MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 f9f66753da2318852f55d387769b340ab5694eb0d2872b44e7c6f7e0c807dd07. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Quakbot
Vendor detections: 12
| SHA256 hash: | f9f66753da2318852f55d387769b340ab5694eb0d2872b44e7c6f7e0c807dd07 |
|---|---|
| SHA3-384 hash: | 212cd28fd35a9be8b0a7e271032ae7eddda9f9d4e50cabf59312bd2838bce229559fb324b2ce9e77938918cdadb0f566 |
| SHA1 hash: | a61887c7763c50aa583626df6b8b29a0a02e4b10 |
| MD5 hash: | 4bf656c14b12dcef0c11e6bd0e2ef2fc |
| humanhash: | hotel-yellow-blue-cat |
| File name: | f9f66753da2318852f55d387769b340ab5694eb0d2872b44e7c6f7e0c807dd07 |
| Download: | download sample |
| Signature | Quakbot |
| File size: | 834'078 bytes |
| First seen: | 2022-05-12 17:20:43 UTC |
| Last seen: | Never |
| File type: |  dll |
| MIME type: | application/x-dosexec |
| imphash | 2a66b42b84311cd61a2b1eea3a6a1d9b (3 x Quakbot) |
| ssdeep | 12288:Za/XnRl4R8v0u5snt7/JTRSrJ3exDKgu63BThvkIdIhOhs6k5sifQu8:MvsR4o9XSNuC63B1DMX6RiJ |
| Threatray | 1'057 similar samples on MalwareBazaar |
| TLSH | T14005AE22B7F1443BC1B32A7D9D7B63A5882B7D012D78948A7BE40E4C4E356517A383B7 |
| TrID | 47.6% (.EXE) Win32 Executable Delphi generic (14182/79/4) 15.1% (.EXE) Win32 Executable (generic) (4505/5/1) 10.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1) 6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23) 6.8% (.EXE) OS/2 Executable (generic) (2029/13) |
| File icon (PE): |  |
| dhash icon | 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner) |
| Reporter |  malwarelabnet |
| Tags: | AA dll Qakbot Quakbot |
Intelligence
File Origin
# of uploads :
1
# of downloads :
247
Origin country :
n/a
Vendor Threat Intelligence
Detection:
QakBot
Result
Verdict:
Malware
Maliciousness:
Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Launching a process
Modifying an executable file
Searching for synchronization primitives
Creating a process with a hidden window
Sending a custom TCP request
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
control.exe greyware keylogger overlay packed update.exe
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qakbot
Verdict:
Malicious
Threat name:
Win32.Trojan.PinkSbot
Status:
Malicious
First seen:
2022-05-12 17:21:08 UTC
File Type:
PE (Dll)
Extracted files:
38
AV detection:
25 of 40 (62.50%)
Threat level:
5/5
Verdict:
malicious
Label(s):
qakbot
Similar samples:
+ 1'047 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Score:
10/10
Tags:
family:qakbot botnet:aa campaign:1652357106 banker stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Program crash
Qakbot/Qbot
Malware Config
C2 Extraction:
24.55.67.176:443
148.0.57.85:443
39.44.86.21:995
103.139.243.207:990
181.208.248.227:443
172.115.177.204:2222
70.46.220.114:443
37.186.54.254:995
24.178.196.158:2222
91.177.173.10:995
176.67.56.94:443
39.44.66.76:995
86.97.8.200:443
86.132.13.91:2078
179.158.105.44:443
174.69.215.101:443
189.26.55.114:443
187.207.131.50:61202
86.98.78.177:993
217.164.119.236:1194
