File name: JVC_41642.vbs

Full analysis: https://app.any.run/tasks/32dc2282-863a-4174-bb0b-8ec0c34213bf
Verdict: Malicious activity
Threats:

Qbot is a banking Trojan — a malware designed to collect banking information from victims. Qbot targets organizations mostly in the US. It is equipped with various sophisticated evasion and info-stealing functions and worm-like functionality, and a strong persistence mechanism.

Analysis date: January 22, 2020, 18:26:43
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags: qbot, trojan
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines
MD5: 58BFA99CD32BE2E4E00CF1B67A7CF55E
SHA1: 02F2B74BB145BD49C1B331D50A86FF92F9AD91A5
SHA256: 95C6C6152C3E08B3D342B896C6CD5A9385E721C9C31B19C6FDBA56F7DCBE5BAC
SSDEEP: 49152:4bKLZrBmJclTgxq8Sz7VhGxsJ+BcsHxr3zGki8+jnHBHNe5te31Y9luxOeA0ft50:9Lm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • ColorPick.exe (PID: 1004)
      • ColorPick.exe (PID: 2872)
      • imtaykad.exe (PID: 1500)
      • imtaykad.exe (PID: 2128)
    • QBOT was detected
      • ColorPick.exe (PID: 2872)
    • Changes the autorun value in the registry
      • explorer.exe (PID: 1640)
    • Runs PING.EXE for delay simulation
      • cmd.exe (PID: 1832)
  • SUSPICIOUS
    • Reads the machine GUID from the registry
      • WScript.exe (PID: 2240)
    • Creates files in the user directory
      • ColorPick.exe (PID: 2872)
    • Application launched itself
      • ColorPick.exe (PID: 2872)
      • imtaykad.exe (PID: 1500)
    • Starts itself from another location
      • ColorPick.exe (PID: 2872)
    • Executable content was dropped or overwritten
      • ColorPick.exe (PID: 2872)
      • WScript.exe (PID: 2240)
      • cmd.exe (PID: 1832)
    • Starts CMD.EXE for commands execution
      • ColorPick.exe (PID: 2872)
  • INFO
    • Dropped object may contain Bitcoin addresses
      • cmd.exe (PID: 1832)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 43
Monitored processes: 8
Malicious processes: 2
Suspicious processes: 1

Behavior graph

(Interactive graph in the full report.) Nodes: wscript.exe, colorpick.exe (#QBOT), colorpick.exe, imtaykad.exe, cmd.exe, ping.exe (no specs), imtaykad.exe, explorer.exe; edges are labelled "drop and start" or "start".

Process information

PID: 2240
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\JVC_41642.vbs"
Path: C:\Windows\System32\WScript.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385
Modules (images):
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

PID: 2872
CMD: C:\Users\admin\AppData\Local\Temp\ColorPick.exe
Path: C:\Users\admin\AppData\Local\Temp\ColorPick.exe
Parent process: WScript.exe
User: admin
Company: Oracle Corporation
Integrity Level: MEDIUM
Description: Java(TM) Platform SE binary
Exit code: 0
Version: 7.0.600.19
Modules (images):
c:\users\admin\appdata\local\temp\colorpick.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

PID: 1004
CMD: C:\Users\admin\AppData\Local\Temp\ColorPick.exe /C
Path: C:\Users\admin\AppData\Local\Temp\ColorPick.exe
Parent process: ColorPick.exe
User: admin
Company: Oracle Corporation
Integrity Level: MEDIUM
Description: Java(TM) Platform SE binary
Exit code: 0
Version: 7.0.600.19
Modules (images):
c:\users\admin\appdata\local\temp\colorpick.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

PID: 1500
CMD: C:\Users\admin\AppData\Roaming\Microsoft\Reffgfngeg\imtaykad.exe
Path: C:\Users\admin\AppData\Roaming\Microsoft\Reffgfngeg\imtaykad.exe
Parent process: ColorPick.exe
User: admin
Company: Oracle Corporation
Integrity Level: MEDIUM
Description: Java(TM) Platform SE binary
Exit code: 0
Version: 7.0.600.19
Modules (images):
c:\users\admin\appdata\roaming\microsoft\reffgfngeg\imtaykad.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

