MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 c0b483db178c827da049412903494593c97d8aab30035dd39b65c9618157726b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Quakbot
Vendor detections: 11
| SHA256 hash: | c0b483db178c827da049412903494593c97d8aab30035dd39b65c9618157726b |
|---|---|
| SHA3-384 hash: | d8edf912dda2e197e4a032b809d5a24c804c55e4d5acd19613f19d0c602ae038f5754848a95db567d9f606cc97f3921e |
| SHA1 hash: | 64b74b5e795247f243bf32b3d0abf3522956ce31 |
| MD5 hash: | 9083bda9e608a440320ea165bd2cc5a0 |
| humanhash: | fix-butter-cola-network |
| File name: | c0b483db178c827da049412903494593c97d8aab30035dd39b65c9618157726b |
| Download: | download sample |
| Signature | Quakbot |
| File size: | 722'944 bytes |
| First seen: | 2022-06-21 22:46:49 UTC |
| Last seen: | 2022-06-21 23:52:51 UTC |
| File type: |  dll |
| MIME type: | application/x-dosexec |
| imphash | c7f3e11e6f6fe8a9de8b31827060af69 (8 x Quakbot) |
| ssdeep | 12288:pSHEVZKP1O+hamzhv1fm3k7yxZF0WGNY:eSi7NvEyMeY |
| Threatray | 1'265 similar samples on MalwareBazaar |
| TLSH | T1D2F49F76B3E04837C1771A7C8D1BB66898297D113E3C988A7BE41D4C5F3A780376A297 |
| TrID | 47.6% (.EXE) Win32 Executable Delphi generic (14182/79/4) 15.1% (.EXE) Win32 Executable (generic) (4505/5/1) 10.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1) 6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23) 6.8% (.EXE) OS/2 Executable (generic) (2029/13) |
| File icon (PE): |  |
| dhash icon | 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner) |
| Reporter |  malwarelabnet |
| Tags: | dll obama190 Qakbot Quakbot |
Intelligence
File Origin
# of uploads :
2
# of downloads :
240
Origin country :
n/a
Vendor Threat Intelligence
Detection:
QakBot
Result
Verdict:
Malware
Maliciousness:
Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Launching a process
Modifying an executable file
Creating a process with a hidden window
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
greyware keylogger
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Verdict:
Malicious
Threat name:
Win32.Backdoor.Quakbot
Status:
Malicious
First seen:
2022-06-21 22:47:07 UTC
File Type:
PE (Dll)
Extracted files:
38
AV detection:
20 of 26 (76.92%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Label(s):
qakbot
Similar samples:
+ 1'255 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Score:
10/10
Tags:
family:qakbot botnet:obama190 campaign:1655819798 banker stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Program crash
Qakbot/Qbot
Malware Config
C2 Extraction:
100.38.242.113:995
173.21.10.71:2222
72.252.157.93:995
72.252.157.93:990
72.252.157.93:993
202.134.152.2:2222
45.241.205.91:993
90.120.209.197:2078
188.136.218.225:61202
41.228.22.180:443
76.25.142.196:443
24.178.196.158:2222
80.11.74.81:2222
69.14.172.24:443
63.143.92.99:995
83.110.94.105:443
38.70.253.226:2222
47.23.89.60:993
177.45.64.254:32101
104.34.212.7:32103
102.182.232.3:995
120.150.218.241:995
208.107.221.224:443
92.137.225.8:2222
88.251.195.142:443
24.139.72.117:443
