MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 814299de88cde77b7f06476f2abf8f6719d3b8d2184796114c56a6ee08833e61. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Quakbot
Vendor detections: 6
| SHA256 hash: | 814299de88cde77b7f06476f2abf8f6719d3b8d2184796114c56a6ee08833e61 |
|---|---|
| SHA3-384 hash: | efc6410c450f4276980bbdd2b84d3e1ca082abdfb9db50660977d3c607ad004aeee338e74631bbe4e8b2529c48a6a9d3 |
| SHA1 hash: | adf5411f4bd777f2a2fc7819c63f53f1f22e495e |
| MD5 hash: | 4cf60391efc89945d85ba83c93547d5d |
| humanhash: | high-connecticut-leopard-massachusetts |
| File name: | PE#3962.iso |
| Signature | Quakbot |
| File size: | 454'656 bytes |
| First seen: | 2022-10-06 17:48:56 UTC |
| Last seen: | Never |
| File type: | iso |
| MIME type: | application/x-iso9660-image |
| ssdeep | 6144:3wWNVNYHWRZMZeiVt5p682MkWgylrBeKd5bYBWzjCvIuwDJnpCKHbrxOG53KPNs:3l5eWt82Mk6lroKsLguiHOPNs |
| TLSH | T1B6A42C86ED54EFBBC2AD81B9AA5F099F562241167F4336EB721D4190B58370333E638C |
| TrID | 99.6% (.NULL) null bytes (2048000/1) 0.2% (.ATN) Photoshop Action (5007/6/1) 0.0% (.BIN/MACBIN) MacBinary 1 (1033/5) 0.0% (.ABR) Adobe PhotoShop Brush (1002/3) 0.0% (.SMT) Memo File Apollo Database Engine (88/84) |
| Reporter | |
| Tags: | BB iso Qakbot Quakbot |
File Archive Information
This file archive contains 3 file(s), sorted by their relevance:
| File name: | Item.lnk |
|---|---|
| File size: | 1'207 bytes |
| SHA256 hash: | 0cd04a843d670bf2c379476af2a0c3957962acc924800990e34780bcd3945566 |
| MD5 hash: | 6df9e10b2ac6d9b385831136e430c105 |
| MIME type: | application/octet-stream |
| Signature | Quakbot |
| File name: | 6190.cmd |
|---|---|
| File size: | 187 bytes |
| SHA256 hash: | 7d5bdd81da74a8908216ef80642588eec11009c06decfa86aa9ef321aa1ca854 |
| MD5 hash: | 5f1a86f574068771662310dd27e4dda8 |
| MIME type: | text/x-msdos-batch |
| Signature | Quakbot |
| File name: | extinct.dat |
|---|---|
| File size: | 393'728 bytes |
| SHA256 hash: | fd18b58235e50379b775cc3cbabdc8df599e71f787b2d286281999c24ecc18f8 |
| MD5 hash: | 1fa2068f08d1c55f06d6c33cb846f9ad |
| MIME type: | application/x-dosexec |
| Signature | Quakbot |
Vendor Threat Intelligence
Malware Config
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.
| Rule name: | iso_lnk |
|---|---|
| Author: | tdawg |
| Rule name: | SUSP_EXE_in_ISO |
|---|---|
| Author: | SECUINFRA Falcon Team |
| Description: | Detects ISO files that contain an Exe file. Does not need to be malicious |
| Reference: | Internal Research |
File information
The table below shows additional information about this malware sample such as delivery method and external references.