MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac7c1309673ad7a15d5764425e854a4e8606c2f946d17e7a4d3d8160af5ddfbe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 4

Intelligence 4 IOCs YARA 5 File information Comments

SHA256 hash:	ac7c1309673ad7a15d5764425e854a4e8606c2f946d17e7a4d3d8160af5ddfbe
SHA3-384 hash:	5c195e56bf6aa58445682074d468187a15de6a017fde7a3530a3c1a7e9acafee73e4f173fae178fe522307c38046242a
SHA1 hash:	f47f23c5d59d1f9aecb1ca77af4e5b548140903d
MD5 hash:	533588ac7065340fde23cd1865c50085
humanhash:	triple-whiskey-cola-alanine
File name:	CVEL17.zip
Download:	download sample
Signature	Quakbot Create hunting rule
File size:	419'898 bytes
First seen:	2022-11-15 12:37:44 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
Note:	This file is a password protected archive. The password is: NG11
ssdeep	6144:DDDFaeUjE6OueT5NUJ6PTRgsCmBmoPwTyytc8CqAEF5ircFsvI4DOnXDXznzsqj5:wwPedsfBhPqygz31KO3w/pwL
TLSH	T1589423B773A5791A818085CF0FF096B763411086C607A207D7ACBAD7EDEC3A5CA66D07
TrID	80.0% (.ZIP) ZIP compressed archive (4000/1) 20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter	pr0xylife
Tags:	1668492308 BB06 pw-NG11 Qakbot Quakbot zip

Intelligence

File Origin

# of uploads :

# of downloads :

202

Origin country :

File Archive Information

This file is a password protected archive. The password is: NG11

This file archive contains 5 file(s), sorted by their relevance:

File name:	CV.vbs
File size:	9'711 bytes
SHA256 hash:	aa253df003b9ad4b801cf0581c1bd69bbef2a6e7fe9905b42593e475002f19f0
MD5 hash:	4b12b9ab6d6e95fa854f75926254913f
MIME type:	text/plain
Signature	Quakbot

File name:	flouring.jpg
File size:	57'820 bytes
SHA256 hash:	3660d56813016cdf794d7f5b2dfae97c9d4e3c51ab7e172bb805f95588286ccc
MD5 hash:	2de6bed278031ecf9e3d5c0caec07e38
MIME type:	image/jpeg
Signature	Quakbot

File name:	data.txt
File size:	3 bytes
SHA256 hash:	b899a596c6e0b8530a74e073f4b8c95532a52b5c2f57da7c4e0f9c56461d02be
MD5 hash:	d115ade3856952ac1dd5ae80da693bd0
MIME type:	text/plain
Signature	Quakbot

File name:	lucky.gif
File size:	20'840 bytes
SHA256 hash:	0644ecb1431aef7f50e7a2a02a20c442f714e4623dcb932e15f0c7669297a0b6
MD5 hash:	e631d4da5c472be160173fca7451b6f6
MIME type:	image/gif
Signature	Quakbot

File name:	nissan.tmp
File size:	636'416 bytes
SHA256 hash:	2cb8f04d41fe34706ff61cba06788faaaca87494721fcf8e86d20b897890a3b1
MD5 hash:	cab39f756b7ab98d799939819a248b54
MIME type:	application/x-dosexec
Signature	Quakbot

Vendor Threat Intelligence

Gathering data

Result

Verdict:

UNKNOWN

Link:

https://labs.inquest.net/dfi/sha256/ac7c1309673ad7a15d5764425e854a4e8606c2f946d17e7a4d3d8160af5ddfbe

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ac7c1309673ad7a15d5764425e854a4e8606c2f946d17e7a4d3d8160af5ddfbe/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vr6bgclhhll2cxkxmrbf5bkkj2danqxzi3ix46snhwawbl25367a._file

Result

Malware family:

qakbot

Score:

