File name: koran.dat
Full analysis: https://app.any.run/tasks/a551b495-09e2-4f27-a84a-30c6e41e141a
Verdict: Malicious activity
Threats:

Qbot is a banking Trojan — a malware designed to collect banking information from victims. Qbot targets organizations mostly in the US. It is equipped with various sophisticated evasion and info-stealing functions and worm-like functionality, and a strong persistence mechanism.

Analysis date: October 05, 2022, 07:32:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
qbot
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5: 30F49310CDDD30D2EE78F3CE0AC99CF3
SHA1: CEDD2DA90C0CD9DA987B9A2CF429F7374BAB3B27
SHA256: E59E68973EE13A5A7525E73E48D6837AB85C9C3B129FB8DF9B9519C6B3EBA472
SSDEEP: 12288:Ccvej2fMdo5i5ptlTvLqBJEji0TF38ME:r2j1do5WFEJ4B38M

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • svchost.exe (PID: 856)
      • Explorer.EXE (PID: 636)
    • QBOT detected by memory dumps

      • wermgr.exe (PID: 1784)
  • SUSPICIOUS

    • Drops a file with too old compile date

      • wermgr.exe (PID: 1784)
  • INFO

    • Loads main object executable

      • rundll32.exe (PID: 2944)
    • Creates files in the user directory

      • Explorer.EXE (PID: 636)
      • wermgr.exe (PID: 1784)
    • Drops the executable file immediately after the start

      • wermgr.exe (PID: 1784)
    • Executable content was dropped or overwritten

      • wermgr.exe (PID: 1784)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Delphi generic (57.2)
.exe | Win32 Executable (generic) (18.2)
.exe | Win16/32 Executable Delphi generic (8.3)
.exe | Generic Win/DOS Executable (8)
.exe | DOS Executable Generic (8)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 1992-Jun-19 22:22:17
Detected languages:
  • English - United States

DOS Header

e_magic: MZ
e_cblp: 80
e_cp: 2
e_crlc: -
e_cparhdr: 4
e_minalloc: 15
e_maxalloc: 65535
e_ss: -
e_sp: 184
e_csum: -
e_ip: -
e_cs: -
e_ovno: 26
e_oemid: -
e_oeminfo: -
e_lfanew: 256

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 6
TimeDateStamp: 1992-Jun-19 22:22:17
PointerToSymbolTable: -
NumberOfSymbols: -
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_BYTES_REVERSED_HI
  • IMAGE_FILE_BYTES_REVERSED_LO
  • IMAGE_FILE_DLL
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
CODE | 4096 | 327872 | 328192 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.52285
DATA | 335872 | 4424 | 4608 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.09743
BSS | 344064 | 3057 | 0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | -
.idata | 348160 | 8050 | 8192 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.87206
.reloc | 356352 | 23280 | 23552 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 6.66913
.rsrc | 380928 | 291840 | 291840 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 4.81995

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 2.05015 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR
2 | 2.80231 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR
3 | 3.00046 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR
4 | 2.56318 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR
5 | 2.6949 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR
6 | 2.62527 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR
7 | 2.91604 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR
8 | 1.41873 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR
9 | 2.6633 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR
4081 | 3.11739 | 252 | UNKNOWN | UNKNOWN | RT_STRING

Imports

advapi32.dll
advapi32.dll (#2)
comctl32.dll
gdi32.dll
kernel32.dll
kernel32.dll (#2)
kernel32.dll (#3)
kernel32.dll (#4)
oleaut32.dll
oleaut32.dll (#2)
No data.
All screenshots are available in the full report
Total processes: 35
Monitored processes: 4
Malicious processes: 4
Suspicious processes: 0

Behavior graph

  • start
  • rundll32.exe (no specs)
  • explorer.exe (no specs)
  • svchost.exe (no specs)
  • wermgr.exe (#QBOT)

Process information

PID: 2944
CMD: "C:\Windows\System32\rundll32.exe" "C:\Users\admin\Desktop\koran.dat.exe", #1
Path: C:\Windows\System32\rundll32.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 636
CMD: C:\Windows\Explorer.EXE
Path: C:\Windows\Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 856
CMD: C:\Windows\system32\svchost.exe -k netsvcs
Path: C:\Windows\system32\svchost.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1784
CMD: C:\Windows\System32\wermgr.exe
Path: C:\Windows\System32\wermgr.exe
Parent process: rundll32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Version: 6.1.7601.24521 (win7sp1_ldr_escrow.190909-1704)
Total events: 1 828
Read events: 1 816
Write events: 12
Delete events: 0

