Field | Value
---|---
File name | koran.dat
Full analysis | https://app.any.run/tasks/a551b495-09e2-4f27-a84a-30c6e41e141a
Verdict | Malicious activity
Threats | Qbot is a banking Trojan — malware designed to collect banking information from victims. Qbot targets organizations mostly in the US. It is equipped with various sophisticated evasion and info-stealing functions, worm-like functionality, and a strong persistence mechanism.
Analysis date | October 05, 2022, 07:32:01
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags |
Indicators |
MIME | application/x-dosexec
File info | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 | 30F49310CDDD30D2EE78F3CE0AC99CF3
SHA1 | CEDD2DA90C0CD9DA987B9A2CF429F7374BAB3B27
SHA256 | E59E68973EE13A5A7525E73E48D6837AB85C9C3B129FB8DF9B9519C6B3EBA472
SSDEEP | 12288:Ccvej2fMdo5i5ptlTvLqBJEji0TF38ME:r2j1do5WFEJ4B38M
Extension | Detected file type
---|---
.exe | Win32 Executable Delphi generic (57.2)
.exe | Win32 Executable (generic) (18.2)
.exe | Win16/32 Executable Delphi generic (8.3)
.exe | Generic Win/DOS Executable (8)
.exe | DOS Executable Generic (8)
Field | Value
---|---
Architecture | IMAGE_FILE_MACHINE_I386
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date | 1992-Jun-19 22:22:17
Detected languages |
DOS header field | Value
---|---
e_magic | MZ
e_cblp | 80
e_cp | 2
e_crlc | -
e_cparhdr | 4
e_minalloc | 15
e_maxalloc | 65535
e_ss | -
e_sp | 184
e_csum | -
e_ip | -
e_cs | -
e_ovno | 26
e_oemid | -
e_oeminfo | -
e_lfanew | 256
PE header field | Value
---|---
Signature | PE
Machine | IMAGE_FILE_MACHINE_I386
NumberOfSections | 6
TimeDateStamp | 1992-Jun-19 22:22:17
PointerToSymbolTable | -
NumberOfSymbols | -
SizeOfOptionalHeader | 224
Characteristics |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
---|---|---|---|---|---
CODE | 4096 | 327872 | 328192 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.52285 |
DATA | 335872 | 4424 | 4608 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.09743 |
BSS | 344064 | 3057 | 0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | |
.idata | 348160 | 8050 | 8192 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.87206 |
.reloc | 356352 | 23280 | 23552 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 6.66913 |
.rsrc | 380928 | 291840 | 291840 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 4.81995 |
Title | Entropy | Size | Codepage | Language | Type
---|---|---|---|---|---
1 | 2.05015 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR |
2 | 2.80231 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR |
3 | 3.00046 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR |
4 | 2.56318 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR |
5 | 2.6949 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR |
6 | 2.62527 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR |
7 | 2.91604 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR |
8 | 1.41873 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR |
9 | 2.6633 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR |
4081 | 3.11739 | 252 | UNKNOWN | UNKNOWN | RT_STRING |
Imported library |
---|
advapi32.dll |
advapi32.dll (#2) |
comctl32.dll |
gdi32.dll |
kernel32.dll |
kernel32.dll (#2) |
kernel32.dll (#3) |
kernel32.dll (#4) |
oleaut32.dll |
oleaut32.dll (#2) |
PID | Command line | Path | Indicators | Parent process | User | Integrity level | Company | Description | Version | Exit code
---|---|---|---|---|---|---|---|---|---|---