10/10

Tags:

family:qakbot botnet:bb06 campaign:1668492308 banker stealer trojan

Link:

https://tria.ge/reports/221115-qec5qshh3s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Checks computer location settings

Qakbot/Qbot

Malware Config

C2 Extraction:

49.175.72.56:443
81.229.117.95:2222
47.41.154.250:443
69.133.162.35:443
84.35.26.14:995
68.47.128.161:443
156.217.219.147:995
87.65.160.87:995
174.101.111.4:443
82.127.174.33:2222
91.169.12.198:32100
24.28.121.122:443
157.231.42.190:995
90.89.95.158:2222
74.33.84.227:443
24.64.114.59:2222
80.13.179.151:2222
64.207.237.118:443
24.206.27.39:443
170.253.25.35:443
151.30.53.233:443
86.225.214.138:2222
76.80.180.154:995
24.142.218.202:443
67.10.175.47:2222
90.104.22.28:2222
105.103.27.80:32103
80.0.74.165:443
142.161.27.232:2222
108.6.249.139:443
47.34.30.133:443
92.207.132.174:2222
172.117.139.142:995
137.186.193.226:3389
184.153.132.82:443
74.66.134.24:443
105.184.161.242:443
94.63.65.146:443
70.64.77.115:443
92.189.214.236:2222
58.247.115.126:995
100.16.107.117:443
2.84.98.228:2222
109.11.175.42:2222
193.92.233.183:995
174.0.224.214:443
172.90.139.138:2222
102.157.73.215:995
82.31.37.241:443
58.162.223.233:443
81.129.134.53:443
91.165.188.74:50000
87.223.80.45:443
46.177.99.230:995
180.151.104.143:443
174.77.209.5:443
157.231.42.190:443
24.49.232.96:443
73.165.119.20:443
82.41.186.124:443
213.91.235.146:443
50.68.204.71:443
99.229.146.120:443
193.3.19.137:443
73.36.196.11:443
24.116.45.121:443
76.80.180.154:993
199.83.165.233:443
41.96.224.19:443
86.133.237.3:443
85.59.61.52:2222
98.30.233.14:443
98.145.23.67:443
24.49.232.96:995
27.110.134.202:995
173.239.94.212:443
50.68.204.71:995
176.142.207.63:443
75.99.125.238:2222
90.221.5.105:443
64.123.103.123:443
79.37.204.67:443
76.68.34.167:2222
84.209.52.11:443
78.69.251.252:2222
76.127.192.23:443
149.126.159.224:443
77.126.81.208:443
186.64.67.39:443
123.3.240.16:995
70.50.3.214:2222
190.24.45.24:995
92.106.70.62:2222
24.228.132.224:2222
84.113.121.103:443
75.143.236.149:443
170.249.59.153:443
75.98.154.19:443
74.92.243.113:50000
174.104.184.149:443
200.233.108.153:995
190.18.236.175:443
76.9.168.249:443
92.109.39.207:443
190.78.64.132:993
131.106.168.223:443
2.88.219.187:443
79.92.15.6:443
73.88.173.113:443
94.70.37.145:2222
70.121.198.103:2078
174.115.87.57:443
82.154.201.177:443
41.109.78.231:995
209.171.163.72:995
72.82.136.90:443
200.93.14.206:2222

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Qakbot

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/ac7c1309673ad7a15d5764425e854a4e8606c2f946d17e7a4d3d8160af5ddfbe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	PassProtected_ZIP_ISO_file Create hunting rule
Author:	_jc
Description:	Detects container formats commonly smuggled through password-protected zips

Rule name:	QakBot Create hunting rule
Author:	kevoreilly
Description:	QakBot Payload

Rule name:	unpacked_qbot Create hunting rule
Description:	Detects unpacked or memory-dumped QBot samples

Rule name:	win_qakbot_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.qakbot.

Rule name:	win_qakbot_malped Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.qakbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample