Field | Value
---|---
File name: | womanizee.dll
Full analysis: | https://app.any.run/tasks/bb9f32b5-28c7-4bb1-8ca7-570287583d76
Verdict: | Malicious activity
Threats: | Qbot is a banking Trojan — a malware designed to collect banking information from victims. Qbot targets organizations mostly in the US. It is equipped with various sophisticated evasion and info-stealing functions and worm-like functionality, and a strong persistence mechanism.
Analysis date: | October 05, 2022, 00:37:55
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: | 
Indicators: | 
MIME: | application/x-dosexec
File info: | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5: | 91D2D62ED8DA884094C111BEF5A1660E
SHA1: | 80ACF778171CEE3E34E16EACE73CD3F695C1F52C
SHA256: | 984D2854F4ABF3B2640AD5D6AA5031AE26F02B561B3FD0A284AAFE272B6C0C11
SSDEEP: | 12288:nieL1vc1PdFjpmw5qS6xnGWvE/N285UT+QD1lNMA:i81IFnqnvEl5w9M
Extension | Detected type (match score)
---|---
.exe | Win32 Executable Delphi generic (57.2)
.exe | Win32 Executable (generic) (18.2)
.exe | Win16/32 Executable Delphi generic (8.3)
.exe | Generic Win/DOS Executable (8)
.exe | DOS Executable Generic (8)
Field | Value
---|---
Architecture: | IMAGE_FILE_MACHINE_I386
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: | 1992-Jun-19 22:22:17
Detected languages: | 
DOS header field | Value
---|---
e_magic: | MZ
e_cblp: | 80
e_cp: | 2
e_crlc: | -
e_cparhdr: | 4
e_minalloc: | 15
e_maxalloc: | 65535
e_ss: | -
e_sp: | 184
e_csum: | -
e_ip: | -
e_cs: | -
e_ovno: | 26
e_oemid: | -
e_oeminfo: | -
e_lfanew: | 256
PE header field | Value
---|---
Signature: | PE
Machine: | IMAGE_FILE_MACHINE_I386
NumberofSections: | 6
TimeDateStamp: | 1992-Jun-19 22:22:17
PointerToSymbolTable: | -
NumberOfSymbols: | -
SizeOfOptionalHeader: | 224
Characteristics: | 
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
CODE | 4096 | 373884 | 374272 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.51292 |
DATA | 380928 | 6584 | 6656 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.58771 |
BSS | 389120 | 4141 | 0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | |
.idata | 397312 | 8102 | 8192 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.00912 |
.reloc | 405504 | 28932 | 29184 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 6.62305 |
.rsrc | 438272 | 292864 | 292864 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 4.82371 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 2.6633 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR |
2 | 2.80231 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR |
3 | 3.00046 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR |
4 | 2.56318 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR |
5 | 2.6949 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR |
6 | 2.62527 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR |
7 | 2.91604 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR |
4077 | 2.89392 | 332 | UNKNOWN | UNKNOWN | RT_STRING |
4078 | 3.12374 | 876 | UNKNOWN | UNKNOWN | RT_STRING |
4079 | 3.15437 | 944 | UNKNOWN | UNKNOWN | RT_STRING |
Imported library |
---|
advapi32.dll |
advapi32.dll (#2) |
comctl32.dll |
gdi32.dll |
kernel32.dll |
kernel32.dll (#2) |
kernel32.dll (#3) |
kernel32.dll (#4) |
oleaut32.dll |
oleaut32.dll (#2) |
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
2948 | "C:\Windows\System32\rundll32.exe" "C:\Users\admin\AppData\Local\Temp\womanizee.dll", #1 | C:\Windows\System32\rundll32.exe | — | Explorer.EXE
1760 | C:\Windows\System32\wermgr.exe | C:\Windows\System32\wermgr.exe | | rundll32.exe

PID 2948 (rundll32.exe) details: User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows host process (Rundll32); Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID 1760 (wermgr.exe) details: User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Problem Reporting; Version: 6.1.7601.24521 (win7sp1_ldr_escrow.190909-1704)

Qbot (PID) Process: | (1760) wermgr.exe |
Strings (188): | Start screenshot at.exe %u:%u "%s" /I powershell.exe -encodedCommand amstream.dll Self check arp -a c:\ProgramData nltest /domain_trusts /all_trusts %s %04x.%u %04x.%u res: %s seh_test: %u consts_test: %d vmdetected: %d createprocess: %d Self test OK. SoNuce]ugdiB3c[doMuce2s81*uXmcvP \System32\WindowsPowerShell\v1.0\powershell.exe net view \System32\WindowsPowerShel1\v1.0\powershel1.exe error res='%s' err=%d len=%u net share qwinsta route print .lnk regsvr32.exe Self test FAILED!!! ProfileImagePath schtasks.exe /Delete /F /TN %u "%s\system32\schtasks.exe" /Create /ST %02u:%02u /RU "NT AUTHORITY\SYSTEM" /SC ONCE /tr "%s" /Z /ET %02u:%02u /tn %s SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList netstat -nao /c ping.exe -n 6 127.0.0.1 & type "%s\System32\calc.exe" > "%s" nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%s /t5 whoami /all Self check ok! 
ProgramData powershell.exe -encodedCommand %S 89210af9 3c91e639 %s "$%s = \"%s\"; & $%s" SOFTWARE\Microsoft\Windows\CurrentVersion\Run ERROR: GetModuleFileNameW() failed with error: %u ipconfig /all schtasks.exe /Create /RU "NT AUTHORITY\SYSTEM" /SC ONSTART /TN %u /TR "%s" /NP /F ERROR: GetModuleFileNameW() failed with error: ERROR_INSUFFICIENT_BUFFER %s \"$%s = \\\"%s\\\\; & $%s\" net localgroup powershell.exe cmd /c set Microsoft SELF_TEST_1 %SystemRoot%\explorer.exe %ProgramFiles(x86)%\Internet Explorer\iexplore.exe WBJ_IGNORE */* SELECT * FROM Win32_Processor root\SecurityCenter2 Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet \sf2.dll Win32_Bios .cfg wpcap.dll type=0x%04X c:\hiberfil.sysss aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz bcrypt.dll Win32_ComputerSystem %SystemRoot%\SysWOW64\explorer.exe FALSE %S.%06d Win32_Product abcdefghijklmnopqrstuvwxyz image/pjpeg egui.exe;ekrn.exe https Create %SystemRoot%\SysWOW64\msra.exe SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths SubmitSamplesConsent %ProgramFiles%\Internet Explorer\iexplore.exe from kernel32.dll %s\system32\ \\.\pipe\ userenv.dll ntdll.dll ccSvcHst.exe LocalLow NTUSER.DAT select avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe Software\Microsoft Win32_PhysicalMemory wtsapi32.dll ws2_32.dll shell32.dll Initializing database... winsta0\default S:(ML;;NW;;;LW) snxhk_border_mywnd %SystemRoot%\System32\msra.exe TRUE image/gif APPDATA vbs image/jpeg %SystemRoot%\SysWOW64\wermgr.exe dwengine.exe;dwarkdaemon.exe;dwwatcher.exe ALLUSERSPROFILE wininet.dll urlmon.dll Packages SELECT * FROM Win32_OperatingSystem Winsta0 %SystemRoot%\SysWOW64\explorer.exe reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s" SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet Caption ROOT\CIMV2 %SystemRoot%\System32\OneDriveSetup.exe c:\\ aswhooka.dll aabcdeefghiijklmnoopqrstuuvwxyyz Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2")
Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process")
errReturn = objProcess.Create("%s", null, nul, nul) mpr.dll %SystemRoot%\SysWOW64\xwizard.exe Name coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0 LastBootUpTime %SystemRoot%\System32\wermgr.exe avp.exe;kavtray.exe Win32_Process 1234567890 %SystemRoot%\System32\mobsync.exe rundll32.exe fshoster32.exe SystemRoot advapi32.dll SpyNetReporting t=%s time=[%02d:%02d:%02d-%02d/%02d/%d] SAVAdminService.exe;SavService.exe Win32_DiskDrive cmd.exe %SystemRoot%\SysWOW64\mobsync.exe .dat open %SystemRoot%\System32\xwizard.exe {%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X} Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2")
Set colFiles = objWMIService.ExecQuery("Select * From CIM_DataFile Where Name = '%s'")
For Each objFile in colFiles
objFile.Copy("%s")
Next user32.dll bdagent.exe;vsserv.exe;vsservppl.exe SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths MsMpEng.exe Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName .dll setupapi.dll WRSA.exe System32 application/x-shockwave-flash netapi32.dll SysWOW64 frida-winjector-helper-32.exe;frida-winjector-helper-64.exe;tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe;qak_proxy;dumpcap.exe;CFF Explorer.exe;not_rundll32.exe;ProcessHacker.exe;tcpview.exe;filemon.exe;procmon.exe;idaq64.exe;PETools.ex... WScript.Sleep %u
