MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b564bf1a18dd98c00a9b99e80a6cc11e1f800d3fd0a4a4d234d9c7763359d74e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Quakbot


Vendor detections: 9



SHA256 hash: b564bf1a18dd98c00a9b99e80a6cc11e1f800d3fd0a4a4d234d9c7763359d74e
SHA3-384 hash: 2c41a8b0bdcaa4525a57dd3423e151d5d631db9dff88e7782fec8f68a51ad3c116b81a291e02656ff0373963853f7dc2
SHA1 hash: 5ccc9584355f0fc21e7bb3f2486ebb06566d92d1
MD5 hash: dfee71363ea3fd56804cd78d7aa7b625
humanhash: utah-happy-pip-pip
File name: 44621.6628975694.dat
Signature: Quakbot
File size: 1'048'576 bytes
First seen: 2022-03-01 14:57:32 UTC
Last seen: 2022-03-01 17:11:26 UTC
File type: DLL dll
MIME type: application/x-dosexec
imphash: f3a2b34cbcfe1640f11d8b0978b1dab8 (3 x Quakbot)
ssdeep: 24576:HBl4LBmTVxqyZWUgxB31FFbDt3xywiDSR6bs2:HTaGGxB3LZB3Z
Threatray: 102 similar samples on MalwareBazaar
TLSH: T19C25BE61A2D155BFC1733B7DAC3B2194DC24BE912D10DC8CB7CD1A9E0F296A227215BE
dhash icon: 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter: pr0xylife
Tags: dll obama161 Qakbot Quakbot

Intelligence


File Origin
# of uploads: 2
# of downloads: 208
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Launching a process
Modifying an executable file
Searching for synchronization primitives
Creating a process with a hidden window
Creating a window
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: control.exe greyware keylogger packed
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name: Win32.Trojan.KBot
Status: Malicious
First seen: 2022-03-01 14:58:11 UTC
File Type: PE (Dll)
Extracted files: 91
AV detection: 17 of 28 (60.71%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:qakbot botnet:obama161 campaign:1646125875 banker evasion stealer trojan
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Loads dropped DLL
Qakbot/Qbot
Suspicious use of NtCreateProcessExOtherParentProcess
Windows security bypass
Malware Config
C2 Extraction:
Unpacked files
Malware family: CryptOne
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.