URL:

http://bhatner.com/wp-content/uploads/2020/01/ahead/9312.zip

Full analysis: https://app.any.run/tasks/13853cd1-4b0f-45e8-bc49-56fafc5043fe
Verdict: Malicious activity
Threats:

Qbot is a banking Trojan — a malware designed to collect banking information from victims. Qbot targets organizations mostly in the US. It is equipped with various sophisticated evasion and info-stealing functions and worm-like functionality, and a strong persistence mechanism.

Analysis date: January 24, 2020, 12:23:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
loader
qbot
trojan
Indicators:
MD5:

9C3584BC27F28C32B1530F04C5960BF7

SHA1:

790DDF9F05FB64ADB643741F8BA4F9592CB4287D

SHA256:

C483C9D30F122C6675B6D61656C27D51F6A3966DC547FF4F64D38E440278030C

SSDEEP:

3:N1KchZ2OlAQyX1Un:CchQOlAZy

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • ColorPick.exe (PID: 2668)
      • ytfovlym.exe (PID: 2864)
      • ColorPick.exe (PID: 3196)
      • ytfovlym.exe (PID: 3828)
    • Downloads executable files from the Internet

      • WScript.exe (PID: 3148)
    • Downloads executable files with a strange extension

      • WScript.exe (PID: 3148)
    • QBOT was detected

      • ColorPick.exe (PID: 2668)
    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 1860)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WScript.exe (PID: 3148)
      • ColorPick.exe (PID: 2668)
      • cmd.exe (PID: 1860)
    • Creates files in the user directory

      • ColorPick.exe (PID: 2668)
    • Application launched itself

      • ColorPick.exe (PID: 2668)
      • ytfovlym.exe (PID: 2864)
    • Starts itself from another location

      • ColorPick.exe (PID: 2668)
    • Starts CMD.EXE for commands execution

      • ColorPick.exe (PID: 2668)
  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2808)
      • iexplore.exe (PID: 628)
    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 628)
    • Changes internet zones settings

      • iexplore.exe (PID: 628)
    • Manual execution by user

      • WScript.exe (PID: 3148)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2808)
    • Dropped object may contain Bitcoin addresses

      • cmd.exe (PID: 1860)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 628)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 628)
    • Changes settings of System certificates

      • iexplore.exe (PID: 628)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
46
Monitored processes
11
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start iexplore.exe iexplore.exe winrar.exe no specs wscript.exe #QBOT colorpick.exe colorpick.exe ytfovlym.exe cmd.exe ping.exe no specs ytfovlym.exe explorer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
628"C:\Program Files\Internet Explorer\iexplore.exe" "http://bhatner.com/wp-content/uploads/2020/01/ahead/9312.zip"C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2808"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:628 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
1116"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\9312.zip"C:\Program Files\WinRAR\WinRAR.exeiexplore.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
3148"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\JVC_1478.vbs" C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2668C:\Users\admin\AppData\Local\Temp\ColorPick.exeC:\Users\admin\AppData\Local\Temp\ColorPick.exe
WScript.exe
User:
admin
Company:
Microsoft C
Integrity Level:
MEDIUM
Description:
Macedo
Exit code:
0
Version:
6.5.1042
3196C:\Users\admin\AppData\Local\Temp\ColorPick.exe /CC:\Users\admin\AppData\Local\Temp\ColorPick.exe
ColorPick.exe
User:
admin
Company:
Microsoft C
Integrity Level:
MEDIUM
Description:
Macedo
Exit code:
0
Version:
6.5.1042
2864C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe
ColorPick.exe
User:
admin
Company:
Microsoft C
Integrity Level:
MEDIUM
Description:
Macedo
Exit code:
0
Version:
6.5.1042
1860"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\admin\AppData\Local\Temp\ColorPick.exe"C:\Windows\System32\cmd.exe
ColorPick.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3916ping.exe -n 6 127.0.0.1 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3828C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe /CC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe
ytfovlym.exe
User:
admin
Company:
Microsoft C
Integrity Level:
MEDIUM
Description:
Macedo
Exit code:
0
Version:
6.5.1042
Total events
8 393
Read events
1 620
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
13
Text files
2
Unknown types
3

Dropped files

PID
Process
Filename
Type
628iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
628iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFA61BDF8BDEB1F836.TMP
MD5:
SHA256:
2808iexplore.exeC:\Users\admin\Downloads\9312.zip.qcw5v5x.partial
MD5:
SHA256:
628iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFAD69F389D6D35BD9.TMP
MD5:
SHA256:
628iexplore.exeC:\Users\admin\Downloads\9312.zip.qcw5v5x.partial:Zone.Identifier
MD5:
SHA256:
1116WinRAR.exeC:\Users\admin\Desktop\JVC_1478.vbs
MD5:
SHA256:
628iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF984BB82E8A848656.TMP
MD5:
SHA256:
628iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{66DED661-3EA4-11EA-972D-5254004A04AF}.dat
MD5:
SHA256:
628iexplore.exeC:\Users\admin\AppData\Local\Temp\Cab6FD4.tmp
MD5:
SHA256:
628iexplore.exeC:\Users\admin\AppData\Local\Temp\Tar6FD5.tmp
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
11
DNS requests
8
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2808
iexplore.exe
GET
200
103.91.92.1:80
http://bhatner.com/wp-content/uploads/2020/01/ahead/9312.zip
IN
compressed
2.23 Mb
whitelisted
628
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
628
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
shared
628
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
shared
628
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
shared
3148
WScript.exe
GET
200
5.61.27.159:80
http://alphaenergyeng.com/wp-content/uploads/2020/01/ahead/444444.png
US
executable
464 Kb
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2808
iexplore.exe
103.91.92.1:80
bhatner.com
Click4net Internet Services P Ltd
IN
unknown
628
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
628
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
628
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3148
WScript.exe
5.61.27.159:80
alphaenergyeng.com
Nrp Network LLC
US
malicious

DNS requests

Domain
IP
Reputation
bhatner.com
  • 103.91.92.1
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
ocsp.digicert.com
  • 93.184.220.29
shared
alphaenergyeng.com
  • 5.61.27.159
suspicious

Threats

PID
Process
Class
Message
3148
WScript.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3148
WScript.exe
A Network Trojan was detected
AV POLICY EXE or DLL in HTTP Image Content Inbound - Likely Malicious
3148
WScript.exe
Misc activity
ET INFO EXE - Served Attached HTTP
3148
WScript.exe
Misc activity
SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
Process
Message
ColorPick.exe
ZBZQBZ
ColorPick.exe
ZBZQBZ
ytfovlym.exe
ZBZQBZ
ytfovlym.exe
ZBZQBZ