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2")
Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process")
errReturn = objProcess.Create("%s", null, nul, nul)
WSCript.Sleep 2000
Set fso = CreateObject("Scripting.FileSystemObject")... vkise.exe;isesrv.exe;cmdagent.exe MBAMService.exe;mbamgui.exe iphlpapi.dll SOFTWARE\Microsoft\Windows Defender\SpyNet CommandLine wbj.go shlwapi.dll Win32_PnPEntity cscript.exe LOCALAPPDATA C:\INTERNAL\__empty SELECT * FROM AntiVirusProduct aswhookx.dll %SystemRoot%\explorer.exe mcshield.exe .exe pstorec.dll %SystemRoot%\SysWOW64\OneDriveSetup.exe wmic process call create 'expand "%S" "%S"' fmon.exe Content-Type: application/x-www-form-urlencoded displayName AvastSvc.exe ByteFence.exe SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet WQL crypt32.dll C2 (118)217.165.146.158:993 41.97.179.58:443 86.132.13.49:2078 197.203.50.195:443 85.245.143.94:443 86.196.181.62:2222 102.190.190.242:995 105.184.133.198:995 179.111.23.186:32101 179.251.119.206:995 84.3.85.30:443 39.44.5.104:995 197.41.235.69:995 193.3.19.137:443 186.81.122.168:443 103.173.121.17:443 41.104.80.233:443 102.189.184.12:995 156.199.90.139:443 14.168.180.223:443 41.140.98.37:995 156.205.3.210:993 139.228.33.176:2222 134.35.12.0:443 49.205.197.13:443 131.100.40.13:995 73.252.27.208:995 82.217.55.20:443 176.177.136.35:443 180.232.159.9:443 41.68.209.102:995 186.90.144.235:2222 191.92.125.254:443 41.96.204.133:443 58.186.75.42:443 85.86.242.245:443 187.193.143.111:443 200.175.173.80:443 197.49.68.15:995 186.50.139.45:995 41.68.155.190:443 186.72.236.88:995 187.150.143.159:443 105.69.189.28:995 160.177.207.113:8443 41.102.97.28:443 193.254.32.156:443 88.168.84.62:443 156.218.169.48:995 41.105.159.42:443 186.53.115.151:995 186.48.206.63:995 151.231.60.200:2083 196.217.32.15:443 102.157.212.143:443 189.189.89.32:443 181.177.156.209:443 85.94.178.73:995 201.209.4.2:443 41.69.236.243:995 74.133.189.36:443 149.126.159.254:443 41.104.132.166:443 188.157.6.170:443 197.160.22.10:443 187.189.68.8:443 109.128.221.164:995 92.98.73.123:443 154.237.235.43:995 212.102.56.47:443 110.238.39.214:443 185.233.79.238:995 154.237.60.254:995 181.206.46.7:443 
186.16.163.94:443 75.71.96.226:995 181.105.32.5:443 41.227.228.31:443 197.203.142.42:443 193.3.19.137:443 118.174.89.216:443 41.107.112.236:995 105.96.207.25:443 111.125.157.230:443 68.224.229.42:443 190.44.40.48:995 88.232.207.24:443 72.88.245.71:443 119.82.111.158:443 100.1.5.250:995 96.234.66.76:995 186.64.67.34:443 197.94.84.128:443 41.96.130.46:80 88.245.168.200:2222 110.4.255.247:443 89.211.217.38:995 76.169.76.44:2222 68.53.110.74:995 41.69.103.179:995 194.166.205.204:995 89.211.223.138:2222 85.98.206.165:995 177.103.94.155:32101 72.66.96.129:995 176.42.245.2:995 186.154.92.181:443 88.231.221.198:995 102.38.97.229:995 45.51.148.111:993 87.243.113.104:995 84.38.133.191:443 123.240.131.1:443 191.84.204.214:995 91.116.160.252:443 151.234.63.48:990 99.253.251.74:443 41.40.146.5:995 |
