analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

qtetep.rar

Full analysis: https://app.any.run/tasks/229a91b6-5128-4823-be90-d4e5e1d612e0
Verdict: Malicious activity
Threats:

Qbot is a banking Trojan — a malware designed to collect banking information from victims. Qbot targets organizations mostly in the US. It is equipped with various sophisticated evasion and info-stealing functions and worm-like functionality, and a strong persistence mechanism.

Malware Trends Tracker     >>>
Analysis date: July 13, 2020, 05:32:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
qbot
trojan
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

FF3F3EC19FD9E9D95A486A718FE21A91

SHA1:

A5E57F4377A9B1BA596B820CBCBFA90D83881580

SHA256:

73EBBFE5A07B67702556C2DFA70FA0512E84145AD0D50DFC67C06C7CB051ADC1

SSDEEP:

6144:E15Y9jWIaA1YyAVMUj9pv6Xwm1cXDci2dQVl4/ORv+c93D:TsOYyAjLiXIJRG1c9T

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • QBOT was detected

      • qtetep.exe (PID: 2020)

    • Application was dropped or rewritten from another process

      • qtetep.exe (PID: 2020)
      • qtetep.exe (PID: 2696)
      • ytfovlym.exe (PID: 2620)
      • ytfovlym.exe (PID: 2480)

    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 4028)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1860)
      • qtetep.exe (PID: 2020)
      • cmd.exe (PID: 4028)

    • Application launched itself

      • qtetep.exe (PID: 2020)
      • ytfovlym.exe (PID: 2480)

    • Creates files in the user directory

      • qtetep.exe (PID: 2020)

    • Starts CMD.EXE for commands execution

      • qtetep.exe (PID: 2020)

    • Starts itself from another location

      • qtetep.exe (PID: 2020)

  • INFO

    • Dropped object may contain Bitcoin addresses

      • cmd.exe (PID: 4028)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
8
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start start drop and start drop and start winrar.exe #QBOT qtetep.exe qtetep.exe no specs ytfovlym.exe no specs cmd.exe ping.exe no specs ytfovlym.exe no specs explorer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1860"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\qtetep.rar"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
2020"C:\Users\admin\AppData\Local\Temp\Rar$EXb1860.19338\qtetep.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXb1860.19338\qtetep.exe
WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2696C:\Users\admin\AppData\Local\Temp\Rar$EXb1860.19338\qtetep.exe /CC:\Users\admin\AppData\Local\Temp\Rar$EXb1860.19338\qtetep.exeqtetep.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2480C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeqtetep.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
4028"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\admin\AppData\Local\Temp\Rar$EXb1860.19338\qtetep.exe"C:\Windows\System32\cmd.exe
qtetep.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
820ping.exe -n 6 127.0.0.1 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2620C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe /CC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeytfovlym.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
1592C:\Windows\explorer.exeC:\Windows\explorer.exeytfovlym.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
506
Read events
488
Write events
18
Delete events
0

Modification events

(PID) Process:(1860) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(1860) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(1860) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\12F\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(1860) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\12F\52C64B7E
Operation:writeName:@C:\Windows\system32\NetworkExplorer.dll,-1
Value:
Network
(PID) Process:(1860) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\qtetep.rar
(PID) Process:(1860) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(1860) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(1860) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(1860) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(1860) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation:writeName:ShowPassword
Value:
1
Executable files
3
Suspicious files
3
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
1592explorer.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.datbinary
MD5:E58628CE4354734D960A43B814E7CB2E
SHA256:0B16C90E8B4146EAC7E4BC894564A810403686BBBCA5FC10803472A7C3D714F9
2020qtetep.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.datbinary
MD5:9600ECF4B3F21DF21A05622E733FAE12
SHA256:9E9D403A6170352ABD5104C9BE08966F49B9EDEBE0291AD3CF9B17133D08FAB8
2020qtetep.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeexecutable
MD5:97A02E359B6F85368EC48D1E12ACA050
SHA256:72CDCC6DD51CC23B99E6CCA88F18D7D5AC4D270BD4B6EAC65237DD2321ECB127
1860WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb1860.19338\qtetep.exeexecutable
MD5:97A02E359B6F85368EC48D1E12ACA050
SHA256:72CDCC6DD51CC23B99E6CCA88F18D7D5AC4D270BD4B6EAC65237DD2321ECB127
4028cmd.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb1860.19338\qtetep.exeexecutable
MD5:60B7C0FEAD45F2066E5B805A91F4F0FC
SHA256:80C10EE5F21F92F89CBC293A59D2FD4C01C7958AACAD15642558DB700943FA22
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
qtetep.rar