ST8191902023198_875623.zip

Full analysis: https://app.any.run/tasks/dc5bfa09-6de4-4158-b406-6daff8e71be4
Verdict: Malicious activity
Threats:

Qbot is a banking Trojan — a malware designed to collect banking information from victims. Qbot targets organizations mostly in the US. It is equipped with various sophisticated evasion and info-stealing functions and worm-like functionality, and a strong persistence mechanism.

Analysis date: September 18, 2019, 19:05:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
qbot
trojan
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: D9332929FF884CEC04A731B1423C1232
SHA1: BFAAADFD21594F18731F39BF48616CF67D1BA432
SHA256: 67875DCA9DCCEC4C6698F02FECA454E43191EA90D8E82ACDD8ED056F67968E85
SSDEEP: 24576:9/5TNZ1yOLtXclX9k+gqxoySD2pAKgFENc8:9xNTyOy9JgxGAKHL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • guoLpSo.exe (PID: 2132)
      • ytfovlym.exe (PID: 3404)
      • guoLpSo.exe (PID: 3484)
      • ytfovlym.exe (PID: 3700)
    • QBOT was detected

      • guoLpSo.exe (PID: 2132)
    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 2504)
  • SUSPICIOUS

    • Application launched itself

      • guoLpSo.exe (PID: 2132)
      • ytfovlym.exe (PID: 3404)
    • Executable content was dropped or overwritten

      • WScript.exe (PID: 3804)
      • guoLpSo.exe (PID: 2132)
      • cmd.exe (PID: 2504)
    • Executes scripts

      • WinRAR.exe (PID: 3524)
    • Executed via WMI

      • guoLpSo.exe (PID: 2132)
    • Creates files in the user directory

      • guoLpSo.exe (PID: 2132)
    • Starts itself from another location

      • guoLpSo.exe (PID: 2132)
    • Starts CMD.EXE for commands execution

      • guoLpSo.exe (PID: 2132)
  • INFO

    • Dropped object may contain Bitcoin addresses

      • cmd.exe (PID: 2504)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2019:09:18 00:20:13
ZipCRC: 0x41ee25e4
ZipCompressedSize: 999138
ZipUncompressedSize: 2000364
ZipFileName: ST8191902023198_875623.vbs
No data.
All screenshots are available in the full report
Total processes: 42
Monitored processes: 9
Malicious processes: 1
Suspicious processes: 0

Behavior graph

(Graph image not included.) Processes shown in the graph: winrar.exe (no specs), wscript.exe, guolpso.exe (#QBOT), guolpso.exe (no specs), ytfovlym.exe (no specs), cmd.exe, ping.exe (no specs), ytfovlym.exe (no specs), explorer.exe (no specs); edges are labelled "start" and "drop and start".

Process information

PID: 3524
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\ST8191902023198_875623.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 3804
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa3524.6969\ST8191902023198_875623.vbs"
Path: C:\Windows\System32\WScript.exe
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385

PID: 2132
CMD: C:\Users\admin\AppData\Local\Temp\guoLpSo.exe
Path: C:\Users\admin\AppData\Local\Temp\guoLpSo.exe
Parent process: wmiprvse.exe
User: admin
Company: Sun Microsystems, Inc.
Integrity Level: MEDIUM
Description: Java(TM) Plug-in for Internet Explorer
Exit code: 0
Version: 5.0.60.5

PID: 3484
CMD: C:\Users\admin\AppData\Local\Temp\guoLpSo.exe /C
Path: C:\Users\admin\AppData\Local\Temp\guoLpSo.exe
Parent process: guoLpSo.exe
User: admin
Company: Sun Microsystems, Inc.
Integrity Level: MEDIUM
Description: Java(TM) Plug-in for Internet Explorer
Exit code: 0
Version: 5.0.60.5

PID: 3404
CMD: C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe
Path: C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe
Parent process: guoLpSo.exe
User: admin
Company: Sun Microsystems, Inc.
Integrity Level: MEDIUM
Description: Java(TM) Plug-in for Internet Explorer
Exit code: 0
Version: 5.0.60.5

