File name: | Claim_Copy_3657_Sep_20.html |
Full analysis: | https://app.any.run/tasks/66332ae2-16f0-46ed-9876-74b98a0c5ff2 |
Verdict: | Malicious activity |
Threats: | Qbot is a banking Trojan — a malware designed to collect banking information from victims. Qbot targets organizations mostly in the US. It is equipped with various sophisticated evasion and info-stealing functions and worm-like functionality, and a strong persistence mechanism. |
Analysis date: | October 05, 2022, 07:14:13 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/html |
File info: | HTML document, UTF-8 Unicode text, with very long lines, with CRLF line terminators |
MD5: | D7EA398ADA030C834B54E11387337F97 |
SHA1: | 1F52A598EB7DEB5E82F1D09F50311A387C3F4A00 |
SHA256: | C9E38DD0A37E5122F129463AD99188113715FAE3983DE9C10E2E1C139C3773FC |
SSDEEP: | 12288:zfs8YEtCns3tMEwYtgoCkcnj5Zk0bTcw1eLxvk35IWjXLWjH:DysduNnj9ww1ehk3yWj6 |
.html | | | HyperText Markup Language (100) |
---|
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3160 | "C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\admin\AppData\Local\Temp\Claim_Copy_3657_Sep_20.html" | C:\Program Files\Internet Explorer\iexplore.exe | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
1076 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3160 CREDAT:144385 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
3212 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3160 CREDAT:5256194 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
3632 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3160 CREDAT:398593 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
3712 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Downloads\Claim_Copy_3657_Sep_20 | C:\Windows\system32\rundll32.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
312 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\Claim_Copy_3657_Sep_20" | C:\Program Files\WinRAR\WinRAR.exe | — | rundll32.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
3548 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIb312.24969\Claim_Copy_3657.iso | C:\Program Files\WinRAR\WinRAR.exe | WinRAR.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
1748 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\fathomed\hibernatesCrowd.js" | C:\Windows\System32\WScript.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
| |||||||||||||||
1404 | C:\Windows\system32\cmd.exe /c ""C:\Users\admin\Desktop\fathomed\bulkedBussing.cmd" regsv" | C:\Windows\system32\cmd.exe | — | WScript.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
1988 | regsvr32 fathomed\colloquia.db | C:\Windows\system32\regsvr32.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft(C) Register Server Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
1076 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565 | binary | |
MD5:5A2D9C6C77BDC98784D0F6777854B7C6 | SHA256:0C1EF1811C78D981D47951EBE324DCC02E26A67DDB4ECA3ED95D70C86EDC3812 | |||
1076 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:284A9EAA3EC85C2FAD71A396CE5446D0 | SHA256:D9354725EF96DB414491DE3059B74E7AE0134730801E8FE1BF1565134180C0A3 | |||
3212 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\Claim_Copy_3657_Sep_20[1] | compressed | |
MD5:9A5055816FFC1FAE19E65BD2056CB821 | SHA256:FE6C8ED26A1A209C19E31FAB9EF7E048FB01F1C846B19F0994AA1B158F1E15DB | |||
3160 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442 | binary | |
MD5:40CF8195898EB49CE855DEC91C2A5C7E | SHA256:BEF7C8B980D34D56FADA475C6DB431E3D11152B71883F1099643BF71C9771CF1 | |||
3160 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442 | der | |
MD5:B8BDA0B382A7D056A4241B388338B778 | SHA256:7BAA967F6686CCE471826B20FFA5CB7FEB4BF3C5C0BF43F51F08E84EB5850DD2 | |||
1076 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565 | der | |
MD5:DBE650BA1D1EB0B65CB29924AB369F1B | SHA256:2DF229C762B997F438A51379186347842250A82FC3C1234FAFB0781C9276E636 | |||
1076 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\d[1] | woff | |
MD5:A870EE6A735514C321010F19CE3644D7 | SHA256:79E3A4E2C2274ACD602155924DC8C0B7C3AFDCD40450B2DFEDA302AD8E140649 | |||
1076 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\d[1] | woff | |
MD5:C26C1B68EDD07AB0069CF2EFE0886C1F | SHA256:72073CA6C71BCC781491B054C4325A663834082457FD896CB6E1E9931BF6E013 | |||
3160 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\favicon[1].ico | image | |
MD5:DA597791BE3B6E732F0BC8B20E38EE62 | SHA256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07 | |||
1076 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\d[1] | woff | |
MD5:DF0CD5EDE266E9EA694C3D28209FCE9F | SHA256:5ECD3C64E4C0D1A51D13E2762BECB9E7DA2ACD30D670058A6B16761BE3E017DB |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1076 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAfy81yHqHeveu%2FpR5k1Jb0%3D | US | der | 471 b | whitelisted |
3212 | iexplore.exe | GET | 200 | 8.253.204.121:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?e7a8f0c77e21ded3 | US | compressed | 4.70 Kb | whitelisted |
1076 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted |
3212 | iexplore.exe | GET | 200 | 8.253.207.120:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a98d9de4f8328267 | US | compressed | 4.70 Kb | whitelisted |
3160 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D | US | der | 1.47 Kb | whitelisted |
3212 | iexplore.exe | GET | 200 | 8.253.207.120:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?55796228f15e8c37 | US | compressed | 4.70 Kb | whitelisted |
1076 | iexplore.exe | GET | 200 | 2.16.186.25:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?795b60877d7c2511 | unknown | compressed | 4.70 Kb | whitelisted |
1076 | iexplore.exe | GET | 200 | 2.16.186.25:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?3c19326d246a6dd5 | unknown | compressed | 4.70 Kb | whitelisted |
3212 | iexplore.exe | GET | 200 | 8.253.207.120:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?ce65632dcc440800 | US | compressed | 4.70 Kb | whitelisted |
3212 | iexplore.exe | GET | 200 | 8.253.207.120:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?b501590238a1d8b6 | US | compressed | 4.70 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3212 | iexplore.exe | 2.16.106.235:443 | use.typekit.net | Akamai International B.V. | DE | suspicious |
3212 | iexplore.exe | 8.253.207.120:80 | ctldl.windowsupdate.com | LEVEL3 | US | malicious |
1076 | iexplore.exe | 2.16.106.235:443 | use.typekit.net | Akamai International B.V. | DE | suspicious |
3212 | iexplore.exe | 8.253.204.121:80 | ctldl.windowsupdate.com | LEVEL3 | US | malicious |
1076 | iexplore.exe | 2.16.186.25:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | whitelisted |
1076 | iexplore.exe | 2.16.106.147:443 | use.typekit.net | Akamai International B.V. | DE | whitelisted |
3160 | iexplore.exe | 204.79.197.200:443 | www.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
1076 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | EDGECAST | US | whitelisted |
3160 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted |
3212 | iexplore.exe | 2.16.106.147:443 | use.typekit.net | Akamai International B.V. | DE | whitelisted |
Domain | IP | Reputation |
---|---|---|
use.typekit.net |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
api.bing.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
www.bing.com |
| whitelisted |
iecvlist.microsoft.com |
| whitelisted |
r20swj13mr.microsoft.com |
| whitelisted |