analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Contract#4115.iso

Full analysis: https://app.any.run/tasks/fbebe4c0-f39a-4f8c-9d8b-3fc44dc46b73
Verdict: Malicious activity
Threats:

Qbot is a banking Trojan — a malware designed to collect banking information from victims. Qbot targets organizations mostly in the US. It is equipped with various sophisticated evasion and info-stealing functions and worm-like functionality, and a strong persistence mechanism.

Analysis date: October 04, 2022, 21:58:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
qbot
Indicators:
MIME: application/x-iso9660-image
File info: ISO 9660 CD-ROM filesystem data 'CD_ROM'
MD5:

255E8EB50654B3413D3025AB46C112C7

SHA1:

BBAFF6350C529B92BD6030B010D5F9698A0F6E7B

SHA256:

5140F0D1ED4BF989558F4DB7E1F385AE4DE5E9082E7203F36505E3F6BE4FD728

SSDEEP:

24576:X2j1do5WFEJ4B38MPwFOHrwcwjHmvwiK7Jb0y/cT5SL8uj3HH:X5lJI3BwFOHrwcwjHmvwiKb1/cT5S53n

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops executable file immediately after starts

      • WinRAR.exe (PID: 3132)
    • QBOT detected by memory dumps

      • wermgr.exe (PID: 2332)
    • Loads dropped or rewritten executable

      • rundll32.exe (PID: 984)
  • SUSPICIOUS

    • Reads the computer name

      • cmd.exe (PID: 392)
      • WinRAR.exe (PID: 3132)
      • WScript.exe (PID: 2456)
      • WScript.exe (PID: 2116)
    • Checks supported languages

      • cmd.exe (PID: 392)
      • WinRAR.exe (PID: 3132)
      • WScript.exe (PID: 2456)
      • cmd.exe (PID: 2936)
      • WScript.exe (PID: 2116)
      • cmd.exe (PID: 652)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3132)
    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 3132)
    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 2116)
    • Uses RUNDLL32.EXE to load library

      • cmd.exe (PID: 652)
  • INFO

    • Manual execution by user

      • WScript.exe (PID: 2456)
      • cmd.exe (PID: 2936)
      • WScript.exe (PID: 2116)
    • Checks Windows Trust Settings

      • WScript.exe (PID: 2456)
      • WScript.exe (PID: 2116)
    • Checks supported languages

      • rundll32.exe (PID: 984)
      • wermgr.exe (PID: 2332)
    • Reads the computer name

      • rundll32.exe (PID: 984)
      • wermgr.exe (PID: 2332)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.iso | ISO 9660 CD image (27.6)
.atn | Photoshop Action (27.1)
.gmc | Game Music Creator Music (6.1)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
52
Monitored processes
8
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
start cmd.exe no specs winrar.exe cmd.exe no specs wscript.exe no specs wscript.exe no specs cmd.exe no specs rundll32.exe no specs #QBOT wermgr.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
392"C:\Windows\System32\cmd.exe" /k C:\Users\admin\Desktop\Contract#4115.isoC:\Windows\System32\cmd.exeExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
3221225786
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3132"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Contract#4115.iso"C:\Program Files\WinRAR\WinRAR.exe
cmd.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
2936C:\Windows\system32\cmd.exe /c ""C:\Users\admin\Desktop\Contract#4115\publish\muscularityPearlwort.cmd" "C:\Windows\system32\cmd.exeExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
9009
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2456"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\Contract#4115\publish\millivoltAuthentic.vbs" C:\Windows\System32\WScript.exeExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2116"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\Contract#4115\publish\millivoltAuthentic.vbs" C:\Windows\System32\WScript.exeExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
652C:\Windows\system32\cmd.exe /c ""C:\Users\admin\Desktop\Contract#4115\publish\muscularityPearlwort.cmd" rund"C:\Windows\system32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
984rundll32 publish\adversary.dat,DllRegisterServerC:\Windows\system32\rundll32.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2332C:\Windows\System32\wermgr.exeC:\Windows\System32\wermgr.exe
rundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Version:
6.1.7601.24521 (win7sp1_ldr_escrow.190909-1704)
Total events
1 267
Read events
1 238
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
0
Text files
6
Unknown types
1

Dropped files

PID
Process
Filename
Type
3132WinRAR.exeC:\Users\admin\Desktop\Contract#4115\publish\depredating.txttext
MD5:EF9B0C9024A61D59A0C5BBD34D298416
SHA256:BDFB4CDB6191E3CF7214C077DEE595B42372A6D1D36001D1427DED9E38B86973
3132WinRAR.exeC:\Users\admin\Desktop\Contract#4115\publish\millivoltAuthentic.vbstext
MD5:9F87D3709936AC2566304FEE09CC5BF5
SHA256:F3ADF5363951C623CD8A456F06C1EBCAEBB0E344383C45D4CB434C7D38F77D1F
3132WinRAR.exeC:\Users\admin\Desktop\Contract#4115\publish\purge.jpgimage
MD5:0B9167D578DDD702BB820640ED0F1A95
SHA256:A11B700BABDC7B22BDAA833790716B432E82C9E196AAAAB344BD6D4EFEB7E94C
3132WinRAR.exeC:\Users\admin\Desktop\Contract#4115\Contract.lnklnk
MD5:8D89AD1A6E4A5BDC87EA50243C52A285
SHA256:CCCE762623F3769E4587168540E7C734D4A3F2703FAE0A3671A7D0ACAEC4CDB9
3132WinRAR.exeC:\Users\admin\Desktop\Contract#4115\publish\grandparents.txttext
MD5:045925086490CB719CECC322E1B05603
SHA256:9FE812C674791B472E17F062C9F94200D558FC6FC85F851CCE0E06B4EECF3EEF
3132WinRAR.exeC:\Users\admin\Desktop\Contract#4115\publish\adversary.datexecutable
MD5:30F49310CDDD30D2EE78F3CE0AC99CF3
SHA256:E59E68973EE13A5A7525E73E48D6837AB85C9C3B129FB8DF9B9519C6B3EBA472
3132WinRAR.exeC:\Users\admin\Desktop\Contract#4115\publish\muscularityPearlwort.cmdtext
MD5:4F44A509D0D4D6289196D007A98E09B0
SHA256:D813CF52ADAA76F61A01D2F48CB9F2565011F52860E57242A8A20BA2E9FF0CC2
3132WinRAR.exeC:\Users\admin\Desktop\Contract#4115\publish\thrusters.txttext
MD5:A754896E91E5BB19211368939EA012B4
SHA256:6384AC1CA3AA1E5B0135231E362AF6F34B1A3B82B1282268D0D9241A20A5D9E5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info