MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 d521d0bac4c3686c76cb620df77379d0061b190704d9ac05ce34d32e8f5cdcc9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Quakbot
Vendor detections: 10
| SHA256 hash: | d521d0bac4c3686c76cb620df77379d0061b190704d9ac05ce34d32e8f5cdcc9 |
|---|---|
| SHA3-384 hash: | 8b3f74e4e96b00aac42fb34de29e07aa5ec90baeaa5afc4c4c6d8b09a69c3666fe9b088756bfaef479c667c10610a689 |
| SHA1 hash: | 5d6fe322541c686ae63196d1f2bbe541480ed72c |
| MD5 hash: | 5c74a198e84a5041d849ed8aa52da3f4 |
| humanhash: | nitrogen-zulu-lemon-september |
| File name: | Astop.OOCCXX |
| Download: | download sample |
| Signature | Quakbot |
| File size: | 819'712 bytes |
| First seen: | 2022-05-11 23:13:41 UTC |
| Last seen: | 2022-05-11 23:56:45 UTC |
| File type: |  dll |
| MIME type: | application/x-dosexec |
| imphash | 99335be05eea85d920eaf8f6f5246fc1 (2 x Quakbot) |
| ssdeep | 12288:pg2boKKRrRYEr991kYgwHXdBRPBPSjpho0vqLks2n2BpJBJC8QEydhIjtkI90N+a:pgD1P96YlbGjwks22B/QBhCfG+6F3ld |
| Threatray | 1'054 similar samples on MalwareBazaar |
| TLSH | T1EB05AFB875147CD6E66F567BDADABCDC03B6272299CBA4CD80647BC30563372EE02805 |
| TrID | 38.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 26.3% (.EXE) Win32 Executable (generic) (4505/5/1) 11.8% (.EXE) OS/2 Executable (generic) (2029/13) 11.6% (.EXE) Generic Win/DOS Executable (2002/3) 11.6% (.EXE) DOS Executable Generic (2000/1) |
| Reporter |  pr0xylife |
| Tags: | dll Qakbot Quakbot |
Intelligence
File Origin
# of uploads :
2
# of downloads :
310
Origin country :
n/a
Vendor Threat Intelligence
Detection:
QakBot
Result
Verdict:
Malware
Maliciousness:
Behaviour
Сreating synchronization primitives
Launching a process
Modifying an executable file
Searching for synchronization primitives
Creating a process with a hidden window
Creating a window
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
packed
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Result
Threat name:
Qbot
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Signature
Allocates memory in foreign processes
Found malware configuration
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph:
Threat name:
Win32.Backdoor.Quakbot
Status:
Malicious
First seen:
2022-05-11 23:14:08 UTC
File Type:
PE (Dll)
Extracted files:
2
AV detection:
21 of 26 (80.77%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Label(s):
qakbot
Similar samples:
+ 1'044 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Score:
10/10
Tags:
family:qakbot botnet:obama183 campaign:1652254401 banker stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Qakbot/Qbot
Malware Config
C2 Extraction:
140.82.49.12:443
41.228.22.180:443
75.99.168.194:443
93.48.80.198:995
148.64.96.100:443
86.132.13.91:2078
82.152.39.39:443
41.38.167.179:995
2.50.4.57:443
217.128.122.65:2222
172.114.160.81:995
186.90.153.162:2222
118.161.15.217:443
37.34.253.233:443
2.34.12.8:443
46.107.48.202:443
72.76.94.99:443
124.40.244.118:2222
201.42.3.27:32101
78.100.235.8:2222
76.70.9.169:2222
45.241.145.155:993
203.122.46.130:443
202.134.152.2:2222
75.99.168.194:61201
119.158.122.112:995
183.82.103.213:443
201.210.162.138:2222
173.174.216.62:443
80.11.74.81:2222
86.98.208.214:2222
140.82.63.183:995
149.28.238.199:443
144.202.2.175:995
45.76.167.26:995
144.202.3.39:443
45.63.1.12:995
149.28.238.199:995
140.82.63.183:443
144.202.2.175:443
45.76.167.26:443
144.202.3.39:995
45.63.1.12:443
89.101.97.139:443
103.107.113.84:443
39.44.23.250:995
24.178.196.158:2222
91.177.173.10:995
176.67.56.94:443
148.0.57.85:443
208.107.221.224:443
172.115.177.204:2222
37.186.54.254:995
70.46.220.114:443
118.161.15.217:995
46.103.186.43:995
197.89.6.37:443
181.208.248.227:443
103.246.242.202:443
83.110.89.191:443
76.25.142.196:443
108.60.213.141:443
188.50.241.63:995
86.97.246.216:2222
45.46.53.140:2222
92.132.172.197:2222
121.74.167.191:995
78.100.197.230:6883
120.150.218.241:995
101.51.76.46:443
86.98.78.177:993
39.44.86.21:995
74.14.7.71:2222
86.97.8.200:443
84.241.8.23:32103
86.97.246.216:1194
32.221.224.140:995
47.23.89.60:993
38.70.253.226:2222
182.191.92.203:995
39.52.54.195:995
175.145.235.37:443
185.249.85.200:443
173.21.10.71:2222
174.69.215.101:443
5.32.41.45:443
73.151.236.31:443
190.252.242.69:443
85.246.82.244:443
82.41.63.217:443
187.208.0.99:443
47.156.191.217:443
70.51.137.64:2222
