MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 d59e2f51017cbdba301b87bf66bcda4b2db53e98acd39e25744b9afa4649c117. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Quakbot
Vendor detections: 8
Maldoc score: 1
| SHA256 hash: | d59e2f51017cbdba301b87bf66bcda4b2db53e98acd39e25744b9afa4649c117 |
|---|---|
| SHA3-384 hash: | 1026dca6513096c134a44941aac4350605077aa4ae1785a2eed89158486a701ff817c9cf775cc46c5fba25d62d216324 |
| SHA1 hash: | eb32d61b321d96dad430a229e10cf8e29b39fa8f |
| MD5 hash: | 58ad025a1b774784958e9759167eacef |
| humanhash: | freddie-hamper-wyoming-massachusetts |
| File name: | Claim-1230392319-02092021.xls |
| Download: | download sample |
| Signature | Quakbot |
| File size: | 106'496 bytes |
| First seen: | 2021-02-09 15:52:01 UTC |
| Last seen: | 2021-02-09 17:54:06 UTC |
| File type: |  xls |
| MIME type: | application/vnd.ms-excel |
| ssdeep | 3072:tcPiTQAVW/89BQnmlcGvgZ6Gr3J8YUOM0t/BI/s/C/i/R/7/3/UQ/OhP/2/a/1/r:tcPiTQAVW/89BQnmlcGvgZ7r3J8YUOM3 |
| TLSH | 27A393917E12E029F3598BB6446B426C1FE1EC42AB8165CF33267B995F702893EC3D17 |
| Reporter |  malware_traffic |
| Tags: | macros Qakbot qbot Quakbot xls |
Office OLE Information
This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.
OLE id
| Maldoc score: 1 |
| Application name is Microsoft Excel |
| Office document is in OLE format |
OLE dump
MalwareBazaar was able to identify 3 sections in this file using oledump:
| Section ID | Section size | Section name |
|---|---|---|
| 1 | 4096 bytes | DocumentSummaryInformation |
| 2 | 4096 bytes | SummaryInformation |
| 3 | 96249 bytes | Book |
OLE vba
MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:
| Type | Keyword | Description |
|---|---|---|
| AutoExec | Auto_Open | Runs when the Excel Workbook is opened |
Intelligence
File Origin
# of uploads :
2
# of downloads :
934
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Claim-1230392319-02092021.xls
Verdict:
Malicious activity
Analysis date:
2021-02-09 15:57:54 UTC
Tags:
macros loader
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
File type:
application/vnd.ms-excel
Has a screenshot:
False
Contains macros:
True
Detection:
n/a
Result
Verdict:
Clean
File Type:
Legacy Office File
Result
Verdict:
MALICIOUS
Threat name:
Document-Word.Backdoor.Quakbot
Status:
Malicious
First seen:
2021-02-09 15:52:15 UTC
File Type:
Document
Extracted files:
3
AV detection:
16 of 29 (55.17%)
Threat level:
5/5
Detection(s):
Suspicious file
Result
Malware family:
qakbot
Score:
10/10
Tags:
family:qakbot botnet:obama03 campaign:1612873476 banker macro stealer trojan xlm
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Loads dropped DLL
Process spawned unexpected child process
Qakbot/Qbot
Malware Config
C2 Extraction:
86.220.60.133:2222
176.181.247.197:443
71.74.12.34:443
47.22.148.6:443
97.69.160.4:2222
103.51.20.143:2222
176.205.222.30:2078
105.226.10.142:443
90.101.117.122:2222
80.11.5.65:2222
82.12.157.95:995
196.151.252.84:443
45.77.115.208:2222
47.146.169.85:443
76.94.200.148:995
23.240.70.80:443
82.127.125.209:990
196.221.207.137:995
85.58.200.50:2222
45.32.211.207:2222
173.70.165.101:995
207.246.116.237:8443
149.28.99.97:995
149.28.101.90:8443
45.63.107.192:443
207.246.116.237:995
207.246.77.75:443
149.28.98.196:443
45.32.211.207:443
144.202.38.185:443
144.202.38.185:995
149.28.98.196:995
