analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Calculation-429853930-10162020.zip

Full analysis: https://app.any.run/tasks/50abd3d4-de88-4aff-92ae-77510f6c38e0
Verdict: Malicious activity
Threats:

Qbot is a banking Trojan — a malware designed to collect banking information from victims. Qbot targets organizations mostly in the US. It is equipped with various sophisticated evasion and info-stealing functions and worm-like functionality, and a strong persistence mechanism.

Malware Trends Tracker     >>>
Analysis date: October 20, 2020, 01:23:24
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
qbot
maldoc-42
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

1032B66E61B9DEC680F6BC40A82FC9C6

SHA1:

DF82525963C2E087B0B33523362B5869602A6972

SHA256:

C7F9E84F21F171642F89DAD8EE778E9E0094AC24253AB81BBEF2120F4AFC7FE4

SSDEEP:

384:8gGk+KFME6e7jjoZUUqxQ7p4teW38AB0rXw2bPvVK3ZHxzWt7RKI/B2rqieO:7VFMM7wZUUwqWMMyXvbQ3ZRz+0IQqXO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executable content was dropped or overwritten

      • EXCEL.EXE (PID: 1960)

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 1960)

    • Application was dropped or rewritten from another process

      • nosto.exe (PID: 2096)
      • nosto.exe (PID: 3928)
      • ytfovlym.exe (PID: 3396)
      • ytfovlym.exe (PID: 1864)

    • QBOT was detected

      • nosto.exe (PID: 3928)

    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 3932)

  • SUSPICIOUS

    • Starts Microsoft Office Application

      • WinRAR.exe (PID: 1932)

    • Application launched itself

      • nosto.exe (PID: 3928)
      • ytfovlym.exe (PID: 3396)

    • Creates files in the user directory

      • nosto.exe (PID: 3928)

    • Executable content was dropped or overwritten

      • nosto.exe (PID: 3928)
      • cmd.exe (PID: 3932)

    • Starts CMD.EXE for commands execution

      • nosto.exe (PID: 3928)

    • Starts itself from another location

      • nosto.exe (PID: 3928)

  • INFO

    • Creates files in the user directory

      • EXCEL.EXE (PID: 1960)

    • Reads Internet Cache Settings

      • EXCEL.EXE (PID: 1960)

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 1960)

    • Dropped object may contain Bitcoin addresses

      • cmd.exe (PID: 3932)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2020:10:19 16:24:17
ZipCRC: 0x84f024ac
ZipCompressedSize: 21418
ZipUncompressedSize: 26682
ZipFileName: Calculation-429853930-10162020.xlsb
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
9
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start winrar.exe no specs excel.exe #QBOT nosto.exe nosto.exe no specs ytfovlym.exe no specs cmd.exe ping.exe no specs ytfovlym.exe no specs explorer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1932"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Calculation-429853930-10162020.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
1960"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXE
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
3928"C:\Hromo\Nivadalo\nosto.exe" C:\Hromo\Nivadalo\nosto.exe
EXCEL.EXE
User:
admin
Company:
QIHU 360 SOFTWARE CO. LIMITED
Integrity Level:
MEDIUM
Description:
360 SystemRegistryClean
Exit code:
0
Version:
1, 0, 0, 1003
2096C:\Hromo\Nivadalo\nosto.exe /CC:\Hromo\Nivadalo\nosto.exenosto.exe
User:
admin
Company:
QIHU 360 SOFTWARE CO. LIMITED
Integrity Level:
MEDIUM
Description:
360 SystemRegistryClean
Exit code:
0
Version:
1, 0, 0, 1003
3396C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exenosto.exe
User:
admin
Company:
QIHU 360 SOFTWARE CO. LIMITED
Integrity Level:
MEDIUM
Description:
360 SystemRegistryClean
Exit code:
0
Version:
1, 0, 0, 1003
3932"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Hromo\Nivadalo\nosto.exe"C:\Windows\System32\cmd.exe
nosto.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3768ping.exe -n 6 127.0.0.1 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1864C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe /CC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeytfovlym.exe
User:
admin
Company:
QIHU 360 SOFTWARE CO. LIMITED
Integrity Level:
MEDIUM
Description:
360 SystemRegistryClean
Exit code:
0
Version:
1, 0, 0, 1003
4032C:\Windows\explorer.exeC:\Windows\explorer.exeytfovlym.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 149
Read events
1 083
Write events
0
Delete events
0

Modification events

No data
Executable files
4
Suspicious files
4
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
1960EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR6C5E.tmp.cvr
MD5:
SHA256:
1932WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIa1932.36724\Calculation-429853930-10162020.xlsbdocument
MD5:4526D0A8AEE7B4D6990F643DC9E7F625
SHA256:0CC4CAB43C096CEEB9C41BDFF10785BBF116412F189F770EED447873C849AC32
3928nosto.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.datbinary
MD5:973F8E4F5A174A08DC417F5F2227B2F3
SHA256:181F87744986183FB2A848E061DFB62701A3003ECB5082E74C6098E5CD50DC26
1960EXCEL.EXEC:\Hromo\Nivadalo\nosto.exeexecutable
MD5:B027D73A974E452E451F57DBF6B44FCC
SHA256:402087D05FB03BA151D74D3773A29EE4468DBAAD026372C71607BD767E427171
1960EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\3415201[1].pngexecutable
MD5:B027D73A974E452E451F57DBF6B44FCC
SHA256:402087D05FB03BA151D74D3773A29EE4468DBAAD026372C71607BD767E427171
3928nosto.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeexecutable
MD5:B027D73A974E452E451F57DBF6B44FCC
SHA256:402087D05FB03BA151D74D3773A29EE4468DBAAD026372C71607BD767E427171
1960EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\C5KEP792.txttext
MD5:E9E553E349E81FE6C77E74AFA23D668F
SHA256:72024F739C081437742EDBB33B4E1AC387E58EE83A49B7459AEFE22BD044A259
4032explorer.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.datbinary
MD5:AEACE7B4254C35A54AE276A61F22FF02
SHA256:BA81000D6DD0BFA730B392423298CCC2499E8C321E40A35E0FD35F3982FB369D
3932cmd.exeC:\Hromo\Nivadalo\nosto.exeexecutable
MD5:60B7C0FEAD45F2066E5B805A91F4F0FC
SHA256:80C10EE5F21F92F89CBC293A59D2FD4C01C7958AACAD15642558DB700943FA22
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1960
EXCEL.EXE
GET
200
104.27.183.167:80
http://cinefreak.info/dzvkbppmkym/3415201.png
US
executable
1.02 Mb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1960
EXCEL.EXE
104.27.183.167:80
cinefreak.info
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
cinefreak.info
  • 104.27.183.167
  • 172.67.182.215
  • 104.27.182.167
malicious

Threats

PID
Process
Class
Message
1960
EXCEL.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
1960
EXCEL.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
1960
EXCEL.EXE
A Network Trojan was detected
ET TROJAN JS/WSF Downloader Dec 08 2016 M4
1960
EXCEL.EXE
A Network Trojan was detected
AV POLICY EXE or DLL in HTTP Image Content Inbound - Likely Malicious
1960
EXCEL.EXE
Misc activity
ET INFO EXE - Served Attached HTTP
1960
EXCEL.EXE
Misc activity
SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Calculation-429853930-10162020.zip