72.252.157.172:990
72.252.157.172:995
100.1.108.246:443
201.142.133.198:443
102.182.232.3:995
201.1.202.82:32101
40.134.246.185:995
24.139.72.117:443
24.55.67.176:443
179.158.105.44:443
201.172.23.68:2222
90.120.65.153:2078
187.102.135.141:2222
189.146.87.77:443
187.251.132.144:22
191.99.191.28:443
41.84.236.194:995
63.143.92.99:995
186.106.206.47:443
39.49.7.132:995
79.129.121.68:995
69.14.172.24:443
109.12.111.14:443
196.203.37.215:80
86.195.158.178:2222
197.162.117.38:995
189.26.55.114:443
121.7.223.59:2222
58.105.167.36:50000
67.165.206.193:993
187.207.47.198:61202
94.36.195.102:2222
128.106.123.187:443
86.190.159.132:443
103.157.122.130:21
67.209.195.198:443
101.50.67.212:995
106.51.48.170:50001
109.228.220.196:443
88.228.251.169:443
104.34.212.7:32103
181.222.130.143:993
24.152.219.253:995
111.125.245.118:995
39.53.105.32:995
191.251.134.129:443
197.205.106.232:443
103.139.243.207:993
116.30.161.215:995
103.139.243.207:990
39.52.54.195:993
81.215.196.174:443
217.118.46.41:2222
89.86.33.217:443
120.61.3.169:443
2.50.17.128:2222
180.129.20.164:995
41.228.22.180:443
75.99.168.194:443
93.48.80.198:995
148.64.96.100:443
86.132.13.91:2078
82.152.39.39:443
41.38.167.179:995
2.50.4.57:443
217.128.122.65:2222
172.114.160.81:995
186.90.153.162:2222
118.161.15.217:443
37.34.253.233:443
2.34.12.8:443
46.107.48.202:443
72.76.94.99:443
124.40.244.118:2222
201.42.3.27:32101
78.100.235.8:2222
76.70.9.169:2222
45.241.145.155:993
203.122.46.130:443
202.134.152.2:2222
75.99.168.194:61201
119.158.122.112:995
183.82.103.213:443
201.210.162.138:2222
173.174.216.62:443
80.11.74.81:2222
86.98.208.214:2222
140.82.63.183:995
149.28.238.199:443
144.202.2.175:995
45.76.167.26:995
144.202.3.39:443
45.63.1.12:995
149.28.238.199:995
140.82.63.183:443
144.202.2.175:443
45.76.167.26:443
144.202.3.39:995
45.63.1.12:443
89.101.97.139:443
103.107.113.84:443
39.44.23.250:995
24.178.196.158:2222
91.177.173.10:995
176.67.56.94:443
148.0.57.85:443
208.107.221.224:443
172.115.177.204:2222
37.186.54.254:995
70.46.220.114:443
118.161.15.217:995
46.103.186.43:995
197.89.6.37:443
181.208.248.227:443
103.246.242.202:443
83.110.89.191:443
76.25.142.196:443
108.60.213.141:443
188.50.241.63:995
86.97.246.216:2222
45.46.53.140:2222
92.132.172.197:2222
121.74.167.191:995
78.100.197.230:6883
120.150.218.241:995
101.51.76.46:443
86.98.78.177:993
39.44.86.21:995
74.14.7.71:2222
86.97.8.200:443
84.241.8.23:32103
86.97.246.216:1194
32.221.224.140:995
47.23.89.60:993
38.70.253.226:2222
182.191.92.203:995
39.52.54.195:995
175.145.235.37:443
185.249.85.200:443
173.21.10.71:2222
174.69.215.101:443
5.32.41.45:443
73.151.236.31:443
190.252.242.69:443
85.246.82.244:443
82.41.63.217:443
187.208.0.99:443
47.156.191.217:443
70.51.137.64:2222
72.252.157.172:990
72.252.157.172:995
100.1.108.246:443
201.142.133.198:443
102.182.232.3:995
201.1.202.82:32101
40.134.246.185:995
24.139.72.117:443
24.55.67.176:443
179.158.105.44:443
201.172.23.68:2222
90.120.65.153:2078
187.102.135.141:2222
189.146.87.77:443
187.251.132.144:22
191.99.191.28:443
41.84.236.194:995
63.143.92.99:995
186.106.206.47:443
39.49.7.132:995
79.129.121.68:995
69.14.172.24:443
109.12.111.14:443
196.203.37.215:80
86.195.158.178:2222
197.162.117.38:995
189.26.55.114:443
121.7.223.59:2222
58.105.167.36:50000
67.165.206.193:993
187.207.47.198:61202
94.36.195.102:2222
128.106.123.187:443
86.190.159.132:443
103.157.122.130:21
67.209.195.198:443
101.50.67.212:995
106.51.48.170:50001
109.228.220.196:443
88.228.251.169:443
104.34.212.7:32103
181.222.130.143:993
24.152.219.253:995
111.125.245.118:995
39.53.105.32:995
191.251.134.129:443
197.205.106.232:443
103.139.243.207:993
116.30.161.215:995
103.139.243.207:990
39.52.54.195:993
81.215.196.174:443
217.118.46.41:2222
89.86.33.217:443
120.61.3.169:443
2.50.17.128:2222
180.129.20.164:995
Unpacked files
SH256 hash:
d521d0bac4c3686c76cb620df77379d0061b190704d9ac05ce34d32e8f5cdcc9
MD5 hash:
5c74a198e84a5041d849ed8aa52da3f4
SHA1 hash:
5d6fe322541c686ae63196d1f2bbe541480ed72c
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | QakBot |
|---|---|
| Author: | kevoreilly |
| Description: | QakBot Payload |
| Rule name: | win_qakbot_auto |
|---|---|
| Author: | Felix Bilstein - yara-signator at cocacoding dot com |
| Description: | Detects win.qakbot. |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.