File name: | Calculation-586665708-10162020.zip |
Full analysis: | https://app.any.run/tasks/7c484d26-36ef-451d-bbe6-33d7c3ef031b |
Verdict: | Malicious activity |
Threats: | Qbot is a banking Trojan — a malware designed to collect banking information from victims. Qbot targets organizations mostly in the US. It is equipped with various sophisticated evasion and info-stealing functions and worm-like functionality, and a strong persistence mechanism. |
Analysis date: | October 20, 2020, 01:27:56 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | C0AB96C98553A66C60506A8384DD8E35 |
SHA1: | C830E65B2697BFF062BBC4A3273B0CFA664F4547 |
SHA256: | 72773C67B585B4D57F039F63CA934B9C8F984C7BF702508A47DDC82D1F85815C |
SSDEEP: | 384:ugGvXzg6Zr4VCNmoWOjLhHmd1sKFfcL73TL6idzRSyJdwk/hwmVp3JIEorlJoAdS:kg6Zr4VFNkh3KFfg6K5Jdw+hzXOLlJoT |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | - |
ZipCompression: | Deflated |
ZipModifyDate: | 2020:10:19 16:24:18 |
ZipCRC: | 0xa095190b |
ZipCompressedSize: | 21428 |
ZipUncompressedSize: | 26689 |
ZipFileName: | Calculation-586665708-10162020.xlsb |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2452 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Calculation-586665708-10162020.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
2464 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | WinRAR.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 | ||||
3804 | "C:\Hromo\Nivadalo\nosto.exe" | C:\Hromo\Nivadalo\nosto.exe | EXCEL.EXE | |
User: admin Company: QIHU 360 SOFTWARE CO. LIMITED Integrity Level: MEDIUM Description: 360 SystemRegistryClean Exit code: 0 Version: 1, 0, 0, 1003 | ||||
2168 | C:\Hromo\Nivadalo\nosto.exe /C | C:\Hromo\Nivadalo\nosto.exe | — | nosto.exe |
User: admin Company: QIHU 360 SOFTWARE CO. LIMITED Integrity Level: MEDIUM Description: 360 SystemRegistryClean Exit code: 0 Version: 1, 0, 0, 1003 | ||||
2676 | C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe | C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe | — | nosto.exe |
User: admin Company: QIHU 360 SOFTWARE CO. LIMITED Integrity Level: MEDIUM Description: 360 SystemRegistryClean Exit code: 0 Version: 1, 0, 0, 1003 | ||||
3836 | "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Hromo\Nivadalo\nosto.exe" | C:\Windows\System32\cmd.exe | nosto.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
544 | ping.exe -n 6 127.0.0.1 | C:\Windows\system32\PING.EXE | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2356 | C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe /C | C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe | — | ytfovlym.exe |
User: admin Company: QIHU 360 SOFTWARE CO. LIMITED Integrity Level: MEDIUM Description: 360 SystemRegistryClean Exit code: 0 Version: 1, 0, 0, 1003 | ||||
3832 | C:\Windows\explorer.exe | C:\Windows\explorer.exe | — | ytfovlym.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2464 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR7479.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2452 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa2452.13354\Calculation-586665708-10162020.xlsb | document | |
MD5:0C6B7CFC5148D1934427FC6AE5A9D5A0 | SHA256:F68AC2F84FEC57F83C3F716A874DDA614FFBA330BAA6543D6665F645CA89A152 | |||
2464 | EXCEL.EXE | C:\Hromo\Nivadalo\nosto.exe | executable | |
MD5:9F32DC9769471997C0E0D0615E5BCAE6 | SHA256:2745F0DF4728EF0556D3A5A8B43CDCB9B20FDA088FB1917E23AB3CBABB342790 | |||
2464 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\3415201[1].png | executable | |
MD5:9F32DC9769471997C0E0D0615E5BCAE6 | SHA256:2745F0DF4728EF0556D3A5A8B43CDCB9B20FDA088FB1917E23AB3CBABB342790 | |||
3804 | nosto.exe | C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.dat | binary | |
MD5:F26E4A04970902E5BBCA5D9D2A5EF9C1 | SHA256:3864E0C58FB5C429F2291456581E2E7688A9A5885337054AF8BD8B7BEC750E1F | |||
3832 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.dat | pgc | |
MD5:F4048B9158B620366A3B90EC2F503ED9 | SHA256:37B321AA7BA52396E9B61806D2355D901B86F30BCB0470E193F08BF155490058 | |||
3804 | nosto.exe | C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe | executable | |
MD5:9F32DC9769471997C0E0D0615E5BCAE6 | SHA256:2745F0DF4728EF0556D3A5A8B43CDCB9B20FDA088FB1917E23AB3CBABB342790 | |||
3836 | cmd.exe | C:\Hromo\Nivadalo\nosto.exe | executable | |
MD5:60B7C0FEAD45F2066E5B805A91F4F0FC | SHA256:80C10EE5F21F92F89CBC293A59D2FD4C01C7958AACAD15642558DB700943FA22 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2464 | EXCEL.EXE | GET | 200 | 183.181.83.123:80 | http://home-delivery-cleaning.net/ecbmuibsl/3415201.png | JP | executable | 1.02 Mb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2464 | EXCEL.EXE | 183.181.83.123:80 | home-delivery-cleaning.net | SAKURA Internet Inc. | JP | malicious |
Domain | IP | Reputation |
---|---|---|
home-delivery-cleaning.net |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2464 | EXCEL.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2464 | EXCEL.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2 |
2464 | EXCEL.EXE | A Network Trojan was detected | ET TROJAN JS/WSF Downloader Dec 08 2016 M4 |
2464 | EXCEL.EXE | A Network Trojan was detected | AV POLICY EXE or DLL in HTTP Image Content Inbound - Likely Malicious |
2464 | EXCEL.EXE | Misc activity | ET INFO EXE - Served Attached HTTP |
2464 | EXCEL.EXE | Misc activity | SUSPICIOUS [PTsecurity] PE as Image Content type mismatch |