149.28.101.90:995
207.246.77.75:8443
45.63.107.192:2222
149.28.101.90:443
207.246.116.237:443
45.32.211.207:8443
45.32.211.207:995
1.32.35.2:443
45.77.115.208:443
45.63.107.192:995
144.202.38.185:2222
149.28.98.196:2222
149.28.101.90:2222
207.246.77.75:995
207.246.116.237:2222
207.246.77.75:2222
83.110.12.140:2222
184.189.122.72:443
189.210.115.207:443
201.171.77.138:443
208.126.142.17:443
86.236.77.68:2222
82.76.47.211:443
92.59.35.196:2222
45.77.115.208:8443
2.7.69.217:2222
45.77.115.208:995
172.87.157.235:3389
213.60.147.140:443
125.209.114.182:995
24.50.118.93:443
108.46.145.30:443
197.35.14.18:443
89.3.198.238:443
197.51.82.72:443
81.88.254.62:443
106.51.85.162:443
105.198.236.101:443
70.126.76.75:443
115.69.252.0:22
160.3.187.114:443
96.61.23.88:995
85.132.36.111:2222
86.98.93.124:2078
41.40.16.117:443
66.227.200.160:443
50.244.112.106:443
77.211.30.202:995
89.137.211.239:995
140.82.49.12:443
209.210.187.52:995
59.90.246.200:443
80.11.173.82:8443
78.22.58.205:3389
83.110.103.152:443
98.224.100.33:443
24.115.218.15:995
190.85.91.154:443
47.187.115.228:443
81.150.181.168:2222
142.68.28.22:443
71.88.193.17:443
86.160.137.132:443
219.74.195.175:443
193.248.221.184:2222
80.227.5.69:443
173.25.45.66:443
68.186.192.69:443
151.60.178.141:443
144.139.47.206:443
31.215.70.185:443
105.198.236.99:443
38.92.225.121:443
197.45.110.165:995
70.168.130.172:995
71.187.170.235:443
46.153.118.161:995
188.25.63.105:443
216.201.162.158:443
81.97.154.100:443
68.225.60.77:995
81.214.126.173:2222
87.202.87.210:2222
78.63.226.32:443
108.31.15.10:995
83.110.108.181:2222
202.188.138.162:443
96.21.251.127:2222
106.51.52.111:443
74.222.204.82:995
75.136.40.155:443
24.95.61.62:443
203.194.110.74:443
86.245.46.27:2222
84.72.35.226:443
68.50.197.143:443
75.67.192.125:443
77.27.204.204:995
171.103.138.122:995
95.77.223.148:443
193.252.48.200:443
69.123.179.70:443
154.125.125.77:995
60.50.255.183:443
27.223.92.142:995
115.133.243.6:443
189.223.234.23:995
2.232.253.79:995
88.252.96.34:443
47.188.182.209:995
50.29.166.232:995
76.25.142.196:443
182.190.28.202:3389
2.50.31.69:443
75.136.26.147:443
45.46.53.140:2222
122.148.156.131:995
173.21.10.71:2222
176.181.247.197:443
71.74.12.34:443
47.22.148.6:443
97.69.160.4:2222
103.51.20.143:2222
176.205.222.30:2078
105.226.10.142:443
90.101.117.122:2222
80.11.5.65:2222
82.12.157.95:995
196.151.252.84:443
45.77.115.208:2222
47.146.169.85:443
76.94.200.148:995
23.240.70.80:443
82.127.125.209:990
196.221.207.137:995
85.58.200.50:2222
45.32.211.207:2222
173.70.165.101:995
207.246.116.237:8443
149.28.99.97:995
149.28.101.90:8443
45.63.107.192:443
207.246.116.237:995
207.246.77.75:443
149.28.98.196:443
45.32.211.207:443
144.202.38.185:443
144.202.38.185:995
149.28.98.196:995
149.28.101.90:995
207.246.77.75:8443
45.63.107.192:2222
149.28.101.90:443
207.246.116.237:443
45.32.211.207:8443
45.32.211.207:995
1.32.35.2:443
45.77.115.208:443
45.63.107.192:995
144.202.38.185:2222
149.28.98.196:2222
149.28.101.90:2222
207.246.77.75:995
207.246.116.237:2222
207.246.77.75:2222
83.110.12.140:2222
184.189.122.72:443
189.210.115.207:443
201.171.77.138:443
208.126.142.17:443
86.236.77.68:2222
82.76.47.211:443
92.59.35.196:2222
45.77.115.208:8443
2.7.69.217:2222
45.77.115.208:995
172.87.157.235:3389
213.60.147.140:443
125.209.114.182:995
24.50.118.93:443
108.46.145.30:443
197.35.14.18:443
