MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 a6056ecb46f32f17f730ecea827f345d3f5bf8db283dd170d08d264f827b493d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Quakbot
Vendor detections: 9
| SHA256 hash: | a6056ecb46f32f17f730ecea827f345d3f5bf8db283dd170d08d264f827b493d |
|---|---|
| SHA3-384 hash: | 4eb250502ef7bcca2e4be5b68567c9306a03712f29896a6f6eda3cb97a74ac811632bdd5db1691eae9be4a4a6867d388 |
| SHA1 hash: | 69535e6a4924621bb213f08b18e448b251185f54 |
| MD5 hash: | 39d6896f8ca751594e5ae4f5ac0b2819 |
| humanhash: | minnesota-golf-whiskey-river |
| File name: | a6056ecb46f32f17f730ecea827f345d3f5bf8db283dd170d08d264f827b493d |
| Signature | Quakbot |
| File size: | 3'364'351 bytes |
| First seen: | 2021-12-04 20:10:35 UTC |
| Last seen: | Never |
| File type: | |
| MIME type: | application/x-dosexec |
| imphash | 8b19210b7f518d4bf95111e66512866a (2 x Quakbot) |
| ssdeep | 98304:ZB8BOjkSSPvguCeY/1r5dtXCfPBrEc0kAerr7nI+O6IY9O9oCmydIgl3sjX2IpJP:HkSSHguCeY/1r5dtXC3Boc0kAerr7Izw |
| Threatray | 414 similar samples on MalwareBazaar |
| TLSH | T169F53AF179DE613CD4E76167CE22E6119458585BCFFB0ACB01C626B5C23C6C3E92A272 |
| dhash icon | ec6ae6e67afc2008 (2 x Quakbot, 1 x SnakeKeylogger) |
| Tags: | exe Qakbot Quakbot |
Intelligence
File Origin
# of uploads: 1
# of downloads: 468
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: a6056ecb46f32f17f730ecea827f345d3f5bf8db283dd170d08d264f827b493d
Verdict: No threats detected
Analysis date: 2021-12-04 20:14:59 UTC
Tags: n/a
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection: n/a
Detection(s):
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
DNS request
Creating synchronization primitives
Launching a process
Modifying an executable file
Searching for synchronization primitives
Creating a process with a hidden window
Creating a window
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: overlay packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Qakbot
Verdict: Malicious
Threat name: Win32.Backdoor.Quakbot
Status: Malicious
First seen: 2021-12-04 20:11:19 UTC
File Type: PE (Dll)
Extracted files: 5
AV detection: 23 of 28 (82.14%)
Threat level: 5/5
Verdict: malicious
Label(s): qakbot
Similar samples: + 404 additional samples on MalwareBazaar
Result
Malware family: qakbot
Score: 10/10
Tags: family:qakbot botnet:tr campaign:1638522901 banker evasion stealer trojan
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Loads dropped DLL
Windows security bypass
Qakbot/Qbot
Malware Config
C2 Extraction:
189.252.173.60:32101
136.143.11.232:443
2.222.167.138:443
186.64.87.195:443
197.89.12.237:443
218.101.110.3:995
103.142.10.177:443
117.248.109.38:21
123.252.190.14:443
190.73.3.148:2222
89.137.52.44:443
194.36.28.26:443
93.48.80.198:995
217.17.56.163:2222
187.121.121.141:995
117.198.159.240:443
140.82.49.12:443
136.232.34.70:443
78.180.170.159:995
185.53.147.51:443
102.65.38.57:443
45.46.53.140:2222
39.49.120.191:995
75.188.35.168:995
71.74.12.34:443
76.25.142.196:443
173.21.10.71:2222
67.165.206.193:993
189.135.34.124:443
50.194.160.233:443
73.151.236.31:443
94.60.254.81:443
181.4.52.159:465
72.252.201.34:995
68.204.7.158:443
24.55.112.61:443
81.250.153.227:2222
100.1.119.41:443
89.101.97.139:443
189.147.174.121:443
50.194.160.233:32100
120.150.218.241:995
109.12.111.14:443
24.229.150.54:995
24.139.72.117:443
93.48.58.123:2222
207.246.112.221:443
207.246.112.221:995
216.238.71.31:443
182.176.180.73:443
198.207.129.250:443
86.8.177.143:443
188.55.203.55:995
105.198.236.99:995
101.50.103.248:995
187.192.68.210:80
174.206.110.67:443
91.178.126.51:995
38.70.253.226:2222
182.181.86.190:995
75.169.58.229:32100
217.165.237.42:443
73.25.109.183:2222
103.116.178.85:993
86.97.10.14:443
27.5.4.111:2222
80.6.192.58:443
65.100.174.110:8443
94.200.181.154:995
65.100.174.110:995
63.143.92.99:995
75.66.88.33:443
189.219.51.124:443
94.202.54.1:995
86.120.85.147:443
103.150.40.76:995
41.228.22.180:443
111.250.17.237:443
73.140.38.124:443
176.63.117.1:22
111.91.87.187:443
220.255.25.187:2222
92.59.35.196:2222
72.252.201.34:465
209.210.95.228:443
68.186.192.69:443
103.168.241.143:995
103.168.241.143:465
86.190.203.103:443
93.147.212.206:443
5.238.149.217:61202
24.152.219.253:995
96.37.113.36:993
45.9.20.200:2211
Unpacked files
SHA256 hash: 60601a36d15c4ca21abfc6b78baec72f46078a1eb53f29d5228a908770e73f43
MD5 hash: 01bc21a273dfbc7a1992fbeae779c01e
SHA1 hash: f74b278c87f2d5d195157a1c1f61982c9dd331b7
SHA256 hash: a6056ecb46f32f17f730ecea827f345d3f5bf8db283dd170d08d264f827b493d
MD5 hash: 39d6896f8ca751594e5ae4f5ac0b2819
SHA1 hash: 69535e6a4924621bb213f08b18e448b251185f54
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name: Legit
Score: 0.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments