File name: | Calculation-1765765960-10162020.zip |
Full analysis: | https://app.any.run/tasks/483c715e-b7c6-47c2-b344-fc88b0ccedb9 |
Verdict: | Malicious activity |
Threats: | Qbot is a banking Trojan — a malware designed to collect banking information from victims. Qbot targets organizations mostly in the US. It is equipped with various sophisticated evasion and info-stealing functions and worm-like functionality, and a strong persistence mechanism. |
Analysis date: | October 20, 2020, 01:23:09 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 3D3D268DBE7B6D8B0620811EFC075104 |
SHA1: | 69C216CED93E751170AAC6A8EA86BEA7C4A69A4F |
SHA256: | F2EC217BBA28F980DD5D57C40352D8059A7CC2314F0ECF8BBC7613147446454D |
SSDEEP: | 384:0xrfZ+Of1uMbV8E6clGkckn7QzmxcI0GUdCwrBZSG7C+XvSx+aNefImPH:joxbO7k7QzmxtoCmBT7CCVa0rPH |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | - |
ZipCompression: | Deflated |
ZipModifyDate: | 2020:10:19 16:21:23 |
ZipCRC: | 0x1db2afa0 |
ZipCompressedSize: | 21429 |
ZipUncompressedSize: | 26689 |
ZipFileName: | Calculation-1765765960-10162020.xlsb |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2488 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Calculation-1765765960-10162020.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
3896 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | WinRAR.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 | ||||
1136 | "C:\Hromo\Nivadalo\nosto.exe" | C:\Hromo\Nivadalo\nosto.exe | EXCEL.EXE | |
User: admin Company: QIHU 360 SOFTWARE CO. LIMITED Integrity Level: MEDIUM Description: 360 SystemRegistryClean Exit code: 0 Version: 1, 0, 0, 1003 | ||||
2432 | C:\Hromo\Nivadalo\nosto.exe /C | C:\Hromo\Nivadalo\nosto.exe | — | nosto.exe |
User: admin Company: QIHU 360 SOFTWARE CO. LIMITED Integrity Level: MEDIUM Description: 360 SystemRegistryClean Exit code: 0 Version: 1, 0, 0, 1003 | ||||
3968 | C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe | C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe | — | nosto.exe |
User: admin Company: QIHU 360 SOFTWARE CO. LIMITED Integrity Level: MEDIUM Description: 360 SystemRegistryClean Exit code: 0 Version: 1, 0, 0, 1003 | ||||
3376 | "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Hromo\Nivadalo\nosto.exe" | C:\Windows\System32\cmd.exe | nosto.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
544 | ping.exe -n 6 127.0.0.1 | C:\Windows\system32\PING.EXE | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1084 | C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe /C | C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe | — | ytfovlym.exe |
User: admin Company: QIHU 360 SOFTWARE CO. LIMITED Integrity Level: MEDIUM Description: 360 SystemRegistryClean Exit code: 0 Version: 1, 0, 0, 1003 | ||||
3236 | C:\Windows\explorer.exe | C:\Windows\explorer.exe | — | ytfovlym.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3896 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR7C59.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3236 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.dat | binary | |
MD5:435D22E0FD5B56C3B188402A307A177F | SHA256:C2DE6188B5C00195AE92690701933F7CC83854B7BD9569EAC8CE69C295CC5422 | |||
3896 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\3415201[1].png | executable | |
MD5:A038CF89323C73093D2ED0AB95D92B2E | SHA256:8A5C5BD94A59655F2922BD5840CB0C8A5FB1563E838F0CC6CEB5D4D7CE061C55 | |||
1136 | nosto.exe | C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe | executable | |
MD5:A038CF89323C73093D2ED0AB95D92B2E | SHA256:8A5C5BD94A59655F2922BD5840CB0C8A5FB1563E838F0CC6CEB5D4D7CE061C55 | |||
3896 | EXCEL.EXE | C:\Hromo\Nivadalo\nosto.exe | executable | |
MD5:A038CF89323C73093D2ED0AB95D92B2E | SHA256:8A5C5BD94A59655F2922BD5840CB0C8A5FB1563E838F0CC6CEB5D4D7CE061C55 | |||
1136 | nosto.exe | C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.dat | binary | |
MD5:D4EAFD23DDF863BA5ACFA7C5A81F769C | SHA256:C69DDFCACF5C76E1DE725C0C658E091B50669F43E712F2AD16329F0D4041B6F1 | |||
2488 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa2488.34872\Calculation-1765765960-10162020.xlsb | document | |
MD5:8276207114BCE5EDC45560BE3E822A2C | SHA256:FA482CD00CDB66B6F91A83FBA60130C78734B4133B0E181C71CC4B91B4D08C62 | |||
3376 | cmd.exe | C:\Hromo\Nivadalo\nosto.exe | executable | |
MD5:60B7C0FEAD45F2066E5B805A91F4F0FC | SHA256:80C10EE5F21F92F89CBC293A59D2FD4C01C7958AACAD15642558DB700943FA22 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3896 | EXCEL.EXE | GET | 200 | 183.181.83.123:80 | http://home-delivery-cleaning.net/ecbmuibsl/3415201.png | JP | executable | 1.02 Mb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3896 | EXCEL.EXE | 183.181.83.123:80 | home-delivery-cleaning.net | SAKURA Internet Inc. | JP | malicious |
Domain | IP | Reputation |
---|---|---|
home-delivery-cleaning.net |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
3896 | EXCEL.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3896 | EXCEL.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2 |
3896 | EXCEL.EXE | A Network Trojan was detected | ET TROJAN JS/WSF Downloader Dec 08 2016 M4 |
3896 | EXCEL.EXE | A Network Trojan was detected | AV POLICY EXE or DLL in HTTP Image Content Inbound - Likely Malicious |
3896 | EXCEL.EXE | Misc activity | ET INFO EXE - Served Attached HTTP |
3896 | EXCEL.EXE | Misc activity | SUSPICIOUS [PTsecurity] PE as Image Content type mismatch |