MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6444ade4163af4453f7dade0e9a9bd29a69ad5e78e5ec0b729fbc42f7cc14d5b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash:	6444ade4163af4453f7dade0e9a9bd29a69ad5e78e5ec0b729fbc42f7cc14d5b
SHA3-384 hash:	6338aadc468f3370605718cf826cd94b1a19a058924978331fafad2c66c80ccc1c77099b594a765f1885a298a6b30115
SHA1 hash:	058feec390d421cbf9cb303d3ed9310cd4e56940
MD5 hash:	9ccc1c68f03c065d80f168faae384f06
humanhash:	white-tennessee-oven-montana
File name:	6444ade4163af4453f7dade0e9a9bd29a69ad5e78e5ec0b729fbc42f7cc14d5b
Download:	download sample
Signature	Quakbot Create hunting rule
File size:	789'448 bytes
First seen:	2021-03-09 20:08:37 UTC
Last seen:	Never
File type:	dll
MIME type:	application/x-dosexec
imphash	982089e07eedebb62c392042401154fa (8 x Quakbot)
ssdeep	12288:ilTxdlYUTXacR/927cw6nlsL8IQayFihyGgBfMdK6Uwh1/6aMCxtd:GFgkau97wUsTsFicGEfUK4Lx
Threatray	217 similar samples on MalwareBazaar
TLSH	88F4B032F6904433D1732A7C9C57639C98397E4D3E28DC4A6BE45E4CAF3A6813627297
Reporter	JAMESWT_WT
Tags:	LoL d.o.o. Quakbot signed

Code Signing Certificate

Organisation:	LoL d.o.o.
Issuer:	Sectigo RSA Code Signing CA
Algorithm:	sha256WithRSAEncryption
Valid from:	2021-02-26T00:00:00Z
Valid to:	2022-02-26T23:59:59Z
Serial number:	fed006fbf85cd1c6ba6b4345b198e1e6
Intelligence:	12 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:	This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:	SHA256
Thumbprint:	1cbce415a25c6021a37ebccc8d6fba903e6b861748279538f2d7fcb0bd013d1e
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

155

Origin country :

n/a

Vendor Threat Intelligence

Detection:

QakBot

Link:

https://www.capesandbox.com/analysis/123390/

Detection(s):

PUA.Win.Adware.Slugin-6840354-0

SecuriteInfo.com.Mal.EncPk-APY.27011.8891.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the Windows subdirectories

Sending a UDP request

Launching a process

Modifying an executable file

Creating a process with a hidden window

Unauthorized injection to a system process

Enabling autorun by creating a file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Gathering data

Threat name:

Win32.Trojan.PinkSbot

Status:

Malicious

First seen:

2021-03-09 20:09:10 UTC

File Type:

PE (Dll)

Extracted files:

AV detection:

14 of 47 (29.79%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mrck3zawhl2ekp35vxqotkn5fgtjvvphrzpmbnzj7pcc67gbjvnq._file

Verdict:

malicious

Label(s):

qakbot

Result

Malware family:

qakbot

Score:

10/10

Tags:

family:qakbot botnet:obama10 campaign:1615286191 banker stealer trojan

Link:

https://tria.ge/reports/210309-7ja12je4as/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Loads dropped DLL

Qakbot/Qbot

Malware Config

C2 Extraction:

