Windows
Analysis Report
Calculation#8785(Sep16).html
Overview
General Information
Detection
Qbot
| Field | Value |
|---|---|
| Score | 84 |
| Range | 0 - 100 |
| Whitelisted | false |
| Confidence | 100% |
Signatures
Phishing site detected (based on favicon image match)
Yara detected Qbot
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Wscript starts Powershell (via cmd or directly)
Injects code into the Windows Explorer (explorer.exe)
Uses 7zip to decompress a password protected archive
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Contains functionality to record screenshots
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Tries to load missing DLLs
Found evasive API chain checking for process token information
Contains capabilities to detect virtual machines
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Classification
- System is w10x64
- chrome.exe (PID: 6132, cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank", MD5: 0FEC2748F363150DC54C1CAFFB1A9408)
- chrome.exe (PID: 5224, cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1960 --field-trial-handle=1800,i,15047504098167429117,11276190225124185928,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8, MD5: 0FEC2748F363150DC54C1CAFFB1A9408)
- unarchiver.exe (PID: 6748, cmdline: "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\Calculation#8785(Sep16).zip", MD5: 9DE2E060A2985A232D8B96F9EC847A19)
- 7za.exe (PID: 7012, cmdline: "C:\Windows\System32\7za.exe" x -pabc444 -y -o"C:\Users\user\AppData\Local\Temp\idbrycd1.fis" "C:\Users\user\Downloads\Calculation#8785(Sep16).zip", MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
- conhost.exe (PID: 6316, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cmd.exe (PID: 1316, cmdline: "cmd.exe" /c powershell.exe -ex bypass -command Mount-DiskImage -ImagePath "C:\Users\user\AppData\Local\Temp\idbrycd1.fis\Calculation#8785.iso", MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 3960, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- powershell.exe (PID: 3680, cmdline: powershell.exe -ex bypass -command Mount-DiskImage -ImagePath "C:\Users\user\AppData\Local\Temp\idbrycd1.fis\Calculation#8785.iso", MD5: DBA3E6449E97D4E3DF64527EF7012A10)
- wscript.exe (PID: 5064, cmdline: "C:\Windows\System32\WScript.exe" "E:\more\seeSay.js", MD5: 7075DD7B9BE8807FCA93ACD86F724884)
- cmd.exe (PID: 4268, cmdline: C:\Windows\system32\cmd.exe /c ""E:\more\myTheir.bat" r egs v", MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 7116, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- regsvr32.exe (PID: 6912, cmdline: regsvr32 more/veryAs.db, MD5: 426E7499F6A7346F0410DEAD0805586B)
- explorer.exe (PID: 712, cmdline: C:\Windows\SysWOW64\explorer.exe, MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
- chrome.exe (PID: 5392, cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\Calculation#8785(Sep16).html", MD5: 0FEC2748F363150DC54C1CAFFB1A9408)
- cleanup
