Play interactive tour
Edit tourAnalysis Report fff572167e03d2446c.dll
Overview
General Information
| Sample Name: | fff572167e03d2446c.dll |
| Analysis ID: | 399730 |
| MD5: | 2e475c357cce84559352b7e0a6bcf631 |
| SHA1: | 8a03f2a1a97a38d318195b3e2a65ec3bba25e1ce |
| SHA256: | fff572167e03d2446c8abd0b5ddfe8657692ff07967bdd380881469df7df1484 |
| Infos: | |
Most interesting Screenshot:  | |
Detection
Qbot
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Schedule REGSVR windows binary
Yara detected Qbot
Allocates memory in foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Found evasive API chain (date check)
Found evasive API chain checking for process token information
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file contains strange resources
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Classification
Startup |
|---|
|
Malware Configuration |
|---|
Threatname: Qbot |
|---|
{"C2 list": ["203.106.195.67:443", "58.152.9.133:443", "67.61.157.208:443", "211.24.72.253:443", "82.10.43.130:2222", "200.75.136.78:443", "120.159.238.185:2222", "196.151.252.84:443", "105.198.236.101:443", "197.161.154.132:443", "79.172.26.240:443", "41.233.153.21:993", "103.102.100.78:2222", "82.223.205.216:443", "90.23.117.67:2222", "81.214.126.173:2222", "95.56.177.11:995", "217.128.117.218:2222", "185.163.221.77:2222", "120.151.95.167:443", "87.218.53.206:2222", "94.49.188.240:443", "2.90.33.130:443", "70.124.29.226:443", "81.150.181.168:2222", "109.154.193.21:2222", "120.150.218.241:995", "96.40.175.33:443", "5.2.188.253:443", "86.125.209.126:443", "89.137.211.239:443", "189.252.72.41:995", "109.209.94.165:2222", "79.115.171.106:2222", "61.1.205.150:443", "68.46.142.48:995", "69.11.247.242:443", "123.136.59.45:443", "87.27.110.90:2222", "39.61.33.253:995", "217.133.54.140:32100", "181.129.155.10:443", "27.223.92.142:995", "175.137.119.141:443", "197.51.82.115:995", "197.45.110.165:995", "174.62.13.151:443", "71.10.43.79:443", "75.136.26.147:443", "156.205.103.107:995", "189.150.40.192:2222", "116.240.78.45:995", "80.110.42.35:443", "85.132.36.111:2222", "144.202.38.185:443", "41.97.178.190:443", "68.224.121.148:993", "78.101.145.96:61201", "47.146.34.236:443", "149.28.98.196:443", "45.77.193.83:443", "31.5.168.31:443", "82.76.47.211:443", "149.28.98.196:995", "144.202.38.185:2222", "24.95.61.62:443", "149.28.98.196:2222", "45.63.107.192:2222", "149.28.99.97:2222", "149.28.99.97:443", "45.63.107.192:995", "72.29.181.78:2222", "144.202.38.185:995", "37.21.231.245:995", "41.227.82.102:443", "182.161.6.57:3389", "94.49.90.92:995", "178.222.114.132:995", "98.121.187.78:443", "108.23.22.28:0", "41.39.134.183:443", "109.205.204.229:2222", "120.150.34.178:443", "95.77.223.148:443", "176.45.233.94:995", "50.244.112.10:995", "173.173.1.164:443", "108.30.125.94:443", "78.187.125.116:2222", "79.113.119.125:443", "86.121.43.200:443", "85.52.72.32:2222", "31.5.21.66:995", "189.231.3.63:443", "105.103.33.188:443", "218.227.162.13:443", "95.76.27.6:443", "91.104.44.226:995", "81.97.154.100:443", "47.44.217.98:443", "217.133.54.140:32100", "37.209.255.10:443", "161.142.217.62:443", "85.204.189.105:443", "68.15.109.125:443", "37.211.86.156:443", "156.220.32.217:995", "90.101.117.122:2222", "96.225.88.23:443", "2.50.56.81:443", "47.21.192.182:2222", "93.146.133.102:2222", "96.21.251.127:2222", "184.98.97.227:995", "58.179.21.147:995", "72.36.59.46:2222", "189.157.3.12:443", "219.76.148.249:443", "198.2.35.226:2222", "86.98.59.208:443", "47.22.148.6:443", "197.86.204.38:443", "120.150.60.189:995", "45.118.65.34:443", "110.142.205.182:443", "37.210.133.63:995", "94.98.242.243:443", "45.32.162.253:443", "83.110.150.100:443", "140.82.27.132:443", "45.32.165.134:443", "39.36.30.92:995", "94.176.40.234:443", "73.244.83.199:443", "2.88.67.161:995", "86.98.34.84:995", "65.131.47.74:995", "181.208.249.141:443", "200.110.188.218:443", "151.33.226.156:443", "73.51.245.231:995", "37.210.131.246:443", "71.220.164.199:443", "172.87.157.235:443", "47.24.47.218:443", "195.97.101.40:443", "184.21.136.237:995", "118.70.55.146:443", "103.76.160.110:443", "2.89.183.206:443"], "Bot id": "abc106", "Campaign": "1606896670"}Yara Overview |
|---|
Memory Dumps |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Qbot | Yara detected Qbot | Joe Security | ||
| JoeSecurity_Qbot | Yara detected Qbot | Joe Security | ||
| JoeSecurity_Qbot | Yara detected Qbot | Joe Security | ||
| JoeSecurity_Qbot | Yara detected Qbot | Joe Security |
Unpacked PEs |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Qbot | Yara detected Qbot | Joe Security | ||
| JoeSecurity_Qbot | Yara detected Qbot | Joe Security | ||
| JoeSecurity_Qbot | Yara detected Qbot | Joe Security | ||
| JoeSecurity_Qbot | Yara detected Qbot | Joe Security | ||
| JoeSecurity_Qbot | Yara detected Qbot | Joe Security | ||
| Click to see the 3 entries | ||||
Sigma Overview |
|---|
System Summary: |   |
|---|
| Sigma detected: Schedule REGSVR windows binary | Show sources | ||
| Source: | Author: Joe Security: | ||
Signature Overview |
|---|
Click to jump to signature section
Show All Signature Results
AV Detection: | |
|---|
| Antivirus / Scanner detection for submitted sample | Show sources | ||
| Source: | Avira: | ||
| Found malware configuration | Show sources | ||
| Source: | Malware Configuration Extractor: | ||