download: | ST8191902023198_875623.zip |
Full analysis: | https://app.any.run/tasks/dc5bfa09-6de4-4158-b406-6daff8e71be4 |
Verdict: | Malicious activity |
Threats: | Qbot is a banking Trojan — a malware designed to collect banking information from victims. Qbot targets organizations mostly in the US. It is equipped with various sophisticated evasion and info-stealing functions and worm-like functionality, and a strong persistence mechanism. |
Analysis date: | September 18, 2019, 19:05:33 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | D9332929FF884CEC04A731B1423C1232 |
SHA1: | BFAAADFD21594F18731F39BF48616CF67D1BA432 |
SHA256: | 67875DCA9DCCEC4C6698F02FECA454E43191EA90D8E82ACDD8ED056F67968E85 |
SSDEEP: | 24576:9/5TNZ1yOLtXclX9k+gqxoySD2pAKgFENc8:9xNTyOy9JgxGAKHL |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | - |
ZipCompression: | Deflated |
ZipModifyDate: | 2019:09:18 00:20:13 |
ZipCRC: | 0x41ee25e4 |
ZipCompressedSize: | 999138 |
ZipUncompressedSize: | 2000364 |
ZipFileName: | ST8191902023198_875623.vbs |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3524 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\ST8191902023198_875623.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
3804 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa3524.6969\ST8191902023198_875623.vbs" | C:\Windows\System32\WScript.exe | WinRAR.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
2132 | C:\Users\admin\AppData\Local\Temp\guoLpSo.exe | C:\Users\admin\AppData\Local\Temp\guoLpSo.exe | wmiprvse.exe | |
User: admin Company: Sun Microsystems, Inc. Integrity Level: MEDIUM Description: Java(TM) Plug-in for Internet Explorer Exit code: 0 Version: 5.0.60.5 | ||||
3484 | C:\Users\admin\AppData\Local\Temp\guoLpSo.exe /C | C:\Users\admin\AppData\Local\Temp\guoLpSo.exe | — | guoLpSo.exe |
User: admin Company: Sun Microsystems, Inc. Integrity Level: MEDIUM Description: Java(TM) Plug-in for Internet Explorer Exit code: 0 Version: 5.0.60.5 | ||||
3404 | C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe | C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe | — | guoLpSo.exe |
User: admin Company: Sun Microsystems, Inc. Integrity Level: MEDIUM Description: Java(TM) Plug-in for Internet Explorer Exit code: 0 Version: 5.0.60.5 | ||||
2504 | "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\admin\AppData\Local\Temp\guoLpSo.exe" | C:\Windows\System32\cmd.exe | guoLpSo.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3192 | ping.exe -n 6 127.0.0.1 | C:\Windows\system32\PING.EXE | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3700 | C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe /C | C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe | — | ytfovlym.exe |
User: admin Company: Sun Microsystems, Inc. Integrity Level: MEDIUM Description: Java(TM) Plug-in for Internet Explorer Exit code: 0 Version: 5.0.60.5 | ||||
3128 | C:\Windows\explorer.exe | C:\Windows\explorer.exe | — | ytfovlym.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (3524) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (3524) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (3524) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (3524) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\ST8191902023198_875623.zip | |||
(PID) Process: | (3524) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (3524) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (3524) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (3524) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (3524) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E |
Operation: | write | Name: | @C:\Windows\System32\wshext.dll,-4802 |
Value: VBScript Script File | |||
(PID) Process: | (3524) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3804 | WScript.exe | C:\Users\admin\AppData\Local\Temp\niCEyMIv.txt | — | |
MD5:— | SHA256:— | |||
3804 | WScript.exe | C:\Users\admin\AppData\Local\Temp\niCEyMIv.txt.zip | compressed | |
MD5:DE84D740D866EB8BE330C06E80A8B4CE | SHA256:5F1B1251CB87A65E1B30518BD606B7B090BAF373886E0CCC7775BB72D3ED0438 | |||
2132 | guoLpSo.exe | C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.dat | binary | |
MD5:D1F083DB7EF7781E99B56427BF9732EF | SHA256:892E5EACBA3A83241C1D67BA051DEB25A3A7BC15DEC7D1EA14584BE61CB72BCD | |||
3804 | WScript.exe | C:\Users\admin\AppData\Local\Temp\ujxatch | text | |
MD5:02309B752DDBE8889693D8F8EF797E91 | SHA256:C813460BBF7B95855C88AD120B11837FACB3BF94441A10CD0B5633B85F84ADCA | |||
2132 | guoLpSo.exe | C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe | executable | |
MD5:A74309BA974690C806EC5BC24869A549 | SHA256:16B2CF3DCE4949E4147B36372FE564E8067B8B3C24ACDA8952CF567E53C887E6 | |||
3128 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.dat | binary | |
MD5:25E5258A8A677EAB5D908748DFE645C5 | SHA256:FF4B15E7BCA56A1AAA88D3275921876C0EA403C83E527721221C37ED14A1B649 | |||
3524 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa3524.6969\ST8191902023198_875623.vbs | text | |
MD5:7536EE1F2CD4AC3BDF03120FAD1565C9 | SHA256:E864DBF985DDADEBED3156FE30E78B489D04E81736AF8E6183BC317DCD3F086E | |||
3804 | WScript.exe | C:\Users\admin\AppData\Local\Temp\guoLpSo.exe | executable | |
MD5:A74309BA974690C806EC5BC24869A549 | SHA256:16B2CF3DCE4949E4147B36372FE564E8067B8B3C24ACDA8952CF567E53C887E6 | |||
2504 | cmd.exe | C:\Users\admin\AppData\Local\Temp\guoLpSo.exe | executable | |
MD5:60B7C0FEAD45F2066E5B805A91F4F0FC | SHA256:80C10EE5F21F92F89CBC293A59D2FD4C01C7958AACAD15642558DB700943FA22 |