MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 c3cba8b38b1c9d930d6352803848798e6e9b8ef37e52523b97d5b94dd52fc732. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Quakbot
Vendor detections: 10
| SHA256 hash: | c3cba8b38b1c9d930d6352803848798e6e9b8ef37e52523b97d5b94dd52fc732 |
|---|---|
| SHA3-384 hash: | 5e4ed111f12bf83a833aac521cfe2c3db2a3d2f8c810c29034f9dcf5869afd47c41afc14a8ac846d2821388e55ece3b7 |
| SHA1 hash: | 95f1d5ee8c95b24ffb62d61d597ac1e1c5e44b31 |
| MD5 hash: | d5134f77ca508e33eace820c4877e6c0 |
| humanhash: | mike-eight-sodium-river |
| File name: | 555555555png |
| Download: | download sample |
| Signature | Quakbot |
| File size: | 940'568 bytes |
| First seen: | 2020-09-16 09:12:31 UTC |
| Last seen: | 2020-09-16 13:35:51 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | a847cd72b1f7bfaf97d49dd38246ae25 (4 x Quakbot) |
| ssdeep | 6144:x3bDksaZLLP8OvtzpfzzlPFAAfwG44X0m+Z1Af61g8nKB17M1hRJZ:VvksaZLwOvTzRP6Af44ajACi8Kr7M1j |
| Threatray | 420 similar samples on MalwareBazaar |
| TLSH | 4915D00AFB77DC11D2E42FB6059307AC9967E8E9B932900725A72F197DF63E07C26508 |
| Reporter |  JAMESWT_WT |
| Tags: | Equal Cash Technologies Limited Qakbot Quakbot signed |
Code Signing Certificate
| Organisation: | Equal Cash Technologies Limited |
|---|---|
| Issuer: | Sectigo RSA Code Signing CA |
| Algorithm: | sha256WithRSAEncryption |
| Valid from: | Sep 5 00:00:00 2020 GMT |
| Valid to: | Sep 5 23:59:59 2021 GMT |
| Serial number: | 70E1EBD170DB8102D8C28E58392E5632 |
| Intelligence: | 2 malware samples on MalwareBazaar are signed with this code signing certificate |
| MalwareBazaar Blocklist: | This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB) |
| Thumbprint Algorithm: | SHA256 |
| Thumbprint: | 90D67006BE03F2254E1DA76D4EA7DC24372C4F30B652857890F9D9A391E9279C |
| Source: | This information was brought to you by ReversingLabs A1000 Malware Analysis Platform |
Intelligence
File Origin
# of uploads :
2
# of downloads :
145
Origin country :
n/a
Vendor Threat Intelligence
Detection:
QakBot
Detection(s):
Result
Verdict:
Malware
Maliciousness:
Behaviour
Sending a UDP request
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching a process
Creating a window
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Threat name:
Qbot
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect virtual machines (IN, VMware)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph:
Detection:
qakbot
Threat name:
Win32.Backdoor.Quakbot
Status:
Malicious
First seen:
2020-09-15 21:18:44 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
25 of 29 (86.21%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Similar samples:
+ 410 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Score:
10/10
Tags:
trojan banker stealer family:qakbot
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Loads dropped DLL
Executes dropped EXE
Qakbot/Qbot
Malware Config
C2 Extraction:
134.0.196.46:995
187.200.69.215:443
66.222.88.126:995
151.73.125.102:443
186.94.248.208:2078
71.56.53.127:443
87.65.204.240:995
63.155.74.135:995
68.184.45.73:443
82.77.105.236:2222
23.240.70.80:443
24.138.77.61:443
76.111.128.194:443
75.136.40.155:443
75.182.214.87:443
73.216.60.90:2222
148.240.52.146:443
108.185.113.12:443
216.163.4.136:443
66.215.32.224:443
35.134.202.234:443
84.247.55.190:443
77.159.149.74:443
72.204.242.138:32102
24.27.82.216:2222
207.255.161.8:465
206.183.190.53:993
134.228.24.29:443
96.41.93.96:443
84.232.238.30:443
184.98.103.204:995
72.186.1.237:443
81.133.234.36:2222
189.163.185.110:443
71.84.5.114:995
68.225.56.31:443
108.178.66.82:995
172.87.134.226:443
216.201.162.158:443
67.6.55.77:443
76.170.77.99:995
94.53.92.42:443
74.195.88.59:995
64.121.114.87:443
166.62.180.194:2078
209.182.122.217:443
189.150.107.132:443
72.240.200.181:2222
73.32.115.251:443
72.223.123.155:443
75.90.53.37:443
205.178.7.90:443
187.213.52.174:995
45.32.155.12:443
76.179.54.116:443
71.187.170.235:443
69.167.206.238:50001
207.255.161.8:2078
207.255.161.8:32100
31.5.21.66:443
178.222.113.168:995
86.162.13.18:2222
71.126.139.251:443
100.1.39.62:443
5.13.144.137:995
67.165.206.193:993
50.244.112.10:995
72.204.242.138:465
47.44.217.98:443
72.36.59.46:2222
2.90.87.34:995
213.120.109.73:2222
47.146.32.175:443
176.223.8.159:2222
69.11.247.242:443
75.81.25.223:443
