MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 a36c0298f193030753cdadef0a7f78afb02f25244d6ef552bd4afaa4550a8254. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Quakbot
Vendor detections: 12
| SHA256 hash: | a36c0298f193030753cdadef0a7f78afb02f25244d6ef552bd4afaa4550a8254 |
|---|---|
| SHA3-384 hash: | 4d67cb08d466641f0999408ab83e55a29a58ed552daff34238b0470bce6adc7a51b6f306331a2cd3012b5f3ecb63282d |
| SHA1 hash: | cbca482150c3dd28031f7c223a9823c2fe6b6d8b |
| MD5 hash: | eb3c3444fbcaeed6902e9bf50ee10d47 |
| humanhash: | diet-low-bravo-cardinal |
| File name: | a36c0298f193030753cdadef0a7f78afb02f25244d6ef552bd4afaa4550a8254 |
| Download: | download sample |
| Signature | Quakbot |
| File size: | 752'129 bytes |
| First seen: | 2022-06-21 16:50:39 UTC |
| Last seen: | 2022-06-21 17:48:52 UTC |
| File type: |  dll |
| MIME type: | application/x-dosexec |
| imphash | c7f3e11e6f6fe8a9de8b31827060af69 (8 x Quakbot) |
| ssdeep | 12288:0SHEVZKP1O+hamzhv1fm3R7yhZF0WGNYW:xSi7NvE9EeYW |
| Threatray | 1'260 similar samples on MalwareBazaar |
| TLSH | T110F49E72B3E04837C1771A7C8D1BB66898297D113E3C988A7BF41D4C5F3A781366A297 |
| TrID | 47.6% (.EXE) Win32 Executable Delphi generic (14182/79/4) 15.1% (.EXE) Win32 Executable (generic) (4505/5/1) 10.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1) 6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23) 6.8% (.EXE) OS/2 Executable (generic) (2029/13) |
| File icon (PE): |  |
| dhash icon | 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner) |
| Reporter |  pr0xylife |
| Tags: | AA dll Qakbot Quakbot |
Intelligence
File Origin
# of uploads :
2
# of downloads :
228
Origin country :
n/a
Vendor Threat Intelligence
Detection:
QakBot
Result
Verdict:
Malware
Maliciousness:
Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Launching a process
Modifying an executable file
Creating a process with a hidden window
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
greyware keylogger overlay
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Verdict:
Malicious
Threat name:
Win32.Backdoor.Quakbot
Status:
Malicious
First seen:
2022-06-21 16:51:11 UTC
File Type:
PE (Dll)
Extracted files:
38
AV detection:
22 of 26 (84.62%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Label(s):
qakbot
Similar samples:
+ 1'250 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Score:
10/10
Tags:
family:qakbot botnet:aa campaign:1655814286 banker stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Program crash
Qakbot/Qbot
Malware Config
C2 Extraction:
94.59.252.166:2222
201.176.6.24:995
87.109.229.215:995
74.14.5.179:2222
86.132.14.70:2078
86.98.157.42:993
189.78.107.163:32101
108.60.213.141:443
217.128.122.65:2222
148.0.46.240:443
71.13.93.154:2222
91.177.173.10:995
81.250.191.49:2222
173.174.216.62:443
70.46.220.114:443
24.43.99.75:443
32.221.224.140:995
1.161.124.241:443
67.209.195.198:443
117.248.109.38:21
40.134.246.185:995
193.253.44.249:2222
111.125.245.116:995
5.32.41.45:443
37.34.253.233:443
179.158.105.44:443
182.191.92.203:995
172.115.177.204:2222
93.48.80.198:995
148.64.96.100:443
186.90.153.162:2222
67.165.206.193:993
191.250.120.152:443
202.134.152.2:2222
100.38.242.113:995
41.228.22.180:443
45.241.205.91:993
90.120.209.197:2078
210.246.4.69:995
24.178.196.158:2222
80.11.74.81:2222
69.14.172.24:443
120.150.218.241:995
38.70.253.226:2222
47.23.89.60:993
177.45.64.254:32101
2.34.12.8:443
104.34.212.7:32103
88.251.195.142:443
92.137.225.8:2222
39.41.59.177:995
121.7.223.45:2222
176.205.21.139:1194
196.203.37.215:80
188.136.218.225:61202
39.52.59.14:995
31.215.70.37:443
83.110.94.105:443
175.145.235.37:443
208.107.221.224:443
197.89.11.167:443
1.161.124.241:995
84.241.8.23:32103
173.21.10.71:2222
76.25.142.196:443
45.46.53.140:2222
174.69.215.101:443
81.193.30.90:443
47.156.131.10:443
187.250.202.2:443
187.208.115.219:443
187.172.164.12:443
72.252.157.93:990
72.252.157.93:995
24.139.72.117:443
24.55.67.176:443
109.12.111.14:443
102.182.232.3:995
72.252.157.93:993
201.172.23.68:2222
41.84.249.56:995
70.51.132.161:2222
162.252.222.118:443
191.34.121.84:443
113.53.152.11:443
86.195.158.178:2222
39.57.60.246:995
109.228.220.196:443
82.41.63.217:443
82.152.39.39:443
106.51.48.188:50001
103.246.242.202:443
94.36.193.176:2222
176.205.21.139:2222
41.38.167.179:995
98.50.191.202:443
190.252.242.69:443
89.101.97.139:443
185.56.243.146:443
186.105.113.65:443
39.49.69.116:995
39.44.30.209:995
