analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Calculation-586665708-10162020.zip

Full analysis: https://app.any.run/tasks/7c484d26-36ef-451d-bbe6-33d7c3ef031b
Verdict: Malicious activity
Threats:

Qbot is a banking Trojan — a malware designed to collect banking information from victims. Qbot targets organizations mostly in the US. It is equipped with various sophisticated evasion and info-stealing functions and worm-like functionality, and a strong persistence mechanism.

Malware Trends Tracker     >>>
Analysis date: October 20, 2020, 01:27:56
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
qbot
maldoc-42
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

C0AB96C98553A66C60506A8384DD8E35

SHA1:

C830E65B2697BFF062BBC4A3273B0CFA664F4547

SHA256:

72773C67B585B4D57F039F63CA934B9C8F984C7BF702508A47DDC82D1F85815C

SSDEEP:

384:ugGvXzg6Zr4VCNmoWOjLhHmd1sKFfcL73TL6idzRSyJdwk/hwmVp3JIEorlJoAdS:kg6Zr4VFNkh3KFfg6K5Jdw+hzXOLlJoT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executable content was dropped or overwritten

      • EXCEL.EXE (PID: 2464)

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 2464)

    • Application was dropped or rewritten from another process

      • nosto.exe (PID: 3804)
      • nosto.exe (PID: 2168)
      • ytfovlym.exe (PID: 2676)
      • ytfovlym.exe (PID: 2356)

    • QBOT was detected

      • nosto.exe (PID: 3804)

    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 3836)

  • SUSPICIOUS

    • Starts Microsoft Office Application

      • WinRAR.exe (PID: 2452)

    • Executable content was dropped or overwritten

      • nosto.exe (PID: 3804)
      • cmd.exe (PID: 3836)

    • Creates files in the user directory

      • nosto.exe (PID: 3804)

    • Application launched itself

      • nosto.exe (PID: 3804)
      • ytfovlym.exe (PID: 2676)

    • Starts itself from another location

      • nosto.exe (PID: 3804)

    • Starts CMD.EXE for commands execution

      • nosto.exe (PID: 3804)

  • INFO

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2464)

    • Reads Internet Cache Settings

      • EXCEL.EXE (PID: 2464)

    • Dropped object may contain Bitcoin addresses

      • cmd.exe (PID: 3836)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2020:10:19 16:24:18
ZipCRC: 0xa095190b
ZipCompressedSize: 21428
ZipUncompressedSize: 26689
ZipFileName: Calculation-586665708-10162020.xlsb
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
47
Monitored processes
9
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start winrar.exe no specs excel.exe #QBOT nosto.exe nosto.exe no specs ytfovlym.exe no specs cmd.exe ping.exe no specs ytfovlym.exe no specs explorer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2452"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Calculation-586665708-10162020.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
2464"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXE
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
3804"C:\Hromo\Nivadalo\nosto.exe" C:\Hromo\Nivadalo\nosto.exe
EXCEL.EXE
User:
admin
Company:
QIHU 360 SOFTWARE CO. LIMITED
Integrity Level:
MEDIUM
Description:
360 SystemRegistryClean
Exit code:
0
Version:
1, 0, 0, 1003
2168C:\Hromo\Nivadalo\nosto.exe /CC:\Hromo\Nivadalo\nosto.exenosto.exe
User:
admin
Company:
QIHU 360 SOFTWARE CO. LIMITED
Integrity Level:
MEDIUM
Description:
360 SystemRegistryClean
Exit code:
0
Version:
1, 0, 0, 1003
2676C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exenosto.exe
User:
admin
Company:
QIHU 360 SOFTWARE CO. LIMITED
Integrity Level:
MEDIUM
Description:
360 SystemRegistryClean
Exit code:
0
Version:
1, 0, 0, 1003
3836"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Hromo\Nivadalo\nosto.exe"C:\Windows\System32\cmd.exe
nosto.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
544ping.exe -n 6 127.0.0.1 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2356C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe /CC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeytfovlym.exe
User:
admin
Company:
QIHU 360 SOFTWARE CO. LIMITED
Integrity Level:
MEDIUM
Description:
360 SystemRegistryClean
Exit code:
0
Version:
1, 0, 0, 1003
3832C:\Windows\explorer.exeC:\Windows\explorer.exeytfovlym.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 153
Read events
1 087
Write events
0
Delete events
0

Modification events

No data
Executable files
4
Suspicious files
2
Text files
0
Unknown types
2

Dropped files

PID
Process
Filename
Type
2464EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR7479.tmp.cvr
MD5:
SHA256:
2452WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIa2452.13354\Calculation-586665708-10162020.xlsbdocument
MD5:0C6B7CFC5148D1934427FC6AE5A9D5A0
SHA256:F68AC2F84FEC57F83C3F716A874DDA614FFBA330BAA6543D6665F645CA89A152
2464EXCEL.EXEC:\Hromo\Nivadalo\nosto.exeexecutable
MD5:9F32DC9769471997C0E0D0615E5BCAE6
SHA256:2745F0DF4728EF0556D3A5A8B43CDCB9B20FDA088FB1917E23AB3CBABB342790
2464EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\3415201[1].pngexecutable
MD5:9F32DC9769471997C0E0D0615E5BCAE6
SHA256:2745F0DF4728EF0556D3A5A8B43CDCB9B20FDA088FB1917E23AB3CBABB342790
3804nosto.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.datbinary
MD5:F26E4A04970902E5BBCA5D9D2A5EF9C1
SHA256:3864E0C58FB5C429F2291456581E2E7688A9A5885337054AF8BD8B7BEC750E1F
3832explorer.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.datpgc
MD5:F4048B9158B620366A3B90EC2F503ED9
SHA256:37B321AA7BA52396E9B61806D2355D901B86F30BCB0470E193F08BF155490058
3804nosto.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeexecutable
MD5:9F32DC9769471997C0E0D0615E5BCAE6
SHA256:2745F0DF4728EF0556D3A5A8B43CDCB9B20FDA088FB1917E23AB3CBABB342790
3836cmd.exeC:\Hromo\Nivadalo\nosto.exeexecutable
MD5:60B7C0FEAD45F2066E5B805A91F4F0FC
SHA256:80C10EE5F21F92F89CBC293A59D2FD4C01C7958AACAD15642558DB700943FA22
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2464
EXCEL.EXE
GET
200
183.181.83.123:80
http://home-delivery-cleaning.net/ecbmuibsl/3415201.png
JP
executable
1.02 Mb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2464
EXCEL.EXE
183.181.83.123:80
home-delivery-cleaning.net
SAKURA Internet Inc.
JP
malicious

DNS requests

Domain
IP
Reputation
home-delivery-cleaning.net
  • 183.181.83.123
malicious

Threats

PID
Process
Class
Message
2464
EXCEL.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2464
EXCEL.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
2464
EXCEL.EXE
A Network Trojan was detected
ET TROJAN JS/WSF Downloader Dec 08 2016 M4
2464
EXCEL.EXE
A Network Trojan was detected
AV POLICY EXE or DLL in HTTP Image Content Inbound - Likely Malicious
2464
EXCEL.EXE
Misc activity
ET INFO EXE - Served Attached HTTP
2464
EXCEL.EXE
Misc activity
SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Calculation-586665708-10162020.zip