76.94.200.148:995
140.82.49.12:443
24.95.61.62:443
195.43.173.70:443
197.45.110.165:995
87.202.87.210:2222
79.115.174.55:443
196.151.252.84:443
45.118.216.157:443
77.211.30.202:995
89.3.198.238:443
47.196.192.184:443
86.175.79.249:443
80.227.5.69:443
70.168.130.172:995
83.110.108.38:2222
71.117.132.169:443
184.189.122.72:443
47.22.148.6:443
84.72.35.226:443
59.90.246.200:443
95.77.223.148:443
45.77.117.108:995
45.77.117.108:8443
144.202.38.185:995
149.28.101.90:443
207.246.77.75:8443
45.77.115.208:995
45.63.107.192:443
45.77.117.108:2222
149.28.98.196:995
149.28.98.196:443
149.28.99.97:995
207.246.77.75:995
207.246.77.75:2222
149.28.101.90:2222
207.246.116.237:2222
207.246.116.237:8443
207.246.116.237:995
45.77.117.108:443
144.202.38.185:2222
207.246.116.237:443
45.77.115.208:8443
45.77.115.208:2222
149.28.98.196:2222
149.28.99.97:2222
45.32.211.207:8443
149.28.101.90:8443
149.28.101.90:995
149.28.99.97:443
45.63.107.192:2222
45.77.115.208:443
45.32.211.207:2222
45.32.211.207:995
207.246.77.75:443
144.202.38.185:443
45.32.211.207:443
75.136.40.155:443
24.117.107.120:443
24.50.118.93:443
105.198.236.101:443
105.198.236.99:443
97.69.160.4:2222
68.186.192.69:443
71.41.184.10:3389
217.133.54.140:32100
197.161.154.132:443
144.139.47.206:443
71.199.192.62:443
2.7.116.188:2222
172.78.30.215:443
75.67.192.125:443
74.222.204.82:995
90.65.236.181:2222
89.137.211.239:995
193.248.221.184:2222
115.133.243.6:443
202.188.138.162:443
81.97.154.100:443
71.163.223.159:443
176.181.247.197:443
190.85.91.154:443
41.39.134.183:443
122.148.156.131:995
67.6.12.4:443
73.25.124.140:2222
83.110.9.71:2222
173.21.10.71:2222
92.59.35.196:2222
98.192.185.86:443
136.232.34.70:443
80.11.173.82:8443
203.198.96.215:443
144.139.166.18:443
216.201.162.158:443
173.25.45.66:443
96.21.251.127:2222
75.136.26.147:443
108.29.32.251:443
106.51.52.111:443
125.239.152.76:995
189.146.183.105:443
75.118.1.141:443
67.165.206.193:993
202.185.166.181:443
189.210.115.207:443
96.37.113.36:993
77.27.204.204:995
72.240.200.181:2222
151.205.102.42:443
86.220.62.251:2222
24.55.112.61:443
83.196.56.65:2222
109.12.111.14:443
186.31.77.42:443
71.197.126.250:443
24.229.150.54:995
72.252.201.69:443
108.46.145.30:443
74.68.144.202:443
24.43.22.218:993
199.19.117.131:443
84.247.55.190:8443
188.26.91.212:443
181.48.190.78:443
98.252.118.134:443
196.221.207.137:995
213.60.147.140:443
83.110.103.152:443
189.222.59.177:443
45.46.53.140:2222
106.51.85.162:443
182.190.19.241:3389
78.63.226.32:443
209.210.187.52:443
86.236.77.68:2222
98.240.24.57:443
78.97.207.104:443
24.139.72.117:443
82.12.157.95:995
125.209.114.182:443
174.104.22.30:443
182.48.193.200:443
125.63.101.62:443
2.50.16.111:2078
81.214.126.173:2222
71.74.12.34:443
76.25.142.196:443
73.28.92.55:443
142.117.191.18:2222

Unpacked files

SH256 hash:

97ebce1e2ba9a00197ccc069173d68d8acee443bab042a301c38d08d721a8ed9

MD5 hash:

d077a55b48a6bec013df4455f42e08b1

SHA1 hash:

0bcde3fb9a9c3e7b8155376e8347ee1b9a6fa82d

Link:

https://www.unpac.me/results/f1331b59-9d9b-4ad8-bb2a-fac6ef1ccd4a/

SH256 hash:

6444ade4163af4453f7dade0e9a9bd29a69ad5e78e5ec0b729fbc42f7cc14d5b

MD5 hash:

9ccc1c68f03c065d80f168faae384f06

SHA1 hash:

058feec390d421cbf9cb303d3ed9310cd4e56940

Link:

https://www.unpac.me/results/f1331b59-9d9b-4ad8-bb2a-fac6ef1ccd4a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.19

Link:

https://yomi.yoroi.company/submissions/6444ade4163af4453f7dade0e9a9bd29a69ad5e78e5ec0b729fbc42f7cc14d5b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	QakBot Create hunting rule
Author:	kevoreilly
Description:	QakBot Payload

Rule name:	qbot_bin Create hunting rule
Author:	James_inthe_box
Description:	Qbot Qakbot
Reference:	https://app.any.run/tasks/b89d7454-403c-4c81-95db-7ecbba38eb02

Rule name:	Select_from_enumeration Create hunting rule
Author:	James_inthe_box
Description:	IP and port combo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/123390/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample