MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 7eef3bee45306f5870e49270ba60291096d0ce6d71b17f16cf57c88caa8efcbd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Quakbot
Vendor detections: 13
| SHA256 hash: | 7eef3bee45306f5870e49270ba60291096d0ce6d71b17f16cf57c88caa8efcbd |
|---|---|
| SHA3-384 hash: | 2feb99a6f5b7bab97b0211f411ca41f1e6a3c4aac25e94dae0df3dc0f7daf514f4c7cfdcde3a74c376a387e79c718079 |
| SHA1 hash: | 174bb1e0eaac5076e5e7426c4ddd6fff1de929e6 |
| MD5 hash: | facf84dc607a0bb06a44f0e25d9a4648 |
| humanhash: | apart-muppet-four-river |
| File name: | 7eef3bee45306f5870e49270ba60291096d0ce6d71b17f16cf57c88caa8efcbd |
| Download: | download sample |
| Signature | Quakbot |
| File size: | 893'404 bytes |
| First seen: | 2022-05-03 13:42:12 UTC |
| Last seen: | Never |
| File type: |  dll |
| MIME type: | application/x-dosexec |
| imphash | d0f05ca687f9f16f264a475768c38442 (3 x Quakbot) |
| ssdeep | 12288:wwYWSVNT8mDwme7gAbq/LstY00MQxHsePTbzswVpeJo6b26OHeloyMzjEwP:G4mkLv2/CYX3dLPswXeJg6jotzj |
| Threatray | 566 similar samples on MalwareBazaar |
| TLSH | T18815F165AA58C82EF8DF04BA50ACC507083CB9B2275545CBF3C08DE5A4E51D3BE36E5B |
| TrID | 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1) |
| Reporter |  malwarelabnet |
| Tags: | AA dll Qakbot Quakbot |
Intelligence
File Origin
# of uploads :
1
# of downloads :
272
Origin country :
n/a
Vendor Threat Intelligence
Detection:
QakBot
Result
Verdict:
Malware
Maliciousness:
Behaviour
Searching for the window
Сreating synchronization primitives
Launching a process
Modifying an executable file
Searching for synchronization primitives
Creating a process with a hidden window
Creating a window
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
greyware overlay packed
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Verdict:
Malicious
Detection:
qakbot
Threat name:
Win32.Infostealer.QBot
Status:
Malicious
First seen:
2022-05-03 13:43:09 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
18 of 26 (69.23%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Label(s):
qakbot
Similar samples:
+ 556 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Score:
10/10
Tags:
family:qakbot botnet:aa campaign:1651213569 banker stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Loads dropped DLL
Qakbot/Qbot
Malware Config
C2 Extraction:
74.14.7.71:2222
1.161.104.149:443
1.161.104.149:995
24.152.219.253:995
180.129.20.164:995
46.107.48.202:443
118.172.250.162:443
102.65.38.74:443
76.25.142.196:443
93.48.80.198:995
47.23.89.62:995
2.34.12.8:443
38.70.253.226:2222
47.23.89.62:993
75.99.168.194:443
41.228.22.180:443
148.64.96.100:443
108.60.213.141:443
172.114.160.81:443
140.82.49.12:443
2.50.4.57:443
46.176.222.34:995
103.246.242.202:443
72.76.94.99:443
187.207.47.198:61202
197.89.108.36:443
39.44.144.64:995
69.14.172.24:443
175.145.235.37:443
39.57.111.109:995
67.209.195.198:443
121.7.223.59:2222
149.135.101.20:443
75.99.168.194:61201
39.52.12.84:993
202.134.152.2:2222
103.116.178.85:995
83.110.218.155:993
185.249.85.175:443
208.107.221.224:443
117.248.109.38:21
113.89.5.252:995
203.122.46.130:443
103.87.95.133:2222
70.46.220.114:443
45.9.20.200:443
173.174.216.62:443
187.58.79.229:993
144.202.2.175:443
45.76.167.26:443
140.82.63.183:995
45.63.1.12:995
140.82.63.183:443
45.76.167.26:995
149.28.238.199:995
144.202.2.175:995
45.63.1.12:443
144.202.3.39:443
144.202.3.39:995
149.28.238.199:443
182.191.92.203:995
120.150.218.241:995
24.178.196.158:2222
91.177.173.10:995
176.67.56.94:443
31.35.28.29:443
24.139.72.117:443
217.128.122.65:2222
148.0.57.85:443
37.210.160.58:2222
86.98.208.214:2222
186.64.67.8:443
92.132.172.197:2222
172.114.160.81:995
63.143.92.99:995
121.74.167.191:995
37.186.54.254:995
104.34.212.7:32103
172.115.177.204:2222
103.107.113.120:443
39.52.12.84:995
173.21.10.71:2222
191.99.191.28:443
174.69.215.101:443
73.67.152.98:2222
67.165.206.193:993
47.156.191.217:443
45.46.53.140:2222
187.208.137.144:443
187.172.170.129:443
5.32.41.45:443
72.252.157.172:995
70.51.153.227:2222
190.252.242.69:443
73.151.236.31:443
72.252.157.172:990
201.172.23.68:2222
100.1.108.246:443
72.12.115.71:22
37.34.253.233:443
187.250.114.15:443
39.33.191.123:995
179.99.49.37:32101
40.134.246.185:995
187.102.135.142:2222
190.74.239.37:2222
89.101.97.139:443
156.219.10.43:995
24.55.67.176:443
217.164.117.87:1194
103.139.243.207:990
71.13.93.154:2222
179.158.105.44:443
89.86.33.217:443
86.195.158.178:2222
81.155.87.247:2078
109.12.111.14:443
217.164.210.192:443
41.84.243.152:995
82.152.39.39:443
191.112.14.1:443
39.49.7.245:995
80.11.74.81:2222
78.180.88.120:443
105.99.166.175:443
32.221.224.140:995
45.241.145.100:995
196.203.37.215:80
103.88.226.30:443
197.161.54.85:993
31.215.98.103:443
191.250.245.193:443
217.164.117.87:2222
83.110.94.89:443
180.183.102.114:2222
102.182.232.3:995
187.189.173.181:443
174.95.174.163:2222
94.36.195.250:2222
120.61.3.142:443
84.241.8.23:32103
85.246.82.244:443
39.41.155.156:995
98.22.246.169:443
189.243.13.151:443
167.86.165.74:443
82.41.63.217:443
188.211.190.128:61202
176.205.194.145:2078
79.129.121.68:995
1.161.104.149:443
1.161.104.149:995
24.152.219.253:995
180.129.20.164:995
46.107.48.202:443
118.172.250.162:443
102.65.38.74:443
76.25.142.196:443
93.48.80.198:995
47.23.89.62:995
2.34.12.8:443
38.70.253.226:2222
47.23.89.62:993
75.99.168.194:443
41.228.22.180:443
148.64.96.100:443
108.60.213.141:443
172.114.160.81:443
140.82.49.12:443
2.50.4.57:443
46.176.222.34:995
103.246.242.202:443
72.76.94.99:443
187.207.47.198:61202
197.89.108.36:443
39.44.144.64:995
69.14.172.24:443
175.145.235.37:443
39.57.111.109:995
67.209.195.198:443
121.7.223.59:2222
149.135.101.20:443
75.99.168.194:61201
39.52.12.84:993
202.134.152.2:2222
103.116.178.85:995
83.110.218.155:993
185.249.85.175:443
208.107.221.224:443
117.248.109.38:21
113.89.5.252:995
203.122.46.130:443
103.87.95.133:2222
70.46.220.114:443
45.9.20.200:443
173.174.216.62:443
187.58.79.229:993
144.202.2.175:443
45.76.167.26:443
140.82.63.183:995
45.63.1.12:995
140.82.63.183:443
45.76.167.26:995
149.28.238.199:995
144.202.2.175:995
45.63.1.12:443
144.202.3.39:443
144.202.3.39:995
149.28.238.199:443
182.191.92.203:995
120.150.218.241:995
24.178.196.158:2222
91.177.173.10:995
176.67.56.94:443
31.35.28.29:443
24.139.72.117:443
217.128.122.65:2222
148.0.57.85:443
37.210.160.58:2222
86.98.208.214:2222
186.64.67.8:443
92.132.172.197:2222
172.114.160.81:995
63.143.92.99:995
121.74.167.191:995
37.186.54.254:995
104.34.212.7:32103
172.115.177.204:2222
103.107.113.120:443
39.52.12.84:995
173.21.10.71:2222
191.99.191.28:443
174.69.215.101:443
73.67.152.98:2222
67.165.206.193:993
47.156.191.217:443
45.46.53.140:2222
187.208.137.144:443
187.172.170.129:443
5.32.41.45:443
72.252.157.172:995
70.51.153.227:2222
190.252.242.69:443
73.151.236.31:443
72.252.157.172:990
201.172.23.68:2222
100.1.108.246:443
72.12.115.71:22
37.34.253.233:443
187.250.114.15:443
39.33.191.123:995
179.99.49.37:32101
40.134.246.185:995
187.102.135.142:2222
190.74.239.37:2222
89.101.97.139:443
156.219.10.43:995
24.55.67.176:443
217.164.117.87:1194
103.139.243.207:990
71.13.93.154:2222
179.158.105.44:443
89.86.33.217:443
86.195.158.178:2222
81.155.87.247:2078
109.12.111.14:443
217.164.210.192:443
41.84.243.152:995
82.152.39.39:443
191.112.14.1:443
39.49.7.245:995
80.11.74.81:2222
78.180.88.120:443
105.99.166.175:443
32.221.224.140:995
45.241.145.100:995
196.203.37.215:80
103.88.226.30:443
197.161.54.85:993
31.215.98.103:443
191.250.245.193:443
217.164.117.87:2222
83.110.94.89:443
180.183.102.114:2222
102.182.232.3:995
187.189.173.181:443
174.95.174.163:2222
94.36.195.250:2222
120.61.3.142:443
84.241.8.23:32103
85.246.82.244:443
39.41.155.156:995
98.22.246.169:443
189.243.13.151:443
167.86.165.74:443
82.41.63.217:443
188.211.190.128:61202
176.205.194.145:2078
79.129.121.68:995
Unpacked files
SH256 hash:
5c845a79f165b47b2d0cf0da26c73f77aa207b92d02fc7f5395d6af9c8376d2b
MD5 hash:
12401dfdd2f2b105adbab18fc1998f92
SHA1 hash:
2f193967908fccec4228a4a41111f6ed3c39b9b7
SH256 hash:
f5604b5461aa1dda9493ac78452876600e755ec061594a2f9d817fadc75662f7
MD5 hash:
dfc78f3805f9b2bbf7c557c0a3e68ea6
SHA1 hash:
bd069bd29244616f72c8f2f13d2d23703710944a
Detections:
win_qakbot_auto
SH256 hash:
7eef3bee45306f5870e49270ba60291096d0ce6d71b17f16cf57c88caa8efcbd
MD5 hash:
facf84dc607a0bb06a44f0e25d9a4648
SHA1 hash:
174bb1e0eaac5076e5e7426c4ddd6fff1de929e6
Malware family:
QBot
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | BitcoinAddress |
|---|---|
| Author: | Didier Stevens (@DidierStevens) |
| Description: | Contains a valid Bitcoin address |
| Rule name: | QakBot |
|---|---|
| Author: | kevoreilly |
| Description: | QakBot Payload |
| Rule name: | win_qakbot_auto |
|---|---|
| Author: | Felix Bilstein - yara-signator at cocacoding dot com |
| Description: | Detects win.qakbot. |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.