Play interactive tour
Edit tourWindows Analysis Report plan-1053707320.xlsb
Overview
General Information
| Sample Name: | plan-1053707320.xlsb |
| Analysis ID: | 440113 |
| MD5: | 4854b4dcfa441032f2f54bf2834e894f |
| SHA1: | fa24422834d0f6ce6d3e35a8b0f15a906cdf9823 |
| SHA256: | 68741c1f5df351dc186805c2c30a79653fd52ce21e2fb2aa34ff0687120343cf |
| Infos: | |
Most interesting Screenshot:  | |
Detection
Hidden Macro 4.0 Qbot
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Schedule system process
Yara detected Qbot
Allocates memory in foreign processes
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Office process drops PE file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Microsoft Office Product Spawning Windows Shell
Tries to evade analysis by execution special instruction which cause usermode exception
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain checking for process token information
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
PE file does not import any functions
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
Process Tree |
|---|
|
Malware Configuration |
|---|
Threatname: Qbot |
|---|
{"C2 list": ["204.97.97.215:21858", "70.154.48.62:44327", "70.31.11.245:7267", "213.191.161.231:29643", "153.239.78.184:38503", "78.214.129.166:38539", "254.124.232.207:39310", "109.164.21.24:64901", "141.215.250.177:22875", "227.244.119.210:52552", "174.179.129.208:15267", "111.112.232.190:48521", "255.28.73.185:49979", "141.103.36.51:3939", "116.110.10.187:25167", "85.180.25.176:32726", "79.254.143.27:14876", "235.218.248.190:29975", "161.4.87.73:5800", "224.200.240.56:14635", "9.155.72.32:55392", "216.67.224.194:53640", "141.121.237.255:1461", "121.42.239.196:13549", "179.179.31.112:63026", "218.134.37.166:33358", "239.135.100.181:9787", "239.242.36.114:27696", "60.26.149.129:8707", "114.86.119.195:36123", "154.85.103.18:33933", "141.204.72.150:28929", "229.176.154.40:1991", "206.193.4.142:60112", "113.150.134.145:14637", "182.192.0.153:3039", "37.235.119.158:25257", "118.217.148.55:40918", "157.238.131.159:17525", "120.231.33.231:39242", "113.196.247.102:57216", "39.96.161.153:21974", "37.95.209.127:37781", "88.221.119.43:55621", "49.191.149.88:15536", "25.203.154.171:56937", "160.244.29.108:63666", "227.245.195.188:38491", "11.191.229.149:48178", "29.223.190.224:4552", "144.140.245.179:62583", "199.3.125.195:31574", "37.158.174.86:39635", "19.119.17.26:61415", "18.218.204.94:25156", "17.147.2.193:34433", "232.165.224.232:64576", "255.113.254.238:35466", "244.159.158.34:29113", "6.247.120.152:5539", "20.23.44.234:12808", "68.58.107.122:40009", "177.71.146.158:14858", "218.154.172.108:36509", "59.198.167.253:53302", "45.116.255.72:7036", "11.48.233.235:37824", "181.50.13.209:4123", "8.141.223.46:63405", "196.248.106.49:5168", "123.119.149.61:15034", "158.237.184.100:6941", "47.102.246.133:28795", "245.30.65.166:57241", "96.17.6.131:61427", "158.127.33.70:13273", "171.113.240.107:55225", "29.188.217.91:11621", "233.26.116.125:35782", "103.200.182.78:41414", "212.166.144.41:13766", "225.167.47.169:10108", "218.233.238.210:11757", "61.149.157.113:33452", "224.147.98.25:43134", "215.16.240.69:58681", "69.158.146.64:33703", "43.93.98.34:24929", "94.211.166.245:8677", "237.58.8.158:44902", "22.105.125.67:37017", "228.204.65.194:22014", "240.58.16.219:55052", "160.25.48.169:7011", "48.255.58.190:27057", "12.207.95.189:15569", "100.104.109.104:51319", "154.195.229.221:35588", "98.133.117.21:26241", "124.177.25.94:55126", "59.211.38.81:7832", "197.103.23.2:43598", "123.210.126.131:49328", "192.204.246.62:53778", "220.178.117.122:65405", "32.177.158.150:9600", "186.12.160.146:13500", "217.11.103.56:65312", "183.137.66.59:24965", "73.73.123.212:54786", "84.4.148.67:50685", "173.176.181.154:13839", "216.1.166.66:2080", "144.122.242.245:52290", "115.127.247.89:14716", "25.5.112.94:8779", "40.151.136.48:36008", "78.114.25.179:8887", "185.149.69.37:4676", "66.204.28.22:17430", "50.138.243.152:7941", "195.170.56.121:46373", "189.236.221.185:38192", "39.35.83.72:15610", "213.64.255.229:34462", "27.98.20.110:25605", "250.34.90.10:20014", "55.164.192.159:18516", "89.170.84.87:31034", "195.228.141.229:32482", "67.144.76.43:2062", "217.168.11.163:26766", "212.238.116.17:9843", "109.26.22.183:43143", "58.142.103.104:44200", "200.39.220.35:59648", "115.127.244.231:37553", "150.184.143.159:42919", "14.29.250.1:10356", "86.168.140.17:49045", "62.128.177.85:27511", "219.13.32.40:17684", "60.225.8.42:6650", "113.94.94.176:17136", "243.196.184.116:25994", "168.243.164.189:60510", "217.56.43.145:25488"]}Yara Overview |
|---|
Memory Dumps |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| QakBot | QakBot Payload | kevoreilly |
| |
| JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security | ||
| QakBot | QakBot Payload | kevoreilly |
| |
| JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security | ||
| QakBot | QakBot Payload | kevoreilly |
| |
| Click to see the 1 entries | ||||
Unpacked PEs |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| QakBot | QakBot Payload | kevoreilly |
| |
| JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security | ||
| QakBot | QakBot Payload | kevoreilly |
| |
| JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security | ||
| QakBot | QakBot Payload | kevoreilly |
| |
| Click to see the 13 entries | ||||
Sigma Overview |
|---|
System Summary: |   |
|---|
| Sigma detected: Microsoft Office Product Spawning Windows Shell | Show sources | ||
| Source: | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: | ||
Persistence and Installation Behavior: | |
|---|
| Sigma detected: Schedule system process | Show sources | ||
| Source: | Author: Joe Security: | ||
Signature Overview |
|---|
Click to jump to signature section
Show All Signature Results
AV Detection: | |
|---|
| Found malware configuration | Show sources | ||
| Source: | Malware Configuration Extractor: | ||