File name: | Claim_Copy_3657_Sep_20.html |
Full analysis: | https://app.any.run/tasks/352281e4-0623-49bc-b7c0-7eb010b29deb |
Verdict: | Malicious activity |
Threats: | Qbot is a banking Trojan — a malware designed to collect banking information from victims. Qbot targets organizations mostly in the US. It is equipped with various sophisticated evasion and info-stealing functions and worm-like functionality, and a strong persistence mechanism. |
Analysis date: | October 05, 2022, 07:20:00 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/html |
File info: | HTML document, UTF-8 Unicode text, with very long lines, with CRLF line terminators |
MD5: | D7EA398ADA030C834B54E11387337F97 |
SHA1: | 1F52A598EB7DEB5E82F1D09F50311A387C3F4A00 |
SHA256: | C9E38DD0A37E5122F129463AD99188113715FAE3983DE9C10E2E1C139C3773FC |
SSDEEP: | 12288:zfs8YEtCns3tMEwYtgoCkcnj5Zk0bTcw1eLxvk35IWjXLWjH:DysduNnj9ww1ehk3yWj6 |
.html | | | HyperText Markup Language (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
276 | "C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\admin\AppData\Local\Temp\Claim_Copy_3657_Sep_20.html" | C:\Program Files\Internet Explorer\iexplore.exe | Explorer.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
1116 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:276 CREDAT:144385 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
3164 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:276 CREDAT:333057 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
3976 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Downloads\Claim_Copy_3657_Sep_20 | C:\Windows\system32\rundll32.exe | — | Explorer.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
404 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\Claim_Copy_3657_Sep_20" | C:\Program Files\WinRAR\WinRAR.exe | — | rundll32.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 | ||||
3412 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIb404.10338\Claim_Copy_3657.iso | C:\Program Files\WinRAR\WinRAR.exe | WinRAR.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 | ||||
2904 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\fathomed\hibernatesCrowd.js" | C:\Windows\System32\WScript.exe | — | Explorer.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
3872 | C:\Windows\system32\cmd.exe /c ""C:\Users\admin\Desktop\fathomed\bulkedBussing.cmd" regsv" | C:\Windows\system32\cmd.exe | — | WScript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
684 | regsvr32 fathomed\colloquia.db | C:\Windows\system32\regsvr32.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft(C) Register Server Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1816 | C:\Windows\explorer.exe | C:\Windows\explorer.exe | regsvr32.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) Qbot(PID) Process(1816) explorer.exe Strings (188)Start screenshot at.exe %u:%u "%s" /I powershell.exe -encodedCommand amstream.dll Self check arp -a c:\ProgramData nltest /domain_trusts /all_trusts %s %04x.%u %04x.