download: | CO4164755428077540939.zip |
Full analysis: | https://app.any.run/tasks/ca29d2bc-274a-4d42-a22b-7ddf97a4ef2d |
Verdict: | Malicious activity |
Threats: | Qbot is a banking Trojan — a malware designed to collect banking information from victims. Qbot targets organizations mostly in the US. It is equipped with various sophisticated evasion and info-stealing functions and worm-like functionality, and a strong persistence mechanism. |
Analysis date: | September 18, 2019, 17:29:21 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 2F3B8594EBD4ADBF31649619A2C402B7 |
SHA1: | 4620C8A1D791318DEA600BD3B264E4B94C08EB9F |
SHA256: | A825D47643CBBCFDC28388FC05E63F32BFE6F390D2EB99FA6D47A44E2764D248 |
SSDEEP: | 49152:aKe//ZVuyr4xwUEeKRivzGmoxyTRnQ92PuFm/wEtPTV:a7zN0xw4K86meEnLGUwcV |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | - |
ZipCompression: | Deflated |
ZipModifyDate: | 2019:09:18 21:52:04 |
ZipCRC: | 0x97bdc409 |
ZipCompressedSize: | 2172914 |
ZipUncompressedSize: | 4288220 |
ZipFileName: | CO4164755428077540939.vbs |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2888 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\CO4164755428077540939.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
2736 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa2888.29812\CO4164755428077540939.vbs" | C:\Windows\System32\WScript.exe | WinRAR.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
3752 | C:\Users\admin\AppData\Local\Temp\ACOQsTn.exe | C:\Users\admin\AppData\Local\Temp\ACOQsTn.exe | wmiprvse.exe | |
User: admin Company: Allowdone Fishbowl Inventory Integrity Level: MEDIUM Description: PlanGrass Exit code: 0 Version: 12.1.25.40 | ||||
3584 | "C:\Program Files\WinRAR\WinRAR.exe" -elevate2888 | C:\Program Files\WinRAR\WinRAR.exe | WinRAR.exe | |
User: admin Company: Alexander Roshal Integrity Level: HIGH Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
3860 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
356 | "C:\Windows\System32\WScript.exe" "C:\CO4164755428077540939.vbs" | C:\Windows\System32\WScript.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
3664 | C:\Users\admin\AppData\Local\Temp\ACOQsTn.exe /C | C:\Users\admin\AppData\Local\Temp\ACOQsTn.exe | — | ACOQsTn.exe |
User: admin Company: Allowdone Fishbowl Inventory Integrity Level: MEDIUM Description: PlanGrass Exit code: 0 Version: 12.1.25.40 | ||||
3168 | "C:\Windows\System32\Notepad.exe" C:\CO4164755428077540939.vbs | C:\Windows\System32\Notepad.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3832 | "C:\Windows\System32\WScript.exe" "C:\CO4164755428077540939.vbs" | C:\Windows\System32\WScript.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Version: 5.8.7600.16385 | ||||
1816 | C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe | C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe | — | ACOQsTn.exe |
User: admin Company: Allowdone Fishbowl Inventory Integrity Level: MEDIUM Description: PlanGrass Exit code: 0 Version: 12.1.25.40 |
(PID) Process: | (2888) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (2888) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (2888) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (2888) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\CO4164755428077540939.zip | |||
(PID) Process: | (2888) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (2888) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (2888) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (2888) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (2888) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E |
Operation: | write | Name: | @C:\Windows\System32\wshext.dll,-4802 |
Value: VBScript Script File | |||
(PID) Process: | (2888) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2888 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa2888.29812\CO4164755428077540939.vbs | — | |
MD5:— | SHA256:— | |||
2736 | WScript.exe | C:\Users\admin\AppData\Local\Temp\WOZMUjswN.txt | — | |
MD5:— | SHA256:— | |||
3584 | WinRAR.exe | C:\CO4164755428077540939.vbs | — | |
MD5:— | SHA256:— | |||
3568 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.dat | binary | |
MD5:319049D8CB728704939CB0576F799082 | SHA256:AD6AB80CA838864AC3C233C370300C474A57009C40FA3F49DED866F3DA32749F | |||
3752 | ACOQsTn.exe | C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe | executable | |
MD5:71375A441A725D774B9E59E5A9AAF15D | SHA256:E45BFB235195EA1C8427C5319F09B0172974700DAA31E6936AC42E23B1AFB263 | |||
2736 | WScript.exe | C:\Users\admin\AppData\Local\Temp\usrEEpqjQ | text | |
MD5:22B12F52AEF40B1EB8D077A865E6A402 | SHA256:EC5B05A90E8287B0F5079AD202DC5534B6B5B39370F274E9292D1CA57E41F9BF | |||
2736 | WScript.exe | C:\Users\admin\AppData\Local\Temp\ACOQsTn.exe | executable | |
MD5:71375A441A725D774B9E59E5A9AAF15D | SHA256:E45BFB235195EA1C8427C5319F09B0172974700DAA31E6936AC42E23B1AFB263 | |||
3752 | ACOQsTn.exe | C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.dat | binary | |
MD5:0067F8BA4322ACAF3C0879FBD5D04F35 | SHA256:4BEA9F08780A55824CC1172403802D94C137D38DB6E8011DBFACFFB707129782 | |||
2736 | WScript.exe | C:\Users\admin\AppData\Local\Temp\WOZMUjswN.txt.zip | compressed | |
MD5:125F5A27FDDF85950748476D04FB09F8 | SHA256:CB2851EFAE5EB7AC5D8156526D9BDD53CA9327B7A489E90F7766795FE5BDF7CE | |||
2924 | cmd.exe | C:\Users\admin\AppData\Local\Temp\ACOQsTn.exe | executable | |
MD5:60B7C0FEAD45F2066E5B805A91F4F0FC | SHA256:80C10EE5F21F92F89CBC293A59D2FD4C01C7958AACAD15642558DB700943FA22 |