68.204.15.28:443
47.157.227.70:443
187.251.132.144:22
63.143.92.99:995
31.35.28.29:443
148.252.128.73:443
42.103.128.35:2222
180.129.108.214:995
138.186.28.253:443
184.97.29.26:443
89.137.52.44:443
120.61.2.218:443
122.118.131.132:995
188.55.215.137:995
101.50.110.17:995
89.86.33.217:443
75.99.168.194:61201
103.91.182.114:2222
37.210.156.247:2222
58.105.167.36:50000
197.94.94.206:443
187.207.131.50:61202
76.70.9.169:2222
189.253.206.105:443
176.67.56.94:443
103.116.178.85:995
143.0.219.6:995
79.80.80.29:2222
37.186.58.115:995
96.37.113.36:993
78.101.194.193:6883
72.27.33.160:443
208.101.82.0:443
201.176.6.24:995
87.109.229.215:995
74.14.5.179:2222
86.132.14.70:2078
86.98.157.42:993
189.78.107.163:32101
108.60.213.141:443
217.128.122.65:2222
148.0.46.240:443
71.13.93.154:2222
91.177.173.10:995
81.250.191.49:2222
173.174.216.62:443
70.46.220.114:443
24.43.99.75:443
32.221.224.140:995
1.161.124.241:443
67.209.195.198:443
117.248.109.38:21
40.134.246.185:995
193.253.44.249:2222
111.125.245.116:995
5.32.41.45:443
37.34.253.233:443
179.158.105.44:443
182.191.92.203:995
172.115.177.204:2222
93.48.80.198:995
148.64.96.100:443
186.90.153.162:2222
67.165.206.193:993
191.250.120.152:443
202.134.152.2:2222
100.38.242.113:995
41.228.22.180:443
45.241.205.91:993
90.120.209.197:2078
210.246.4.69:995
24.178.196.158:2222
80.11.74.81:2222
69.14.172.24:443
120.150.218.241:995
38.70.253.226:2222
47.23.89.60:993
177.45.64.254:32101
2.34.12.8:443
104.34.212.7:32103
88.251.195.142:443
92.137.225.8:2222
39.41.59.177:995
121.7.223.45:2222
176.205.21.139:1194
196.203.37.215:80
188.136.218.225:61202
39.52.59.14:995
31.215.70.37:443
83.110.94.105:443
175.145.235.37:443
208.107.221.224:443
197.89.11.167:443
1.161.124.241:995
84.241.8.23:32103
173.21.10.71:2222
76.25.142.196:443
45.46.53.140:2222
174.69.215.101:443
81.193.30.90:443
47.156.131.10:443
187.250.202.2:443
187.208.115.219:443
187.172.164.12:443
72.252.157.93:990
72.252.157.93:995
24.139.72.117:443
24.55.67.176:443
109.12.111.14:443
102.182.232.3:995
72.252.157.93:993
201.172.23.68:2222
41.84.249.56:995
70.51.132.161:2222
162.252.222.118:443
191.34.121.84:443
113.53.152.11:443
86.195.158.178:2222
39.57.60.246:995
109.228.220.196:443
82.41.63.217:443
82.152.39.39:443
106.51.48.188:50001
103.246.242.202:443
94.36.193.176:2222
176.205.21.139:2222
41.38.167.179:995
98.50.191.202:443
190.252.242.69:443
89.101.97.139:443
185.56.243.146:443
186.105.113.65:443
39.49.69.116:995
39.44.30.209:995
68.204.15.28:443
47.157.227.70:443
187.251.132.144:22
63.143.92.99:995
31.35.28.29:443
148.252.128.73:443
42.103.128.35:2222
180.129.108.214:995
138.186.28.253:443
184.97.29.26:443
89.137.52.44:443
120.61.2.218:443
122.118.131.132:995
188.55.215.137:995
101.50.110.17:995
89.86.33.217:443
75.99.168.194:61201
103.91.182.114:2222
37.210.156.247:2222
58.105.167.36:50000
197.94.94.206:443
187.207.131.50:61202
76.70.9.169:2222
189.253.206.105:443
176.67.56.94:443
103.116.178.85:995
143.0.219.6:995
79.80.80.29:2222
37.186.58.115:995
96.37.113.36:993
78.101.194.193:6883
72.27.33.160:443
208.101.82.0:443
Unpacked files
SH256 hash:
674b5e1d7f0951639847a498222aab467b3787167658cc018c8be738e6a6b74e
MD5 hash:
c0b9aa389d866497ee135a089617623a
SHA1 hash:
9133145783827c4c46209ef211c2b4ca587b98fe
SH256 hash:
717230d2a493174a3282d15d93283642a08fed5bc02eadbf30daea1cac8fa55d
MD5 hash:
467b538d0a7c8a9a3ffa2e03c3681222
SHA1 hash:
c3a8515dcd97fbae4f066f9379724a7ce9c26f34
Detections:
win_qakbot_auto
SH256 hash:
a36c0298f193030753cdadef0a7f78afb02f25244d6ef552bd4afaa4550a8254
MD5 hash:
eb3c3444fbcaeed6902e9bf50ee10d47
SHA1 hash:
cbca482150c3dd28031f7c223a9823c2fe6b6d8b
Malware family:
QBot
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | exploit_any_poppopret |
|---|---|
| Author: | Jeff White [karttoon@gmail.com] @noottrak |
| Description: | Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries. |
| Rule name: | meth_get_eip |
|---|---|
| Author: | Willi Ballenthin |
| Rule name: | meth_stackstrings |
|---|---|
| Author: | Willi Ballenthin |
| Rule name: | QakBot |
|---|---|
| Author: | kevoreilly |
| Description: | QakBot Payload |
| Rule name: | unpacked_qbot |
|---|---|
| Description: | Detects unpacked or memory-dumped QBot samples |
| Rule name: | win_qakbot_auto |
|---|---|
| Author: | Felix Bilstein - yara-signator at cocacoding dot com |
| Description: | Detects win.qakbot. |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.