.129.166:2222
136.244.25.165:443
93.147.134.85:443
202.187.239.67:995
75.143.236.149:443
67.235.138.14:443
84.35.26.14:995
147.148.234.231:2222
108.6.249.139:443
86.98.23.199:443
60.254.51.168:443
103.55.67.180:443
176.44.121.220:995
103.42.86.42:995
103.141.50.151:995
217.128.200.114:2222
24.228.132.224:2222
90.119.197.132:2222
76.80.180.154:995
72.80.7.6:995
50.68.204.71:995
47.34.30.133:443
103.212.19.254:995
116.74.163.30:443
47.41.154.250:443
83.110.95.209:995
50.68.204.71:443
78.100.238.92:995
12.172.173.82:465
90.116.219.167:2222
86.99.15.254:2222
62.35.67.88:443
92.186.69.229:2222
84.108.173.79:443
79.13.202.140:443
77.86.98.236:443
123.3.240.16:995
86.196.35.232:2222
70.115.104.126:995
86.130.9.250:2222
92.185.204.18:2078
213.67.255.57:2222
73.36.196.11:443
186.64.67.55:443
103.144.201.62:2078
90.78.138.217:2222
76.170.252.153:995
87.202.101.164:50000
89.129.109.27:2222
87.57.13.215:443
108.162.6.34:443
87.65.160.87:995
45.152.16.14:443
12.172.173.82:20
85.245.221.87:2078
98.145.23.67:443
73.155.10.79:443
171.97.42.82:443
71.31.101.183:443
74.33.196.114:443
12.172.173.82:32101
45.248.169.101:443
174.104.184.149:443
90.66.229.185:2222
184.68.116.146:2078
12.172.173.82:22
173.18.126.3:443
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | QbotStuff |
|---|---|
| Author: | anonymous |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
No further information available
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.