File name: b10812b2ee1a5776905dab0607ae87efca85602bd450f06f76ea12329b1e13da

Full analysis: https://app.any.run/tasks/2e5980ca-089e-42bd-bb7d-3d6fa5c832e4
Verdict: Malicious activity
Threats:

Qbot is a banking Trojan: malware built to steal banking credentials and other information from victims. It mostly targets organizations in the US and combines sophisticated evasion and information-stealing functions with worm-like spreading and a strong persistence mechanism.

Analysis date: May 20, 2022, 16:19:03
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
qbot
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5: 25148C6A350D5052BEE981DA0E7C70A6
SHA1: A3F3E16804319D0B45739A5632240FB9C1AC5715
SHA256: B10812B2EE1A5776905DAB0607AE87EFCA85602BD450F06F76EA12329B1E13DA
SSDEEP: 12288:TEujXx7EZyZCW10lLz/UzWxXhdzHbFsFKa9hAUsifQuVL:YOFEV8KvHe5hYiJ1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report can be distorted by user actions and is provided as is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops executable file immediately after starts

      • explorer.exe (PID: 3868)
    • QBOT detected by memory dumps

      • explorer.exe (PID: 3868)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • explorer.exe (PID: 3868)
    • Drops a file with a compile date too recent

      • explorer.exe (PID: 3868)
  • INFO

    • Checks supported languages

      • rundll32.exe (PID: 3940)
      • explorer.exe (PID: 3868)
    • Loads main object executable

      • rundll32.exe (PID: 3940)
    • Reads the computer name

      • explorer.exe (PID: 3868)
      • rundll32.exe (PID: 3940)

Qbot

Process: (3868) explorer.exe
Strings (179):
ipconfig /all
ProfileImagePath
/t4
ERROR: GetModuleFileNameW() failed with error: %u
schtasks.exe /Create /RU "NT AUTHORITY\SYSTEM" /SC ONSTART /TN %u /TR "%s" /NP /F
/c ping.exe -n 6 127.0.0.1 & type "%s\System32\calc.exe" > "%s"
ERROR: GetModuleFileNameW() failed with error: ERROR_INSUFFICIENT_BUFFER
net share
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
nltest /domain_trusts /all_trusts
%s %04x.%u %04x.%u res: %s seh_test: %u consts_test: %d vmdetected: %d createprocess: %d
net localgroup
powershell.exe
Self check
Self test OK.
102
qwinsta
%s "$%s = \"%s\"; & $%s"
jHxastDcds)oMc=jvh7wdUhxcsdt2
route print
.lnk
arp -a
error res='%s' err=%d len=%u
amstream.dll
schtasks.exe /Delete /F /TN %u
whoami /all
nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%s
\System32\WindowsPowerShell\v1.0\powershell.exe
"%s\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn %s /tr "%s" /SC ONCE /Z /ST %02u:%02u /ET %02u:%02u
103
c:\ProgramData
at.exe %u:%u "%s" /I
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
SELF_TEST_1
net view /all
Self check ok!
netstat -nao
ProgramData
\System32\WindowsPowerShel1\v1.0\powershel1.exe
cmd /c set
Self test FAILED!!!
regsvr32.exe -s
Microsoft
%s \"$%s = \\\"%s\\\\; & $%s\"
1234567890
%SystemRoot%\SysWOW64\msra.exe
.dll
abcdefghijklmnopqrstuvwxyz
coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
%SystemRoot%\System32\mobsync.exe
advapi32.dll
Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0
Win32_Product
System32
winsta0\default
C:\INTERNAL\__empty
WScript.Sleep %u Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2") Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process") errReturn = objProcess.Create("%s", null, nul, nul) WSCript.Sleep 2000 Set fso = CreateObject("Scripting.FileSystemObject")...
urlmon.dll
%ProgramFiles(x86)%\Internet Explorer\iexplore.exe
.dat
open
setupapi.dll
t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
%SystemRoot%\System32\xwizard.exe
LastBootUpTime
fmon.exe
SELECT * FROM AntiVirusProduct
aabcdeefghiijklmnoopqrstuuvwxyyz
shlwapi.dll
%SystemRoot%\SysWOW64\explorer.exe
.exe
ntdll.dll
user32.dll
select
SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
Win32_PhysicalMemory
frida-winjector-helper-32.exe;frida-winjector-helper-64.exe;tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe;qak_proxy;dumpcap.exe;CFF Explorer.exe;not_rundll32.exe;ProcessHacker.exe;tcpview.exe;filemon.exe;procmon.exe;idaq64.exe;PETools.ex...
vbs
wpcap.dll
Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
%ProgramFiles%\Internet Explorer\iexplore.exe
Win32_PnPEntity
%SystemRoot%\explorer.exe
Win32_DiskDrive
crypt32.dll
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2") Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process") errReturn = objProcess.Create("%s", null, nul, nul)
wbj.go
%SystemRoot%\System32\msra.exe
%SystemRoot%\SysWOW64\xwizard.exe
AvastSvc.exe
%SystemRoot%\SysWOW64\mobsync.exe
%SystemRoot%\SysWOW64\OneDriveSetup.exe
ALLUSERSPROFILE
FALSE
SAVAdminService.exe;SavService.exe
c:\hiberfil.sysss
wininet.dll
WQL
Win32_Bios
cmd.exe
ccSvcHst.exe
SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
iphlpapi.dll
image/gif
Win32_Process
Content-Type: application/x-www-form-urlencoded
fshoster32.exe
aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
MBAMService.exe;mbamgui.exe
avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
image/pjpeg
\\.\pipe\
.cfg
NTUSER.DAT
SystemRoot
ROOT\CIMV2
Winsta0
shell32.dll
SpyNetReporting
Initializing database...
rundll32.exe
SubmitSamplesConsent
dwengine.exe;dwarkdaemon.exe;dwwatcher.exe
root\SecurityCenter2
ByteFence.exe
image/jpeg
Caption
%SystemRoot%\System32\OneDriveSetup.exe
mpr.dll
c:\\
MsMpEng.exe
from
Win32_ComputerSystem
SysWOW64
\sf2.dll
snxhk_border_mywnd
TRUE
SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
*/*
%SystemRoot%\SysWOW64\explorer.exe
wmic process call create 'expand "%S" "%S"'
mcshield.exe
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2") Set colFiles = objWMIService.ExecQuery("Select * From CIM_DataFile Where Name = '%s'") For Each objFile in colFiles objFile.Copy("%s") Next
Create
bdagent.exe;vsserv.exe;vsservppl.exe
avp.exe;kavtray.exe
CommandLine
https
%S.%06d
LocalLow
WRSA.exe
aswhooka.dll
SOFTWARE\Microsoft\Windows Defender\SpyNet
netapi32.dll
application/x-shockwave-flash
%s\system32\
SELECT * FROM Win32_Processor
reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
ws2_32.dll
displayName
aswhookx.dll
cscript.exe
type=0x%04X
S:(ML;;NW;;;LW)
{%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
userenv.dll
SELECT * FROM Win32_OperatingSystem
Packages
SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
WBJ_IGNORE
%SystemRoot%\explorer.exe
Software\Microsoft
kernel32.dll
Name
egui.exe;ekrn.exe
vkise.exe;isesrv.exe;cmdagent.exe
wtsapi32.dll
Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status
Salt: jHxastDcds)oMc=jvh7wdUhxcsdt2
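The strings above are the host-discovery commands and the SYSTEM scheduled-task persistence Qbot runs once it is resident. The following is an added example (not part of the ANY.RUN report) showing how a detection engineer would turn that list into a rule: process-creation events are constructed here in a Sysmon-like (time, parent PID, parent image, command line) shape, the command lines are the ones the report lists, and the DLL path in the schtasks line is a placeholder rather than anything observed in this sample.

```python
"""Detect the discovery burst and the SYSTEM scheduled-task persistence
whose command lines appear in the Qbot strings block.

Added example, not part of the ANY.RUN report: the events below are
constructed; only the command-line patterns come from the report.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands copied from the report's strings. Qbot fires them as a
# batch from the injected process; a human admin rarely runs five or more
# distinct ones from the same parent inside a minute.
RECON_PATTERNS = [
    r"\bipconfig\s+/all",
    r"\bnet\s+view\s+/all",
    r"\bnet\s+share\b",
    r"\bnet\s+localgroup\b",
    r"\bnltest\s+/domain_trusts",
    r"\bwhoami\s+/all",
    r"\bqwinsta\b",
    r"\barp\s+-a\b",
    r"\broute\s+print",
    r"\bnetstat\s+-nao",
    r"\bnslookup\s+-querytype=ALL\b.*_ldap\._tcp\.dc\._msdcs\.",
]
RECON_RE = [re.compile(p, re.IGNORECASE) for p in RECON_PATTERNS]

# Both schtasks variants in the strings run the task as SYSTEM, either at
# boot (/SC ONSTART) or once at a fixed time (/SC ONCE).
PERSIST_RE = re.compile(
    r'schtasks(?:\.exe)?"?\s+/Create\s+/RU\s+"NT AUTHORITY\\SYSTEM".*?/SC\s+ON(?:START|CE)\b',
    re.IGNORECASE,
)


def recon_matches(cmdline):
    """Indices of RECON_PATTERNS matched by one command line."""
    return {i for i, rx in enumerate(RECON_RE) if rx.search(cmdline)}


def find_recon_bursts(events, window=timedelta(seconds=60), threshold=5):
    """Report every parent that launched `threshold` or more distinct
    discovery commands within `window`. events: (ts, ppid, pimage, cmd)."""
    by_parent = defaultdict(list)
    for ts, ppid, pimage, cmd in events:
        hits = recon_matches(cmd)
        if hits:
            by_parent[(ppid, pimage)].append((ts, hits))
    alerts = []
    for (ppid, pimage), hits in by_parent.items():
        hits.sort(key=lambda h: h[0])
        for i, (start, _) in enumerate(hits):      # sliding window
            distinct = set()
            for ts, h in hits[i:]:
                if ts - start > window:
                    break
                distinct |= h
            if len(distinct) >= threshold:
                alerts.append({"parent_pid": ppid, "parent_image": pimage,
                               "distinct_commands": len(distinct),
                               "first_seen": start})
                break
    return alerts


def find_system_tasks(events):
    """Command lines that create a scheduled task running as SYSTEM."""
    return [(ts, ppid, cmd) for ts, ppid, _, cmd in events if PERSIST_RE.search(cmd)]


# Constructed sample: PID 3868 / explorer.exe is the injected process from the
# report; the DLL path in the schtasks line is a placeholder, not from the report.
T0 = datetime(2022, 5, 20, 16, 19, 30)
EXPLORER = (3868, r"C:\Windows\explorer.exe")
SAMPLE_EVENTS = [
    (T0, *EXPLORER, "ipconfig /all"),
    (T0 + timedelta(seconds=2), *EXPLORER, "net view /all"),
    (T0 + timedelta(seconds=3), *EXPLORER, "nltest /domain_trusts /all_trusts"),
    (T0 + timedelta(seconds=5), *EXPLORER, "whoami /all"),
    (T0 + timedelta(seconds=6), *EXPLORER, "arp -a"),
    (T0 + timedelta(seconds=7), *EXPLORER, "route print"),
    (T0 + timedelta(seconds=20), *EXPLORER,
     'schtasks.exe /Create /RU "NT AUTHORITY\\SYSTEM" /SC ONSTART /TN 4711 '
     '/TR "regsvr32.exe -s C:\\ProgramData\\placeholder.dll" /NP /F'),
    # a human admin session: two commands ten minutes apart, no alert
    (T0 + timedelta(minutes=5), 1200, r"C:\Windows\System32\cmd.exe", "ipconfig /all"),
    (T0 + timedelta(minutes=15), 1200, r"C:\Windows\System32\cmd.exe", "netstat -nao"),
]

if __name__ == "__main__":
    for a in find_recon_bursts(SAMPLE_EVENTS):
        print("recon burst:", a)
    for ts, ppid, cmd in find_system_tasks(SAMPLE_EVENTS):
        print("SYSTEM task from", ppid, "at", ts, ":", cmd)
```

The burst rule keys on the parent, not on any single command, because each command on its own is routine; the schtasks rule is narrow on purpose (the /RU "NT AUTHORITY\SYSTEM" argument is what makes the persistence notable).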
C2 (150):
108.60.213.141:443
89.211.185.1:2222
91.177.173.10:995
121.7.223.59:2222
70.46.220.114:443
124.40.244.118:2222
37.34.253.233:443
172.115.177.204:2222
175.145.235.37:443
176.67.56.94:443
41.228.22.180:443
2.34.12.8:443
67.209.195.198:443
118.161.37.101:443
45.241.215.15:993
140.82.49.12:443
182.191.92.203:995
187.207.131.50:61202
74.14.7.71:2222
172.114.160.81:995
2.50.4.57:443
24.178.196.158:2222
32.221.224.140:995
113.53.145.118:443
120.150.218.241:995
93.48.80.198:995
80.11.74.81:2222
38.70.253.226:2222
148.64.96.100:443
119.158.103.16:995
95.12.16.233:443
103.246.242.202:443
75.99.168.194:61201
75.99.168.194:443
5.54.49.78:995
39.49.44.239:995
179.145.13.69:32101
197.89.8.179:443
208.107.221.224:443
83.110.94.23:443
173.174.216.62:443
181.208.248.227:443
217.128.122.65:2222
39.44.46.206:995
186.90.153.162:2222
86.98.208.214:2222
47.23.89.60:993
31.215.69.115:443
76.70.9.169:2222
148.0.15.41:443
92.132.172.197:2222
39.44.66.76:995
140.82.63.183:995
140.82.63.183:443
144.202.3.39:995
149.28.238.199:443
45.63.1.12:443
144.202.2.175:443
45.76.167.26:443
45.76.167.26:995
149.28.238.199:995
144.202.3.39:443
45.63.1.12:995
144.202.2.175:995
39.52.94.22:995
117.248.109.38:21
217.165.109.187:993
31.215.185.244:2222
113.89.6.31:995
174.69.215.101:443
73.151.236.31:443
173.21.10.71:2222
76.25.142.196:443
39.33.216.128:995
67.165.206.193:993
189.223.134.157:443
190.252.242.69:443
82.41.63.217:443
187.208.122.239:443
47.157.227.70:443
102.182.232.3:995
69.14.172.24:443
200.148.9.225:32101
24.139.72.117:443
72.76.94.99:443
40.134.246.185:995
100.1.108.246:443
24.55.67.176:443
79.80.80.29:2222
179.158.105.44:443
45.46.53.140:2222
70.51.137.64:2222
41.84.236.153:995
197.92.130.121:443
81.129.112.49:2078
86.195.158.178:2222
109.12.111.14:443
82.152.39.39:443
187.16.64.194:2222
79.129.121.68:995
41.84.233.96:443
201.172.23.68:2222
196.203.37.215:80
103.107.113.82:443
90.120.65.153:2078
180.129.108.214:995
183.82.103.213:443
84.241.8.23:32103
31.215.185.244:1194
203.122.46.130:443
197.165.163.159:995
37.186.54.254:995
41.38.167.179:995
118.161.37.101:995
106.51.48.170:50001
37.208.158.83:6883
67.69.166.79:2222
85.246.82.244:443
72.252.157.172:995
72.252.157.172:990
191.250.188.54:443
81.215.196.174:443
63.143.92.99:995
187.251.132.144:22
186.106.219.136:443
68.204.7.158:443
103.116.178.85:995
177.157.156.136:443
194.36.28.62:443
46.107.48.202:443
187.172.240.32:443
200.109.56.159:2222
5.32.41.45:443
5.193.138.70:2222
111.125.245.118:995
173.22.32.101:443
94.36.195.102:2222
76.23.237.163:995
92.184.97.99:443
120.61.2.22:443
43.248.68.33:2222
96.37.113.36:993
122.118.146.205:995
189.146.87.77:443
131.0.196.234:443
197.162.117.38:995
191.99.191.28:443
109.228.220.196:443
102.65.12.78:443
103.73.101.14:995
Version: 1027.688
Campaign: 1652945863 (a Unix timestamp, 2022-05-19 07:37:43 UTC, roughly a day before this analysis)
Botnet: AA
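The C2 list is the most directly actionable part of the configuration. The code below is an added example (not part of the ANY.RUN report) of how to consume it: it validates a subset of the entries copied from the list above, summarizes the port mix, and matches constructed connection records against it, flagging both exact host:port hits and listed hosts seen on other ports.

```python
"""Turn the extracted C2 list into a lookup set and match it against
connection records. Added example, not part of the ANY.RUN report: the
C2 entries are a subset copied from the report, the flows are constructed."""
import ipaddress
from collections import Counter

C2_TEXT = """
108.60.213.141:443
89.211.185.1:2222
91.177.173.10:995
45.241.215.15:993
187.207.131.50:61202
75.99.168.194:61201
75.99.168.194:443
140.82.63.183:995
140.82.63.183:443
117.248.109.38:21
196.203.37.215:80
31.215.185.244:1194
31.215.185.244:2222
187.251.132.144:22
"""


def parse_c2_list(text):
    """Return a set of (ip, port), validating every line as IPv4:port so a
    typo in a hand-maintained blocklist fails loudly instead of silently."""
    entries = set()
    for line in text.split():
        host, sep, port = line.rpartition(":")
        if not sep:
            raise ValueError(f"missing port in {line!r}")
        ip = ipaddress.IPv4Address(host)        # raises on garbage
        port = int(port)
        if not 0 < port < 65536:
            raise ValueError(f"bad port in {line!r}")
        entries.add((str(ip), port))
    return entries


def port_profile(entries):
    """Entries per port. Qbot mixes 443/995/993/2222 with odd ports
    (21, 22, 80, 1194, 61201...), so a port filter alone is not enough."""
    return Counter(port for _, port in entries)


def match_flows(flows, entries):
    """flows: iterable of (src_ip, dst_ip, dst_port).
    Exact (ip, port) hits are high confidence. A listed IP on an unlisted
    port is still worth a look: the report's own list carries the same IP
    on several ports (75.99.168.194, 140.82.63.183, 31.215.185.244)."""
    hosts = {ip for ip, _ in entries}
    exact, host_only = [], []
    for src, dst, dport in flows:
        if (dst, dport) in entries:
            exact.append((src, dst, dport))
        elif dst in hosts:
            host_only.append((src, dst, dport))
    return exact, host_only


# Constructed flow records: (internal source, destination, destination port).
SAMPLE_FLOWS = [
    ("10.0.0.15", "108.60.213.141", 443),
    ("10.0.0.15", "140.82.63.183", 8443),
    ("10.0.0.15", "8.8.8.8", 53),
    ("10.0.0.22", "31.215.185.244", 1194),
]

if __name__ == "__main__":
    c2 = parse_c2_list(C2_TEXT)
    print(port_profile(c2).most_common())
    exact, host_only = match_flows(SAMPLE_FLOWS, c2)
    print("exact:", exact)
    print("host only:", host_only)
```

Most of the listed addresses are residential ranges (infected hosts acting as proxies), so treat the list as time-limited: good for hunting in flow logs from the campaign window, poor as a permanent perimeter block.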

TRiD

.exe | Win32 Executable Delphi generic (57.2)
.exe | Win32 Executable (generic) (18.2)
.exe | Win16/32 Executable Delphi generic (8.3)
.exe | Generic Win/DOS Executable (8)
.exe | DOS Executable Generic (8)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x5a584
UninitializedDataSize: -
InitializedDataSize: 205824
CodeSize: 366080
LinkerVersion: 2.25
PEType: PE32
TimeStamp: 1992:06:20 00:22:17+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 19-Jun-1992 22:22:17
Detected languages:
  • English - United States

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0050
Pages in file: 0x0002
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x000F
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x001A
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000100

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 19-Jun-1992 22:22:17
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_BYTES_REVERSED_HI
  • IMAGE_FILE_BYTES_REVERSED_LO
  • IMAGE_FILE_DLL
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
CODE | 0x00001000 | 0x000595B8 | 0x00059600 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.51125
DATA | 0x0005B000 | 0x00001928 | 0x00001A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.42846
BSS | 0x0005D000 | 0x00000E3D | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
.idata | 0x0005E000 | 0x000021D2 | 0x00002200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.04256
.reloc | 0x00061000 | 0x00006C44 | 0x00006E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 6.62999
.rsrc | 0x00068000 | 0x00027A00 | 0x00027A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 7.35268

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 3.85232 | 744 | UNKNOWN | English - United States | RT_ICON
2 | 2.80231 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR
3 | 3.00046 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR
4 | 2.56318 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR
5 | 2.6949 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR
6 | 2.62527 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR
7 | 2.91604 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR
4078 | 3.12374 | 876 | UNKNOWN | UNKNOWN | RT_STRING
4079 | 3.15437 | 944 | UNKNOWN | UNKNOWN | RT_STRING
4080 | 3.28468 | 644 | UNKNOWN | UNKNOWN | RT_STRING

Imports

advapi32.dll
comctl32.dll
gdi32.dll
kernel32.dll
oleaut32.dll
user32.dll
version.dll
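Two facts in the static section deserve a second look: the link timestamp (19-Jun-1992 22:22:17, 0x2A425E19) is the fixed value Delphi-linked binaries carry, so it dates the toolchain and not the build, and .rsrc is the highest-entropy section at 7.35 bits per byte while making up over a quarter of the file. The block below is an added example (not part of the ANY.RUN report) that implements those two checks: the section records are transcribed from the table above, the byte buffers fed to the entropy function are constructed.

```python
"""Triage checks over the PE facts in the report's header tables: section
entropy and the link timestamp.

Added example, not part of the ANY.RUN report. REPORT_SECTIONS is transcribed
from the section table; sample byte buffers are constructed."""
import math
import os
from datetime import datetime, timezone

# 0x2A425E19 = 1992-06-19 22:22:17 UTC, the constant the Delphi linker writes.
DELPHI_SENTINEL = 0x2A425E19


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def decode_timestamp(ts: int):
    """(UTC datetime, True if it is the Delphi linker constant)."""
    return datetime.fromtimestamp(ts, tz=timezone.utc), ts == DELPHI_SENTINEL


# (name, virtual size, raw size, entropy) from the report's section table
REPORT_SECTIONS = [
    ("CODE",   0x000595B8, 0x00059600, 6.51125),
    ("DATA",   0x00001928, 0x00001A00, 4.42846),
    ("BSS",    0x00000E3D, 0x00000000, 0.0),
    (".idata", 0x000021D2, 0x00002200, 5.04256),
    (".reloc", 0x00006C44, 0x00006E00, 6.62999),
    (".rsrc",  0x00027A00, 0x00027A00, 7.35268),
]


def flag_sections(sections, threshold=7.0):
    """[(name, share of raw file)] for sections at or above `threshold`
    bits/byte. Plain code and tables sit around 5 to 6.5; a resource section
    near 7.4 that is over a quarter of the file is where a loader usually
    keeps its encrypted payload."""
    total_raw = sum(raw for _, _, raw, _ in sections) or 1
    return [(name, round(raw / total_raw, 2))
            for name, _, raw, ent in sections if ent >= threshold]


if __name__ == "__main__":
    when, sentinel = decode_timestamp(DELPHI_SENTINEL)
    print(when.isoformat(), "delphi sentinel:", sentinel)
    print("constant:", shannon_entropy(b"\x00" * 4096))
    print("random:  ", round(shannon_entropy(os.urandom(65536)), 3))
    print("flagged:", flag_sections(REPORT_SECTIONS))
```

The practical consequence for this sample: the "Drops a file with a compile date too recent" indicator applies to the dropped file, not to this DLL, whose header date is meaningless; and the .rsrc section is the first place to look for the embedded stage that ends up detected in explorer.exe's memory.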
Total processes: 34
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start -> rundll32.exe (no specs) -> explorer.exe (#QBOT)

The sample is loaded into rundll32.exe (PID 3940) by ordinal (#1); rundll32.exe then spawns a child explorer.exe (PID 3868), and that child is where the Qbot memory signature and every behavioral indicator above are raised.

Process information

PID: 3940
CMD: "C:\Windows\System32\rundll32.exe" "C:\Users\admin\AppData\Local\Temp\b10812b2ee1a5776905dab0607ae87efca85602bd450f06f76ea12329b1e13da.exe", #1
Path: C:\Windows\System32\rundll32.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3868
CMD: C:\Windows\explorer.exe
Path: C:\Windows\explorer.exe
Parent process: rundll32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 68
Read events: 59
Write events: 9
Delete events: 0

Modification events

Process: (3868) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt
Operation: write
Name: 9abda0b5
Value: 78FD41573BD99A1F72AB7870315B0E3453028C2CB868FED0AF9ED99462BC4217A1D271A8EA0356DF43535841214A5F0FFC6490664BB2D686

Process: (3868) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt
Operation: write
Name: af2270fb
Value: 1671B1CB492C5556C055EBE1070186F4539120B65789D71DB758F7249231D7EFE81C8ECAE56FBF12EB97D74FCE28A7C64420349CAD704EF46C08C28785325DA04EC55E6E8CDFA42531F0946B3321C8CB01D1E8F360D47B846A3463E7919A5EE78CEB4A7EF37FE781B04F1E724F76D4D471D962C1AF767DCD901BB854F670DB2AAFDA7EC62D66B8100666C6C42D912507FAFC5C6C86059C6523A7917E99DBC84F0152E8C16D170DA625DEE8DB4EFDD0BAFE8AC174238FCFCE5B284F9E110924B2CA4C60EE9A086EC4EA53370598DCA4606D

Process: (3868) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt
Operation: write
Name: ad635087
Value: 3F5FCA242F6BC310CEAAC572F217631E80818206CC63DD11A011436B60540631896528F881B58F8D7524A62F733EFFF1B65DEC863701EF377DB32346C7CAEBF22254622CA4CA2148A5E14D101F2C82D3E373B8F7A28CCE6187EAD42B23EA18A1DBE81CA2

Process: (3868) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt
Operation: write
Name: 15df37e2
Value: B713E0E0E8A1F46224E8E96656AEB48CB16FB37C10DDF57BC9E2BA44012409C924B05210D64AFCB609BC5C

Process: (3868) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt
Operation: write
Name: 68d77868
Value: FDAA9851894C4F9EDDE566C238A829AC7D067B43784036B67ED14F73523A690DA110E0822121380F4474A045F950DFA5F4E571D81A3BCB4FC46D8D17CE5B0104C618671B46604225C4157F1D8E2C771823C93812AC68E744F8CD1B185F4C90181B

Process: (3868) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt
Operation: write
Name: d06b1f0d
Value: AD659A1C35157F491BFA6C5D5B9329BE52522392BC1E5EA22C4E1317AC8AAFA82D2B77C6901735FBCC06F5399FAF61D3F005B0319A198178E5B939362F98C9D3FD8BFE4DE91FFF0E3F3018A7FAC315D2389211532683CF1C7B58608894E81C4B

Process: (3868) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt
Operation: write
Name: 179e179e
Value: 18D68B559E54BB0A9C821576418B7B92AAA117E47E6BE147A40EF6C8A0FA223B37FB4E249371D2480F29E54823A6A221329EF6424F46D87A19FE0794B298D319B418155A4366B3FE

Process: (3868) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt
Operation: write
Name: e5f4cf43
Value: 2BF73CCC9ED9C700D708F5D28211873DDE7DD93558AF6796436756F202AE4D70E074748CB258856424

Process: (3868) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt
Operation: write
Name: 9abda0b5
Value: 78FD56573BD9AF68E2E8B224399AEC08954AA6912B0083D95911E70CC8377942D4EC0D3FEECDEC230CD8B164A163762742B72E187D4E6D08D27D035F5E8C4C61A83C0095B69099EBCE0C386560
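All nine writes go to one randomly named key directly under HKCU\Software\Microsoft, with value names that are 8 lowercase hex characters and data that is an opaque binary blob; one value (9abda0b5) is written twice with different content. The block below is an added example (not part of the ANY.RUN report) that parses event text in the report's own Process/Key/Operation/Name/Value layout and flags that pattern. The first value is the report's, the next two are shortened copies, and the notepad.exe record is a made-up benign write included for contrast.

```python
"""Flag the registry storage pattern in the modification events: a randomly
named key under HKCU\\Software\\Microsoft receiving several values whose names
are 8 hex characters and whose data is an opaque binary blob.

Added example, not part of the ANY.RUN report. SAMPLE_EVENTS is constructed
in the report's layout; values other than the first are shortened copies."""
import re
from collections import defaultdict

KEY_RE = re.compile(r"^HKEY_CURRENT_USER\\Software\\Microsoft\\([A-Za-z]+)$")
VALUE_NAME_RE = re.compile(r"^[0-9a-f]{8}$")
HEX_BLOB_RE = re.compile(r"^(?:[0-9A-F]{2}){8,}$")      # at least 8 bytes of hex

SAMPLE_EVENTS = """\
(PID) Process:(3868) explorer.exe
Key:HKEY_CURRENT_USER\\Software\\Microsoft\\Ytfovlymmxqrt
Operation:write
Name:9abda0b5
Value:78FD41573BD99A1F72AB7870315B0E3453028C2CB868FED0AF9ED99462BC4217A1D271A8EA0356DF43535841214A5F0FFC6490664BB2D686
(PID) Process:(3868) explorer.exe
Key:HKEY_CURRENT_USER\\Software\\Microsoft\\Ytfovlymmxqrt
Operation:write
Name:af2270fb
Value:1671B1CB492C5556C055EBE1070186F4
(PID) Process:(3868) explorer.exe
Key:HKEY_CURRENT_USER\\Software\\Microsoft\\Ytfovlymmxqrt
Operation:write
Name:9abda0b5
Value:78FD56573BD9AF68E2E8B224399AEC08
(PID) Process:(1552) notepad.exe
Key:HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad
Operation:write
Name:lfFaceName
Value:Consolas
"""


def parse_events(text):
    """Split the flat report text into one dict per event."""
    records, cur = [], None
    for line in text.splitlines():
        if line.startswith("(PID) Process:"):
            if cur:
                records.append(cur)
            m = re.match(r"\(PID\) Process:\((\d+)\) (.+)$", line)
            cur = {"pid": int(m.group(1)), "image": m.group(2)}
        elif cur is not None:
            field, _, value = line.partition(":")
            cur[field.lower()] = value
    if cur:
        records.append(cur)
    return records


def find_config_stores(records, min_values=2):
    """{(pid, image, key): [value names written]} for keys matching the
    pattern that received at least `min_values` distinct hex-named blobs.
    Repeated names in the list show a value being rewritten, which the
    report records for 9abda0b5."""
    hits = defaultdict(list)
    for r in records:
        if r.get("operation") != "write" or not KEY_RE.match(r.get("key", "")):
            continue
        if VALUE_NAME_RE.match(r.get("name", "")) and HEX_BLOB_RE.match(r.get("value", "")):
            hits[(r["pid"], r["image"], r["key"])].append(r["name"])
    return {k: v for k, v in hits.items() if len(set(v)) >= min_values}


if __name__ == "__main__":
    stores = find_config_stores(parse_events(SAMPLE_EVENTS))
    for (pid, image, key), names in stores.items():
        print(f"{image} ({pid}) -> {key}: {len(set(names))} values, {len(names)} writes")
```

The same three predicates (key depth, hex value name, hex-only data of non-trivial length) map directly onto a Sysmon Event ID 13 rule; the count threshold keeps a single stray binary value from a legitimate Microsoft component from firing it.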
Executable files: 1
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID: 3868
Process: explorer.exe
Filename: C:\Users\admin\AppData\Local\Temp\b10812b2ee1a5776905dab0607ae87efca85602bd450f06f76ea12329b1e13da.exe
Type: executable
MD5: 2064AB980E4FADE3E6CCBA52E6F32843
SHA256: ECE51B5C22E75FB3DD3FB0CF9E2FC1207F2B8D6E696421375C9E65D39C874822

This is the path the sample was loaded from, yet the hashes no longer match the submitted file (MD5 25148C6A..., SHA256 B10812B2...): the original DLL was overwritten after injection. That is consistent with the "Executable content was dropped or overwritten" indicator and with the configuration string that pipes calc.exe over the original path (/c ping.exe -n 6 127.0.0.1 & type "%s\System32\calc.exe" > "%s"), so the file left on disk should not be used as the sample for further analysis.
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info