%u res: %s seh_test: %u consts_test: %d vmdetected: %d createprocess: %d Self test OK. SoNuce]ugdiB3c[doMuce2s81*uXmcvP \System32\WindowsPowerShell\v1.0\powershell.exe net view \System32\WindowsPowerShel1\v1.0\powershel1.exe error res='%s' err=%d len=%u net share qwinsta route print .lnk regsvr32.exe Self test FAILED!!! ProfileImagePath schtasks.exe /Delete /F /TN %u "%s\system32\schtasks.exe" /Create /ST %02u:%02u /RU "NT AUTHORITY\SYSTEM" /SC ONCE /tr "%s" /Z /ET %02u:%02u /tn %s SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList netstat -nao /c ping.exe -n 6 127.0.0.1 & type "%s\System32\calc.exe" > "%s" nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%s /t5 whoami /all Self check ok! ProgramData powershell.exe -encodedCommand %S 89210af9 3c91e639 %s "$%s = \"%s\"; & $%s" SOFTWARE\Microsoft\Windows\CurrentVersion\Run ERROR: GetModuleFileNameW() failed with error: %u ipconfig /all schtasks.exe /Create /RU "NT AUTHORITY\SYSTEM" /SC ONSTART /TN %u /TR "%s" /NP /F ERROR: GetModuleFileNameW() failed with error: ERROR_INSUFFICIENT_BUFFER %s \"$%s = \\\"%s\\\\; & $%s\" net localgroup powershell.exe cmd /c set Microsoft SELF_TEST_1 %SystemRoot%\explorer.exe %ProgramFiles(x86)%\Internet Explorer\iexplore.exe WBJ_IGNORE */* SELECT * FROM Win32_Processor root\SecurityCenter2 Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet \sf2.dll Win32_Bios .cfg wpcap.dll type=0x%04X c:\hiberfil.sysss aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz bcrypt.dll Win32_ComputerSystem %SystemRoot%\SysWOW64\explorer.exe FALSE %S.%06d Win32_Product abcdefghijklmnopqrstuvwxyz image/pjpeg egui.exe;ekrn.exe https Create %SystemRoot%\SysWOW64\msra.exe SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths SubmitSamplesConsent %ProgramFiles%\Internet Explorer\iexplore.exe from kernel32.dll %s\system32\ \\.\pipe\ userenv.dll ntdll.dll ccSvcHst.exe LocalLow NTUSER.DAT select avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe Software\Microsoft Win32_PhysicalMemory wtsapi32.dll ws2_32.dll shell32.dll Initializing database... winsta0\default S:(ML;;NW;;;LW) snxhk_border_mywnd %SystemRoot%\System32\msra.exe TRUE image/gif APPDATA vbs image/jpeg %SystemRoot%\SysWOW64\wermgr.exe dwengine.exe;dwarkdaemon.exe;dwwatcher.exe ALLUSERSPROFILE wininet.dll urlmon.dll Packages SELECT * FROM Win32_OperatingSystem Winsta0 %SystemRoot%\SysWOW64\explorer.exe reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s" SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet Caption ROOT\CIMV2 %SystemRoot%\System32\OneDriveSetup.exe c:\\ aswhooka.dll aabcdeefghiijklmnoopqrstuuvwxyyz Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2")
Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process")
errReturn = objProcess.Create("%s", null, nul, nul) mpr.dll %SystemRoot%\SysWOW64\xwizard.exe Name coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0 LastBootUpTime %SystemRoot%\System32\wermgr.exe avp.exe;kavtray.exe Win32_Process 1234567890 %SystemRoot%\System32\mobsync.exe rundll32.exe fshoster32.exe SystemRoot advapi32.dll SpyNetReporting t=%s time=[%02d:%02d:%02d-%02d/%02d/%d] SAVAdminService.exe;SavService.exe Win32_DiskDrive cmd.exe %SystemRoot%\SysWOW64\mobsync.exe .dat open %SystemRoot%\System32\xwizard.exe {%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X} Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2")
Set colFiles = objWMIService.ExecQuery("Select * From CIM_DataFile Where Name = '%s'")
For Each objFile in colFiles
objFile.Copy("%s")
Next user32.dll bdagent.exe;vsserv.exe;vsservppl.exe SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths MsMpEng.exe Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName .dll setupapi.dll WRSA.exe System32 application/x-shockwave-flash netapi32.dll SysWOW64 frida-winjector-helper-32.exe;frida-winjector-helper-64.exe;tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe;qak_proxy;dumpcap.exe;CFF Explorer.exe;not_rundll32.exe;ProcessHacker.exe;tcpview.exe;filemon.exe;procmon.exe;idaq64.exe;PETools.ex... WScript.Sleep %u
