MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee9aabd2fec3932993038ecf48b2fa192ca5d22c539b5c62be77019a0e77ef79. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Quakbot

Vendor detections: 8

SHA256 hash: ee9aabd2fec3932993038ecf48b2fa192ca5d22c539b5c62be77019a0e77ef79
SHA3-384 hash: fdfa5988b479ce14d62872486560bb3a8887f02e53f9dd05b207adab0136dc93ceb2af288653bd0fa471067905045716
SHA1 hash: 7dd531ba3bcd3b35b2e6d11746bdda16872fab52
MD5 hash: ac8f17902d9a77736a028e84dc9e2238
humanhash: mike-six-maine-rugby
File name: xe1.ocx
Signature: Quakbot
File size: 1'252'467 bytes
First seen: 2022-02-21 14:49:54 UTC
Last seen: 2022-02-28 13:05:26 UTC
File type: DLL dll
MIME type: application/x-dosexec
imphash: 84687bd7bcf9c6a61feea037640c3685 (20 x Quakbot)
ssdeep: 24576:qvX1yuIdR7er92iaov9wxPqgSG3Sul9ObCAekHEtZuvtua3lS:B2H7v9wtAUSuPc0kktZuvtuK
Threatray: 33 similar samples on MalwareBazaar
TLSH: T17E45F6AEB1E06ECCF5F139BC3D5463A80F9A5EB60F7E607AB403088606711FD1C55A5A
Reporter: ffforward
Tags: dll Qakbot qbot Quakbot tr

Intelligence

File Origin
# of uploads: 3
# of downloads: 221
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating synchronization primitives
Launching a process
Modifying an executable file
Searching for synchronization primitives
Creating a process with a hidden window
Creating a window
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: overlay packed
Result
Verdict: SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name: Win32.Trojan.QBot
Status: Malicious
First seen: 2022-02-21 14:50:19 UTC
File Type: PE (Dll)
Extracted files: 65
AV detection: 21 of 28 (75.00%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:qakbot botnet:tr campaign:1645202931 banker stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Qakbot/Qbot
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash: ee9aabd2fec3932993038ecf48b2fa192ca5d22c539b5c62be77019a0e77ef79
MD5 hash: ac8f17902d9a77736a028e84dc9e2238
SHA1 hash: 7dd531ba3bcd3b35b2e6d11746bdda16872fab52
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Quakbot
DLL dll
ee9aabd2fec3932993038ecf48b2fa192ca5d22c539b5c62be77019a0e77ef79 (this sample)

Delivery method: Distributed via web download