2944 | "C:\Windows\System32\rundll32.exe" "C:\Users\admin\Desktop\koran.dat.exe", #1 | C:\Windows\System32\rundll32.exe | — | Explorer.EXE | admin | MEDIUM | Microsoft Corporation | Windows host process (Rundll32) | 6.1.7600.16385 (win7_rtm.090713-1255) | 0
636 | C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | — | — | admin | MEDIUM | Microsoft Corporation | Windows Explorer | 6.1.7600.16385 (win7_rtm.090713-1255) |
856 | C:\Windows\system32\svchost.exe -k netsvcs | C:\Windows\system32\svchost.exe | — | services.exe | SYSTEM | SYSTEM | Microsoft Corporation | Host Process for Windows Services | 6.1.7600.16385 (win7_rtm.090713-1255) |
1784 | C:\Windows\System32\wermgr.exe | C:\Windows\System32\wermgr.exe | — | rundll32.exe | admin | MEDIUM | Microsoft Corporation | Windows Problem Reporting | 6.1.7601.24521 (win7sp1_ldr_escrow.190909-1704) |
PID | Process | Operation | Key | Value name | Value
---|---|---|---|---|---
1784 | wermgr.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt | 9abda0b5 | 78FD41573BD99A1F72AB7870315B0E3453028C2CB868FED0AF9ED99462BC4217A1D271A8EA0356DF43535841214A5F0FFC6490664BB2D686
1784 | wermgr.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt | af2270fb | 1671B1CB492C5556C055EBE1070186F4539120B65789D71DB758F7249231D7EFE81C8ECAE56FBF12EB97D74FCE28A7C64420349CAD704EF46C08C28785325DA04EC55E6E8CDFA42531F0946B3321C8CB01D1E8F360D47B846A3463E7919A5EE78CEB4A7EF37FE781B04F1E724F76D4D471D962C1AF767DCD901BB854F670DB2AAFDA7EC62D66B8100666C6C42D912507FAFC5C6C86059C6523A7917E99DBC84F0152E8C16D170DA625DEE8DB4EFDD0BAFE8AC174238FCFCE5B284F9E110924B2CA4C60EE9A086EC4EA53370598DCA4606D
1784 | wermgr.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt | ad635087 | 3F5FCA242F6BC310CEAAC572F217631E80818206CC63DD11A011436B60540631896528F881B58F8D7524A62F733EFFF1B65DEC863701EF377DB32346C7CAEBF22254622CA4CA2148A5E14D101F2C82D3E373B8F7A28CCE6187EAD42B23EA18A1DBE81CA2
1784 | wermgr.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt | 15df37e2 | B713E0E0E8A1F76124E8E96656AEB48CB16FB37C10DDF57BC9E2BA44012409C924B05210D64AFCB609BC5C
1784 | wermgr.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt | 68d77868 | FDAA9851894C51B662E466C238A829AC7D067B43784036B67ED14F73523A690DA110E0822121380F4474A045F950DFA5F4E571D81A3BCB4FC46D8D17CE5B0104C618671B46604225C4157F1D8E2C771823C93812AC68E744F8CD1B185F4C90181B
1784 | wermgr.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt | d06b1f0d | AD659A1C351525C4A1FB6C5D5B9329BE52522392BC1E5EA22C4E1317AC8AAFA82D2B77C6901735FBCC06F5399FAF61D3F005B0319A198178E5B939362F98C9D3FD8BFE4DE91FFF0E3F3018A7FAC315D2389211532683CF1C7B58608894E81C4B
1784 | wermgr.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt | 179e179e | 18D68B559E54E18726831576418B7B92AAA117E47E6BE147A40EF6C8A0FA223B37FB4E249371D2480F29E54823A6A221329EF6424F46D87A19FE0794B298D319B418155A4366B3FE
1784 | wermgr.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt | e5f4cf43 | 2BF73CCC9ED92309D708F5D28211873DDE7DD93558AF6796436756F202AE4D70E074748CB258856424
1784 | wermgr.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt | 9abda0b5 | 78FD56573BD9A968E2E8B224399AEC08954AA6922C0980DF5D1AE30CC8377942D4EC0D3FEECDEC230CD8B164A163762742B72E187D4E6D08D27D035F5E8C4C61A83C0095B69099EBCE0C386560
636 | Explorer.EXE | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E | LanguageList | en-US
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
1784 | wermgr.exe | C:\Users\admin\Desktop\koran.dat.exe | executable | E0B48ABA6216E196045DE38E5D289EAA | F7BAB5357A18110E6C927A607B69B7B74C3D6F0840B4E64E1A9362B57C190C50