MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 898fa15b790b45f2806672ef27c1803407ca2c66b347013b0955d9fd7ea4cd78. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Quakbot


Vendor detections: 12



SHA256 hash: 898fa15b790b45f2806672ef27c1803407ca2c66b347013b0955d9fd7ea4cd78
SHA3-384 hash: 5c9b225c0a66b5a065af30ba5c069298bdb9b3ef9a79dfd07b17975fe0f33d582c7b7ca3041b0a4d0a49c780d44ba045
SHA1 hash: 6f65d1871454414ff9aa950620031c3ca0d08298
MD5 hash: c67783eeb3c1982e0676133160331051
humanhash: echo-cold-floor-blossom
File name: 4444444.dat
Signature Quakbot
File size: 710'144 bytes
First seen: 2021-11-16 14:46:28 UTC
Last seen: Never
File type: DLL dll
MIME type: application/x-dosexec
imphash 7308cf87ba1fa38443fece871c417e49 (1 x Quakbot)
ssdeep 12288:pmSfgEYLdH11lXYx5rPlYUUOOPE5b0I7ZydSm4kDPE5b0I7ZydSm4kK:ky2dVfobGUUOO8dT7ZyDD8dT7ZyD
Threatray 370 similar samples on MalwareBazaar
TLSH T16BE4BF23F6D08433D26316389C7B92689935BD412E286C4E27E89D4C4FBB3C1F66D697
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter abuse_ch
Tags: 1637062221 dll obama129 Qakbot qbot Quakbot


abuse_ch
Quakbot payload URL:
http://194.143.146.49/4444444.dat

Quakbot C2s:

Intelligence


File Origin
# of uploads: 1
# of downloads: 352
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Modifying an executable file
Creating a process with a hidden window
Sending a UDP request
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: keylogger
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name: Win32.Trojan.KBot
Status: Malicious
First seen: 2021-11-16 14:47:07 UTC
AV detection: 24 of 28 (85.71%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:qakbot botnet:obama129 campaign:1637062221 banker evasion stealer trojan
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Loads dropped DLL
Qakbot/Qbot
Windows security bypass
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash: 609d5b103766d0942c6ff9b21a656d05b9d39a70e6cdbce85e71450e2134ee9f
MD5 hash: 8b73e720bdb1bffb672c2deac5974eed
SHA1 hash: 9d16ea0611393be9c2ed5e59dc6c84646363afa2
SHA256 hash: 24a732fced819c62dbcb860917c0dede1200b675d1368e10e8ce63e3d332818d
MD5 hash: 92e1539ba1cde566b8ee96610203807f
SHA1 hash: bacb20ef62b8c1173bd6f68edeb0be3a32f6aa9e
SHA256 hash: 898fa15b790b45f2806672ef27c1803407ca2c66b347013b0955d9fd7ea4cd78
MD5 hash: c67783eeb3c1982e0676133160331051
SHA1 hash: 6f65d1871454414ff9aa950620031c3ca0d08298
Malware family: CryptOne
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: QakBot
Author: kevoreilly
Description: QakBot Payload

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Quakbot

DLL dll 898fa15b790b45f2806672ef27c1803407ca2c66b347013b0955d9fd7ea4cd78 (this sample)
