| File name: | WP#6863.html |
| Full analysis: | https://app.any.run/tasks/c87055d2-de16-4078-9f8c-65c986db7560 |
| Verdict: | Malicious activity |
| Threats: | Qbot is a banking Trojan — a malware designed to collect banking information from victims. Qbot targets organizations mostly in the US. It is equipped with various sophisticated evasion and info-stealing functions and worm-like functionality, and a strong persistence mechanism. |
| Analysis date: | December 06, 2022, 00:45:09 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/html |
| File info: | HTML document, UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators |
| MD5: | 4D8C596A2F0F0142D183CAF829827528 |
| SHA1: | 90682DB0CAE276C546A6A5CF9F24545FAEBB6EA0 |
| SHA256: | 232CC793BE0A0FC823B6DC54D7C943B6FDB1532F3239A112F1BFA18D493E0D64 |
| SSDEEP: | 24576:mJ2EQITFEEI24ANDqiGO44MD+3NllExVNPNq:m8h8kYNDHrINV0 |
MALICIOUS
QBOT detected by memory dumps
- wermgr.exe (PID: 2992)
SUSPICIOUS
Uses RUNDLL32.EXE to load library
- powershell.exe (PID: 3548)
INFO
Manual execution by a user
- notepad++.exe (PID: 2472)
- WScript.exe (PID: 3712)
- notepad++.exe (PID: 2444)
- chrome.exe (PID: 760)
- WinRAR.exe (PID: 2616)
Reads security settings of Internet Explorer
- powershell.exe (PID: 3548)
Application launched itself
- iexplore.exe (PID: 856)
- chrome.exe (PID: 760)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Qbot
(PID) Process(2992) wermgr.exe
C2 (137)75.161.233.194:995
1.216.82.134:55809
1.1.174.104:47253
187.1.1.173:4734
1.187.1.1:22474
164.195.80.1:428
139.138.8.174:257
153.132.82.1:47873
185.135.120.81:443
1.24.228.132:57352
1.1.87.223:21694
187.0.1.178:39363
1.187.0.1:6208
59.8.174.1:333
81.208.1.187:257
99.125.235.8:44545
173.239.94.212:443
1.98.145.23:17153
1.1.24.64:29243
174.1.1.109:45557
8.174.0.1:18632
104.1.187.1:268
173.82.3.225:257
11.242.219.1:47872
92.149.205.238:2222
1.183.82.100:28168
1.1.176.142:53055
187.1.1.92:6344
3.227.1.1:17783
159.8.174.1:347
12.198.125.100:257
121.161.102.1:47873
124.122.55.68:443
1.12.172.173:20995
1.1.85.231:26929
174.0.1.94:16193
1.187.1.1:45189
230.3.227.0:469
255.57.8.174:257
89.95.158.8:44545
156.217.158.177:995
1.88.126.94:1219
1.1.87.57:3543
187.1.1.102:40787
1.187.0.1:31098
223.3.227.1:472
245.102.8.174:257
172.173.82.1:53505
78.69.251.252:2222
1.76.80.180:39427
1.1.75.143:60565
187.1.1.109:2991
8.174.1.1:56737
6.1.187.1:330
243.113.195.80:257
98.154.19.1:47873
47.41.154.250:443
1.49.175.72:14337
1.1.81.229:30047
174.1.1.92:48598
8.174.1.1:21340
93.1.187.1:364
6.34.1.187:257
35.26.14.3:58113
136.232.184.134:995
1.188.54.99:62211
0.1.93.24:49294
20.1.1.75:21738
1.187.1.1:18207
183.1.187.1:336
179.151.8.174:257
155.91.69.1:47873
76.100.159.250:443
1.24.64.114:15117
1.1.46.246:62872
227.0.1.70:29544
3.227.1.1:50434
208.3.227.0:306
249.161.1.187:257
66.199.12.1:47873
216.196.245.102:2083
1.182.66.197:8961
1.1.142.161:7144
174.1.1.76:32704
1.187.1.1:23759
174.8.174.1:430
209.5.1.187:257
172.173.82.0:5377
199.83.165.233:443
1.74.66.134:6145
1.1.77.86:25324
187.1.1.90:26646
8.174.1.1:18423
63.195.83.1:364
249.139.1.187:257
176.154.83.3:58113
81.198.136.151:995
1.80.0.74:42241
1.1.71.247:2623
227.1.1.174:14994
1.187.1.1:17797
35.1.187.1:306
204.71.3.227:257
64.114.59.239:4609
47.34.30.133:443
1.12.172.173:21187
1.1.75.158:4051
187.1.1.216:50421
8.30.1.1:46500
228.1.187.1:449
207.221.1.187:257
191.164.70.1:47873
197.92.135.188:443
1.172.117.139:36355
1.1.76.20:10797
187.1.1.24:16498
8.30.1.1:18724
11.1.187.1:314
115.126.3.227:257
155.10.79.1:47873
92.98.72.220:2222
1.84.113.121:26369
1.1.2.50:12141
187.0.1.12:44205
3.222.1.1:27348
255.3.227.0:354
155.235.1.187:257
106.70.62.8:44545
108.44.207.232:443
1.24.206.27:9985
1.1.130.43:25447
227.1.1.50:17612
3.225.1.1:18222
171.1.187.0:364
6.34.3.227:257
142.218.202.1:47873
166.62.145.54:443
Version404.46
Campaign1669794048
Botnetobama224
TRiD
| .html | | | HyperText Markup Language (100) |
Total processes
102
Monitored processes
54
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details