67.209.195.198:443
196.203.37.215:80
41.84.248.225:443
108.60.213.141:443
37.210.156.191:2222
103.107.113.84:443
176.45.216.134:995
120.150.218.241:995
182.191.92.203:995
86.195.158.178:2222
93.48.80.198:995
74.14.7.71:2222
82.152.39.39:443
47.23.89.60:993
92.132.172.197:2222
197.162.117.38:995
38.70.253.226:2222
185.249.85.200:443
102.65.16.245:443
37.34.253.233:443
32.221.224.140:995
45.241.145.155:993
41.228.22.180:443
75.99.168.194:443
86.190.159.132:443
148.64.96.100:443
202.134.152.2:2222
2.50.4.57:443
140.82.49.12:443
217.128.122.65:2222
80.11.74.81:2222
89.101.97.139:443
79.129.121.68:995
41.84.247.0:995
46.103.186.43:995
39.52.77.241:995
172.114.160.81:995
186.90.153.162:2222
90.120.65.153:2078
102.182.232.3:995
89.86.33.217:443
2.34.12.8:443
46.107.48.202:443
86.98.208.214:2222
72.76.94.99:443
76.70.9.169:2222
124.40.244.118:2222
203.122.46.130:443
183.82.103.213:443
201.1.202.82:32101
45.76.167.26:995
140.82.63.183:443
144.202.3.39:995
45.76.167.26:443
45.63.1.12:443
149.28.238.199:443
140.82.63.183:995
144.202.3.39:443
144.202.2.175:995
149.28.238.199:995
144.202.2.175:443
75.99.168.194:61201
45.63.1.12:995
85.107.161.25:443
173.22.32.101:443
103.246.242.202:443
197.89.20.113:443
83.110.93.158:443
1.161.66.82:443
118.172.251.136:443
175.145.235.37:443
217.164.119.236:2222
37.208.145.168:6883
201.42.3.27:32101
39.49.48.82:995
121.74.167.191:995
208.107.221.224:443
120.61.3.164:443
73.151.236.31:443
173.21.10.71:2222
45.46.53.140:2222
187.172.191.97:443
193.136.1.58:443
191.99.191.28:443
190.252.242.69:443
201.142.133.198:443
187.208.122.239:443
189.146.87.77:443
70.51.137.64:2222
47.156.191.217:443
201.172.23.68:2222
76.25.142.196:443
187.251.132.144:22
40.134.246.185:995
24.139.72.117:443
69.14.172.24:443
100.1.108.246:443
72.252.157.172:995
187.102.135.141:2222
72.252.157.172:990
94.36.195.102:2222
31.215.102.193:2078
186.105.98.35:443
109.12.111.14:443
82.41.63.217:443
191.251.134.129:443
173.174.216.62:443
84.241.8.23:32103
41.38.167.179:995
201.210.162.138:2222
118.161.15.217:995
182.182.255.93:995
5.32.41.45:443
63.143.92.99:995
121.7.223.59:2222
58.105.167.36:50000
67.165.206.193:993
128.106.123.187:443
103.157.122.130:21
101.50.67.212:995
106.51.48.170:50001
109.228.220.196:443
104.34.212.7:32103
181.222.130.143:993
24.152.219.253:995
111.125.245.118:995
39.53.165.129:995
197.205.106.232:443
103.139.243.207:993
116.30.161.215:995
148.0.57.85:443
39.44.86.21:995
103.139.243.207:990
181.208.248.227:443
172.115.177.204:2222
70.46.220.114:443
37.186.54.254:995
24.178.196.158:2222
91.177.173.10:995
176.67.56.94:443
39.44.66.76:995
86.97.8.200:443
86.132.13.91:2078
179.158.105.44:443
174.69.215.101:443
189.26.55.114:443
187.207.131.50:61202
86.98.78.177:993
217.164.119.236:1194
67.209.195.198:443
196.203.37.215:80
41.84.248.225:443
108.60.213.141:443
37.210.156.191:2222
103.107.113.84:443
176.45.216.134:995
120.150.218.241:995
182.191.92.203:995
86.195.158.178:2222
93.48.80.198:995
74.14.7.71:2222
82.152.39.39:443
47.23.89.60:993
92.132.172.197:2222
197.162.117.38:995
