MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 7e99b34fad7d2bab24ed27b03dc5c40deb1b88b673b0eda7dc629f00e5e085c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Quakbot
Vendor detections: 12
| SHA256 hash: | 7e99b34fad7d2bab24ed27b03dc5c40deb1b88b673b0eda7dc629f00e5e085c0 |
|---|---|
| SHA3-384 hash: | 07245a6f2d19e940fb43e4442281093232e2ed239d13c2b7fe9a4d5b6d607e83f126f3303a840894fda95d6cc42fc71f |
| SHA1 hash: | 326a27710388aca21244f70af7736cbaff676e50 |
| MD5 hash: | fd54b5051d64a1e8fd65d99725f35a6f |
| humanhash: | football-kansas-five-idaho |
| File name: | suet.db |
| Download: | download sample |
| Signature | Quakbot |
| File size: | 712'192 bytes |
| First seen: | 2022-09-28 17:10:46 UTC |
| Last seen: | Never |
| File type: |  dll |
| MIME type: | application/x-dosexec |
| imphash | 8f9af0fd00f491491f9ecd72ef59a9a6 (8 x Quakbot) |
| ssdeep | 12288:nieL1vc1PdFjpmw5qS6xnGWfE/N285UT+QD1lNMA:i81IFnqnfEl5w9M |
| Threatray | 1'417 similar samples on MalwareBazaar |
| TLSH | T1D0E49E26B3D08477C272263C9C3B97A8A8357D112F29594B3FE81E4D5F396813A76393 |
| TrID | 47.6% (.EXE) Win32 Executable Delphi generic (14182/79/4) 15.1% (.EXE) Win32 Executable (generic) (4505/5/1) 10.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1) 6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23) 6.8% (.EXE) OS/2 Executable (generic) (2029/13) |
| File icon (PE): |  |
| dhash icon | 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner) |
| Reporter |  malwarelabnet |
| Tags: | dll obama207 Qakbot Quakbot |
Intelligence
File Origin
# of uploads :
1
# of downloads :
380
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Result
Verdict:
Malware
Maliciousness:
Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Launching a process
Searching for synchronization primitives
Modifying an executable file
Sending a custom TCP request
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
67%
Tags:
greyware keylogger
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Verdict:
Malicious
Threat name:
Win32.Backdoor.Quakbot
Status:
Malicious
First seen:
2022-09-28 17:11:12 UTC
File Type:
PE (Dll)
Extracted files:
38
AV detection:
17 of 25 (68.00%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Label(s):
qakbot
Similar samples:
+ 1'407 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Score:
10/10
Tags:
family:qakbot botnet:obama207 campaign:1664363417 banker stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Program crash
Qakbot/Qbot
Malware Config
C2 Extraction:
217.165.146.158:993
41.97.179.58:443
86.132.13.49:2078
197.203.50.195:443
85.245.143.94:443
86.196.181.62:2222
102.190.190.242:995
105.184.133.198:995
179.111.23.186:32101
179.251.119.206:995
84.3.85.30:443
39.44.5.104:995
197.41.235.69:995
193.3.19.137:443
186.81.122.168:443
103.173.121.17:443
41.104.80.233:443
102.189.184.12:995
156.199.90.139:443
14.168.180.223:443
41.140.98.37:995
156.205.3.210:993
139.228.33.176:2222
134.35.12.0:443
49.205.197.13:443
