MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 7481bbb875d21794846f7bc3b3ebbecec8c4bc058d6ae2aea60bff793cecb2cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Quakbot
Vendor detections: 8
| SHA256 hash: | 7481bbb875d21794846f7bc3b3ebbecec8c4bc058d6ae2aea60bff793cecb2cb |
|---|---|
| SHA3-384 hash: | 90a74a4cc4d0f854f8fd282c9ebb0cd24e9a662dc7efbb9cd513a8558cf3c40ae7f2500b2a746cbffa6182bc613a16e5 |
| SHA1 hash: | a781a2688f1ba8ece55c7bbe36f95c0d75628f72 |
| MD5 hash: | 41f51884195209158472179655e3d56c |
| humanhash: | spring-lithium-california-mango |
| File name: | PRSM 21524.xlsb |
| Signature | Quakbot |
| File size: | 240'688 bytes |
| First seen: | 2021-11-16 14:45:16 UTC |
| Last seen: | Never |
| File type: | |
| MIME type: | application/vnd.openxmlformats-officedocument.spreadsheetml.sheet |
| ssdeep | 6144:AcHl6eX4Uk2GCZZzFEp2G/cjv5ZHME5RMOiT:AcHl6g4UPGaQ2G/cTB5s |
| TLSH | T10E34122BCC416B61C61CAA3879070E6D370B9E4DAAC9728F05A54D5DB7CC1661CCA73E |
| Reporter | abuse_ch |
| Tags: | 1637062221 obama129 Qakbot qbot Quakbot xlsb xlsx |
Quakbot payload URL: http://194.143.146.49/4444444.dat
Quakbot C2s:
117.248.109.38:21
117.203.51.17:443
103.142.10.177:443
109.177.77.68:995
45.9.20.200:2211
78.191.45.163:995
102.65.38.57:443
136.143.11.232:443
91.178.126.51:995
187.121.88.3:995
181.118.183.60:443
72.252.201.34:465
111.250.51.232:443
220.255.25.187:2222
39.49.23.166:995
188.27.119.243:443
209.210.95.228:443
190.73.3.148:2222
86.8.177.143:443
136.232.34.70:443
80.6.192.58:443
140.82.49.12:443
103.116.178.85:61200
89.101.97.139:443
86.98.37.65:443
105.198.236.99:995
27.5.5.31:2222
197.89.109.235:443
216.238.71.31:443
176.45.250.182:995
41.235.5.174:443
86.97.160.193:443
81.250.153.227:2222
76.25.142.196:443
173.21.10.71:2222
120.150.218.241:995
73.151.236.31:443
71.74.12.34:443
45.46.53.140:2222
189.135.61.226:443
190.229.18.108:465
65.100.174.110:8443
96.246.158.154:995
94.200.181.154:443
50.194.160.233:465
50.194.160.233:443
50.194.160.233:32100
24.229.150.54:995
108.4.67.252:443
176.63.117.1:22
94.60.254.81:443
24.55.112.61:443
109.12.111.14:443
68.186.192.69:443
96.21.251.127:2222
24.139.72.117:443
41.228.22.180:443
100.1.119.41:443
93.48.80.198:995
68.204.7.158:443
72.252.201.34:995
216.238.71.31:995
216.238.72.121:995
216.238.72.121:443
96.37.113.36:993
207.246.112.221:995
207.246.112.221:443
89.137.52.44:443
123.252.190.14:443
162.244.227.45:443
75.66.88.33:443
86.173.96.86:443
75.169.58.229:32100
78.153.126.175:443
206.47.134.234:2222
189.152.18.180:80
93.147.212.206:443
71.13.93.154:2083
178.239.56.80:443
27.223.92.142:995
63.143.92.99:995
189.147.225.12:443
75.188.35.168:443
103.150.40.76:995
189.223.33.109:443
71.13.93.154:6881
2.222.167.138:443
182.176.180.73:443
94.196.209.83:995
103.143.8.71:995
103.27.22.162:995
73.140.38.124:443
79.160.207.214:443
83.223.164.163:443
71.13.93.154:2222
115.96.64.9:995
146.66.139.84:443
103.116.178.85:993
67.165.206.193:993
178.51.47.120:995
189.146.127.83:443
93.48.58.123:2222
92.59.35.196:2222
109.133.93.127:995
109.228.255.59:443
176.35.109.202:2222
72.27.126.188:995
103.143.8.71:443
185.53.147.51:443
216.201.162.158:443
39.52.224.170:995
Intelligence
File Origin
| # of uploads: | 1 |
|---|---|
| # of downloads: | 360 |
| Origin country: | n/a |
Vendor Threat Intelligence
| Verdict: | Malicious |
|---|---|
| File type: | application/vnd.openxmlformats-officedocument.spreadsheetml.sheet |
| Has a screenshot: | False |
| Contains macros: | False |
| Detection: | n/a |
Result
| Verdict: | Malware |
|---|---|
Behaviour
Creating a window
Sending an HTTP GET request
Creating a process with a hidden window
Sending a UDP request
Creating a file
Replacing files
Connection attempt by exploiting the app vulnerability
Launching a process by exploiting the app vulnerability
Deleting of the original file
Result
| Verdict: | Malicious |
|---|---|
| File Type: | OOXML Excel File with Excel4Macro |
Document image
| Verdict: | Malicious |
|---|---|
| Threat level: | 10/10 |
| Confidence: | 100% |
| Tags: | macros-on-open regsvr32 stripped |
Result
| Verdict: | MALICIOUS |
|---|---|
Details
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Macro Execution Coercion
Detected a document that appears to social engineer the user into activating embedded logic.
| Threat name: | Document-Word.Backdoor.Quakbot |
|---|---|
| Status: | Malicious |
| First seen: | 2021-11-16 14:46:06 UTC |
| AV detection: | 15 of 27 (55.56%) |
| Threat level: | 5/5 |
| Detection(s): | Malicious file |
Result
| Malware family: | n/a |
|---|---|
| Score: | 10/10 |
| Tags: | macro xlm |
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Process spawned unexpected child process
Malware Config
| Dropper Extraction: | http://194.143.146.49/4444444.dat |
|---|---|
Please note that we are no longer able to provide a coverage score for Virus Total.
| Threat name: | Legit |
|---|---|
| Score: | 0.20 |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment