| Field | Value |
|---|---|
| File name | b10812b2ee1a5776905dab0607ae87efca85602bd450f06f76ea12329b1e13da |
| Full analysis | https://app.any.run/tasks/2e5980ca-089e-42bd-bb7d-3d6fa5c832e4 |
| Verdict | Malicious activity |
| Threats | Qbot is a banking Trojan: malware built to steal banking information from its victims. It targets organizations mostly in the US and combines sophisticated evasion and information-stealing functions with worm-like propagation and a strong persistence mechanism. |
| Analysis date | May 20, 2022, 16:19:03 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/x-dosexec |
| File info | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
| MD5 | 25148C6A350D5052BEE981DA0E7C70A6 |
| SHA1 | A3F3E16804319D0B45739A5632240FB9C1AC5715 |
| SHA256 | B10812B2EE1A5776905DAB0607AE87EFCA85602BD450F06F76EA12329B1E13DA |
| SSDEEP | 12288:TEujXx7EZyZCW10lLz/UzWxXhdzHbFsFKa9hAUsifQuVL:YOFEV8KvHe5hYiJ1 |

Note that the file carries an `.exe` name but is identified as a DLL. That is why the sandbox starts it through rundll32.exe with the export ordinal `#1` (see the process tree below) rather than executing it directly; the file cannot be started by double-clicking it.
| Type | Detection | Score |
|---|---|---|
| .exe | Win32 Executable Delphi generic | 57.2 |
| .exe | Win32 Executable (generic) | 18.2 |
| .exe | Win16/32 Executable Delphi generic | 8.3 |
| .exe | Generic Win/DOS Executable | 8 |
| .exe | DOS Executable Generic | 8 |

These are file-type heuristics, not malware signatures. The Delphi match is corroborated by the PE header below: linker version 2.25 and the fixed 1992 timestamp are both characteristics of Delphi-built binaries.
| Field | Value |
|---|---|
| Subsystem | Windows GUI (IMAGE_SUBSYSTEM_WINDOWS_GUI) |
| SubsystemVersion | 4 |
| ImageVersion | - |
| OSVersion | 4 |
| EntryPoint | 0x5a584 |
| UninitializedDataSize | - |
| InitializedDataSize | 205824 |
| CodeSize | 366080 |
| LinkerVersion | 2.25 |
| PEType | PE32 |
| TimeStamp | 1992:06:20 00:22:17+02:00 (19-Jun-1992 22:22:17 UTC) |
| MachineType | Intel 386 or later, and compatibles |
| Architecture | IMAGE_FILE_MACHINE_I386 |
| Detected languages | |

The compilation date is not a real build date. 19-Jun-1992 22:22:17 UTC (0x2A425E19) is the constant that the Delphi linker writes into every binary it produces, so it identifies the toolchain rather than when this sample was built. Use the campaign ID in the extracted configuration below for dating instead.
| DOS header field | Value |
|---|---|
| Magic number | MZ |
| Bytes on last page of file | 0x0050 |
| Pages in file | 0x0002 |
| Relocations | 0x0000 |
| Size of header | 0x0004 |
| Min extra paragraphs | 0x000F |
| Max extra paragraphs | 0xFFFF |
| Initial SS value | 0x0000 |
| Initial SP value | 0x00B8 |
| Checksum | 0x0000 |
| Initial IP value | 0x0000 |
| Initial CS value | 0x0000 |
| Overlay number | 0x001A |
| OEM identifier | 0x0000 |
| OEM information | 0x0000 |
| Address of NE header (e_lfanew, offset of the PE signature) | 0x00000100 |
| PE file header field | Value |
|---|---|
| Signature | PE |
| Machine | IMAGE_FILE_MACHINE_I386 |
| Number of sections | 6 |
| Time date stamp | 19-Jun-1992 22:22:17 |
| Pointer to Symbol Table | 0x00000000 |
| Number of symbols | 0 |
| Size of Optional Header | 0x00E0 |
| Characteristics | |
| Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
|---|---|---|---|---|---|
| CODE | 0x00001000 | 0x000595B8 | 0x00059600 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.51125 |
| DATA | 0x0005B000 | 0x00001928 | 0x00001A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.42846 |
| BSS | 0x0005D000 | 0x00000E3D | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
| .idata | 0x0005E000 | 0x000021D2 | 0x00002200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.04256 |
| .reloc | 0x00061000 | 0x00006C44 | 0x00006E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 6.62999 |
| .rsrc | 0x00068000 | 0x00027A00 | 0x00027A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 7.35268 |

The .rsrc section is 0x27A00 (162,304) bytes with an entropy of 7.35, close to the 8.0 of random data, while the resources enumerated below (icons, cursors, string tables) add up to roughly 5 KB. The remainder is most plausibly an encrypted or compressed payload that the Delphi shell unpacks in memory; consistent with that, the Qbot configuration on this page was recovered from the injected explorer.exe process, not from this file as it sits on disk.
| ID | Entropy | Size | Codepage | Language | Type |
|---|---|---|---|---|---|
| 1 | 3.85232 | 744 | UNKNOWN | English - United States | RT_ICON |
| 2 | 2.80231 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR |
| 3 | 3.00046 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR |
| 4 | 2.56318 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR |
| 5 | 2.6949 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR |
| 6 | 2.62527 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR |
| 7 | 2.91604 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR |
| 4078 | 3.12374 | 876 | UNKNOWN | UNKNOWN | RT_STRING |
| 4079 | 3.15437 | 944 | UNKNOWN | UNKNOWN | RT_STRING |
| 4080 | 3.28468 | 644 | UNKNOWN | UNKNOWN | RT_STRING |
Imports (DLLs):

- advapi32.dll
- comctl32.dll
- gdi32.dll
- kernel32.dll
- oleaut32.dll
- user32.dll
- version.dll

The import table contains no networking or cryptographic libraries. wininet.dll, ws2_32.dll, iphlpapi.dll, crypt32.dll and the others that Qbot needs appear only in the strings recovered from the injected process below, i.e. they are resolved at runtime by the unpacked stage, which is one more sign that this file is a loader.
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 3940 | "C:\Windows\System32\rundll32.exe" "C:\Users\admin\AppData\Local\Temp\b10812b2ee1a5776905dab0607ae87efca85602bd450f06f76ea12329b1e13da.exe", #1 | C:\Windows\System32\rundll32.exe | — | Explorer.EXE |
| | User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
| 3868 | C:\Windows\explorer.exe | C:\Windows\explorer.exe | — | rundll32.exe |

Two things in this tree are worth a detection rule. First, rundll32.exe is handed a file with an `.exe` extension and told to call its export by ordinal (`#1`); a legitimate rundll32 invocation names a `.dll` and, almost always, an export by name. Second, the explorer.exe instance with PID 3868 is a child of rundll32.exe rather than of userinit.exe, and it is the process from which the Qbot configuration below was extracted, which is what one expects when the loader starts a fresh explorer.exe and injects into it.
| | User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |

Qbot configuration extracted from (PID) 3868 explorer.exe

Strings (179), as extracted. The dump is a single space-separated run, so multi-word command templates are not delimited from their neighbours; the embedded VBScript fragments keep their original line breaks:

ipconfig /all ProfileImagePath /t4 ERROR: GetModuleFileNameW() failed with error: %u schtasks.exe /Create /RU "NT AUTHORITY\SYSTEM" /SC ONSTART /TN %u /TR "%s" /NP /F /c ping.exe -n 6 127.0.0.1 & type "%s\System32\calc.exe" > "%s" ERROR: GetModuleFileNameW() failed with error: ERROR_INSUFFICIENT_BUFFER net share SOFTWARE\Microsoft\Windows\CurrentVersion\Run nltest /domain_trusts /all_trusts %s %04x.%u %04x.%u res: %s seh_test: %u consts_test: %d vmdetected: %d createprocess: %d net localgroup powershell.exe Self check Self test OK. 102 qwinsta %s "$%s = \"%s\"; & $%s" jHxastDcds)oMc=jvh7wdUhxcsdt2 route print .lnk arp -a error res='%s' err=%d len=%u amstream.dll schtasks.exe /Delete /F /TN %u whoami /all nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%s \System32\WindowsPowerShell\v1.0\powershell.exe "%s\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn %s /tr "%s" /SC ONCE /Z /ST %02u:%02u /ET %02u:%02u 103 c:\ProgramData at.exe %u:%u "%s" /I SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList SELF_TEST_1 net view /all Self check ok! netstat -nao ProgramData \System32\WindowsPowerShel1\v1.0\powershel1.exe cmd /c set Self test FAILED!!! regsvr32.exe -s Microsoft %s \"$%s = \\\"%s\\\\; & $%s\" 1234567890 %SystemRoot%\SysWOW64\msra.exe .dll abcdefghijklmnopqrstuvwxyz coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe %SystemRoot%\System32\mobsync.exe advapi32.dll Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0 Win32_Product System32 winsta0\default C:\INTERNAL\__empty WScript.Sleep %u
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2")
Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process")
errReturn = objProcess.Create("%s", null, nul, nul)
WSCript.Sleep 2000
Set fso = CreateObject("Scripting.FileSystemObject")... urlmon.dll %ProgramFiles(x86)%\Internet Explorer\iexplore.exe .dat open setupapi.dll t=%s time=[%02d:%02d:%02d-%02d/%02d/%d] %SystemRoot%\System32\xwizard.exe LastBootUpTime fmon.exe SELECT * FROM AntiVirusProduct aabcdeefghiijklmnoopqrstuuvwxyyz shlwapi.dll %SystemRoot%\SysWOW64\explorer.exe .exe ntdll.dll user32.dll select SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths Win32_PhysicalMemory frida-winjector-helper-32.exe;frida-winjector-helper-64.exe;tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe;qak_proxy;dumpcap.exe;CFF Explorer.exe;not_rundll32.exe;ProcessHacker.exe;tcpview.exe;filemon.exe;procmon.exe;idaq64.exe;PETools.ex... vbs wpcap.dll Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName %ProgramFiles%\Internet Explorer\iexplore.exe Win32_PnPEntity %SystemRoot%\explorer.exe Win32_DiskDrive crypt32.dll Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2")
Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process")
errReturn = objProcess.Create("%s", null, nul, nul) wbj.go %SystemRoot%\System32\msra.exe %SystemRoot%\SysWOW64\xwizard.exe AvastSvc.exe %SystemRoot%\SysWOW64\mobsync.exe %SystemRoot%\SysWOW64\OneDriveSetup.exe ALLUSERSPROFILE FALSE SAVAdminService.exe;SavService.exe c:\hiberfil.sysss wininet.dll WQL Win32_Bios cmd.exe ccSvcHst.exe SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet iphlpapi.dll image/gif Win32_Process Content-Type: application/x-www-form-urlencoded fshoster32.exe aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz MBAMService.exe;mbamgui.exe avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe image/pjpeg \\.\pipe\ .cfg NTUSER.DAT SystemRoot ROOT\CIMV2 Winsta0 shell32.dll SpyNetReporting Initializing database... rundll32.exe SubmitSamplesConsent dwengine.exe;dwarkdaemon.exe;dwwatcher.exe root\SecurityCenter2 ByteFence.exe image/jpeg Caption %SystemRoot%\System32\OneDriveSetup.exe mpr.dll c:\\ MsMpEng.exe from Win32_ComputerSystem SysWOW64 \sf2.dll snxhk_border_mywnd TRUE SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet */* %SystemRoot%\SysWOW64\explorer.exe wmic process call create 'expand "%S" "%S"' mcshield.exe Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2")
Set colFiles = objWMIService.ExecQuery("Select * From CIM_DataFile Where Name = '%s'")
For Each objFile in colFiles
objFile.Copy("%s")
Next Create bdagent.exe;vsserv.exe;vsservppl.exe avp.exe;kavtray.exe CommandLine https %S.%06d LocalLow WRSA.exe aswhooka.dll SOFTWARE\Microsoft\Windows Defender\SpyNet netapi32.dll application/x-shockwave-flash %s\system32\ SELECT * FROM Win32_Processor reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s" ws2_32.dll displayName aswhookx.dll cscript.exe type=0x%04X S:(ML;;NW;;;LW) {%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X} SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet userenv.dll SELECT * FROM Win32_OperatingSystem Packages SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths WBJ_IGNORE %SystemRoot%\explorer.exe Software\Microsoft kernel32.dll Name egui.exe;ekrn.exe vkise.exe;isesrv.exe;cmdagent.exe wtsapi32.dll Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status SaltjHxastDcds)oMc=jvh7wdUhxcsdt2

The strings cover the usual Qbot playbook: host and domain reconnaissance (ipconfig, nltest, net view, qwinsta, whoami, nslookup of the _ldap._tcp.dc._msdcs SRV record), scheduled-task persistence as NT AUTHORITY\SYSTEM, WMI-based process creation and file copy via VBScript, a list of analysis tools and security products to look for, the Windows Defender and Microsoft Antimalware exclusion paths, candidate injection hosts (explorer.exe, msra.exe, mobsync.exe, xwizard.exe, OneDriveSetup.exe), and a self-overwrite that replaces the dropper with a copy of calc.exe. The `WindowsPowerShel1\v1.0\powershel1.exe` spelling with the digit 1 is in the original binary, not a transcription error.

C2 (150):

108.60.213.141:443 89.211.185.1:2222 91.177.173.10:995 121.7.223.59:2222 70.46.220.114:443 124.40.244.118:2222
37.34.253.233:443 172.115.177.204:2222 175.145.235.37:443 176.67.56.94:443 41.228.22.180:443 2.34.12.8:443
67.209.195.198:443 118.161.37.101:443 45.241.215.15:993 140.82.49.12:443 182.191.92.203:995 187.207.131.50:61202
74.14.7.71:2222 172.114.160.81:995 2.50.4.57:443 24.178.196.158:2222 32.221.224.140:995 113.53.145.118:443
120.150.218.241:995 93.48.80.198:995 80.11.74.81:2222 38.70.253.226:2222 148.64.96.100:443 119.158.103.16:995
95.12.16.233:443 103.246.242.202:443 75.99.168.194:61201 75.99.168.194:443 5.54.49.78:995 39.49.44.239:995
179.145.13.69:32101 197.89.8.179:443 208.107.221.224:443 83.110.94.23:443 173.174.216.62:443 181.208.248.227:443
217.128.122.65:2222 39.44.46.206:995 186.90.153.162:2222 86.98.208.214:2222 47.23.89.60:993 31.215.69.115:443
76.70.9.169:2222 148.0.15.41:443 92.132.172.197:2222 39.44.66.76:995 140.82.63.183:995 140.82.63.183:443
144.202.3.39:995 149.28.238.199:443 45.63.1.12:443 144.202.2.175:443 45.76.167.26:443 45.76.167.26:995
149.28.238.199:995 144.202.3.39:443 45.63.1.12:995 144.202.2.175:995 39.52.94.22:995 117.248.109.38:21
217.165.109.187:993 31.215.185.244:2222 113.89.6.31:995 174.69.215.101:443 73.151.236.31:443 173.21.10.71:2222
76.25.142.196:443 39.33.216.128:995 67.165.206.193:993 189.223.134.157:443 190.252.242.69:443 82.41.63.217:443
187.208.122.239:443 47.157.227.70:443 102.182.232.3:995 69.14.172.24:443 200.148.9.225:32101 24.139.72.117:443
72.76.94.99:443 40.134.246.185:995 100.1.108.246:443 24.55.67.176:443 79.80.80.29:2222 179.158.105.44:443
45.46.53.140:2222 70.51.137.64:2222 41.84.236.153:995 197.92.130.121:443 81.129.112.49:2078 86.195.158.178:2222
109.12.111.14:443 82.152.39.39:443 187.16.64.194:2222 79.129.121.68:995 41.84.233.96:443 201.172.23.68:2222
196.203.37.215:80 103.107.113.82:443 90.120.65.153:2078 180.129.108.214:995 183.82.103.213:443 84.241.8.23:32103
31.215.185.244:1194 203.122.46.130:443 197.165.163.159:995 37.186.54.254:995 41.38.167.179:995 118.161.37.101:995
106.51.48.170:50001 37.208.158.83:6883 67.69.166.79:2222 85.246.82.244:443 72.252.157.172:995 72.252.157.172:990
191.250.188.54:443 81.215.196.174:443 63.143.92.99:995 187.251.132.144:22 186.106.219.136:443 68.204.7.158:443
103.116.178.85:995 177.157.156.136:443 194.36.28.62:443 46.107.48.202:443 187.172.240.32:443 200.109.56.159:2222
5.32.41.45:443 5.193.138.70:2222 111.125.245.118:995 173.22.32.101:443 94.36.195.102:2222 76.23.237.163:995
92.184.97.99:443 120.61.2.22:443 43.248.68.33:2222 96.37.113.36:993 122.118.146.205:995 189.146.87.77:443
131.0.196.234:443 197.162.117.38:995 191.99.191.28:443 109.228.220.196:443 102.65.12.78:443 103.73.101.14:995

| Config field | Value |
|---|---|
| Version | 1027.688 |
| Campaign | 1652945863 (a Unix timestamp: 2022-05-19 07:37:43 UTC, the day before this analysis) |
| Botnet | AA |

Most entries in a Qbot C2 list are infected hosts acting as tier-1 proxies rather than attacker-controlled servers, so the list churns quickly. The port mix (443, 995, 2222, 993, plus a handful of unusual high ports) and the botnet and campaign tags are the more durable pivots.
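The configuration block above is a single flattened run, which is awkward to feed into a blocklist or a threat-intel platform. The following Python is an added example, not code from ANY.RUN or from the Qbot sample: it parses that layout into validated IP/port pairs, decodes the campaign ID as a Unix timestamp (a Qbot-specific convention), checks the parsed count against the declared one so a truncated dump is noticed, and emits CSV. `CONFIG_EXCERPT` is constructed from the report above (twelve of the 150 C2 entries plus the trailer); all other names are the example's own.

```python
"""Turn the flattened Qbot configuration run of a sandbox report into usable IOCs.

Added example, not ANY.RUN's or Qbot's code. CONFIG_EXCERPT is constructed from the
report above: twelve of its 150 C2 entries plus the Version/Campaign/Botnet trailer,
in the same "C2 (N)ip:port ip:port ... VersionX CampaignY BotnetZ" layout. The
campaign-ID-is-a-timestamp interpretation is Qbot-specific.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime, timezone

CONFIG_EXCERPT = (
    "C2 (150)108.60.213.141:443 89.211.185.1:2222 91.177.173.10:995 "
    "121.7.223.59:2222 70.46.220.114:443 45.241.215.15:993 "
    "187.207.131.50:61202 75.99.168.194:61201 75.99.168.194:443 "
    "117.248.109.38:21 196.203.37.215:80 31.215.185.244:1194 "
    "Version1027.688 Campaign1652945863 BotnetAA"
)

C2_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")
COUNT_RE = re.compile(r"C2 \((\d+)\)")
VERSION_RE = re.compile(r"Version(\d+\.\d+)")
CAMPAIGN_RE = re.compile(r"Campaign(\d{9,10})")
BOTNET_RE = re.compile(r"Botnet([A-Za-z0-9]+)")


def parse_c2(text):
    """Validated (ip, port) pairs; regex hits that are not routable addresses are dropped."""
    pairs = []
    for ip, port in C2_RE.findall(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # 999.1.1.1 matches the regex but is not an address
        p = int(port)
        if addr.is_private or addr.is_loopback or not 0 < p < 65536:
            continue
        pairs.append((str(addr), p))
    return pairs


def parse_config(text):
    c2 = parse_c2(text)
    count = COUNT_RE.search(text)
    version = VERSION_RE.search(text)
    campaign = CAMPAIGN_RE.search(text)
    botnet = BOTNET_RE.search(text)
    camp_id = int(campaign.group(1)) if campaign else None
    return {
        "c2": c2,
        "declared_c2_count": int(count.group(1)) if count else None,
        "parsed_c2_count": len(c2),
        "ports": Counter(port for _, port in c2),
        "version": version.group(1) if version else None,
        "campaign": camp_id,
        # Qbot campaign IDs are Unix timestamps; here 2022-05-19, the day before the analysis.
        "campaign_utc": datetime.fromtimestamp(camp_id, tz=timezone.utc).isoformat() if camp_id else None,
        "botnet": botnet.group(1) if botnet else None,
    }


def config_complete(cfg):
    """False when the text was truncated (or the regex missed entries) versus the declared count."""
    return cfg["declared_c2_count"] is not None and cfg["declared_c2_count"] == cfg["parsed_c2_count"]


def to_csv(cfg):
    """One row per C2 with botnet and campaign so the IOC can be attributed later."""
    rows = ["ip,port,botnet,campaign"]
    rows += [f"{ip},{port},{cfg['botnet']},{cfg['campaign']}" for ip, port in cfg["c2"]]
    return "\n".join(rows)


if __name__ == "__main__":
    cfg = parse_config(CONFIG_EXCERPT)
    print(cfg["campaign_utc"], cfg["ports"].most_common(3), "complete:", config_complete(cfg))
    print(to_csv(cfg))
```

Run against the excerpt, `config_complete` returns False because only 12 of the declared 150 entries are present, which is exactly the check you want when pasting a config dump that a report page may have cut off. The private/loopback filter matters because Qbot strings also contain `127.0.0.1` (from the `ping.exe -n 6 127.0.0.1` delay trick) and a naive regex would turn it into an IOC.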
Registry writes

| (PID) Process | Key | Operation | Name | Value |
|---|---|---|---|---|
| (3868) explorer.exe | HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt | write | 9abda0b5 | 78FD41573BD99A1F72AB7870315B0E3453028C2CB868FED0AF9ED99462BC4217A1D271A8EA0356DF43535841214A5F0FFC6490664BB2D686 |
| (3868) explorer.exe | HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt | write | af2270fb | 1671B1CB492C5556C055EBE1070186F4539120B65789D71DB758F7249231D7EFE81C8ECAE56FBF12EB97D74FCE28A7C64420349CAD704EF46C08C28785325DA04EC55E6E8CDFA42531F0946B3321C8CB01D1E8F360D47B846A3463E7919A5EE78CEB4A7EF37FE781B04F1E724F76D4D471D962C1AF767DCD901BB854F670DB2AAFDA7EC62D66B8100666C6C42D912507FAFC5C6C86059C6523A7917E99DBC84F0152E8C16D170DA625DEE8DB4EFDD0BAFE8AC174238FCFCE5B284F9E110924B2CA4C60EE9A086EC4EA53370598DCA4606D |
| (3868) explorer.exe | HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt | write | ad635087 | 3F5FCA242F6BC310CEAAC572F217631E80818206CC63DD11A011436B60540631896528F881B58F8D7524A62F733EFFF1B65DEC863701EF377DB32346C7CAEBF22254622CA4CA2148A5E14D101F2C82D3E373B8F7A28CCE6187EAD42B23EA18A1DBE81CA2 |
| (3868) explorer.exe | HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt | write | 15df37e2 | B713E0E0E8A1F46224E8E96656AEB48CB16FB37C10DDF57BC9E2BA44012409C924B05210D64AFCB609BC5C |
| (3868) explorer.exe | HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt | write | 68d77868 | FDAA9851894C4F9EDDE566C238A829AC7D067B43784036B67ED14F73523A690DA110E0822121380F4474A045F950DFA5F4E571D81A3BCB4FC46D8D17CE5B0104C618671B46604225C4157F1D8E2C771823C93812AC68E744F8CD1B185F4C90181B |
| (3868) explorer.exe | HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt | write | d06b1f0d | AD659A1C35157F491BFA6C5D5B9329BE52522392BC1E5EA22C4E1317AC8AAFA82D2B77C6901735FBCC06F5399FAF61D3F005B0319A198178E5B939362F98C9D3FD8BFE4DE91FFF0E3F3018A7FAC315D2389211532683CF1C7B58608894E81C4B |
| (3868) explorer.exe | HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt | write | 179e179e | 18D68B559E54BB0A9C821576418B7B92AAA117E47E6BE147A40EF6C8A0FA223B37FB4E249371D2480F29E54823A6A221329EF6424F46D87A19FE0794B298D319B418155A4366B3FE |
| (3868) explorer.exe | HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt | write | e5f4cf43 | 2BF73CCC9ED9C700D708F5D28211873DDE7DD93558AF6796436756F202AE4D70E074748CB258856424 |
| (3868) explorer.exe | HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt | write | 9abda0b5 | 78FD56573BD9AF68E2E8B224399AEC08954AA6912B0083D95911E70CC8377942D4EC0D3FEECDEC230CD8B164A163762742B72E187D4E6D08D27D035F5E8C4C61A83C0095B69099EBCE0C386560 |

This is Qbot's runtime configuration store: a randomly named subkey directly under HKCU\Software\Microsoft, one value per configuration item, with 8-hex-digit value names and encrypted binary data. The subkey name (`Ytfovlymmxqrt`) is generated per infection, so it is not a reusable indicator; the shape of the key is. Note that `9abda0b5` is written twice with different contents, the second time with a longer blob, which is the kind of update you should expect as the bot refreshes its state.
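Because the subkey name changes with every infection, a detection has to key on structure rather than on the string `Ytfovlymmxqrt`. The Python below is an added example, not ANY.RUN's or Qbot's code: it scores registry-write events on three independent signals (an unknown subkey directly under HKCU\Software\Microsoft, an 8-hex-digit value name, and a binary payload with high byte entropy) and only reports events that trip at least two of them. The first two records in `EVENTS` are copied from the table above; the other two are constructed benign controls, and `KNOWN_SUBKEYS` and the 4.5 bits/byte threshold are assumptions for illustration that a real deployment would replace with a fleet baseline.

```python
"""Flag registry writes shaped like Qbot's configuration storage: a randomly named
subkey directly under HKCU\\Software\\Microsoft holding 8-hex-digit value names with
opaque binary data.

Added example, not ANY.RUN's or Qbot's code. EVENTS is constructed: the first two
records copy rows from the registry table above, the remaining two are benign
controls. KNOWN_SUBKEYS and the entropy threshold are assumptions for illustration.
"""
import math
import re

HEX_NAME = re.compile(r"^[0-9a-f]{8}$")
SINGLE_SUBKEY = re.compile(r"^HKEY_CURRENT_USER\\Software\\Microsoft\\([^\\]+)$", re.IGNORECASE)

# Assumed baseline: subkeys that legitimately live directly under HKCU\Software\Microsoft.
KNOWN_SUBKEYS = {"windows", "windows nt", "office", "internet explorer", "ime", "wab"}

EVENTS = [
    {"process": "(3868) explorer.exe", "key": r"HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt",
     "name": "9abda0b5",
     "value": "78FD41573BD99A1F72AB7870315B0E3453028C2CB868FED0AF9ED99462BC4217A1D271A8EA0356DF43535841214A5F0FFC6490664BB2D686"},
    {"process": "(3868) explorer.exe", "key": r"HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt",
     "name": "e5f4cf43",
     "value": "2BF73CCC9ED9C700D708F5D28211873DDE7DD93558AF6796436756F202AE4D70E074748CB258856424"},
    {"process": "(1200) explorer.exe", "key": r"HKEY_CURRENT_USER\Software\Microsoft\Office",  # control
     "name": "LastUser", "value": "admin"},
    {"process": "(1200) explorer.exe",  # control: deeper path, out of scope for this rule
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "name": "Hidden", "value": "01000000"},
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is uniform random, plain ASCII configuration text is usually below 4.5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def decode_value(value: str) -> bytes:
    """Sandbox reports print REG_BINARY data as hex; anything else is treated as a string."""
    try:
        return bytes.fromhex(value)
    except ValueError:
        return value.encode()


def score_event(ev):
    """Return the reasons this write looks like config storage; an empty list means not flagged."""
    m = SINGLE_SUBKEY.match(ev["key"])
    if not m:
        return []  # deeper paths such as ...\CurrentVersion\Run need their own rule
    reasons = []
    subkey = m.group(1)
    if subkey.lower() not in KNOWN_SUBKEYS:
        reasons.append(f"unknown subkey {subkey} directly under HKCU\\Software\\Microsoft")
    if HEX_NAME.match(ev["name"].lower()):
        reasons.append("value name is an 8-hex-digit token")
    blob = decode_value(ev["value"])
    ent = shannon_entropy(blob)
    if len(blob) >= 16 and ent >= 4.5:
        reasons.append(f"{len(blob)}-byte blob with {ent:.2f} bits/byte of entropy")
    return reasons


def detect(events, min_reasons=2):
    """Require at least two independent signals so a lone unknown subkey does not page anyone."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= min_reasons:
            hits.append((ev["key"], ev["name"], reasons))
    return hits


if __name__ == "__main__":
    for key, name, reasons in detect(EVENTS):
        print(key, name)
        for r in reasons:
            print("   ", r)
```

Both rows taken from the report trip all three signals (the 56-byte `9abda0b5` blob measures about 5.7 bits/byte), while the `Office` control and the deeper `Explorer\Advanced` path produce nothing. In production the two-signal minimum is what keeps the rule quiet on installers that create their own subkey under HKCU\Software\Microsoft with ordinary string values.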
Files written

| PID | Process | Filename | Type |
|---|---|---|---|
| 3868 | explorer.exe | C:\Users\admin\AppData\Local\Temp\b10812b2ee1a5776905dab0607ae87efca85602bd450f06f76ea12329b1e13da.exe | executable |
| | MD5: 2064AB980E4FADE3E6CCBA52E6F32843 SHA256: ECE51B5C22E75FB3DD3FB0CF9E2FC1207F2B8D6E696421375C9E65D39C874822 | | |

The injected explorer.exe writes back to the sample's own path, and the resulting file has different hashes from the sample (compare MD5 2064AB98... here with 25148C6A... in the file summary). In other words the dropper is replaced once it has run, which matches the `ping.exe -n 6 127.0.0.1 & type "%s\System32\calc.exe" > "%s"` template in the string dump that overwrites a file with a copy of calc.exe after a short delay. The report does not show that command executing, so treat the calc.exe explanation as the likely cause rather than a confirmed one; what the page does establish is that the file at the original path is no longer the sample, and a responder who collects it from disk will not get the loader.
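The process tree and the file write above suggest four process-level detections that do not depend on file hashes. The Python below is an added example, not ANY.RUN's or Qbot's code, scoring process-creation records: rundll32 given a non-`.dll` file or an ordinal export, explorer.exe with an unexpected parent, a scheduled task created as NT AUTHORITY\SYSTEM with an integer task name, and the calc.exe overwrite. Records 3940 and 3868 in `EVENTS` mirror the process table on this page; the schtasks and cmd records are constructed by filling in the command templates from the string dump (the task name, the regsvr32 target path and the PIDs are hypothetical), and the last two are benign controls. `EXPLORER_PARENTS` is an assumed baseline.

```python
"""Detection logic over process-creation records for the behaviours in this report:
rundll32 loading an .exe-named DLL by ordinal, explorer.exe spawned by rundll32,
a SYSTEM scheduled task, and the calc.exe self-overwrite.

Added example, not ANY.RUN's or Qbot's code. EVENTS is constructed: records 3940 and
3868 mirror the process table above; the schtasks and cmd records instantiate the
command templates from the string dump (task name, PIDs and the regsvr32 target path
are hypothetical); the last two are benign controls. EXPLORER_PARENTS is an assumed
baseline.
"""
import re

SAMPLE = r"C:\Users\admin\AppData\Local\Temp\b10812b2ee1a5776905dab0607ae87efca85602bd450f06f76ea12329b1e13da.exe"

EVENTS = [
    {"pid": 3940, "image": "rundll32.exe", "parent": "Explorer.EXE",
     "cmd": f'"C:\\Windows\\System32\\rundll32.exe" "{SAMPLE}", #1'},
    {"pid": 3868, "image": "explorer.exe", "parent": "rundll32.exe",
     "cmd": r"C:\Windows\explorer.exe"},
    {"pid": 4012, "image": "schtasks.exe", "parent": "explorer.exe",  # constructed from the ONSTART template
     "cmd": r'schtasks.exe /Create /RU "NT AUTHORITY\SYSTEM" /SC ONSTART /TN 3153 /TR "regsvr32.exe -s C:\Users\admin\AppData\Local\Temp\example.dll" /NP /F'},
    {"pid": 4020, "image": "cmd.exe", "parent": "explorer.exe",  # constructed from the ping/type template
     "cmd": f'cmd /c ping.exe -n 6 127.0.0.1 & type "C:\\Windows\\System32\\calc.exe" > "{SAMPLE}"'},
    {"pid": 1500, "image": "rundll32.exe", "parent": "explorer.exe",  # benign control
     "cmd": r"rundll32.exe shell32.dll,Control_RunDLL hotplug.dll"},
    {"pid": 1200, "image": "explorer.exe", "parent": "userinit.exe",  # benign control
     "cmd": r"C:\Windows\Explorer.EXE"},
]

RUNDLL_ARGS = re.compile(r'rundll32\.exe"?\s+"?([^",]+?)"?\s*,\s*(#?\w+)', re.IGNORECASE)
SCHTASKS_SYSTEM = re.compile(r'/Create\b.*?/RU\s+"?NT AUTHORITY\\SYSTEM"?.*?/TN\s+(\S+)', re.IGNORECASE)
CALC_OVERWRITE = re.compile(r'type\s+"[^"]*\\System32\\calc\.exe"\s*>\s*"([^"]+)"', re.IGNORECASE)
EXPLORER_PARENTS = {"userinit.exe", "winlogon.exe", "explorer.exe"}  # assumption


def score(ev):
    """Reasons an event is suspicious; an empty list means it passed."""
    reasons = []
    image, cmd = ev["image"].lower(), ev["cmd"]
    if image == "rundll32.exe":
        m = RUNDLL_ARGS.search(cmd)
        if m:
            module, entry = m.group(1), m.group(2)
            if not module.lower().endswith(".dll"):
                reasons.append(f"rundll32 loading a non-.dll file: {module}")
            if entry.startswith("#"):
                reasons.append(f"rundll32 calling an export by ordinal {entry}")
    if image == "explorer.exe" and ev["parent"].lower() not in EXPLORER_PARENTS:
        reasons.append(f"explorer.exe spawned by {ev['parent']} (injection host candidate)")
    if image == "schtasks.exe":
        m = SCHTASKS_SYSTEM.search(cmd)
        if m:
            reasons.append("scheduled task created to run as NT AUTHORITY\\SYSTEM")
            if m.group(1).isdigit():
                reasons.append(f"integer task name {m.group(1)} (the ONSTART template uses /TN %u)")
    m = CALC_OVERWRITE.search(cmd)
    if m:
        reasons.append(f"calc.exe copied over {m.group(1)} (dropper self-overwrite)")
    return reasons


def detect(events):
    hits = []
    for ev in events:
        reasons = score(ev)
        if reasons:
            hits.append((ev["pid"], reasons))
    return hits


if __name__ == "__main__":
    for pid, reasons in detect(EVENTS):
        print(pid, "; ".join(reasons))
```

The rundll32 rule fires on the sandbox's own launch line, which is fine for hunting in telemetry but means an analyst running samples this way will generate hits; the explorer.exe parent rule is the one that carries over to real infections regardless of how the DLL was loaded, because the bot must spawn its injection host somewhere. The calc.exe rule is narrow by design: it matches the exact template from the string dump and nothing else.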