File name: | Calculation-1952613626-10162020.zip |
Full analysis: | https://app.any.run/tasks/97ec8270-627d-4008-a576-cb90cf731daf |
Verdict: | Malicious activity |
Threats: | Qbot is a banking Trojan — a malware designed to collect banking information from victims. Qbot targets organizations mostly in the US. It is equipped with various sophisticated evasion and info-stealing functions and worm-like functionality, and a strong persistence mechanism. |
Analysis date: | October 20, 2020, 01:32:10 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 2CF333E9F23C41AC5595447F00FAE125 |
SHA1: | 4523001282B5046D8B96C5FFF1278029AB26A32D |
SHA256: | 8D3452EC0A695E2480EE0273B0D066CCC748B5DCC90661BEBC314C1FBE9A0875 |
SSDEEP: | 384:nJnhpBKu+h5Mq2wkyIymifZvhcFYeZ9L5QoPsiv7xexgdKaT+rb:JnhpVdwlIifk1Z9NtfStZ |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | Calculation-1952613626-10162020.xlsb |
---|---|
ZipUncompressedSize: | 26674 |
ZipCompressedSize: | 21414 |
ZipCRC: | 0x175127e0 |
ZipModifyDate: | 2020:10:19 16:22:00 |
ZipCompression: | Deflated |
ZipBitFlag: | - |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2544 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Calculation-1952613626-10162020.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
2604 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | WinRAR.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 | ||||
2120 | "C:\Hromo\Nivadalo\nosto.exe" | C:\Hromo\Nivadalo\nosto.exe | EXCEL.EXE | |
User: admin Company: QIHU 360 SOFTWARE CO. LIMITED Integrity Level: MEDIUM Description: 360 SystemRegistryClean Exit code: 0 Version: 1, 0, 0, 1003 | ||||
3140 | C:\Hromo\Nivadalo\nosto.exe /C | C:\Hromo\Nivadalo\nosto.exe | — | nosto.exe |
User: admin Company: QIHU 360 SOFTWARE CO. LIMITED Integrity Level: MEDIUM Description: 360 SystemRegistryClean Exit code: 0 Version: 1, 0, 0, 1003 | ||||
2936 | C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe | C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe | — | nosto.exe |
User: admin Company: QIHU 360 SOFTWARE CO. LIMITED Integrity Level: MEDIUM Description: 360 SystemRegistryClean Exit code: 0 Version: 1, 0, 0, 1003 | ||||
2504 | "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Hromo\Nivadalo\nosto.exe" | C:\Windows\System32\cmd.exe | nosto.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
1496 | ping.exe -n 6 127.0.0.1 | C:\Windows\system32\PING.EXE | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2064 | C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe /C | C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe | — | ytfovlym.exe |
User: admin Company: QIHU 360 SOFTWARE CO. LIMITED Integrity Level: MEDIUM Description: 360 SystemRegistryClean Exit code: 0 Version: 1, 0, 0, 1003 | ||||
3464 | C:\Windows\explorer.exe | C:\Windows\explorer.exe | — | ytfovlym.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2604 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR5F2C.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2120 | nosto.exe | C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.dat | binary | |
MD5:603199475063571083D0F86820839225 | SHA256:002F37C4C8EE09FA065EF12E40A0EAF70322D71586E8B5BE85F250DA6C2A0403 | |||
2120 | nosto.exe | C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe | executable | |
MD5:6F7E79206933BA2A428202CE436812E3 | SHA256:89B8B1B0C62AE087EE9D99344E611D443F2E2F22F417DFE597BD16FEB98B5A26 | |||
2604 | EXCEL.EXE | C:\Hromo\Nivadalo\nosto.exe | executable | |
MD5:6F7E79206933BA2A428202CE436812E3 | SHA256:89B8B1B0C62AE087EE9D99344E611D443F2E2F22F417DFE597BD16FEB98B5A26 | |||
2544 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa2544.38105\Calculation-1952613626-10162020.xlsb | document | |
MD5:BACEEE740B29BAFCAB4785F0A842BC13 | SHA256:CE0013F1362315C7F3273E3479CFD38130DF61ADFD745A978EE3A0D1C7F17EC3 | |||
2604 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\3415201[1].png | executable | |
MD5:6F7E79206933BA2A428202CE436812E3 | SHA256:89B8B1B0C62AE087EE9D99344E611D443F2E2F22F417DFE597BD16FEB98B5A26 | |||
3464 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.dat | binary | |
MD5:4842605E2FDF6D510BE2C2116628F00A | SHA256:453CB9694658825EE09D703B2055815D36169C0D8316986EDEC35EECB4B1FAF4 | |||
2504 | cmd.exe | C:\Hromo\Nivadalo\nosto.exe | executable | |
MD5:60B7C0FEAD45F2066E5B805A91F4F0FC | SHA256:80C10EE5F21F92F89CBC293A59D2FD4C01C7958AACAD15642558DB700943FA22 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2604 | EXCEL.EXE | 192.185.91.48:80 | citycarmen.com | CyrusOne LLC | US | malicious |
Domain | IP | Reputation |
---|---|---|
citycarmen.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
2604 | EXCEL.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2604 | EXCEL.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2 |
2604 | EXCEL.EXE | A Network Trojan was detected | ET TROJAN JS/WSF Downloader Dec 08 2016 M4 |
2604 | EXCEL.EXE | A Network Trojan was detected | AV POLICY EXE or DLL in HTTP Image Content Inbound - Likely Malicious |
2604 | EXCEL.EXE | Misc activity | ET INFO EXE - Served Attached HTTP |
2604 | EXCEL.EXE | Misc activity | SUSPICIOUS [PTsecurity] PE as Image Content type mismatch |