{"Bot id": "obama204", "Campaign": "1663313119", "Version": "403.892", "C2 list": ["119.82.111.158:443", "134.35.10.207:443", "200.161.62.126:32101", "70.51.132.197:2222", "78.100.228.93:995", "78.100.225.34:2222", "45.51.148.111:993", "186.154.92.181:443", "66.181.164.43:443", "217.165.85.223:993", "70.49.33.200:2222", "193.3.19.37:443", "41.96.56.224:443", "99.232.140.205:2222", "88.231.221.198:995", "76.169.76.44:2222", "68.53.110.74:995", "196.64.237.138:443", "190.44.40.48:995", "72.88.245.71:443", "179.111.111.88:32101", "197.94.210.133:443", "81.131.161.131:2078", "87.243.113.104:995", "84.38.133.191:443", "14.184.97.67:443", "123.240.131.1:443", "194.166.207.160:995", "176.90.193.145:2222", "180.180.131.95:443", "191.84.204.214:995", "191.97.234.238:995", "41.111.15.78:995", "91.116.160.252:443", "2.182.101.3:990", "99.253.251.74:443", "154.181.203.230:995", "64.207.215.69:443", "85.114.110.108:443", "102.38.97.57:995", "109.158.159.179:993", "186.105.182.127:443", "71.10.27.196:2222", "71.10.27.196:2222", "41.69.118.117:995", "47.146.182.110:443", "197.204.143.46:443", "194.49.79.231:443", "88.242.228.16:53", "88.231.221.198:443", "175.110.231.67:443", "196.92.172.24:8443", "186.50.245.74:995", "100.1.5.250:995", "78.182.113.80:443", "41.96.171.218:443", "154.246.182.210:443", "81.214.220.237:443", "187.205.222.100:443", "95.136.41.50:443", "84.38.133.191:443", "190.158.58.236:443", "105.99.80.23:443", "105.197.192.21:995", "181.127.138.30:443", "167.60.82.242:995", "196.112.34.71:443", "88.251.38.53:443", "68.224.229.42:443", "37.37.206.87:995", "37.76.197.124:443", "188.157.6.170:443", "68.50.190.55:443", "181.111.20.201:443", "31.166.116.171:443", "84.238.253.171:443", "197.49.50.44:443", "169.159.95.135:2222", "45.160.124.211:995", "113.22.102.155:443", "211.248.176.4:443", "186.167.249.206:443", "85.98.206.165:995", "139.195.132.210:2222", "182.213.208.5:443", "201.177.163.176:443", "45.183.234.180:443", "98.180.234.228:443", "184.82.110.50:995", "179.24.245.193:995", "94.99.110.157:995", "181.56.125.32:443", "119.42.124.18:443", "181.231.229.133:443", "2.89.78.130:993", "70.81.121.237:2222", "181.81.116.144:443", "197.11.128.156:443", "41.142.132.190:443", "105.111.60.60:995", "154.238.151.197:995", "156.219.49.22:995", "179.223.89.154:995", "102.101.231.141:443", "220.116.250.45:443", "138.0.114.166:443", "62.114.193.186:995", "85.98.46.114:443", "184.99.123.118:443", "186.120.58.88:443", "46.186.216.41:32100", "156.213.107.29:995", "27.73.215.46:32102", "68.151.196.147:995", "68.129.232.158:443", "45.241.140.181:995", "212.156.51.194:443", "87.75.195.211:443", "1.10.253.207:443", "87.220.229.164:2222", "109.200.165.82:443", "41.105.197.244:443", "190.59.247.136:995", "219.69.103.199:443", "61.105.45.244:443", "105.105.104.0:443", "169.1.47.111:443", "210.195.18.76:2222", "118.175.247.124:995", "88.246.170.2:443", "149.140.193.233:443", "171.248.157.128:995", "118.68.220.199:443", "139.195.63.45:2222", "118.216.99.232:443", "181.80.133.202:443", "102.40.236.32:995", "46.116.229.16:443", "61.70.29.53:443", "179.108.32.195:443", "171.238.230.59:443", "81.56.22.251:995", "31.32.180.179:443", "186.64.87.202:443", "85.139.203.42:32101"]}
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security | |
| | Windows_Trojan_Qbot_92c67a6d | unknown | unknown | |
| | Windows_Trojan_Qbot_3074a8d4 | unknown | unknown | |
| | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security | |
| | Windows_Trojan_Qbot_92c67a6d | unknown | unknown | |

7 entries in total.
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security | |
| | Windows_Trojan_Qbot_92c67a6d | unknown | unknown | |
| | Windows_Trojan_Qbot_3074a8d4 | unknown | unknown | |
| | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security | |
| | Windows_Trojan_Qbot_92c67a6d | unknown | unknown | |

13 entries in total.
No Sigma rule has matched
No Snort rule has matched
Source: Malware Configuration Extractor