
Windows Analysis Report
C.png

Overview

General Information

Sample Name: C.png (renamed file extension from png to dll)
Analysis ID: 651257
MD5: 8b81e6a7702f58b93fdc2b57ab401ffb
SHA1: 2990b8adc8891564c404190bedab55df5027da32
SHA256: 500f85201bcfc0ae49204bd31ed4f055cac1b0b7f8e74339907f5c14b8e711a8
Tags: dll
Infos:

Detection

CryptOne, Qbot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Qbot
Yara detected CryptOne packer
Sigma detected: Schedule system process
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Encrypted powershell cmdline option found
Machine Learning detection for sample
Allocates memory in foreign processes
Creates files in the system32 config directory
Injects code into the Windows Explorer (explorer.exe)
Uses schtasks.exe or at.exe to add and modify task schedules
Contains functionality to detect sleep reduction / modifications
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to record screenshots
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Checks if the current process is being debugged
Registers a DLL
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
PE file overlay found
May check if the current machine is a sandbox (GetTickCount - Sleep)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 2412 cmdline: loaddll32.exe "C:\Users\user\Desktop\C.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 1212 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\C.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5620 cmdline: rundll32.exe "C:\Users\user\Desktop\C.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • explorer.exe (PID: 1888 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
        • WerFault.exe (PID: 3032 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5620 -s 752 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • explorer.exe (PID: 812 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
      • schtasks.exe (PID: 6468 cmdline: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /Z /ST 17:57 /tn qsrshyj /ET 18:08 /tr "powershell.exe -encodedCommand cgBlAGcAcwB2AHIAMwAyAC4AZQB4AGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEQAZQBzAGsAdABvAHAAXABDAC4AZABsAGwAIgA=" /SC ONCE MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • powershell.exe (PID: 6532 cmdline: powershell.exe -encodedCommand cgBlAGcAcwB2AHIAMwAyAC4AZQB4AGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEQAZQBzAGsAdABvAHAAXABDAC4AZABsAGwAIgA= MD5: 95000560239032BC68B4C2FDFCDEF913)
    • conhost.exe (PID: 6540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • regsvr32.exe (PID: 6664 cmdline: "C:\Windows\system32\regsvr32.exe" C:\Users\user\Desktop\C.dll MD5: D78B75FC68247E8A63ACBA846182740E)
      • regsvr32.exe (PID: 6676 cmdline: C:\Users\user\Desktop\C.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
        • explorer.exe (PID: 6812 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
          • conhost.exe (PID: 7032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • powershell.exe (PID: 3732 cmdline: powershell.exe -encodedCommand cgBlAGcAcwB2AHIAMwAyAC4AZQB4AGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEQAZQBzAGsAdABvAHAAXABDAC4AZABsAGwAIgA= MD5: 95000560239032BC68B4C2FDFCDEF913)
    • conhost.exe (PID: 6124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • regsvr32.exe (PID: 6404 cmdline: "C:\Windows\system32\regsvr32.exe" C:\Users\user\Desktop\C.dll MD5: D78B75FC68247E8A63ACBA846182740E)
      • regsvr32.exe (PID: 6408 cmdline: C:\Users\user\Desktop\C.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
  • cleanup
