Field | Value
---|---
File name | participant_628hsJI.vbs
Full analysis | https://app.any.run/tasks/817b5126-74f7-4f92-a933-090463cdd9e0
Verdict | Malicious activity
Threats | Qbot is a banking Trojan — a malware designed to collect banking information from victims. Qbot targets organizations mostly in the US. It is equipped with various sophisticated evasion and info-stealing functions and worm-like functionality, and a strong persistence mechanism.
Analysis date | September 11, 2019, 01:25:01
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | |
Indicators | |
MIME | text/plain
File info | ASCII text, with very long lines
MD5 | AB61B5BCA9355F85BCEEC5B912918C77
SHA1 | 78F97CE6A5AF23B72198F70D14379441629C1ED2
SHA256 | 3EB3106325431FEE81168F6ECFDE906C936EC3B6203C5A0B8998A00407C91C31
SSDEEP | 49152:M1WP80ifVQPjabNBoeLHL9T6+K3HYPlxptu1V3TXcMs8T:5
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
3540 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\participant_628hsJI.vbs" | C:\Windows\System32\WScript.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385
3152 | C:\Users\admin\AppData\Local\Temp\UkfEnrN.exe | C:\Users\admin\AppData\Local\Temp\UkfEnrN.exe | — | wmiprvse.exe | User: admin; Company: Oracle Corporation; Integrity Level: MEDIUM; Description: Java Access Bridge for Windows; Exit code: 0; Version: 2, 0, 4, 0
1080 | C:\Users\admin\AppData\Local\Temp\UkfEnrN.exe /C | C:\Users\admin\AppData\Local\Temp\UkfEnrN.exe | — | UkfEnrN.exe | User: admin; Company: Oracle Corporation; Integrity Level: MEDIUM; Description: Java Access Bridge for Windows; Exit code: 0; Version: 2, 0, 4, 0
4052 | C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe | C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe | — | UkfEnrN.exe | User: admin; Company: Oracle Corporation; Integrity Level: MEDIUM; Description: Java Access Bridge for Windows; Exit code: 0; Version: 2, 0, 4, 0
3112 | "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\admin\AppData\Local\Temp\UkfEnrN.exe" | C:\Windows\System32\cmd.exe | — | UkfEnrN.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3852 | ping.exe -n 6 127.0.0.1 | C:\Windows\system32\PING.EXE | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: TCP/IP Ping Command; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2292 | C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe /C | C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe | — | ytfovlym.exe | User: admin; Company: Oracle Corporation; Integrity Level: MEDIUM; Description: Java Access Bridge for Windows; Exit code: 0; Version: 2, 0, 4, 0
3768 | C:\Windows\explorer.exe | C:\Windows\explorer.exe | — | ytfovlym.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
(PID) Process | Key | Operation | Name | Value
---|---|---|---|---
(3152) UkfEnrN.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 0
(3152) UkfEnrN.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 1
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3540 | WScript.exe | C:\Users\admin\AppData\Local\Temp\VTUbUgNx | text | 2EAB64D443B539C5697536F6E0D24F87 | D4008BA740B0715C594F7EC4CD0662EBA4D3F60C77131A023FB06CB1EF276A4A
3540 | WScript.exe | C:\Users\admin\AppData\Local\Temp\UkfEnrN.exe | executable | B568AFE398DB63E74AE6C53DFF0D71A1 | BCB7060168BCCB934FDE12225A3F02635C9B8E446A8519BB44F46FFD4C638535
3768 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.dat | binary | 039492E9544DE2C3ED8B2321DDC45693 | 2A9214A198F212F0DBBF8A6BFBAE02C18CFD6FC21AE2912FBEE46A8DA72A7A17
3152 | UkfEnrN.exe | C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe | executable | B568AFE398DB63E74AE6C53DFF0D71A1 | BCB7060168BCCB934FDE12225A3F02635C9B8E446A8519BB44F46FFD4C638535
3152 | UkfEnrN.exe | C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.dat | binary | AF644F8BC6FD8902F1153AFE43E894AE | 9DDBBB70F644C3D1863761A9662250D3640D096EAD5892D52BB2235E504848FB
3112 | cmd.exe | C:\Users\admin\AppData\Local\Temp\UkfEnrN.exe | executable | 60B7C0FEAD45F2066E5B805A91F4F0FC | 80C10EE5F21F92F89CBC293A59D2FD4C01C7958AACAD15642558DB700943FA22