131.100.40.13:995
73.252.27.208:995
82.217.55.20:443
176.177.136.35:443
180.232.159.9:443
41.68.209.102:995
186.90.144.235:2222
191.92.125.254:443
41.96.204.133:443
58.186.75.42:443
85.86.242.245:443
187.193.143.111:443
200.175.173.80:443
197.49.68.15:995
186.50.139.45:995
41.68.155.190:443
186.72.236.88:995
187.150.143.159:443
105.69.189.28:995
160.177.207.113:8443
41.102.97.28:443
193.254.32.156:443
88.168.84.62:443
156.218.169.48:995
41.105.159.42:443
186.53.115.151:995
186.48.206.63:995
151.231.60.200:2083
196.217.32.15:443
102.157.212.143:443
189.189.89.32:443
181.177.156.209:443
85.94.178.73:995
201.209.4.2:443
41.69.236.243:995
74.133.189.36:443
149.126.159.254:443
41.104.132.166:443
188.157.6.170:443
197.160.22.10:443
187.189.68.8:443
109.128.221.164:995
92.98.73.123:443
154.237.235.43:995
212.102.56.47:443
110.238.39.214:443
185.233.79.238:995
154.237.60.254:995
181.206.46.7:443
186.16.163.94:443
75.71.96.226:995
181.105.32.5:443
41.227.228.31:443
197.203.142.42:443
118.174.89.216:443
41.107.112.236:995
105.96.207.25:443
111.125.157.230:443
68.224.229.42:443
190.44.40.48:995
88.232.207.24:443
72.88.245.71:443
119.82.111.158:443
100.1.5.250:995
96.234.66.76:995
186.64.67.34:443
197.94.84.128:443
41.96.130.46:80
88.245.168.200:2222
110.4.255.247:443
89.211.217.38:995
76.169.76.44:2222
68.53.110.74:995
41.69.103.179:995
194.166.205.204:995
89.211.223.138:2222
85.98.206.165:995
177.103.94.155:32101
72.66.96.129:995
176.42.245.2:995
186.154.92.181:443
88.231.221.198:995
102.38.97.229:995
45.51.148.111:993
87.243.113.104:995
84.38.133.191:443
123.240.131.1:443
191.84.204.214:995
91.116.160.252:443
151.234.63.48:990
99.253.251.74:443
41.40.146.5:995
41.97.179.58:443
86.132.13.49:2078
197.203.50.195:443
85.245.143.94:443
86.196.181.62:2222
102.190.190.242:995
105.184.133.198:995
179.111.23.186:32101
179.251.119.206:995
84.3.85.30:443
39.44.5.104:995
197.41.235.69:995
193.3.19.137:443
186.81.122.168:443
103.173.121.17:443
41.104.80.233:443
102.189.184.12:995
156.199.90.139:443
14.168.180.223:443
41.140.98.37:995
156.205.3.210:993
139.228.33.176:2222
134.35.12.0:443
49.205.197.13:443
131.100.40.13:995
73.252.27.208:995
82.217.55.20:443
176.177.136.35:443
180.232.159.9:443
41.68.209.102:995
186.90.144.235:2222
191.92.125.254:443
41.96.204.133:443
58.186.75.42:443
85.86.242.245:443
187.193.143.111:443
200.175.173.80:443
197.49.68.15:995
186.50.139.45:995
41.68.155.190:443
186.72.236.88:995
187.150.143.159:443
105.69.189.28:995
160.177.207.113:8443
41.102.97.28:443
193.254.32.156:443
88.168.84.62:443
156.218.169.48:995
41.105.159.42:443
186.53.115.151:995
186.48.206.63:995
151.231.60.200:2083
196.217.32.15:443
102.157.212.143:443
189.189.89.32:443
181.177.156.209:443
85.94.178.73:995
201.209.4.2:443
41.69.236.243:995
74.133.189.36:443
149.126.159.254:443
41.104.132.166:443
188.157.6.170:443
197.160.22.10:443
187.189.68.8:443
109.128.221.164:995
92.98.73.123:443
154.237.235.43:995
212.102.56.47:443
