MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 f8f1e802ba50a82412132f70e3094abcdc99f3daf55355a6e8639f4d23e09196. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Quakbot
Vendor detections: 12
| SHA256 hash: | f8f1e802ba50a82412132f70e3094abcdc99f3daf55355a6e8639f4d23e09196 |
|---|---|
| SHA3-384 hash: | 0fe6bae4a01bb117daf9f60e5e30f965dedbf08be6b717ec6fe4b45b0ac2dfce434cad9f95941d0c6798750484e88d86 |
| SHA1 hash: | 332062182075ac647f4f71470ff871b80e79f0a4 |
| MD5 hash: | b015295b41e6934648c6aaf07acf92a9 |
| humanhash: | maryland-fanta-echo-nitrogen |
| File name: | f8f1e802ba50a82412132f70e3094abcdc99f3daf55355a6e8639f4d23e09196 |
| Download: | download sample |
| Signature | Quakbot |
| File size: | 937'325 bytes |
| First seen: | 2022-05-10 19:22:39 UTC |
| Last seen: | Never |
| File type: |  dll |
| MIME type: | application/x-dosexec |
| imphash | 2ef056f13cabaad369bfc8142f741822 (3 x Quakbot) |
| ssdeep | 12288:SQiqrqqTZ4nAQxe/k4XZdAxz6s8I1rm9JDGQkk3CDv+3wMLDUTVScZvHsvZRzIBj:HT+Hn3Ezc6NIUXHCDv+3woAJ3+ZRMBj |
| Threatray | 1'043 similar samples on MalwareBazaar |
| TLSH | T137158E32F3E18437D1732A3C9D7B7759982A7D102D78A88A6BE50D4C0F396427D292E7 |
| TrID | 47.6% (.EXE) Win32 Executable Delphi generic (14182/79/4) 15.1% (.EXE) Win32 Executable (generic) (4505/5/1) 10.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1) 6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23) 6.8% (.EXE) OS/2 Executable (generic) (2029/13) |
| File icon (PE): |  |
| dhash icon | 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner) |
| Reporter |  malwarelabnet |
| Tags: | AA dll Qakbot Quakbot |
Intelligence
File Origin
# of uploads :
1
# of downloads :
277
Origin country :
n/a
Vendor Threat Intelligence
Detection:
QakBot
Detection(s):
Result
Verdict:
Malware
Maliciousness:
Behaviour
Сreating synchronization primitives
Creating a window
Launching a process
Modifying an executable file
Searching for synchronization primitives
Creating a process with a hidden window
Sending a custom TCP request
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
control.exe greyware keylogger overlay packed qbot
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Verdict:
Malicious
Threat name:
Win32.Trojan.PinkSbot
Status:
Malicious
First seen:
2022-05-10 19:23:08 UTC
File Type:
PE (Dll)
Extracted files:
38
AV detection:
20 of 41 (48.78%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Label(s):
qakbot
Similar samples:
+ 1'033 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Score:
10/10
Tags:
family:qakbot botnet:aa campaign:1651732978 banker stealer trojan
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Program crash
Loads dropped DLL
Qakbot/Qbot
Malware Config
C2 Extraction:
24.178.196.158:2222
91.177.173.10:995
181.208.248.227:443
103.107.113.120:443
80.11.74.81:2222
2.50.17.128:2222
148.0.57.85:443
179.179.162.9:993
37.186.54.254:995
120.150.218.241:995
176.67.56.94:443
108.60.213.141:443
208.107.221.224:443
113.53.151.59:443
58.105.167.36:50000
141.237.86.114:995
70.46.220.114:443
74.14.7.71:2222
172.115.177.204:2222
189.146.78.175:443
194.36.28.102:443
32.221.224.140:995
113.110.253.185:995
24.152.219.253:995
197.83.230.61:443
104.34.212.7:32103