50.232.172.114:443
184.180.157.203:2222
190.30.187.34:443
96.18.240.158:443
37.210.186.213:61201
75.136.26.147:443
96.255.188.58:443
207.255.161.8:993
173.26.189.151:443
70.123.92.175:2222
72.82.15.220:443
108.46.145.30:443
5.15.29.67:443
74.75.237.11:443
68.174.15.223:443
156.213.179.139:443
199.247.22.145:443
188.51.33.232:995
50.244.112.106:443
94.59.227.197:995
47.28.131.209:443
118.167.118.227:443
71.182.142.63:443
141.158.47.123:443
72.204.242.138:990
80.14.209.42:2222
208.93.202.49:443
41.228.24.11:443
72.179.13.59:443
24.187.59.203:2222
24.37.178.158:443
50.104.68.223:443
5.12.0.239:443
173.245.152.231:443
72.214.55.195:995
66.57.216.53:993
189.231.196.236:443
67.209.195.198:443
24.231.54.185:2222
98.240.24.57:443
207.255.161.8:995
86.98.89.62:2222
217.165.164.132:2222
51.223.158.125:443
45.77.193.83:443
207.246.75.201:443
95.179.247.224:443
199.247.16.80:443
73.228.1.246:443
24.229.150.54:995
209.137.209.163:995
45.32.154.10:443
5.193.181.221:2078
41.232.231.135:995
148.101.68.96:443
190.85.91.154:443
144.139.47.206:443
72.190.101.70:443
80.195.103.146:2222
2.91.109.154:995
95.77.144.238:443
47.180.66.10:443
77.27.174.49:995
195.162.106.93:2222
190.220.8.10:443
191.84.7.1:443
5.234.221.88:995
117.218.208.239:443
84.117.176.32:443
73.227.232.166:443
96.30.198.161:443
47.146.169.85:443
46.53.26.66:443
72.204.242.138:20
187.200.69.215:443
66.222.88.126:995
151.73.125.102:443
186.94.248.208:2078
71.56.53.127:443
87.65.204.240:995
63.155.74.135:995
68.184.45.73:443
82.77.105.236:2222
23.240.70.80:443
24.138.77.61:443
76.111.128.194:443
75.136.40.155:443
75.182.214.87:443
73.216.60.90:2222
148.240.52.146:443
108.185.113.12:443
216.163.4.136:443
66.215.32.224:443
35.134.202.234:443
84.247.55.190:443
77.159.149.74:443
72.204.242.138:32102
24.27.82.216:2222
207.255.161.8:465
206.183.190.53:993
134.228.24.29:443
96.41.93.96:443
84.232.238.30:443
184.98.103.204:995
72.186.1.237:443
81.133.234.36:2222
189.163.185.110:443
71.84.5.114:995
68.225.56.31:443
108.178.66.82:995
172.87.134.226:443
216.201.162.158:443
67.6.55.77:443
76.170.77.99:995
94.53.92.42:443
74.195.88.59:995
64.121.114.87:443
166.62.180.194:2078
209.182.122.217:443
189.150.107.132:443
72.240.200.181:2222
73.32.115.251:443
72.223.123.155:443
75.90.53.37:443
205.178.7.90:443
187.213.52.174:995
45.32.155.12:443
76.179.54.116:443
71.187.170.235:443
69.167.206.238:50001
207.255.161.8:2078
207.255.161.8:32100
31.5.21.66:443
178.222.113.168:995
86.162.13.18:2222
71.126.139.251:443
100.1.39.62:443
5.13.144.137:995
67.165.206.193:993
50.244.112.10:995
72.204.242.138:465
47.44.217.98:443
72.36.59.46:2222
2.90.87.34:995
213.120.109.73:2222
47.146.32.175:443
176.223.8.159:2222
69.11.247.242:443
75.81.25.223:443
50.232.172.114:443
184.180.157.203:2222
190.30.187.34:443
96.18.240.158:443
37.210.186.213:61201
75.136.26.147:443
96.255.188.58:443
207.255.161.8:993
173.26.189.151:443
70.123.92.175:2222
72.82.15.220:443
108.46.145.30:443
5.15.29.67:443
74.75.237.11:443
68.174.15.223:443
156.213.179.139:443
199.247.22.145:443
188.51.33.232:995
50.244.112.106:443
94.59.227.197:995
47.28.131.209:443
118.167.118.227:443
71.182.142.63:443
141.158.47.123:443
72.204.242.138:990
80.14.209.42:2222
208.93.202.49:443
41.228.24.11:443
72.179.13.59:443
24.187.59.203:2222
24.37.178.158:443
50.104.68.223:443
5.12.0.239:443
173.245.152.231:443
72.214.55.195:995
66.57.216.53:993
189.231.196.236:443
67.209.195.198:443
24.231.54.185:2222
98.240.24.57:443
207.255.161.8:995
86.98.89.62:2222
217.165.164.132:2222
51.223.158.125:443
45.77.193.83:443
207.246.75.201:443
95.179.247.224:443
199.247.16.80:443
73.228.1.246:443
24.229.150.54:995
209.137.209.163:995
45.32.154.10:443
5.193.181.221:2078
41.232.231.135:995
148.101.68.96:443
190.85.91.154:443
144.139.47.206:443
72.190.101.70:443
80.195.103.146:2222
2.91.109.154:995
95.77.144.238:443
47.180.66.10:443
77.27.174.49:995
195.162.106.93:2222
190.220.8.10:443
191.84.7.1:443
5.234.221.88:995
117.218.208.239:443
84.117.176.32:443
73.227.232.166:443
96.30.198.161:443
47.146.169.85:443
46.53.26.66:443
72.204.242.138:20
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
qbot
Score:
1.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Web download
Delivery method
Distributed via web download
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.