{"Bot id": "AA", "Campaign": "1655971687", "Version": "403.780", "C2 list": ["38.70.253.226:2222", "47.23.89.60:993", "120.150.218.241:995", "117.248.109.38:21", "37.34.253.233:443", "86.132.14.70:2078", "111.125.245.116:995", "217.165.85.191:993", "176.45.232.204:995", "5.32.41.45:443", "93.48.80.198:995", "100.38.242.113:995", "94.59.252.166:2222", "74.14.5.179:2222", "71.13.93.154:2222", "193.253.44.249:2222", "108.60.213.141:443", "45.241.231.78:993", "217.128.122.65:2222", "40.134.246.185:995", "1.161.124.241:443", "70.46.220.114:443", "24.43.99.75:443", "32.221.224.140:995", "80.11.74.81:2222", "31.215.184.140:2222", "39.49.85.29:995", "67.209.195.198:443", "186.90.153.162:2222", "148.64.96.100:443", "67.165.206.193:993", "210.246.4.69:995", "208.107.221.224:443", "89.101.97.139:443", "88.234.116.71:443", "121.7.223.45:2222", "104.34.212.7:32103", "69.14.172.24:443", "41.228.22.180:443", "197.87.182.60:443", "24.178.196.158:2222", "1.161.124.241:995", "189.78.107.163:32101", "39.52.74.55:995", "2.34.12.8:443", "182.191.92.203:995", "173.21.10.71:2222", "39.41.2.45:995", "90.114.10.16:2222", "184.97.29.26:443", "76.25.142.196:443", "47.156.129.52:443", "24.55.67.176:443", "190.252.242.69:443", "70.51.132.161:2222", "72.252.157.93:995", "90.120.209.197:2078", "72.252.157.93:993", "72.252.157.93:990", "177.45.64.254:32101", "24.139.72.117:443", "187.250.202.2:443", "94.36.193.176:2222", "109.12.111.14:443", "89.86.33.217:443", "179.158.105.44:443", "63.143.92.99:995", "45.46.53.140:2222", "31.215.67.68:2222", "188.136.218.225:61202", "187.208.115.219:443", "31.215.184.140:1194", "39.57.60.246:995", "24.122.142.181:443", "84.241.8.23:32103", "191.250.120.152:443", "202.134.152.2:2222", "91.177.173.10:995", "148.0.43.48:443", "172.115.177.204:2222", "81.193.30.90:443", "68.204.15.28:443", "197.94.94.206:443", "87.109.229.215:995", "102.182.232.3:995", "196.203.37.215:80", "81.250.191.49:2222", "83.110.94.105:443", "201.176.6.24:995", "173.174.216.62:443", "31.215.70.37:443", "175.145.235.37:443", "174.69.215.101:443", "187.172.164.12:443", "201.172.23.68:2222", "41.84.249.56:995", "191.34.121.84:443", "113.53.152.11:443", "86.195.158.178:2222", "109.228.220.196:443", "82.41.63.217:443", "82.152.39.39:443", "106.51.48.188:50001", "103.246.242.202:443", "41.38.167.179:995", "98.50.191.202:443", "185.56.243.146:443", "191.112.28.64:443", "39.44.30.209:995", "47.157.227.70:443", "187.251.132.144:22", "31.35.28.29:443", "148.252.133.168:443", "42.103.132.91:2222", "180.129.108.214:995", "138.186.28.253:443", "89.137.52.44:443", "120.61.2.218:443", "122.118.129.227:995", "124.109.35.171:995", "75.99.168.194:61201", "103.91.182.114:2222", "37.210.156.247:2222", "58.105.167.36:50000", "187.207.131.50:61202", "76.70.9.169:2222", "187.211.80.39:443", "176.67.56.94:443", "103.116.178.85:995", "143.0.219.6:995", "79.80.80.29:2222"]}
Memory dumps

Source | Rule | Description | Author | Strings
00000002.00000002.323381928.00000000010A0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security |
00000018.00000002.393963522.0000000003B10000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security |
00000019.00000002.765579370.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security |
00000002.00000000.281557672.0000000001070000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Crypt | Yara detected CryptOne packer | Joe Security |
00000002.00000000.281557672.0000000001070000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security |
Unpacked PE files

Source | Rule | Description | Author | Strings
4.2.explorer.exe.3230000.0.raw.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security |
2.0.rundll32.exe.10a0000.6.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security |
24.2.regsvr32.exe.3af0000.2.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security |
2.2.rundll32.exe.10c0000.3.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security |
0.2.loaddll32.exe.2750184.1.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security |