PID: 1832
CMD: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\admin\AppData\Local\Temp\ColorPick.exe"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: ColorPick.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\syswow64\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

PID: 3004
CMD: ping.exe -n 6 127.0.0.1
Path: C:\Windows\SysWOW64\PING.EXE
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: TCP/IP Ping Command
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\syswow64\ping.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

PID: 2128
CMD: C:\Users\admin\AppData\Roaming\Microsoft\Reffgfngeg\imtaykad.exe /C
Path: C:\Users\admin\AppData\Roaming\Microsoft\Reffgfngeg\imtaykad.exe
Parent process: imtaykad.exe
User: admin
Company: Oracle Corporation
Integrity Level: MEDIUM
Description: Java(TM) Platform SE binary
Exit code: 0
Version: 7.0.600.19
Modules (images):
c:\users\admin\appdata\roaming\microsoft\reffgfngeg\imtaykad.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

PID: 1640
CMD: C:\Windows\SysWOW64\explorer.exe
Path: C:\Windows\SysWOW64\explorer.exe
Parent process: imtaykad.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\syswow64\explorer.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
Total events: 148
Read events: 139
Write events: 9
Delete events: 0

Modification events

(PID) Process: (2872) ColorPick.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (2872) ColorPick.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (2872) ColorPick.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (2872) ColorPick.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (1640) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: sanwe
Value: "C:\Users\admin\AppData\Roaming\Microsoft\Reffgfngeg\imtaykad.exe"
Executable files: 3
Suspicious files: 4
Text files: 0
Unknown types: 0

Dropped files

PID: 2872
Process: ColorPick.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Reffgfngeg\imtaykad.exe
Type: executable
MD5: 32CC06562519772FEC7951F80DADAD7C
SHA256: BA4F325364EBA4931DDC23681450C416371A7FDB95268FF5E8C660007A8B093C

PID: 1640
Process: explorer.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Reffgfngeg\imtaykad.dat
Type: binary
MD5: F26E0711AF5F0AAB22B91EAF7E60028B
SHA256: 719AAA8440B3B4737E8FE8AD4B42273B8F869EB8E2447F8B87B68F439D4840C4

PID: 2240
Process: WScript.exe
Filename: C:\Users\admin\AppData\Local\Temp\ColorPick.exe
Type: executable
MD5: 32CC06562519772FEC7951F80DADAD7C
SHA256: BA4F325364EBA4931DDC23681450C416371A7FDB95268FF5E8C660007A8B093C

PID: 2872
Process: ColorPick.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Reffgfngeg\imtaykad.dat
Type: binary
MD5: 41D899B8BBBF5A9EE8F09086A9974A1C
SHA256: AA17E4AAE0595AD3267994D64C3DD3D0C96E108FA92A35373201E8C8E4103DA1

PID: 1832
Process: cmd.exe
Filename: C:\Users\admin\AppData\Local\Temp\ColorPick.exe
Type: executable
MD5: 60B7C0FEAD45F2066E5B805A91F4F0FC
SHA256: 80C10EE5F21F92F89CBC293A59D2FD4C01C7958AACAD15642558DB700943FA22
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 1
DNS requests: 1
Threats: 4

HTTP requests

No HTTP requests

Connections

PID: 2240
Process: WScript.exe
IP: 5.61.27.159:80
Domain: alphaenergyeng.com
ASN: Nrp Network LLC
CN: US
Reputation: malicious

DNS requests

Domain: alphaenergyeng.com
IP: 5.61.27.159
Reputation: suspicious

Threats

Class: Potential Corporate Privacy Violation
Message: ET POLICY PE EXE or DLL Windows file download HTTP

Class: A Network Trojan was detected
Message: AV POLICY EXE or DLL in HTTP Image Content Inbound - Likely Malicious

Class: Misc activity
Message: ET INFO EXE - Served Attached HTTP

Class: Misc activity
Message: SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
Debug output strings (Process: Message)

ColorPick.exe: ZBZQBZ
ColorPick.exe: ZBZQBZ
imtaykad.exe: ZBZQBZ
imtaykad.exe: ZBZQBZ