Play interactive tourEdit tour
Analysis Report papers (71).xls
Overview
General Information
Detection
Hidden Macro 4.0 Qbot
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Document exploit detected (drops PE files)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Schedule REGSVR windows binary
Yara detected Qbot
Allocates memory in foreign processes
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Office process drops PE file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Microsoft Office Product Spawning Windows Shell
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected hidden Macro 4.0 in Excel
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains embedded VBA macros
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file does not import any functions
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
Startup |
---|
|
Malware Configuration |
---|
Threatname: Qbot |
---|
{"C2 list": ["78.63.226.32:443", "197.51.82.72:443", "193.248.221.184:2222", "95.77.223.148:443", "71.199.192.62:443", "77.211.30.202:995", "80.227.5.69:443", "77.27.204.204:995", "81.97.154.100:443", "173.184.119.153:995", "38.92.225.121:443", "81.150.181.168:2222", "90.65.236.181:2222", "83.110.103.152:443", "73.153.211.227:443", "188.25.63.105:443", "89.137.211.239:995", "202.188.138.162:443", "98.173.34.212:995", "87.202.87.210:2222", "195.12.154.8:443", "47.217.24.69:6881", "182.48.193.200:443", "108.160.123.244:443", "96.57.188.174:2222", "45.118.216.157:443", "84.72.35.226:443", "172.115.177.204:2222", "86.236.77.68:2222", "82.127.125.209:990", "176.181.247.197:443", "97.69.160.4:2222", "90.101.117.122:2222", "189.223.201.91:443", "140.82.49.12:443", "2.7.69.217:2222", "83.110.12.140:2222", "85.132.36.111:2222", "197.45.110.165:995", "149.28.99.97:995", "45.63.107.192:2222", "149.28.98.196:2222", "149.28.99.97:2222", "144.202.38.185:443", "149.28.99.97:443", "45.63.107.192:443", "45.63.107.192:995", "144.202.38.185:2222", "149.28.101.90:995", "149.28.101.90:2222", "149.28.101.90:8443", "45.32.211.207:8443", "149.28.98.196:995", "149.28.98.196:443", "45.32.211.207:995", "149.28.101.90:443", "207.246.77.75:443", "45.77.115.208:8443", "207.246.77.75:995", "207.246.77.75:2222", "45.32.211.207:2222", "45.32.211.207:443", "45.77.115.208:995", "144.202.38.185:995", "45.77.115.208:2222", "207.246.116.237:8443", "207.246.116.237:2222", "207.246.77.75:8443", "207.246.116.237:995", "207.246.116.237:443", "45.77.117.108:443", "45.77.117.108:995", "45.77.117.108:8443", "45.77.117.108:2222", "45.77.115.208:443", "89.3.198.238:443", "2.232.253.79:995", "73.25.124.140:2222", "136.232.34.70:443", "157.131.108.180:443", "217.133.54.140:32100", "195.43.173.70:443", "86.98.93.124:2078", "176.205.222.30:2078", "105.96.8.96:443", "50.29.166.232:995", "27.223.92.142:995", "119.153.62.76:3389", "47.187.115.228:443", "67.6.12.4:443", "65.27.228.247:443", "23.240.70.80:995", "216.201.162.158:443", "139.216.137.189:995", "64.121.114.87:443", "79.129.121.81:995", "172.87.157.235:3389", "75.118.1.141:443", "75.136.26.147:443", "96.250.60.138:443", "50.244.112.106:443", "115.133.243.6:443", "47.196.192.184:443", "45.46.53.140:2222", "105.198.236.101:443", "144.139.166.18:443", "196.151.252.84:443", "71.197.126.250:443", "196.221.207.137:995", "71.117.132.169:443", "74.68.144.202:443", "76.25.142.196:443", "98.240.24.57:443", "144.139.47.206:443", "86.245.46.27:2222", "173.21.10.71:2222", "78.97.207.104:443", "86.220.60.133:2222", "69.245.102.225:443", "94.53.92.42:443", "71.74.12.34:443", "84.247.55.190:8443", "173.25.45.66:443", "46.153.55.149:995", "78.22.58.205:3389", "105.198.236.99:443", "24.152.219.253:995", "82.76.47.211:443", "189.223.234.23:995", "96.37.113.36:993", "47.187.74.181:443", "50.25.89.74:443", "174.104.31.209:443", "199.19.117.131:443", "201.143.235.13:443", "189.146.183.105:443", "181.48.190.78:443", "189.223.97.175:443", "47.22.148.6:443", "173.70.165.101:995", "74.222.204.82:995", "75.67.192.125:443", "32.210.98.6:443", "106.51.52.111:443", "59.90.246.200:443", "70.49.88.199:2222", "186.28.51.27:443", "98.252.118.134:443", "209.210.187.52:995", "189.210.115.207:443"], "Bot id": "tr", "Campaign": "1613385567"}
Yara Overview |
---|
Initial Sample |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
SUSP_Excel4Macro_AutoOpen | Detects Excel4 macro use with auto open / close | John Lambert @JohnLaTwC |
| |
JoeSecurity_HiddenMacro | Yara detected hidden Macro 4.0 in Excel | Joe Security |
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security | ||
JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security |
Unpacked PEs |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security | ||
JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security | ||
JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security | ||
JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security |
Sigma Overview |
---|
System Summary: |
---|
Sigma detected: Schedule REGSVR windows binary | Show sources |
Source: | Author: Joe Security: |
Sigma detected: Microsoft Office Product Spawning Windows Shell | Show sources |
Source: | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: |
Signature Overview |
---|
Click to jump to signature section
Show All Signature Results
AV Detection: |
---|
Found malware configuration | Show sources |
Source: | Malware Configuration Extractor: |