Field | Value |
---|---|
File name | fuss.dat |
Full analysis | https://app.any.run/tasks/94141966-d534-4565-877f-c3292e418927 |
Verdict | Malicious activity |
Threats | Qbot is a banking Trojan: malware designed to collect banking information from victims. Qbot targets organizations mostly in the US. It is equipped with various sophisticated evasion and info-stealing functions, worm-like functionality, and a strong persistence mechanism. |
Analysis date | October 05, 2022, 00:09:28 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | application/x-dosexec |
File info | PE32 executable (DLL) (console) Intel 80386, for MS Windows |
MD5 | A5332F86382D9FA4201FB1D5A7E8C1DA |
SHA1 | 67D73AD233568B6C781506409F50834AF0FD0B72 |
SHA256 | EA28BE72DC6FDA30D9E33A1A805D3DD95B88904804CB806DC39B5129E1BBD3A2 |
SSDEEP | 6144:jdmEnTCVD1BEgOW61fq1LfhVyq2/zSAvaZ+X+b1SjKbj1c6DjWCXUsAOS/cb5:BuBEgOJSVXRQX+bqarr35 |
Extension | File type match (score) |
---|---|
.exe | Win64 Executable (generic) (64.6) |
.dll | Win32 Dynamic Link Library (generic) (15.4) |
.exe | Win32 Executable (generic) (10.5) |
.exe | Generic Win/DOS Executable (4.6) |
.exe | DOS Executable Generic (4.6) |
Field | Value |
---|---|
Architecture | IMAGE_FILE_MACHINE_I386 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
Compilation Date | 2022-Oct-03 13:50:12 |
Detected languages | |
DOS header field | Value |
---|---|
e_magic | MZ |
e_cblp | 144 |
e_cp | 3 |
e_crlc | - |
e_cparhdr | 4 |
e_minalloc | - |
e_maxalloc | 65535 |
e_ss | - |
e_sp | 184 |
e_csum | - |
e_ip | - |
e_cs | - |
e_ovno | - |
e_oemid | - |
e_oeminfo | - |
e_lfanew | 272 |
PE header field | Value |
---|---|
Signature | PE |
Machine | IMAGE_FILE_MACHINE_I386 |
NumberOfSections | 7 |
TimeDateStamp | 2022-Oct-03 13:50:12 |
PointerToSymbolTable | - |
NumberOfSymbols | - |
SizeOfOptionalHeader | 224 |
Characteristics | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 4096 | 196637 | 197120 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.61697 |
CODE | 204800 | 500 | 0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | |
.data | 208896 | 205769 | 205824 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.78843 |
.idata | 417792 | 2564 | 3072 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.79381 |
.hata | 421888 | 6319 | 6656 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.42339 |
.rsrc | 430080 | 480 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.72473 |
.reloc | 434176 | 10500 | 10752 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.58359 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
2 | 4.91161 | 381 | UNKNOWN | English - United States | RT_MANIFEST |
Imported library |
---|
ADVAPI32.dll |
KERNEL32.dll |
SHLWAPI.dll |
Title | Ordinal | Address |
---|---|---|
DllRegisterServer | 1 | 62320 |
DllUnregisterServer | 2 | 63920 |
coelho | 3 | 34288 |
oviposition | 4 | 51232 |
unstatistic | 5 | 28784 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2968 | "C:\Windows\System32\rundll32.exe" "C:\Users\admin\AppData\Local\Temp\fuss.dat.exe", DllRegisterServer | C:\Windows\System32\rundll32.exe | — | Explorer.EXE |
684 | C:\Windows\System32\wermgr.exe | C:\Windows\System32\wermgr.exe | | rundll32.exe |

PID | User | Company | Integrity Level | Description | Exit code | Version |
---|---|---|---|---|---|---|
2968 | admin | Microsoft Corporation | MEDIUM | Windows host process (Rundll32) | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
684 | admin | Microsoft Corporation | MEDIUM | Windows Problem Reporting | | 6.1.7601.24521 (win7sp1_ldr_escrow.190909-1704) |
(PID) Process | Operation | Key | Name | Value |
---|---|---|---|---|
(684) wermgr.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt | 9abda0b5 | 78FD41573BD99A1F72AB7870315B0E3453028C2CB868FED0AF9ED99462BC4217A1D271A8EA0356DF43535841214A5F0FFC6490664BB2D686 |
(684) wermgr.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt | af2270fb | 1671B1CB492C5556C055EBE1070186F4539120B65789D71DB758F7249231D7EFE81C8ECAE56FBF12EB97D74FCE28A7C64420349CAD704EF46C08C28785325DA04EC55E6E8CDFA42531F0946B3321C8CB01D1E8F360D47B846A3463E7919A5EE78CEB4A7EF37FE781B04F1E724F76D4D471D962C1AF767DCD901BB854F670DB2AAFDA7EC62D66B8100666C6C42D912507FAFC5C6C86059C6523A7917E99DBC84F0152E8C16D170DA625DEE8DB4EFDD0BAFE8AC174238FCFCE5B284F9E110924B2CA4C60EE9A086EC4EA53370598DCA4606D |
(684) wermgr.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt | ad635087 | 3F5FCA242F6BC310CEAAC572F217631E80818206CC63DD11A011436B60540631896528F881B58F8D7524A62F733EFFF1B65DEC863701EF377DB32346C7CAEBF22254622CA4CA2148A5E14D101F2C82D3E373B8F7A28CCE6187EAD42B23EA18A1DBE81CA2 |
(684) wermgr.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt | 15df37e2 | B713E0E0E8A1F76124E8E96656AEB48CB16FB37C10DDF57BC9E2BA44012409C924B05210D64AFCB609BC5C |
(684) wermgr.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt | 68d77868 | FDAA9851894C13B662E466C238A829AC7D067B43784036B67ED14F73523A690DA110E0822121380F4474A045F950DFA5F4E571D81A3BCB4FC46D8D17CE5B0104C618671B46604225C4157F1D8E2C771823C93812AC68E744F8CD1B185F4C90181B |
(684) wermgr.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt | d06b1f0d | AD659A1C35159E3DA0FB6C5D5B9329BE52522392BC1E5EA22C4E1317AC8AAFA82D2B77C6901735FBCC06F5399FAF61D3F005B0319A198178E5B939362F98C9D3FD8BFE4DE91FFF0E3F3018A7FAC315D2389211532683CF1C7B58608894E81C4B |
(684) wermgr.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt | 179e179e | 18D68B559E545A7E27831576418B7B92AAA117E47E6BE147A40EF6C8A0FA223B37FB4E249371D2480F29E54823A6A221329EF6424F46D87A19FE0794B298D319B418155A4366B3FE |
(684) wermgr.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt | e5f4cf43 | 2BF73CCC9ED9770DD708F5D28211873DDE7DD93558AF6796436756F202AE4D70E074748CB258856424 |
(684) wermgr.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt | 9abda0b5 | 78FD56573BD9A968E2E8B224399AEC08954AA6922C0987D2591EE40CC8377942D4EC0D3FEECDEC230CD8B164A163762742B72E187D4E6D08D27D035F5E8C4C61A83C0095B69099EBCE0C386560 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
684 | wermgr.exe | C:\Users\admin\AppData\Local\Temp\fuss.dat.exe | executable | AE8F9D670E4CE6D278C3F4EFD71A8C6F | A87A045D77BACD9CA7959E3D847A849C0235256F24CA038FC2C1312338284FBF |