analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Calculation-1952613626-10162020.zip

Full analysis: https://app.any.run/tasks/97ec8270-627d-4008-a576-cb90cf731daf
Verdict: Malicious activity
Threats:

Qbot is a banking Trojan — a malware designed to collect banking information from victims. Qbot targets organizations mostly in the US. It is equipped with various sophisticated evasion and info-stealing functions and worm-like functionality, and a strong persistence mechanism.

Malware Trends Tracker     >>>
Analysis date: October 20, 2020, 01:32:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
qbot
maldoc-42
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

2CF333E9F23C41AC5595447F00FAE125

SHA1:

4523001282B5046D8B96C5FFF1278029AB26A32D

SHA256:

8D3452EC0A695E2480EE0273B0D066CCC748B5DCC90661BEBC314C1FBE9A0875

SSDEEP:

384:nJnhpBKu+h5Mq2wkyIymifZvhcFYeZ9L5QoPsiv7xexgdKaT+rb:JnhpVdwlIifk1Z9NtfStZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • ytfovlym.exe (PID: 2064)
      • nosto.exe (PID: 2120)
      • nosto.exe (PID: 3140)
      • ytfovlym.exe (PID: 2936)

    • Executable content was dropped or overwritten

      • EXCEL.EXE (PID: 2604)

    • QBOT was detected

      • nosto.exe (PID: 2120)

    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 2504)

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 2604)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • cmd.exe (PID: 2504)
      • nosto.exe (PID: 2120)

    • Application launched itself

      • nosto.exe (PID: 2120)
      • ytfovlym.exe (PID: 2936)

    • Creates files in the user directory

      • nosto.exe (PID: 2120)

    • Starts Microsoft Office Application

      • WinRAR.exe (PID: 2544)

    • Starts CMD.EXE for commands execution

      • nosto.exe (PID: 2120)

    • Starts itself from another location

      • nosto.exe (PID: 2120)

  • INFO

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2604)

    • Dropped object may contain Bitcoin addresses

      • cmd.exe (PID: 2504)

    • Reads Internet Cache Settings

      • EXCEL.EXE (PID: 2604)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: Calculation-1952613626-10162020.xlsb
ZipUncompressedSize: 26674
ZipCompressedSize: 21414
ZipCRC: 0x175127e0
ZipModifyDate: 2020:10:19 16:22:00
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
47
Monitored processes
9
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start winrar.exe no specs excel.exe #QBOT nosto.exe nosto.exe no specs ytfovlym.exe no specs cmd.exe ping.exe no specs ytfovlym.exe no specs explorer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2544"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Calculation-1952613626-10162020.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
2604"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXE
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
2120"C:\Hromo\Nivadalo\nosto.exe" C:\Hromo\Nivadalo\nosto.exe
EXCEL.EXE
User:
admin
Company:
QIHU 360 SOFTWARE CO. LIMITED
Integrity Level:
MEDIUM
Description:
360 SystemRegistryClean
Exit code:
0
Version:
1, 0, 0, 1003
3140C:\Hromo\Nivadalo\nosto.exe /CC:\Hromo\Nivadalo\nosto.exenosto.exe
User:
admin
Company:
QIHU 360 SOFTWARE CO. LIMITED
Integrity Level:
MEDIUM
Description:
360 SystemRegistryClean
Exit code:
0
Version:
1, 0, 0, 1003
2936C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exenosto.exe
User:
admin
Company:
QIHU 360 SOFTWARE CO. LIMITED
Integrity Level:
MEDIUM
Description:
360 SystemRegistryClean
Exit code:
0
Version:
1, 0, 0, 1003
2504"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Hromo\Nivadalo\nosto.exe"C:\Windows\System32\cmd.exe
nosto.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1496ping.exe -n 6 127.0.0.1 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2064C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe /CC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeytfovlym.exe
User:
admin
Company:
QIHU 360 SOFTWARE CO. LIMITED
Integrity Level:
MEDIUM
Description:
360 SystemRegistryClean
Exit code:
0
Version:
1, 0, 0, 1003
3464C:\Windows\explorer.exeC:\Windows\explorer.exeytfovlym.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 148
Read events
1 082
Write events
0
Delete events
0

Modification events

No data
Executable files
4
Suspicious files
4
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
2604EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR5F2C.tmp.cvr
MD5:
SHA256:
2120nosto.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.datbinary
MD5:603199475063571083D0F86820839225
SHA256:002F37C4C8EE09FA065EF12E40A0EAF70322D71586E8B5BE85F250DA6C2A0403
2120nosto.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeexecutable
MD5:6F7E79206933BA2A428202CE436812E3
SHA256:89B8B1B0C62AE087EE9D99344E611D443F2E2F22F417DFE597BD16FEB98B5A26
2604EXCEL.EXEC:\Hromo\Nivadalo\nosto.exeexecutable
MD5:6F7E79206933BA2A428202CE436812E3
SHA256:89B8B1B0C62AE087EE9D99344E611D443F2E2F22F417DFE597BD16FEB98B5A26
2544WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIa2544.38105\Calculation-1952613626-10162020.xlsbdocument
MD5:BACEEE740B29BAFCAB4785F0A842BC13
SHA256:CE0013F1362315C7F3273E3479CFD38130DF61ADFD745A978EE3A0D1C7F17EC3
2604EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\3415201[1].pngexecutable
MD5:6F7E79206933BA2A428202CE436812E3
SHA256:89B8B1B0C62AE087EE9D99344E611D443F2E2F22F417DFE597BD16FEB98B5A26
3464explorer.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.datbinary
MD5:4842605E2FDF6D510BE2C2116628F00A
SHA256:453CB9694658825EE09D703B2055815D36169C0D8316986EDEC35EECB4B1FAF4
2504cmd.exeC:\Hromo\Nivadalo\nosto.exeexecutable
MD5:60B7C0FEAD45F2066E5B805A91F4F0FC
SHA256:80C10EE5F21F92F89CBC293A59D2FD4C01C7958AACAD15642558DB700943FA22
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2604
EXCEL.EXE
192.185.91.48:80
citycarmen.com
CyrusOne LLC
US
malicious

DNS requests

Domain
IP
Reputation
citycarmen.com
  • 192.185.91.48
whitelisted

Threats

PID
Process
Class
Message
2604
EXCEL.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2604
EXCEL.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
2604
EXCEL.EXE
A Network Trojan was detected
ET TROJAN JS/WSF Downloader Dec 08 2016 M4
2604
EXCEL.EXE
A Network Trojan was detected
AV POLICY EXE or DLL in HTTP Image Content Inbound - Likely Malicious
2604
EXCEL.EXE
Misc activity
ET INFO EXE - Served Attached HTTP
2604
EXCEL.EXE
Misc activity
SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Calculation-1952613626-10162020.zip