File name: | replica_957KGuid.vbs |
Full analysis: | https://app.any.run/tasks/36a737d3-2af1-42ae-9241-c840ec64bfde |
Verdict: | Malicious activity |
Threats: | Qbot is a banking Trojan — a malware designed to collect banking information from victims. Qbot targets organizations mostly in the US. It is equipped with various sophisticated evasion and info-stealing functions and worm-like functionality, and a strong persistence mechanism. |
Analysis date: | September 11, 2019, 10:41:45 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with very long lines |
MD5: | 9A13180407BC8B23693373C908F19BC8 |
SHA1: | CAC247AC995E7952D1551E06243B18E267D63962 |
SHA256: | 012F3EFDB2CADCECA6BF7983A55DA3ACC7ACDFD945C3F489F4021CB76DD61806 |
SSDEEP: | 49152:2O+s8Afokj04PRp/coDRwxbBha6tc9pJ609qg3e1:2 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2888 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\replica_957KGuid.vbs" | C:\Windows\System32\WScript.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
3168 | C:\Users\admin\AppData\Local\Temp\vbjIKIQpt.exe | C:\Users\admin\AppData\Local\Temp\vbjIKIQpt.exe | wmiprvse.exe | |
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java Access Bridge for Windows Java Access Bridge for Windows Java Access Bridge for Windows Exit code: 0 Version: 2, 0, 4, 0 | ||||
2156 | C:\Users\admin\AppData\Local\Temp\vbjIKIQpt.exe /C | C:\Users\admin\AppData\Local\Temp\vbjIKIQpt.exe | — | vbjIKIQpt.exe |
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java Access Bridge for Windows Java Access Bridge for Windows Java Access Bridge for Windows Exit code: 0 Version: 2, 0, 4, 0 | ||||
4072 | C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe | C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe | — | vbjIKIQpt.exe |
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java Access Bridge for Windows Java Access Bridge for Windows Java Access Bridge for Windows Exit code: 0 Version: 2, 0, 4, 0 | ||||
3244 | "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\admin\AppData\Local\Temp\vbjIKIQpt.exe" | C:\Windows\System32\cmd.exe | vbjIKIQpt.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3856 | ping.exe -n 6 127.0.0.1 | C:\Windows\system32\PING.EXE | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2296 | C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe /C | C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe | — | ytfovlym.exe |
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java Access Bridge for Windows Java Access Bridge for Windows Java Access Bridge for Windows Exit code: 0 Version: 2, 0, 4, 0 | ||||
2056 | C:\Windows\explorer.exe | C:\Windows\explorer.exe | — | ytfovlym.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (3168) vbjIKIQpt.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (3168) vbjIKIQpt.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2056 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.dat | binary | |
MD5:543D9CAD2EA562B8885B3D7691E68339 | SHA256:689856FC91C1F1768D9C41224DBCA689C5F1BB34030AC658734B86E0672975E7 | |||
3168 | vbjIKIQpt.exe | C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.dat | binary | |
MD5:C04E4827403539074A3900BFEB0BB338 | SHA256:8D09AD7C4E03345DE1077571EC7A0A26AF2C6DBA652DF896329E43BF366C5ADC | |||
2888 | WScript.exe | C:\Users\admin\AppData\Local\Temp\HxjlyqUy | text | |
MD5:D15AB9CA4C706A0DA9F22270EE98CE4E | SHA256:0D5CDED8556268403E52F372200B80DF71D13C5E6F4B12D497D52C3E551D9499 | |||
3168 | vbjIKIQpt.exe | C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe | executable | |
MD5:B568AFE398DB63E74AE6C53DFF0D71A1 | SHA256:BCB7060168BCCB934FDE12225A3F02635C9B8E446A8519BB44F46FFD4C638535 | |||
2888 | WScript.exe | C:\Users\admin\AppData\Local\Temp\vbjIKIQpt.exe | executable | |
MD5:B568AFE398DB63E74AE6C53DFF0D71A1 | SHA256:BCB7060168BCCB934FDE12225A3F02635C9B8E446A8519BB44F46FFD4C638535 | |||
3244 | cmd.exe | C:\Users\admin\AppData\Local\Temp\vbjIKIQpt.exe | executable | |
MD5:60B7C0FEAD45F2066E5B805A91F4F0FC | SHA256:80C10EE5F21F92F89CBC293A59D2FD4C01C7958AACAD15642558DB700943FA22 |