2.34.12.8:443
24.55.67.176:443
94.59.252.166:2222
201.176.6.24:995
87.109.229.215:995
74.14.5.179:2222
86.132.14.70:2078
86.98.157.42:993
189.78.107.163:32101
108.60.213.141:443
217.128.122.65:2222
148.0.46.240:443
71.13.93.154:2222
91.177.173.10:995
81.250.191.49:2222
173.174.216.62:443
70.46.220.114:443
24.43.99.75:443
32.221.224.140:995
1.161.124.241:443
67.209.195.198:443
117.248.109.38:21
40.134.246.185:995
193.253.44.249:2222
111.125.245.116:995
5.32.41.45:443
37.34.253.233:443
179.158.105.44:443
182.191.92.203:995
172.115.177.204:2222
93.48.80.198:995
148.64.96.100:443
186.90.153.162:2222
67.165.206.193:993
191.250.120.152:443
210.246.4.69:995
39.41.59.177:995
121.7.223.45:2222
176.205.21.139:1194
196.203.37.215:80
39.52.59.14:995
31.215.70.37:443
175.145.235.37:443
197.89.11.167:443
1.161.124.241:995
84.241.8.23:32103
45.46.53.140:2222
174.69.215.101:443
81.193.30.90:443
47.156.131.10:443
187.250.202.2:443
187.208.115.219:443
187.172.164.12:443
109.12.111.14:443
201.172.23.68:2222
41.84.249.56:995
70.51.132.161:2222
162.252.222.118:443
191.34.121.84:443
113.53.152.11:443
86.195.158.178:2222
39.57.60.246:995
109.228.220.196:443
82.41.63.217:443
82.152.39.39:443
106.51.48.188:50001
103.246.242.202:443
94.36.193.176:2222
176.205.21.139:2222
41.38.167.179:995
98.50.191.202:443
190.252.242.69:443
89.101.97.139:443
185.56.243.146:443
186.105.113.65:443
39.49.69.116:995
39.44.30.209:995
68.204.15.28:443
47.157.227.70:443
187.251.132.144:22
31.35.28.29:443
148.252.128.73:443
42.103.128.35:2222
180.129.108.214:995
138.186.28.253:443
184.97.29.26:443
89.137.52.44:443
120.61.2.218:443
122.118.131.132:995
188.55.215.137:995
101.50.110.17:995
89.86.33.217:443
75.99.168.194:61201
103.91.182.114:2222
37.210.156.247:2222
58.105.167.36:50000
197.94.94.206:443
187.207.131.50:61202
76.70.9.169:2222
189.253.206.105:443
176.67.56.94:443
103.116.178.85:995
143.0.219.6:995
79.80.80.29:2222
37.186.58.115:995
96.37.113.36:993
78.101.194.193:6883
72.27.33.160:443
173.21.10.71:2222
72.252.157.93:995
72.252.157.93:990
72.252.157.93:993
202.134.152.2:2222
45.241.205.91:993
90.120.209.197:2078
188.136.218.225:61202
41.228.22.180:443
76.25.142.196:443
24.178.196.158:2222
80.11.74.81:2222
69.14.172.24:443
63.143.92.99:995
83.110.94.105:443
38.70.253.226:2222
47.23.89.60:993
177.45.64.254:32101
104.34.212.7:32103
102.182.232.3:995
120.150.218.241:995
208.107.221.224:443
92.137.225.8:2222
88.251.195.142:443
24.139.72.117:443
2.34.12.8:443
24.55.67.176:443
94.59.252.166:2222
201.176.6.24:995
87.109.229.215:995
74.14.5.179:2222
86.132.14.70:2078
86.98.157.42:993
189.78.107.163:32101
108.60.213.141:443
217.128.122.65:2222
148.0.46.240:443
71.13.93.154:2222
91.177.173.10:995
81.250.191.49:2222
173.174.216.62:443
70.46.220.114:443
24.43.99.75:443
32.221.224.140:995
1.161.124.241:443
67.209.195.198:443
117.248.109.38:21
40.134.246.185:995
193.253.44.249:2222
111.125.245.116:995
5.32.41.45:443
37.34.253.233:443
179.158.105.44:443
182.191.92.203:995
172.115.177.204:2222
93.48.80.198:995
148.64.96.100:443
186.90.153.162:2222