110.238.39.214:443
185.233.79.238:995
154.237.60.254:995
181.206.46.7:443
186.16.163.94:443
75.71.96.226:995
181.105.32.5:443
41.227.228.31:443
197.203.142.42:443
118.174.89.216:443
41.107.112.236:995
105.96.207.25:443
111.125.157.230:443
68.224.229.42:443
190.44.40.48:995
88.232.207.24:443
72.88.245.71:443
119.82.111.158:443
100.1.5.250:995
96.234.66.76:995
186.64.67.34:443
197.94.84.128:443
41.96.130.46:80
88.245.168.200:2222
110.4.255.247:443
89.211.217.38:995
76.169.76.44:2222
68.53.110.74:995
41.69.103.179:995
194.166.205.204:995
89.211.223.138:2222
85.98.206.165:995
177.103.94.155:32101
72.66.96.129:995
176.42.245.2:995
186.154.92.181:443
88.231.221.198:995
102.38.97.229:995
45.51.148.111:993
87.243.113.104:995
84.38.133.191:443
123.240.131.1:443
191.84.204.214:995
91.116.160.252:443
151.234.63.48:990
99.253.251.74:443
41.40.146.5:995
Unpacked files
SH256 hash:
bcf1ddb027e6146b19d0a9929daa3a6967ab76514d35cac3703bcd895f57ede0
MD5 hash:
21c5947375a9ca056bebb8d8518c396f
SHA1 hash:
288435c8261e1ca20cee3614260eb1eddfe3fd49
SH256 hash:
33702c6def37313bad1d94828bfe4c2915269caba72a4661033c5510bde06b81
MD5 hash:
050ce5fb25ffd3e907a5c81a6711fcea
SHA1 hash:
d5e6bb7a9eba0d785d8ffc06607b2557707a3ced
Detections:
Qakbot
win_qakbot_auto
Parent samples :
466484398eb25d42b0e0b095f10590a566610447eb212d1dc7f7bd342e89fe5a
7e99b34fad7d2bab24ed27b03dc5c40deb1b88b673b0eda7dc629f00e5e085c0
ea674cdc8665944c013fb0526342539cd615531cc675c57ff83a6fd805c58802
64f351168466c20604dda4c4819012367ddafff36e4c3fd8e3cff844565cebc5
4ff872d196dbb0d23c4bc96311372f9b0cd9f8b9ea00fa4b5041fa9ea49a1442
799b7a01e7941fa8baf90b3bc4c6397ca2974429b835949540b0b88162f4fc81
7e99b34fad7d2bab24ed27b03dc5c40deb1b88b673b0eda7dc629f00e5e085c0
ea674cdc8665944c013fb0526342539cd615531cc675c57ff83a6fd805c58802
64f351168466c20604dda4c4819012367ddafff36e4c3fd8e3cff844565cebc5
4ff872d196dbb0d23c4bc96311372f9b0cd9f8b9ea00fa4b5041fa9ea49a1442
799b7a01e7941fa8baf90b3bc4c6397ca2974429b835949540b0b88162f4fc81
SH256 hash:
7e99b34fad7d2bab24ed27b03dc5c40deb1b88b673b0eda7dc629f00e5e085c0
MD5 hash:
fd54b5051d64a1e8fd65d99725f35a6f
SHA1 hash:
326a27710388aca21244f70af7736cbaff676e50
Malware family:
QBot
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.86
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | meth_get_eip |
|---|---|
| Author: | Willi Ballenthin |
| Rule name: | meth_stackstrings |
|---|---|
| Author: | Willi Ballenthin |
| Rule name: | QakBot |
|---|---|
| Author: | kevoreilly |
| Description: | QakBot Payload |
| Rule name: | unpacked_qbot |
|---|---|
| Description: | Detects unpacked or memory-dumped QBot samples |
| Rule name: | win_qakbot_auto |
|---|---|
| Author: | Felix Bilstein - yara-signator at cocacoding dot com |
| Description: | Detects win.qakbot. |
| Rule name: | win_qakbot_malped |
|---|---|
| Author: | Felix Bilstein - yara-signator at cocacoding dot com |
| Description: | Detects win.qakbot. |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.