File name: WP#6863.html

Full analysis: https://app.any.run/tasks/c87055d2-de16-4078-9f8c-65c986db7560
Verdict: Malicious activity
Threats:

Qbot is a banking Trojan — a malware designed to collect banking information from victims. Qbot targets organizations mostly in the US. It is equipped with various sophisticated evasion and info-stealing functions and worm-like functionality, and a strong persistence mechanism.

Analysis date: December 06, 2022, 00:45:09
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
qbot
Indicators:
MIME: text/html
File info: HTML document, UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
MD5: 4D8C596A2F0F0142D183CAF829827528
SHA1: 90682DB0CAE276C546A6A5CF9F24545FAEBB6EA0
SHA256: 232CC793BE0A0FC823B6DC54D7C943B6FDB1532F3239A112F1BFA18D493E0D64
SSDEEP: 24576:mJ2EQITFEEI24ANDqiGO44MD+3NllExVNPNq:m8h8kYNDHrINV0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • QBOT detected by memory dumps

      • wermgr.exe (PID: 2992)
  • SUSPICIOUS

    • Uses RUNDLL32.EXE to load library

      • powershell.exe (PID: 3548)
  • INFO

    • Manual execution by a user

      • notepad++.exe (PID: 2472)
      • WScript.exe (PID: 3712)
      • notepad++.exe (PID: 2444)
      • chrome.exe (PID: 760)
      • WinRAR.exe (PID: 2616)
    • Reads security settings of Internet Explorer

      • powershell.exe (PID: 3548)
    • Application launched itself

      • iexplore.exe (PID: 856)
      • chrome.exe (PID: 760)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.

Qbot

Process (PID): wermgr.exe (2992)
C2 (137):
Version: 404.46
Campaign: 1669794048
Botnet: obama224
No Malware configuration.

TRiD

.html | HyperText Markup Language (100)
No data.
All screenshots are available in the full report
Total processes: 102
Monitored processes: 54
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Graph nodes: start, iexplore.exe, chrome.exe (multiple instances), winrar.exe, wscript.exe, powershell.exe, rundll32.exe, wermgr.exe (#QBOT)