Play interactive tour
Edit tourWindows Analysis Report 173536952-10042021.xls
Overview
General Information
| Sample Name: | 173536952-10042021.xls |
| Analysis ID: | 496489 |
| MD5: | 0bca9d9a4e10b794ac05375ebc19de86 |
| SHA1: | 43983f7c8b45057ec1d732586648f9ac515048f4 |
| SHA256: | 4cd16d4f199b5f619a377b3c260f8423a9e814cc680edad1505e4038fc38ddcc |
| Tags: | Gozixls |
| Infos: | |
Most interesting Screenshot:  | |
Detection
Hidden Macro 4.0 Qbot
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Yara detected Qbot
Document exploit detected (drops PE files)
Sigma detected: Schedule system process
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Office process drops PE file
Writes to foreign memory regions
Uses cmd line tools excessively to alter registry or file data
Sigma detected: Microsoft Office Product Spawning Windows Shell
Allocates memory in foreign processes
Injects code into the Windows Explorer (explorer.exe)
Sigma detected: Regsvr32 Command Line Without DLL
Drops PE files to the user root directory
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Yara detected hidden Macro 4.0 in Excel
Uses schtasks.exe or at.exe to add and modify task schedules
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Downloads executable code via HTTP
Abnormal high CPU Usage
Drops files with a non-matching file extension (content does not match file extension)
PE file does not import any functions
Potential document exploit detected (unknown TCP traffic)
PE file contains an invalid checksum
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Uses reg.exe to modify the Windows registry
Document contains embedded VBA macros
Drops PE files to the user directory
PE file overlay found
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Classification
Process Tree |
|---|
|
Malware Configuration |
|---|
Threatname: Qbot |
|---|
{"Bot id": "obama108", "Campaign": "1633342139", "Version": "402.363", "C2 list": ["206.47.134.234:2222", "73.230.205.91:443", "190.198.206.189:2222", "103.246.130.2:20", "103.246.130.122:20", "81.250.153.227:2222", "167.248.100.227:443", "37.210.152.224:995", "96.57.188.174:2078", "2.99.100.134:2222", "217.17.56.163:2222", "217.17.56.163:2078", "41.228.22.180:443", "136.232.34.70:443", "68.186.192.69:443", "167.248.111.245:443", "81.241.252.59:2078", "94.200.181.154:443", "96.46.103.226:443", "187.116.124.82:995", "73.130.180.25:443", "73.52.50.32:443", "120.151.47.189:443", "47.22.148.6:443", "124.123.42.115:2222", "208.89.170.179:443", "86.8.177.143:443", "73.77.87.137:443", "73.25.124.140:2222", "181.118.183.94:443", "109.12.111.14:443", "89.101.97.139:443", "216.201.162.158:443", "105.198.236.99:443", "188.210.210.122:0", "174.54.58.170:443", "24.152.219.253:995", "103.142.10.177:443", "75.75.179.226:443", "185.250.148.74:443", "122.11.220.212:2222", "120.150.218.241:995", "103.148.120.144:443", "140.82.49.12:443", "40.131.140.155:995", "103.157.122.198:995", "76.25.142.196:443", "45.46.53.140:2222", "173.21.10.71:2222", "75.89.195.186:995", "67.165.206.193:993", "71.74.12.34:443", "24.119.214.7:443", "75.66.88.33:443", "73.151.236.31:443", "159.2.51.200:2222", "78.191.36.142:995", "75.188.35.168:443", "95.77.223.148:443", "110.174.64.179:995", "47.40.196.233:2222", "201.93.111.2:995", "187.56.71.109:995", "187.101.25.96:32100", "174.54.193.186:443", "76.84.230.103:443", "174.59.35.191:443", "173.63.245.129:443", "24.139.72.117:443", "72.252.201.69:443", "68.117.229.117:443", "167.248.117.81:443", "75.163.81.130:995", "76.84.32.159:443", "147.92.51.49:443", "167.248.99.149:443", "68.204.7.158:443", "76.84.226.17:443", "68.13.157.69:443", "167.248.126.223:443", "69.30.186.190:443", "72.196.22.184:443", "167.248.23.224:443", "98.22.92.139:995", "209.50.20.255:443", "97.98.130.50:443", "196.117.37.214:995", "77.57.204.78:443", "191.191.38.8:443", "176.251.215.116:443", "96.46.103.109:2222", "188.210.210.122:443", "37.117.191.19:2222", "90.197.155.33:443", "197.90.137.161:61201", "70.37.217.196:443", "24.32.174.175:443", "76.84.225.21:443", "188.210.210.122:443", "78.145.153.73:995", "69.30.190.105:995", "167.248.81.60:443", "69.80.113.148:443", "217.17.56.163:443", "39.52.236.68:995", "71.190.231.182:443", "62.23.194.38:443", "62.23.194.41:995", "173.25.166.81:443", "199.27.127.129:443", "24.229.150.54:995", "189.210.115.207:443", "174.59.226.6:443", "73.130.237.36:443", "69.253.197.100:443", "174.59.242.9:443", "177.130.82.197:2222", "67.214.30.12:995", "24.55.112.61:443", "174.59.120.69:443", "47.181.84.61:443", "73.130.239.166:443", "217.165.163.21:995", "93.8.66.216:443", "73.52.114.202:443", "186.18.205.199:995", "38.10.202.214:443", "78.191.44.76:443", "96.83.180.29:443", "124.123.42.115:2078", "105.159.144.186:995", "27.223.92.142:995", "109.190.253.11:2222", "217.17.56.163:465", "38.10.201.211:443", "92.148.59.207:2222", "92.157.171.41:2222", "217.17.56.163:443", "217.17.56.163:443", "186.87.135.68:995", "80.6.192.58:443", "47.40.196.233:2222", "187.156.138.172:443", "82.77.137.101:995", "173.234.155.233:443", "5.238.148.193:61202", "182.176.112.182:443", "96.37.113.36:993", "162.244.227.34:443", "92.59.35.196:2222"]}Yara Overview |
|---|
Initial Sample |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_HiddenMacro | Yara detected hidden Macro 4.0 in Excel | Joe Security |
Memory Dumps |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security | ||
| JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security | ||
| JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security | ||
| JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security | ||
| JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security | ||
| Click to see the 3 entries | ||||
Unpacked PEs |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security | ||
| JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security | ||
| JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security | ||
| JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security | ||
| JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security | ||
| Click to see the 6 entries | ||||
Sigma Overview |
|---|
System Summary: |   |
|---|
| Sigma detected: Microsoft Office Product Spawning Windows Shell | Show sources | ||
| Source: | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: | ||
| Sigma detected: Regsvr32 Command Line Without DLL | Show sources | ||
| Source: | Author: Florian Roth: | ||
Persistence and Installation Behavior: | |
|---|
| Sigma detected: Schedule system process | Show sources | ||
| Source: | Author: Joe Security: | ||
Jbx Signature Overview |
|---|
Click to jump to signature section
Show All Signature Results
AV Detection: | |
|---|
| Found malware configuration | Show sources | ||
| Source: | Malware Configuration Extractor: | ||