Version: | 1027.895 |
Campaign: | 1664363417 |
Botnet: | obama207 |
PID | Process | Key | Operation | Name | Value
---|---|---|---|---|---
1760 | wermgr.exe | HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt | write | 9abda0b5 | 78FD41573BD99A1F72AB7870315B0E3453028C2CB868FED0AF9ED99462BC4217A1D271A8EA0356DF43535841214A5F0FFC6490664BB2D686
1760 | wermgr.exe | HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt | write | af2270fb | 1671B1CB492C5556C055EBE1070186F4539120B65789D71DB758F7249231D7EFE81C8ECAE56FBF12EB97D74FCE28A7C64420349CAD704EF46C08C28785325DA04EC55E6E8CDFA42531F0946B3321C8CB01D1E8F360D47B846A3463E7919A5EE78CEB4A7EF37FE781B04F1E724F76D4D471D962C1AF767DCD901BB854F670DB2AAFDA7EC62D66B8100666C6C42D912507FAFC5C6C86059C6523A7917E99DBC84F0152E8C16D170DA625DEE8DB4EFDD0BAFE8AC174238FCFCE5B284F9E110924B2CA4C60EE9A086EC4EA53370598DCA4606D
1760 | wermgr.exe | HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt | write | ad635087 | 3F5FCA242F6BC310CEAAC572F217631E80818206CC63DD11A011436B60540631896528F881B58F8D7524A62F733EFFF1B65DEC863701EF377DB32346C7CAEBF22254622CA4CA2148A5E14D101F2C82D3E373B8F7A28CCE6187EAD42B23EA18A1DBE81CA2
1760 | wermgr.exe | HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt | write | 15df37e2 | B713EAE0E8A1DA4145567599E629CDB49337DE281B7CD536F5A49F5F12F547236F38C1FF725361EDEDE0697F35E8F8FC5B
1760 | wermgr.exe | HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt | write | 68d77868 | FDAA9851894C11466CE466C238A829AC7D067B43784036B67ED14F73523A690DA110E0822121380F4474A045F950DFA5F4E571D81A3BCB4FC46D8D17CE5B0104C618671B46604225C4157F1D8E2C771823C93812AC68E744F8CD1B185F4C90181B
1760 | wermgr.exe | HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt | write | d06b1f0d | AD659A1C35153227A0FB6C5D5B9329BE52522392BC1E5EA22C4E1317AC8AAFA82D2B77C6901735FBCC06F5399FAF61D3F005B0319A198178E5B939362F98C9D3FD8BFE4DE91FFF0E3F3018A7FAC315D2389211532683CF1C7B58608894E81C4B
1760 | wermgr.exe | HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt | write | 179e179e | 18D68B559E54F66427831576418B7B92AAA117E47E6BE147A40EF6C8A0FA223B37FB4E249371D2480F29E54823A6A221329EF6424F46D87A19FE0794B298D319B418155A4366B3FE
1760 | wermgr.exe | HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt | write | e5f4cf43 | 2BF73CCC9ED93B09D708F5D28211873DDE7DD93558AF6796436756F202AE4D70E074748CB258856424
1760 | wermgr.exe | HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt | write | 9abda0b5 | 78FD56573BD9A968E2E8B224399AEC08954AA6922C0986DA5E11E60CC8377942D4EC0D3FEECDEC230CD8B164A163762742B72E187D4E6D08D27D035F5E8C4C61A83C0095B69099EBCE0C386560
1760 | wermgr.exe | HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt | write | 9abda0b5 | 78FD56573BD9A968E2E8B224399AEC08954AA6922C0986DA581EE40CC8377942D4EC0D3FEECDEC230CD8B164A163762742B72E187D4E6D08D27D035F5E8C4C61A83C0095B69099EBCE0C386560
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
1760 | wermgr.exe | C:\Users\admin\AppData\Local\Temp\womanizee.dll | executable | 6C45AA6E3103E11C1486A30761328B31 | 6F517C83A81FEAAAD66CF5D9A2531446968FE6614A0A812BDEF4584176484CA0