89.3.198.238:443
197.51.82.72:443
81.88.254.62:443
106.51.85.162:443
105.198.236.101:443
70.126.76.75:443
115.69.252.0:22
160.3.187.114:443
96.61.23.88:995
85.132.36.111:2222
86.98.93.124:2078
41.40.16.117:443
66.227.200.160:443
50.244.112.106:443
77.211.30.202:995
89.137.211.239:995
140.82.49.12:443
209.210.187.52:995
59.90.246.200:443
80.11.173.82:8443
78.22.58.205:3389
83.110.103.152:443
98.224.100.33:443
24.115.218.15:995
190.85.91.154:443
47.187.115.228:443
81.150.181.168:2222
142.68.28.22:443
71.88.193.17:443
86.160.137.132:443
219.74.195.175:443
193.248.221.184:2222
80.227.5.69:443
173.25.45.66:443
68.186.192.69:443
151.60.178.141:443
144.139.47.206:443
31.215.70.185:443
105.198.236.99:443
38.92.225.121:443
197.45.110.165:995
70.168.130.172:995
71.187.170.235:443
46.153.118.161:995
188.25.63.105:443
216.201.162.158:443
81.97.154.100:443
68.225.60.77:995
81.214.126.173:2222
87.202.87.210:2222
78.63.226.32:443
108.31.15.10:995
83.110.108.181:2222
202.188.138.162:443
96.21.251.127:2222
106.51.52.111:443
74.222.204.82:995
75.136.40.155:443
24.95.61.62:443
203.194.110.74:443
86.245.46.27:2222
84.72.35.226:443
68.50.197.143:443
75.67.192.125:443
77.27.204.204:995
171.103.138.122:995
95.77.223.148:443
193.252.48.200:443
69.123.179.70:443
154.125.125.77:995
60.50.255.183:443
27.223.92.142:995
115.133.243.6:443
189.223.234.23:995
2.232.253.79:995
88.252.96.34:443
47.188.182.209:995
50.29.166.232:995
76.25.142.196:443
182.190.28.202:3389
2.50.31.69:443
75.136.26.147:443
45.46.53.140:2222
122.148.156.131:995
173.21.10.71:2222
Dropper Extraction:
http://batarey.net/bcorucporp/3806249.jpg
http://panic-studios.dk/zqbvc/3806249.jpg
http://unit4.space/bjpeqzfvs/3806249.jpg
http://interluxcargo.kz/xncvbcbzw/3806249.jpg
http://immanta.com/zrqzfrsvu/3806249.jpg
http://lagacetadelopositor.com/sdrbzodvwi/3806249.jpg
http://test.frogmood.com/wssxsgqu/3806249.jpg
http://panic-studios.dk/zqbvc/3806249.jpg
http://unit4.space/bjpeqzfvs/3806249.jpg
http://interluxcargo.kz/xncvbcbzw/3806249.jpg
http://immanta.com/zrqzfrsvu/3806249.jpg
http://lagacetadelopositor.com/sdrbzodvwi/3806249.jpg
http://test.frogmood.com/wssxsgqu/3806249.jpg
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trickbot
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | Email_stealer_bin_mem |
|---|---|
| Author: | James_inthe_box |
| Description: | Email in files like avemaria |
| Rule name: | INDICATOR_DOC_PhishingPatterns |
|---|---|
| Author: | ditekSHen |
| Description: | Detects OLE, RTF, PDF and OOXML (decompressed) documents with common phishing strings |
| Rule name: | IPPort_combo_mem |
|---|---|
| Author: | James_inthe_box |
| Description: | IP and port combo |
| Rule name: | Select_from_enumeration |
|---|---|
| Author: | James_inthe_box |
| Description: | IP and port combo |
| Rule name: | SharedStrings |
|---|---|
| Author: | Katie Kleemola |
| Description: | Internal names found in LURK0/CCTV0 samples |
| Rule name: | SUSP_EnableContent_String_Gen |
|---|---|
| Author: | Florian Roth |
| Description: | Detects suspicious string that asks to enable active content in Office Doc |
| Reference: | Internal Research |
| Rule name: | UAC_bypass_bin_mem |
|---|---|
| Author: | James_inthe_box |
| Description: | UAC bypass in files like avemaria |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.