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2")
Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process")
errReturn = objProcess.Create("%s", null, nul, nul)
WSCript.Sleep 2000
Set fso = CreateObject("Scripting.FileSystemObject")... vkise.exe;isesrv.exe;cmdagent.exe MBAMService.exe;mbamgui.exe iphlpapi.dll SOFTWARE\Microsoft\Windows Defender\SpyNet CommandLine wbj.go shlwapi.dll Win32_PnPEntity cscript.exe LOCALAPPDATA C:\INTERNAL\__empty SELECT * FROM AntiVirusProduct aswhookx.dll %SystemRoot%\explorer.exe mcshield.exe .exe pstorec.dll %SystemRoot%\SysWOW64\OneDriveSetup.exe wmic process call create 'expand "%S" "%S"' fmon.exe Content-Type: application/x-www-form-urlencoded displayName AvastSvc.exe ByteFence.exe SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet WQL crypt32.dll C2 (150)119.82.111.158:443 66.181.164.43:443 181.118.183.123:443 88.245.168.200:2222 70.49.33.200:2222 193.3.19.37:443 99.232.140.205:2222 110.4.255.247:443 134.35.9.144:443 89.211.217.38:995 64.207.215.69:443 83.110.219.59:993 197.94.84.128:443 177.255.14.99:995 41.103.226.172:443 109.155.5.164:993 190.44.40.48:995 187.205.222.100:443 41.107.78.223:995 191.97.234.238:995 76.169.76.44:2222 70.51.132.197:2222 189.19.189.222:32101 72.88.245.71:443 173.218.180.91:443 197.204.243.167:443 68.53.110.74:995 160.176.204.241:443 41.69.103.179:995 68.224.229.42:443 100.1.5.250:995 194.166.205.204:995 88.232.207.24:443 14.183.63.12:443 89.211.223.138:2222 85.98.206.165:995 191.254.74.89:32101 72.66.96.129:995 176.42.245.2:995 31.54.39.153:2078 186.154.92.181:443 88.231.221.198:995 102.38.97.229:995 45.51.148.111:993 87.243.113.104:995 84.38.133.191:443 123.240.131.1:443 180.180.131.95:443 191.84.204.214:995 91.116.160.252:443 151.234.63.48:990 99.253.251.74:443 154.181.203.230:995 85.114.110.108:443 186.105.182.127:443 71.10.27.196:2222 71.10.27.196:2222 47.146.182.110:443 194.49.79.231:443 88.242.228.16:53 88.231.221.198:443 141.164.254.35:443 196.92.172.24:8443 186.50.245.74:995 78.182.113.80:443 41.96.171.218:443 154.246.182.210:443 81.214.220.237:443 95.136.41.50:443 84.38.133.191:443 190.158.58.236:443 105.99.80.23:443 102.184.151.194:995 181.127.138.30:443 167.60.82.242:995 196.112.34.71:443 88.251.38.53:443 37.37.206.87:995 37.76.197.124:443 188.157.6.170:443 68.50.190.55:443 181.111.20.201:443 31.166.116.171:443 84.238.253.171:443 197.49.50.44:443 160.152.135.188:2222 45.160.124.211:995 113.22.102.155:443 211.248.176.4:443 186.167.249.206:443 139.195.132.210:2222 182.213.208.5:443 201.177.163.176:443 45.183.234.180:443 98.180.234.228:443 184.82.110.50:995 179.24.245.193:995 94.99.110.157:995 181.56.125.32:443 119.42.124.18:443 181.231.229.133:443 2.89.78.130:993 70.81.121.237:2222 181.81.116.144:443 197.11.128.156:443 41.142.132.190:443 105.111.60.60:995 154.238.151.197:995 156.219.49.22:995 179.223.89.154:995 102.101.231.141:443 220.116.250.45:443 138.0.114.166:443 62.114.193.186:995 85.98.46.114:443 184.99.123.118:443 186.120.58.88:443 46.186.216.41:32100 156.213.107.29:995 27.73.215.46:32102 68.151.196.147:995 68.129.232.158:443 45.241.140.181:995 212.156.51.194:443 87.75.195.211:443 1.10.253.207:443 87.220.229.164:2222 109.200.165.82:443 41.105.197.244:443 190.59.247.136:995 219.69.103.199:443 61.105.45.244:443 105.105.104.0:443 169.1.47.111:443 210.195.18.76:2222 118.174.200.169:995 88.246.170.2:443 171.248.157.128:995 118.68.220.199:443 139.195.63.45:2222 118.216.99.232:443 181.80.133.202:443 102.40.236.32:995 46.116.229.16:443 61.70.29.53:443 179.108.32.195:443 171.238.230.59:443 81.56.22.251:995 31.32.180.179:443 85.139.203.42:32101 Version1027.894 Campaign1663660089 Botnetobama206 |
