File name:

replica_957KGuid.vbs

Full analysis: https://app.any.run/tasks/36a737d3-2af1-42ae-9241-c840ec64bfde
Verdict: Malicious activity
Threats:

Qbot is a banking Trojan — a malware designed to collect banking information from victims. Qbot targets organizations mostly in the US. It is equipped with various sophisticated evasion and info-stealing functions and worm-like functionality, and a strong persistence mechanism.

Malware Trends Tracker     >>>
Analysis date: September 11, 2019, 10:41:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
qbot
trojan
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines
MD5:

9A13180407BC8B23693373C908F19BC8

SHA1:

CAC247AC995E7952D1551E06243B18E267D63962

SHA256:

012F3EFDB2CADCECA6BF7983A55DA3ACC7ACDFD945C3F489F4021CB76DD61806

SSDEEP:

49152:2O+s8Afokj04PRp/coDRwxbBha6tc9pJ609qg3e1:2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • vbjIKIQpt.exe (PID: 2156)
      • vbjIKIQpt.exe (PID: 3168)
      • ytfovlym.exe (PID: 4072)
      • ytfovlym.exe (PID: 2296)

    • QBOT was detected

      • vbjIKIQpt.exe (PID: 3168)

    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 3244)

  • SUSPICIOUS

    • Executed via WMI

      • vbjIKIQpt.exe (PID: 3168)

    • Executable content was dropped or overwritten

      • WScript.exe (PID: 2888)
      • vbjIKIQpt.exe (PID: 3168)
      • cmd.exe (PID: 3244)

    • Application launched itself

      • vbjIKIQpt.exe (PID: 3168)
      • ytfovlym.exe (PID: 4072)

    • Creates files in the user directory

      • vbjIKIQpt.exe (PID: 3168)

    • Starts itself from another location

      • vbjIKIQpt.exe (PID: 3168)

    • Starts CMD.EXE for commands execution

      • vbjIKIQpt.exe (PID: 3168)

  • INFO

    • Dropped object may contain Bitcoin addresses

      • cmd.exe (PID: 3244)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
8
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start wscript.exe #QBOT vbjikiqpt.exe vbjikiqpt.exe no specs ytfovlym.exe no specs cmd.exe ping.exe no specs ytfovlym.exe no specs explorer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2056C:\Windows\explorer.exeC:\Windows\explorer.exeytfovlym.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2156C:\Users\admin\AppData\Local\Temp\vbjIKIQpt.exe /CC:\Users\admin\AppData\Local\Temp\vbjIKIQpt.exevbjIKIQpt.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java Access Bridge for Windows Java Access Bridge for Windows Java Access Bridge for Windows
Exit code:
0
Version:
2, 0, 4, 0
Modules
Images
c:\users\admin\appdata\local\temp\vbjikiqpt.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\mprapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\rasapi32.dll
2296C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe /CC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeytfovlym.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java Access Bridge for Windows Java Access Bridge for Windows Java Access Bridge for Windows
Exit code:
0
Version:
2, 0, 4, 0
Modules
Images
c:\users\admin\appdata\roaming\microsoft\zulycjadyc\ytfovlym.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mprapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\rasapi32.dll
2888"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\replica_957KGuid.vbs"C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3168C:\Users\admin\AppData\Local\Temp\vbjIKIQpt.exeC:\Users\admin\AppData\Local\Temp\vbjIKIQpt.exe
wmiprvse.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java Access Bridge for Windows Java Access Bridge for Windows Java Access Bridge for Windows
Exit code:
0
Version:
2, 0, 4, 0
Modules
Images
c:\users\admin\appdata\local\temp\vbjikiqpt.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mprapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\rasapi32.dll
3244"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\admin\AppData\Local\Temp\vbjIKIQpt.exe"C:\Windows\System32\cmd.exe
vbjIKIQpt.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3856ping.exe -n 6 127.0.0.1 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ping.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
4072C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exevbjIKIQpt.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java Access Bridge for Windows Java Access Bridge for Windows Java Access Bridge for Windows
Exit code:
0
Version:
2, 0, 4, 0
Modules
Images
c:\users\admin\appdata\roaming\microsoft\zulycjadyc\ytfovlym.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mprapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\rasapi32.dll
Total events
101
Read events
97
Write events
4
Delete events
0

Modification events

(PID) Process:(3168) vbjIKIQpt.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(3168) vbjIKIQpt.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
Executable files
3
Suspicious files
3
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
3168vbjIKIQpt.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.datbinary
MD5:
SHA256:
2888WScript.exeC:\Users\admin\AppData\Local\Temp\HxjlyqUytext
MD5:
SHA256:
3168vbjIKIQpt.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeexecutable
MD5:
SHA256:
2888WScript.exeC:\Users\admin\AppData\Local\Temp\vbjIKIQpt.exeexecutable
MD5:
SHA256:
2056explorer.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.datbinary
MD5:
SHA256:
3244cmd.exeC:\Users\admin\AppData\Local\Temp\vbjIKIQpt.exeexecutable
MD5:60B7C0FEAD45F2066E5B805A91F4F0FC
SHA256:80C10EE5F21F92F89CBC293A59D2FD4C01C7958AACAD15642558DB700943FA22
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
replica_957KGuid.vbs