Modification events

(PID) Process: (1784) wermgr.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt
Operation: write
Name: 9abda0b5
Value: 78FD41573BD99A1F72AB7870315B0E3453028C2CB868FED0AF9ED99462BC4217A1D271A8EA0356DF43535841214A5F0FFC6490664BB2D686

(PID) Process: (1784) wermgr.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt
Operation: write
Name: af2270fb
Value: 1671B1CB492C5556C055EBE1070186F4539120B65789D71DB758F7249231D7EFE81C8ECAE56FBF12EB97D74FCE28A7C64420349CAD704EF46C08C28785325DA04EC55E6E8CDFA42531F0946B3321C8CB01D1E8F360D47B846A3463E7919A5EE78CEB4A7EF37FE781B04F1E724F76D4D471D962C1AF767DCD901BB854F670DB2AAFDA7EC62D66B8100666C6C42D912507FAFC5C6C86059C6523A7917E99DBC84F0152E8C16D170DA625DEE8DB4EFDD0BAFE8AC174238FCFCE5B284F9E110924B2CA4C60EE9A086EC4EA53370598DCA4606D

(PID) Process: (1784) wermgr.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt
Operation: write
Name: ad635087
Value: 3F5FCA242F6BC310CEAAC572F217631E80818206CC63DD11A011436B60540631896528F881B58F8D7524A62F733EFFF1B65DEC863701EF377DB32346C7CAEBF22254622CA4CA2148A5E14D101F2C82D3E373B8F7A28CCE6187EAD42B23EA18A1DBE81CA2

(PID) Process: (1784) wermgr.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt
Operation: write
Name: 15df37e2
Value: B713E0E0E8A1F76124E8E96656AEB48CB16FB37C10DDF57BC9E2BA44012409C924B05210D64AFCB609BC5C

(PID) Process: (1784) wermgr.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt
Operation: write
Name: 68d77868
Value: FDAA9851894C51B662E466C238A829AC7D067B43784036B67ED14F73523A690DA110E0822121380F4474A045F950DFA5F4E571D81A3BCB4FC46D8D17CE5B0104C618671B46604225C4157F1D8E2C771823C93812AC68E744F8CD1B185F4C90181B

(PID) Process: (1784) wermgr.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt
Operation: write
Name: d06b1f0d
Value: AD659A1C351525C4A1FB6C5D5B9329BE52522392BC1E5EA22C4E1317AC8AAFA82D2B77C6901735FBCC06F5399FAF61D3F005B0319A198178E5B939362F98C9D3FD8BFE4DE91FFF0E3F3018A7FAC315D2389211532683CF1C7B58608894E81C4B

(PID) Process: (1784) wermgr.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt
Operation: write
Name: 179e179e
Value: 18D68B559E54E18726831576418B7B92AAA117E47E6BE147A40EF6C8A0FA223B37FB4E249371D2480F29E54823A6A221329EF6424F46D87A19FE0794B298D319B418155A4366B3FE

(PID) Process: (1784) wermgr.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt
Operation: write
Name: e5f4cf43
Value: 2BF73CCC9ED92309D708F5D28211873DDE7DD93558AF6796436756F202AE4D70E074748CB258856424

(PID) Process: (1784) wermgr.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt
Operation: write
Name: 9abda0b5
Value: 78FD56573BD9A968E2E8B224399AEC08954AA6922C0980DF5D1AE30CC8377942D4EC0D3FEECDEC230CD8B164A163762742B72E187D4E6D08D27D035F5E8C4C61A83C0095B69099EBCE0C386560

(PID) Process: (636) Explorer.EXE
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation: write
Name: LanguageList
Value: en-US
Executable files: 1
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
1784 | wermgr.exe | C:\Users\admin\Desktop\koran.dat.exe | executable
MD5: E0B48ABA6216E196045DE38E5D289EAA
SHA256: F7BAB5357A18110E6C927A607B69B7B74C3D6F0840B4E64E1A9362B57C190C50
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info