47.23.89.62:993
38.70.253.226:2222
75.99.168.194:443
41.228.22.180:443
148.64.96.100:443
2.50.4.57:443
118.161.34.21:995
67.209.195.198:443
187.207.47.198:61202
140.82.49.12:443
203.122.46.130:443
217.128.122.65:2222
118.161.34.21:443
83.110.218.155:993
5.32.41.45:443
72.76.94.99:443
76.70.9.169:2222
2.34.12.8:443
92.132.172.197:2222
75.99.168.194:61201
46.107.48.202:443
103.139.243.207:990
103.87.95.133:2222
63.143.92.99:995
173.174.216.62:443
174.69.215.101:443
86.98.208.214:2222
76.25.142.196:443
45.63.1.12:443
144.202.3.39:443
144.202.3.39:995
149.28.238.199:443
45.76.167.26:995
149.28.238.199:995
140.82.63.183:995
144.202.2.175:995
45.63.1.12:995
140.82.63.183:443
144.202.2.175:443
45.76.167.26:443
173.21.10.71:2222
73.151.236.31:443
67.165.206.193:993
45.46.53.140:2222
191.99.191.28:443
180.129.20.164:995
85.246.82.244:443
149.135.101.20:443
31.35.28.29:443
187.208.0.99:443
201.142.133.198:443
82.41.63.217:443
201.172.23.68:2222
72.252.157.172:990
190.252.242.69:443
70.51.152.61:2222
90.120.65.153:2078
217.118.46.41:2222
72.252.157.172:995
39.33.170.57:995
177.102.2.175:32101
40.134.246.185:995
5.193.104.246:2222
100.1.108.246:443
24.139.72.117:443
24.55.67.176:443
187.102.135.141:2222
69.14.172.24:443
94.36.195.102:2222
89.101.97.139:443
47.156.191.217:443
179.158.105.44:443
2.191.231.178:443
37.34.253.233:443
109.12.111.14:443
41.215.148.115:995
103.157.122.130:21
93.48.80.198:995
86.195.158.178:2222
105.99.204.185:443
96.37.113.36:993
86.132.13.91:2078
183.82.103.213:443
196.203.37.215:80
89.86.33.217:443
186.64.67.8:443
67.69.166.79:2222
103.233.141.208:2222
121.74.167.191:995
190.36.233.41:2222
68.204.7.158:443
197.94.84.67:443
79.129.121.68:995
106.51.48.170:50001
72.66.116.235:995
82.152.39.39:443
72.12.115.78:22
103.139.243.207:993
89.137.52.44:443
103.246.242.202:443
191.34.199.46:443
120.61.0.220:443
98.50.191.202:443
96.45.66.216:61202
102.182.232.3:995
89.211.182.31:2222
84.241.8.23:32103
172.114.160.81:995
217.164.117.87:1194
45.9.20.200:443
47.23.89.62:995
187.172.191.97:443
24.43.99.75:443
103.88.226.30:443
182.191.92.203:995
39.44.144.64:995
45.241.254.110:993
39.57.56.19:995
121.7.223.59:2222
94.140.8.55:2222
172.114.160.81:443
39.49.69.112:995
102.65.23.65:443
103.116.178.85:995
91.177.173.10:995
181.208.248.227:443
103.107.113.120:443
80.11.74.81:2222
2.50.17.128:2222
148.0.57.85:443
179.179.162.9:993
37.186.54.254:995
120.150.218.241:995
176.67.56.94:443
108.60.213.141:443
208.107.221.224:443
113.53.151.59:443
58.105.167.36:50000
141.237.86.114:995
70.46.220.114:443
74.14.7.71:2222
172.115.177.204:2222
189.146.78.175:443
194.36.28.102:443
32.221.224.140:995
113.110.253.185:995
24.152.219.253:995
197.83.230.61:443
104.34.212.7:32103
47.23.89.62:993
38.70.253.226:2222
75.99.168.194:443
41.228.22.180:443
148.64.96.100:443
2.50.4.57:443
118.161.34.21:995
67.209.195.198:443
187.207.47.198:61202
140.82.49.12:443
203.122.46.130:443
217.128.122.65:2222
118.161.34.21:443
83.110.218.155:993
5.32.41.45:443
72.76.94.99:443
76.70.9.169:2222
2.34.12.8:443
92.132.172.197:2222
75.99.168.194:61201
46.107.48.202:443
103.139.243.207:990
103.87.95.133:2222
63.143.92.99:995
173.174.216.62:443
174.69.215.101:443
86.98.208.214:2222
76.25.142.196:443
45.63.1.12:443