67.165.206.193:993
191.250.120.152:443
210.246.4.69:995
39.41.59.177:995
121.7.223.45:2222
176.205.21.139:1194
196.203.37.215:80
39.52.59.14:995
31.215.70.37:443
175.145.235.37:443
197.89.11.167:443
1.161.124.241:995
84.241.8.23:32103
45.46.53.140:2222
174.69.215.101:443
81.193.30.90:443
47.156.131.10:443
187.250.202.2:443
187.208.115.219:443
187.172.164.12:443
109.12.111.14:443
201.172.23.68:2222
41.84.249.56:995
70.51.132.161:2222
162.252.222.118:443
191.34.121.84:443
113.53.152.11:443
86.195.158.178:2222
39.57.60.246:995
109.228.220.196:443
82.41.63.217:443
82.152.39.39:443
106.51.48.188:50001
103.246.242.202:443
94.36.193.176:2222
176.205.21.139:2222
41.38.167.179:995
98.50.191.202:443
190.252.242.69:443
89.101.97.139:443
185.56.243.146:443
186.105.113.65:443
39.49.69.116:995
39.44.30.209:995
68.204.15.28:443
47.157.227.70:443
187.251.132.144:22
31.35.28.29:443
148.252.128.73:443
42.103.128.35:2222
180.129.108.214:995
138.186.28.253:443
184.97.29.26:443
89.137.52.44:443
120.61.2.218:443
122.118.131.132:995
188.55.215.137:995
101.50.110.17:995
89.86.33.217:443
75.99.168.194:61201
103.91.182.114:2222
37.210.156.247:2222
58.105.167.36:50000
197.94.94.206:443
187.207.131.50:61202
76.70.9.169:2222
189.253.206.105:443
176.67.56.94:443
103.116.178.85:995
143.0.219.6:995
79.80.80.29:2222
37.186.58.115:995
96.37.113.36:993
78.101.194.193:6883
72.27.33.160:443
Unpacked files
SH256 hash:
aa4d244d4457c46e970df34318e43fa8aafd5010ab2af02e139ea8c1c1aa7ca3
MD5 hash:
4dc5296bbe08efa0ae068af09c275f60
SHA1 hash:
d64988cf117599c39e193a42d7081d626376fc40
SH256 hash:
1cfa8764c472987678175aa86d34aaf9b06bf1e7eb243b0e9abc2b512700c755
MD5 hash:
0a1b1909869db6a5d3521d757c39d5cf
SHA1 hash:
be04fbcfb11bff35332443d0e3d0d313b30548d5
Detections:
win_qakbot_auto
Parent samples :
414b150d1512e748414e70c380278d819616a4c4c0c0f8a1679f0264685f3cd3
b5ff7b3e2e573f000fc57ac50e27bccd05baecbe72022746f7e13ad755efa4fb
7043dc865d6c6de28e2ff6e5c7614586c739060dc6deeaa2e27a0e208ad084e2
9cfc5f8eecf8f5e91f6e7151f759f4708010139a2597b69a2d47ce24df97f74e
c0b483db178c827da049412903494593c97d8aab30035dd39b65c9618157726b
b66154c1bf3c8ec382e169b80d5fb6d9b3fa46ddc01d3bc4e7e249858b4db4ff
b5ff7b3e2e573f000fc57ac50e27bccd05baecbe72022746f7e13ad755efa4fb
7043dc865d6c6de28e2ff6e5c7614586c739060dc6deeaa2e27a0e208ad084e2
9cfc5f8eecf8f5e91f6e7151f759f4708010139a2597b69a2d47ce24df97f74e
c0b483db178c827da049412903494593c97d8aab30035dd39b65c9618157726b
b66154c1bf3c8ec382e169b80d5fb6d9b3fa46ddc01d3bc4e7e249858b4db4ff
SH256 hash:
c0b483db178c827da049412903494593c97d8aab30035dd39b65c9618157726b
MD5 hash:
9083bda9e608a440320ea165bd2cc5a0
SHA1 hash:
64b74b5e795247f243bf32b3d0abf3522956ce31
Malware family:
QBot
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.26
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | exploit_any_poppopret |
|---|---|
| Author: | Jeff White [karttoon@gmail.com] @noottrak |
| Description: | Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries. |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.