PID: 2504
CMD: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\admin\AppData\Local\Temp\guoLpSo.exe"
Path: C:\Windows\System32\cmd.exe
Parent process: guoLpSo.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3192
CMD: ping.exe -n 6 127.0.0.1
Path: C:\Windows\system32\PING.EXE
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: TCP/IP Ping Command
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3700
CMD: C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe /C
Path: C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe
Parent process: ytfovlym.exe
User: admin
Company: Sun Microsystems, Inc.
Integrity Level: MEDIUM
Description: Java(TM) Plug-in for Internet Explorer
Exit code: 0
Version: 5.0.60.5

PID: 3128
CMD: C:\Windows\explorer.exe
Path: C:\Windows\explorer.exe
Parent process: ytfovlym.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 907
Read events: 883
Write events: 24
Delete events: 0

Modification events

(PID) Process: (3524) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3524) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3524) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3524) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\ST8191902023198_875623.zip

(PID) Process: (3524) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3524) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3524) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (3524) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (3524) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
Operation: write
Name: @C:\Windows\System32\wshext.dll,-4802
Value: VBScript Script File

(PID) Process: (3524) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0
Executable files: 3
Suspicious files: 4
Text files: 2
Unknown types: 0

Dropped files

PID: 3804
Process: WScript.exe
Filename: C:\Users\admin\AppData\Local\Temp\niCEyMIv.txt
Type:
MD5:
SHA256:

PID: 3804
Process: WScript.exe
Filename: C:\Users\admin\AppData\Local\Temp\niCEyMIv.txt.zip
Type: compressed
MD5: DE84D740D866EB8BE330C06E80A8B4CE
SHA256: 5F1B1251CB87A65E1B30518BD606B7B090BAF373886E0CCC7775BB72D3ED0438

PID: 2132
Process: guoLpSo.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.dat
Type: binary
MD5: D1F083DB7EF7781E99B56427BF9732EF
SHA256: 892E5EACBA3A83241C1D67BA051DEB25A3A7BC15DEC7D1EA14584BE61CB72BCD

PID: 3804
Process: WScript.exe
Filename: C:\Users\admin\AppData\Local\Temp\ujxatch
Type: text
MD5: 02309B752DDBE8889693D8F8EF797E91
SHA256: C813460BBF7B95855C88AD120B11837FACB3BF94441A10CD0B5633B85F84ADCA

PID: 2132
Process: guoLpSo.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe
Type: executable
MD5: A74309BA974690C806EC5BC24869A549
SHA256: 16B2CF3DCE4949E4147B36372FE564E8067B8B3C24ACDA8952CF567E53C887E6

PID: 3128
Process: explorer.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.dat
Type: binary
MD5: 25E5258A8A677EAB5D908748DFE645C5
SHA256: FF4B15E7BCA56A1AAA88D3275921876C0EA403C83E527721221C37ED14A1B649

PID: 3524
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DIa3524.6969\ST8191902023198_875623.vbs
Type: text
MD5: 7536EE1F2CD4AC3BDF03120FAD1565C9
SHA256: E864DBF985DDADEBED3156FE30E78B489D04E81736AF8E6183BC317DCD3F086E

PID: 3804
Process: WScript.exe
Filename: C:\Users\admin\AppData\Local\Temp\guoLpSo.exe
Type: executable
MD5: A74309BA974690C806EC5BC24869A549
SHA256: 16B2CF3DCE4949E4147B36372FE564E8067B8B3C24ACDA8952CF567E53C887E6

PID: 2504
Process: cmd.exe
Filename: C:\Users\admin\AppData\Local\Temp\guoLpSo.exe
Type: executable
MD5: 60B7C0FEAD45F2066E5B805A91F4F0FC
SHA256: 80C10EE5F21F92F89CBC293A59D2FD4C01C7958AACAD15642558DB700943FA22
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info