PID | Process | Filename | Type | |
---|---|---|---|---|
1116 | iexplore.exe | C:\Users\admin\Downloads\Claim_Copy_3657_Sep_20.gytlj9w.partial | compressed | |
MD5:120477A9D77B76C6A36A9BD7E78D17AB | SHA256:AD7ADB06B4561396BB7CC53390B1E47B89D2E124E346390EF92BC3C7B3AFCCCE | |||
1116 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\Claim_Copy_3657_Sep_20[1] | compressed | |
MD5:9A5055816FFC1FAE19E65BD2056CB821 | SHA256:FE6C8ED26A1A209C19E31FAB9EF7E048FB01F1C846B19F0994AA1B158F1E15DB | |||
1116 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565 | binary | |
MD5:8DB26351CFF62B2F53267B61B37DC8B7 | SHA256:05F91462D76C6BE25642E290CC0A1D27C210FD1EE30A7B5D2EA5C14E9DACEAA9 | |||
276 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442 | binary | |
MD5:8E8D823B548C35ECA97993697E35AD5D | SHA256:9E7D933723C3F157FDEA9F6E92609E6D0F99BD3A1FFA861C549131DE28CF79EB | |||
1116 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565 | der | |
MD5:DBE650BA1D1EB0B65CB29924AB369F1B | SHA256:2DF229C762B997F438A51379186347842250A82FC3C1234FAFB0781C9276E636 | |||
1116 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:C2EEBBEFF66B98DB6AE0CF6289CEDE63 | SHA256:7AEFE587BD3449FE062FF26E6AD63920F4DD380C47B165EFDC815E17FF29A53A | |||
1116 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\d[2] | woff | |
MD5:DF0CD5EDE266E9EA694C3D28209FCE9F | SHA256:5ECD3C64E4C0D1A51D13E2762BECB9E7DA2ACD30D670058A6B16761BE3E017DB | |||
276 | iexplore.exe | C:\Users\admin\Downloads\Claim_Copy_3657_Sep_20 | compressed | |
MD5:120477A9D77B76C6A36A9BD7E78D17AB | SHA256:AD7ADB06B4561396BB7CC53390B1E47B89D2E124E346390EF92BC3C7B3AFCCCE | |||
276 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | image | |
MD5:DA597791BE3B6E732F0BC8B20E38EE62 | SHA256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07 | |||
1116 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\d[3] | woff | |
MD5:83E5380B9DC2077B664E383CF6FCF47E | SHA256:741A4BC7D04FC8385F9A1DB0CCC586A224F14233B08D764D37EA165163A247A0 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
276 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted |
1116 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAfy81yHqHeveu%2FpR5k1Jb0%3D | US | der | 471 b | whitelisted |
276 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D | US | der | 1.47 Kb | whitelisted |
1116 | iexplore.exe | GET | 200 | 23.216.77.80:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?831122cd13fc2ce2 | US | compressed | 4.70 Kb | whitelisted |
1116 | iexplore.exe | GET | 200 | 23.216.77.80:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?b9ada3503f7f829e | US | compressed | 4.70 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1116 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted |
276 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted |
1116 | iexplore.exe | 184.24.77.156:443 | use.typekit.net | Akamai International B.V. | DE | suspicious |
1116 | iexplore.exe | 23.216.77.80:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | suspicious |
276 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | EDGECAST | US | whitelisted |
276 | iexplore.exe | 204.79.197.200:443 | www.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
use.typekit.net |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |
iecvlist.microsoft.com |
| whitelisted |
r20swj13mr.microsoft.com |
| whitelisted |