File name:

C:\Users\admin\Downloads\Unconfirmed 799419.crdownload

Full analysis: https://app.any.run/tasks/7cd07de3-7a49-45b4-9488-09382f44a8f3
Verdict: Malicious activity
Threats:

Qbot is a banking Trojan — a malware designed to collect banking information from victims. Qbot targets organizations mostly in the US. It is equipped with various sophisticated evasion and info-stealing functions and worm-like functionality, and a strong persistence mechanism.

Malware Trends Tracker     >>>
Analysis date: September 18, 2019, 21:27:40
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
qbot
trojan
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

FCE04EC565F466C2A60CD3105E73376E

SHA1:

A8418A10DF517A70BEAA1C6E37068426DB3EA860

SHA256:

6D68FC18EDE3952C7625E3D3E779E6DB02175C3DA003EA8214D33551C2E670E1

SSDEEP:

49152:252mWJClr1+Y6SneCoWIneT+35x7j0d1QFhbcoa07uMR0IcMgSVYbYiWj3jb1Ox:25KJorfJ3c/3j0bihco97u2Vjjb1s

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • GoqDOzjG.exe (PID: 3736)
      • GoqDOzjG.exe (PID: 1464)
      • ytfovlym.exe (PID: 3316)
      • ytfovlym.exe (PID: 3424)

    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 2008)

    • Changes the autorun value in the registry

      • explorer.exe (PID: 3844)

    • QBOT was detected

      • GoqDOzjG.exe (PID: 3736)

  • SUSPICIOUS

    • Application launched itself

      • GoqDOzjG.exe (PID: 3736)
      • ytfovlym.exe (PID: 3424)

    • Executable content was dropped or overwritten

      • WScript.exe (PID: 3140)
      • cmd.exe (PID: 2008)
      • GoqDOzjG.exe (PID: 3736)

    • Executed via WMI

      • GoqDOzjG.exe (PID: 3736)

    • Creates files in the user directory

      • GoqDOzjG.exe (PID: 3736)

    • Starts itself from another location

      • GoqDOzjG.exe (PID: 3736)

    • Starts CMD.EXE for commands execution

      • GoqDOzjG.exe (PID: 3736)

  • INFO

    • Manual execution by user

      • WScript.exe (PID: 3140)

    • Dropped object may contain Bitcoin addresses

      • cmd.exe (PID: 2008)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2019:09:12 21:44:04
ZipCRC: 0xa6e9566b
ZipCompressedSize: 3224486
ZipUncompressedSize: 8221128
ZipFileName: downcast_406dmF.vbs
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
9
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start drop and start winrar.exe no specs wscript.exe #QBOT goqdozjg.exe goqdozjg.exe no specs ytfovlym.exe no specs cmd.exe ping.exe no specs ytfovlym.exe no specs explorer.exe

Process information

PID
CMD
Path
Indicators
Parent process
1464C:\Users\admin\AppData\Local\Temp\GoqDOzjG.exe /CC:\Users\admin\AppData\Local\Temp\GoqDOzjG.exeGoqDOzjG.exe
User:
admin
Company:
Ringroad Warecorp
Integrity Level:
MEDIUM
Description:
BurnNorth
Exit code:
0
Version:
11.6.14.59
Modules
Images
c:\users\admin\appdata\local\temp\goqdozjg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
2008"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\admin\AppData\Local\Temp\GoqDOzjG.exe"C:\Windows\System32\cmd.exe
GoqDOzjG.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2740ping.exe -n 6 127.0.0.1 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ping.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
2920"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Unconfirmed 799419.crdownload.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
3140"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\downcast_406dmF.vbs" C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3316C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe /CC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeytfovlym.exe
User:
admin
Company:
Ringroad Warecorp
Integrity Level:
MEDIUM
Description:
BurnNorth
Exit code:
0
Version:
11.6.14.59
Modules
Images
c:\users\admin\appdata\roaming\microsoft\zulycjadyc\ytfovlym.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
3424C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeGoqDOzjG.exe
User:
admin
Company:
Ringroad Warecorp
Integrity Level:
MEDIUM
Description:
BurnNorth
Exit code:
0
Version:
11.6.14.59
Modules
Images
c:\users\admin\appdata\roaming\microsoft\zulycjadyc\ytfovlym.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
3736C:\Users\admin\AppData\Local\Temp\GoqDOzjG.exeC:\Users\admin\AppData\Local\Temp\GoqDOzjG.exe
wmiprvse.exe
User:
admin
Company:
Ringroad Warecorp
Integrity Level:
MEDIUM
Description:
BurnNorth
Exit code:
0
Version:
11.6.14.59
Modules
Images
c:\users\admin\appdata\local\temp\goqdozjg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
3844C:\Windows\explorer.exeC:\Windows\explorer.exe
ytfovlym.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events
540
Read events
514
Write events
26
Delete events
0

Modification events

(PID) Process:(2920) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2920) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2920) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2920) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\Unconfirmed 799419.crdownload.zip
(PID) Process:(2920) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2920) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2920) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2920) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(2920) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
Operation:writeName:@C:\Windows\System32\wshext.dll,-4802
Value:
VBScript Script File
(PID) Process:(2920) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF1A01000033000000DA04000028020000
Executable files
3
Suspicious files
3
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
2920WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2920.9195\downcast_406dmF.vbs
MD5:
SHA256:
3140WScript.exeC:\Users\admin\AppData\Local\Temp\GoqDOzjG.exeexecutable
MD5:
SHA256:
3844explorer.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.datbinary
MD5:
SHA256:
2008cmd.exeC:\Users\admin\AppData\Local\Temp\GoqDOzjG.exeexecutable
MD5:60B7C0FEAD45F2066E5B805A91F4F0FC
SHA256:80C10EE5F21F92F89CBC293A59D2FD4C01C7958AACAD15642558DB700943FA22
3140WScript.exeC:\Users\admin\AppData\Local\Temp\lmTmwyDuutext
MD5:
SHA256:
3736GoqDOzjG.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.datbinary
MD5:
SHA256:
3736GoqDOzjG.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeexecutable
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
C:\Users\admin\Downloads\Unconfirmed 799419.crdownload