File name: | JVC_41642.vbs |
Full analysis: | https://app.any.run/tasks/32dc2282-863a-4174-bb0b-8ec0c34213bf |
Verdict: | Malicious activity |
Threats: | Qbot is a banking Trojan — a malware designed to collect banking information from victims. Qbot targets organizations mostly in the US. It is equipped with various sophisticated evasion and info-stealing functions and worm-like functionality, and a strong persistence mechanism. |
Analysis date: | January 22, 2020, 18:26:43 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
Tags: | |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with very long lines |
MD5: | 58BFA99CD32BE2E4E00CF1B67A7CF55E |
SHA1: | 02F2B74BB145BD49C1B331D50A86FF92F9AD91A5 |
SHA256: | 95C6C6152C3E08B3D342B896C6CD5A9385E721C9C31B19C6FDBA56F7DCBE5BAC |
SSDEEP: | 49152:4bKLZrBmJclTgxq8Sz7VhGxsJ+BcsHxr3zGki8+jnHBHNe5te31Y9luxOeA0ft50:9Lm |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2240 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\JVC_41642.vbs" | C:\Windows\System32\WScript.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
| |||||||||||||||
2872 | C:\Users\admin\AppData\Local\Temp\ColorPick.exe | C:\Users\admin\AppData\Local\Temp\ColorPick.exe | WScript.exe | ||||||||||||
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Exit code: 0 Version: 7.0.600.19 Modules
| |||||||||||||||
1004 | C:\Users\admin\AppData\Local\Temp\ColorPick.exe /C | C:\Users\admin\AppData\Local\Temp\ColorPick.exe | ColorPick.exe | ||||||||||||
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Exit code: 0 Version: 7.0.600.19 Modules
| |||||||||||||||
1500 | C:\Users\admin\AppData\Roaming\Microsoft\Reffgfngeg\imtaykad.exe | C:\Users\admin\AppData\Roaming\Microsoft\Reffgfngeg\imtaykad.exe | ColorPick.exe | ||||||||||||
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Exit code: 0 Version: 7.0.600.19 Modules
| |||||||||||||||
1832 | "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\admin\AppData\Local\Temp\ColorPick.exe" | C:\Windows\SysWOW64\cmd.exe | ColorPick.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
3004 | ping.exe -n 6 127.0.0.1 | C:\Windows\SysWOW64\PING.EXE | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2128 | C:\Users\admin\AppData\Roaming\Microsoft\Reffgfngeg\imtaykad.exe /C | C:\Users\admin\AppData\Roaming\Microsoft\Reffgfngeg\imtaykad.exe | imtaykad.exe | ||||||||||||
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Exit code: 0 Version: 7.0.600.19 Modules
| |||||||||||||||
1640 | C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe | imtaykad.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
|
(PID) Process: | (2872) ColorPick.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (2872) ColorPick.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 | |||
(PID) Process: | (2872) ColorPick.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
(PID) Process: | (2872) ColorPick.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 0 | |||
(PID) Process: | (1640) explorer.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
Operation: | write | Name: | sanwe |
Value: "C:\Users\admin\AppData\Roaming\Microsoft\Reffgfngeg\imtaykad.exe" |
PID | Process | Filename | Type | |
---|---|---|---|---|
2872 | ColorPick.exe | C:\Users\admin\AppData\Roaming\Microsoft\Reffgfngeg\imtaykad.exe | executable | |
MD5:32CC06562519772FEC7951F80DADAD7C | SHA256:BA4F325364EBA4931DDC23681450C416371A7FDB95268FF5E8C660007A8B093C | |||
1640 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Reffgfngeg\imtaykad.dat | binary | |
MD5:F26E0711AF5F0AAB22B91EAF7E60028B | SHA256:719AAA8440B3B4737E8FE8AD4B42273B8F869EB8E2447F8B87B68F439D4840C4 | |||
2240 | WScript.exe | C:\Users\admin\AppData\Local\Temp\ColorPick.exe | executable | |
MD5:32CC06562519772FEC7951F80DADAD7C | SHA256:BA4F325364EBA4931DDC23681450C416371A7FDB95268FF5E8C660007A8B093C | |||
2872 | ColorPick.exe | C:\Users\admin\AppData\Roaming\Microsoft\Reffgfngeg\imtaykad.dat | binary | |
MD5:41D899B8BBBF5A9EE8F09086A9974A1C | SHA256:AA17E4AAE0595AD3267994D64C3DD3D0C96E108FA92A35373201E8C8E4103DA1 | |||
1832 | cmd.exe | C:\Users\admin\AppData\Local\Temp\ColorPick.exe | executable | |
MD5:60B7C0FEAD45F2066E5B805A91F4F0FC | SHA256:80C10EE5F21F92F89CBC293A59D2FD4C01C7958AACAD15642558DB700943FA22 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2240 | WScript.exe | 5.61.27.159:80 | alphaenergyeng.com | Nrp Network LLC | US | malicious |
Domain | IP | Reputation |
---|---|---|
alphaenergyeng.com |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
— | — | A Network Trojan was detected | AV POLICY EXE or DLL in HTTP Image Content Inbound - Likely Malicious |
— | — | Misc activity | ET INFO EXE - Served Attached HTTP |
— | — | Misc activity | SUSPICIOUS [PTsecurity] PE as Image Content type mismatch |
Process | Message |
---|---|
ColorPick.exe | ZBZQBZ |
ColorPick.exe | ZBZQBZ |
imtaykad.exe | ZBZQBZ |
imtaykad.exe | ZBZQBZ |