38.70.253.226:2222
185.249.85.200:443
102.65.16.245:443
37.34.253.233:443
32.221.224.140:995
45.241.145.155:993
41.228.22.180:443
75.99.168.194:443
86.190.159.132:443
148.64.96.100:443
202.134.152.2:2222
2.50.4.57:443
140.82.49.12:443
217.128.122.65:2222
80.11.74.81:2222
89.101.97.139:443
79.129.121.68:995
41.84.247.0:995
46.103.186.43:995
39.52.77.241:995
172.114.160.81:995
186.90.153.162:2222
90.120.65.153:2078
102.182.232.3:995
89.86.33.217:443
2.34.12.8:443
46.107.48.202:443
86.98.208.214:2222
72.76.94.99:443
76.70.9.169:2222
124.40.244.118:2222
203.122.46.130:443
183.82.103.213:443
201.1.202.82:32101
45.76.167.26:995
140.82.63.183:443
144.202.3.39:995
45.76.167.26:443
45.63.1.12:443
149.28.238.199:443
140.82.63.183:995
144.202.3.39:443
144.202.2.175:995
149.28.238.199:995
144.202.2.175:443
75.99.168.194:61201
45.63.1.12:995
85.107.161.25:443
173.22.32.101:443
103.246.242.202:443
197.89.20.113:443
83.110.93.158:443
1.161.66.82:443
118.172.251.136:443
175.145.235.37:443
217.164.119.236:2222
37.208.145.168:6883
201.42.3.27:32101
39.49.48.82:995
121.74.167.191:995
208.107.221.224:443
120.61.3.164:443
73.151.236.31:443
173.21.10.71:2222
45.46.53.140:2222
187.172.191.97:443
193.136.1.58:443
191.99.191.28:443
190.252.242.69:443
201.142.133.198:443
187.208.122.239:443
189.146.87.77:443
70.51.137.64:2222
47.156.191.217:443
201.172.23.68:2222
76.25.142.196:443
187.251.132.144:22
40.134.246.185:995
24.139.72.117:443
69.14.172.24:443
100.1.108.246:443
72.252.157.172:995
187.102.135.141:2222
72.252.157.172:990
94.36.195.102:2222
31.215.102.193:2078
186.105.98.35:443
109.12.111.14:443
82.41.63.217:443
191.251.134.129:443
173.174.216.62:443
84.241.8.23:32103
41.38.167.179:995
201.210.162.138:2222
118.161.15.217:995
182.182.255.93:995
5.32.41.45:443
63.143.92.99:995
121.7.223.59:2222
58.105.167.36:50000
67.165.206.193:993
128.106.123.187:443
103.157.122.130:21
101.50.67.212:995
106.51.48.170:50001
109.228.220.196:443
104.34.212.7:32103
181.222.130.143:993
24.152.219.253:995
111.125.245.118:995
39.53.165.129:995
197.205.106.232:443
103.139.243.207:993
116.30.161.215:995
Unpacked files
SH256 hash:
b0e2c4d0601f6e2f6ab13777d1ea9ab8ee5be71e579116c086f7df4f5fd8fb67
MD5 hash:
7be691f53d28443afa0ffc2ce378358b
SHA1 hash:
567ed2629c501ede8b69d0a463c007e90d8d8dcc
SH256 hash:
6f357576bd8c1fc60e3061395cfa42849f658c78b6dc0bd770f4203a6a24e549
MD5 hash:
f11ee8b593f0bb639dd0c7a246156605
SHA1 hash:
c1790fbb4a046950be8bcdd86e82c1dc5fc552fc
Detections:
win_qakbot_auto
SH256 hash:
f9f66753da2318852f55d387769b340ab5694eb0d2872b44e7c6f7e0c807dd07
MD5 hash:
4bf656c14b12dcef0c11e6bd0e2ef2fc
SHA1 hash:
a61887c7763c50aa583626df6b8b29a0a02e4b10
Malware family:
CryptOne
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | QakBot |
|---|---|
| Author: | kevoreilly |
| Description: | QakBot Payload |
| Rule name: | win_qakbot_auto |
|---|---|
| Author: | Felix Bilstein - yara-signator at cocacoding dot com |
| Description: | Detects win.qakbot. |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.