File name: | Iq3x8aDXWF.dat |
Full analysis: | https://app.any.run/tasks/ec0521aa-6582-45ba-8b40-dcadee42a129 |
Verdict: | Malicious activity |
Threats: | Qbot is a banking Trojan — a malware designed to collect banking information from victims. Qbot targets organizations mostly in the US. It is equipped with various sophisticated evasion and info-stealing functions and worm-like functionality, and a strong persistence mechanism. |
Analysis date: | April 01, 2023, 07:55:58 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows |
MD5: | 20C4C67957308B8AB745C1DFCE6F5A74 |
SHA1: | A1FC22BF580AAAB91C75473BCFE1F023C21E3587 |
SHA256: | 2DABADFBF69F447B4AA55EE9ED435BFE999EC47FA25140EA3AC7E0E4F9D7013E |
SSDEEP: | 6144:tIp4Y1c1tGUGHGJksYOFGwTwRqWzUTMfVHqpdtIY:tIp4Y1vHGJNtF5TwRqWzU9d7 |
Extension | File type (TrID match, %) |
---|---|
.exe | Win64 Executable (generic) (64.6) |
.dll | Win32 Dynamic Link Library (generic) (15.4) |
.exe | Win32 Executable (generic) (10.5) |
.exe | Generic Win/DOS Executable (4.6) |
.exe | DOS Executable Generic (4.6) |
Field | Value |
---|---|
MachineType: | Intel 386 or later, and compatibles |
TimeStamp: | 0000:00:00 00:00:00 |
ImageFileCharacteristics: | Executable, No line numbers, 32-bit, No debug, DLL |
PEType: | PE32 |
LinkerVersion: | 2.35 |
CodeSize: | 108032 |
InitializedDataSize: | 170496 |
UninitializedDataSize: | 512 |
EntryPoint: | 0x13b0 |
OSVersion: | 4 |
ImageVersion: | 1 |
SubsystemVersion: | 4 |
Subsystem: | Windows command line |
FileVersionNumber: | 5.2.5.0 |
ProductVersionNumber: | 5.2.5.0 |
FileFlagsMask: | 0x003f |
FileFlags: | (none) |
FileOS: | Windows NT 32-bit |
ObjectFileType: | Dynamic link library |
FileSubtype: | - |
LanguageCode: | English (U.S.) |
CharacterSet: | Unicode |
CompanyName: | The Tukaani Project <https://tukaani.org/> |
FileDescription: | liblzma data compression library |
FileVersion: | 5.2.5 |
InternalName: | liblzma |
OriginalFileName: | liblzma.dll |
ProductName: | XZ Utils <https://tukaani.org/xz/> |
ProductVersion: | 5.2.5 |
Field | Value |
---|---|
Architecture: | IMAGE_FILE_MACHINE_I386 |
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_CUI |
Compilation Date: | 01-Jan-1970 00:00:00 |
Detected languages: | |
Debug artifacts: | |
CompanyName: | The Tukaani Project <https://tukaani.org/> |
FileDescription: | liblzma data compression library |
FileVersion: | 5.2.5 |
InternalName: | liblzma |
OriginalFilename: | liblzma.dll |
ProductName: | XZ Utils <https://tukaani.org/xz/> |
ProductVersion: | 5.2.5 |
Field | Value |
---|---|
Magic number: | MZ |
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000080 |
Field | Value |
---|---|
Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 11 |
Time date stamp: | 01-Jan-1970 00:00:00 |
Pointer to Symbol Table: | 0x00029E00 |
Number of symbols: | 46 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x0001A444 | 0x0001A600 | IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.19564 |
.data | 0x0001C000 | 0x00000028 | 0x00000200 | IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.485178 |
.rdata | 0x0001D000 | 0x000079EC | 0x00007A00 | IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.17144 |
/4 | 0x00025000 | 0x000052E4 | 0x00005400 | IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.88237 |
.bss | 0x0002B000 | 0x0000008C | 0x00000000 | IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.edata | 0x0002C000 | 0x00000C2C | 0x00000E00 | IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.78958 |
.idata | 0x0002D000 | 0x00000484 | 0x00000600 | IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.10864 |
.CRT | 0x0002E000 | 0x0000002C | 0x00000200 | IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.190489 |
.tls | 0x0002F000 | 0x00000008 | 0x00000200 | IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rsrc | 0x00030000 | 0x0001A756 | 0x0001B000 | IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.91669 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.44387 | 756 | UNKNOWN | English - United States | RT_VERSION |
Imported library |
---|
KERNEL32.dll |
msvcrt.dll |
Title | Ordinal | Address |
---|---|---|
Uzma_alone_decoder | 1 | 0x00009670 |
Uzma_alone_encoder | 2 | 0x00004B60 |
Uzma_auto_decoder | 3 | 0x00009A10 |
Uzma_block_buffer_bound | 4 | 0x00005220 |
Uzma_block_buffer_decode | 5 | 0x00009A90 |
Uzma_block_buffer_encode | 6 | 0x00005270 |
Uzma_block_compressed_size | 7 | 0x00001E50 |
Uzma_block_decoder | 8 | 0x0000A1C0 |
Uzma_block_encoder | 9 | 0x00005750 |
Uzma_block_header_decode | 10 | 0x0000A230 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2688 | "C:\Windows\System32\rundll32.exe" "C:\Users\admin\AppData\Local\Temp\Iq3x8aDXWF.dat.exe", Uzma_alone_decoder | C:\Windows\System32\rundll32.exe | | explorer.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows host process (Rundll32); Exit code: 3221225477; Version: 6.1.7600.16385 (win7_rtm.090713-1255)

3616 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255)

1048 | "C:\Windows\System32\cmd.exe" | C:\Windows\System32\cmd.exe | — | explorer.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

3488 | rundll32 Iq3x8aDXWF.dat.exe,X555 | C:\Windows\System32\rundll32.exe | — | cmd.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows host process (Rundll32); Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3604 | C:\Windows\System32\wermgr.exe | C:\Windows\System32\wermgr.exe | | rundll32.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Problem Reporting; Version: 6.1.7601.24521 (win7sp1_ldr_escrow.190909-1704)
Qbot (PID) Process: (3604) wermgr.exe | Botnet: obama247 | Campaign: 1680268923 | Version: 404.909 | C2 (120) |
3892 | ping -n 3 yahoo.com | C:\Windows\System32\PING.EXE | — | wermgr.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: TCP/IP Ping Command; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)

3884 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Media Player Network Sharing Service Configuration Application; Exit code: 0; Version: 12.0.7600.16385 (win7_rtm.090713-1255)
(PID) Process | Key | Operation | Name | Value |
---|---|---|---|---|
(3604) wermgr.exe | HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt | write | 9abda0b5 | 78FD41573BD99A1F72AB7870315B0E3453028C2CB868FED0AF9ED99462BC4217A1D271A8EA0356DF43535841214A5F0FFC6490664BB2D686 |
(3884) wmpnscfg.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{B21E441B-43BF-4047-8ED5-55A41F39C578}\{2AFAFD8E-8154-4106-9133-D0D1DEF16A3F} | delete key | (default) | |
(3884) wmpnscfg.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{B21E441B-43BF-4047-8ED5-55A41F39C578} | delete key | (default) | |
(3884) wmpnscfg.exe | HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{FF8103AF-F056-4683-9140-A80EF8023750} | delete key | (default) | |
Domain | IP | Reputation |
---|---|---|
yahoo.com | | whitelisted |