144.202.3.39:443
144.202.3.39:995
149.28.238.199:443
45.76.167.26:995
149.28.238.199:995
140.82.63.183:995
144.202.2.175:995
45.63.1.12:995
140.82.63.183:443
144.202.2.175:443
45.76.167.26:443
173.21.10.71:2222
73.151.236.31:443
67.165.206.193:993
45.46.53.140:2222
191.99.191.28:443
180.129.20.164:995
85.246.82.244:443
149.135.101.20:443
31.35.28.29:443
187.208.0.99:443
201.142.133.198:443
82.41.63.217:443
201.172.23.68:2222
72.252.157.172:990
190.252.242.69:443
70.51.152.61:2222
90.120.65.153:2078
217.118.46.41:2222
72.252.157.172:995
39.33.170.57:995
177.102.2.175:32101
40.134.246.185:995
5.193.104.246:2222
100.1.108.246:443
24.139.72.117:443
24.55.67.176:443
187.102.135.141:2222
69.14.172.24:443
94.36.195.102:2222
89.101.97.139:443
47.156.191.217:443
179.158.105.44:443
2.191.231.178:443
37.34.253.233:443
109.12.111.14:443
41.215.148.115:995
103.157.122.130:21
93.48.80.198:995
86.195.158.178:2222
105.99.204.185:443
96.37.113.36:993
86.132.13.91:2078
183.82.103.213:443
196.203.37.215:80
89.86.33.217:443
186.64.67.8:443
67.69.166.79:2222
103.233.141.208:2222
121.74.167.191:995
190.36.233.41:2222
68.204.7.158:443
197.94.84.67:443
79.129.121.68:995
106.51.48.170:50001
72.66.116.235:995
82.152.39.39:443
72.12.115.78:22
103.139.243.207:993
89.137.52.44:443
103.246.242.202:443
191.34.199.46:443
120.61.0.220:443
98.50.191.202:443
96.45.66.216:61202
102.182.232.3:995
89.211.182.31:2222
84.241.8.23:32103
172.114.160.81:995
217.164.117.87:1194
45.9.20.200:443
47.23.89.62:995
187.172.191.97:443
24.43.99.75:443
103.88.226.30:443
182.191.92.203:995
39.44.144.64:995
45.241.254.110:993
39.57.56.19:995
121.7.223.59:2222
94.140.8.55:2222
172.114.160.81:443
39.49.69.112:995
102.65.23.65:443
103.116.178.85:995
Unpacked files
SH256 hash:
8ece4939aa614bbe96eb34360e83d5d9b211976575f06ba555675d3e9bc03a6b
MD5 hash:
23a45ed7bb72cd05ecd10abaebdd8645
SHA1 hash:
4e449040c71982a9f612b318ee47dc7c15b94a9f
SH256 hash:
d3095f08ae2d3f9b31dd5696bd593e5de14b4ca665389f0d480ad12318af2682
MD5 hash:
e110303afe7c390d9130805818e3bf76
SHA1 hash:
83cd9be98486c753da2dfe8972123caf4b655785
Detections:
win_qakbot_auto
Parent samples :
4ae4b557d53199a33e8273f5fbc5007fb4b981a0687640d0282023f58fe3838f
1a5dbff80ba1a6061196db8b27033a38c154d1822f6de2f9affc0631bf8e82ee
d52343262162d81a5c2651aa871ae1315f4bd4f35ceecde414d4445664e4f9e4
f8f1e802ba50a82412132f70e3094abcdc99f3daf55355a6e8639f4d23e09196
cbd9a472f9588a205390a6ee56722f15aaefe8364bccfeccf7a8ca04b2ec07d1
1a5dbff80ba1a6061196db8b27033a38c154d1822f6de2f9affc0631bf8e82ee
d52343262162d81a5c2651aa871ae1315f4bd4f35ceecde414d4445664e4f9e4
f8f1e802ba50a82412132f70e3094abcdc99f3daf55355a6e8639f4d23e09196
cbd9a472f9588a205390a6ee56722f15aaefe8364bccfeccf7a8ca04b2ec07d1
SH256 hash:
f8f1e802ba50a82412132f70e3094abcdc99f3daf55355a6e8639f4d23e09196
MD5 hash:
b015295b41e6934648c6aaf07acf92a9
SHA1 hash:
332062182075ac647f4f71470ff871b80e79f0a4
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | QakBot |
|---|---|
| Author: | kevoreilly |
| Description: | QakBot Payload |
| Rule name: | win_qakbot_auto |
|---|---|
| Author: | Felix Bilstein - yara-signator at cocacoding dot com |
| Description: | Detects win.qakbot. |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.