Edit tour
Windows
Analysis Report
C.png
Overview
General Information
| Sample Name: | C.png (renamed file extension from png to dll) |
| Analysis ID: | 651257 |
| MD5: | 8b81e6a7702f58b93fdc2b57ab401ffb |
| SHA1: | 2990b8adc8891564c404190bedab55df5027da32 |
| SHA256: | 500f85201bcfc0ae49204bd31ed4f055cac1b0b7f8e74339907f5c14b8e711a8 |
| Tags: | dll |
| Infos: |   |
 | |
Detection
CryptOne, Qbot
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Yara detected Qbot
Yara detected CryptOne packer
Sigma detected: Schedule system process
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Encrypted powershell cmdline option found
Machine Learning detection for sample
Allocates memory in foreign processes
Creates files in the system32 config directory
Injects code into the Windows Explorer (explorer.exe)
Uses schtasks.exe or at.exe to add and modify task schedules
Contains functionality to detect sleep reduction / modifications
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to record screenshots
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Checks if the current process is being debugged
Registers a DLL
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
PE file overlay found
May check if the current machine is a sandbox (GetTickCount - Sleep)
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
loaddll32.exe (PID: 2412 cmdline: loaddll32. exe "C:\Us ers\user\D esktop\C.d ll" MD5: 7DEB5DB86C0AC789123DEC286286B938) 
cmd.exe (PID: 1212 cmdline: cmd.exe /C rundll32. exe "C:\Us ers\user\D esktop\C.d ll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D) 
rundll32.exe (PID: 5620 cmdline: rundll32.e xe "C:\Use rs\user\De sktop\C.dl l",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D) - explorer.exe (PID: 1888 cmdline:
C:\Windows \SysWOW64\ explorer.e xe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7) 
WerFault.exe (PID: 3032 cmdline: C:\Windows \SysWOW64\ WerFault.e xe -u -p 5 620 -s 752 MD5: 9E2B8ACAD48ECCA55C0230D63623661B) 
explorer.exe (PID: 812 cmdline: C:\Windows \SysWOW64\ explorer.e xe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7) - schtasks.exe (PID: 6468 cmdline:
"C:\Window s\system32 \schtasks. exe" /Crea te /RU "NT AUTHORITY \SYSTEM" / Z /ST 17:5 7 /tn qsrs hyj /ET 18 :08 /tr "p owershell. exe -encod edCommand cgBlAGcAcw B2AHIAMwAy AC4AZQB4AG UAIAAiAEMA OgBcAFUAcw BlAHIAcwBc AGoAbwBuAG UAcwBcAEQA ZQBzAGsAdA BvAHAAXABD AC4AZABsAG wAIgA=" /S C ONCE MD5: 15FF7D8324231381BAD48A052F85DF04) - conhost.exe (PID: 6480 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
powershell.exe (PID: 6532 cmdline: powershell .exe -enco dedCommand cgBlAGcAc wB2AHIAMwA yAC4AZQB4A GUAIAAiAEM AOgBcAFUAc wBlAHIAcwB cAGoAbwBuA GUAcwBcAEQ AZQBzAGsAd ABvAHAAXAB DAC4AZABsA GwAIgA= MD5: 95000560239032BC68B4C2FDFCDEF913) - conhost.exe (PID: 6540 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) - regsvr32.exe (PID: 6664 cmdline:
"C:\Window s\system32 \regsvr32. exe" C:\Us ers\user\D esktop\C.d ll MD5: D78B75FC68247E8A63ACBA846182740E) - regsvr32.exe (PID: 6676 cmdline:
C:\Users\ user\Deskt op\C.dll MD5: 426E7499F6A7346F0410DEAD0805586B) - explorer.exe (PID: 6812 cmdline:
C:\Windows \SysWOW64\ explorer.e xe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7) - conhost.exe (PID: 7032 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- powershell.exe (PID: 3732 cmdline:
powershell .exe -enco dedCommand cgBlAGcAc wB2AHIAMwA yAC4AZQB4A GUAIAAiAEM AOgBcAFUAc wBlAHIAcwB cAGoAbwBuA GUAcwBcAEQ AZQBzAGsAd ABvAHAAXAB DAC4AZABsA GwAIgA= MD5: 95000560239032BC68B4C2FDFCDEF913) - conhost.exe (PID: 6124 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) - regsvr32.exe (PID: 6404 cmdline:
"C:\Window s\system32 \regsvr32. exe" C:\Us ers\user\D esktop\C.d ll MD5: D78B75FC68247E8A63ACBA846182740E) - regsvr32.exe (PID: 6408 cmdline:
C:\Users\ user\Deskt op\C.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
- cleanup
{"Bot id": "AA", "Campaign": "1655971687", "Version": "403.780", "C2 list": ["38.70.253.226:2222", "47.23.89.60:993", "120.150.218.241:995", "117.248.109.38:21", "37.34.253.233:443", "86.132.14.70:2078", "111.125.245.116:995", "217.165.85.191:993", "176.45.232.204:995", "5.32.41.45:443", "93.48.80.198:995", "100.38.242.113:995", "94.59.252.166:2222", "74.14.5.179:2222", "71.13.93.154:2222", "193.253.44.249:2222", "108.60.213.141:443", "45.241.231.78:993", "217.128.122.65:2222", "40.134.246.185:995", "1.161.124.241:443", "70.46.220.114:443", "24.43.99.75:443", "32.221.224.140:995", "80.11.74.81:2222", "31.215.184.140:2222", "39.49.85.29:995", "67.209.195.198:443", "186.90.153.162:2222", "148.64.96.100:443", "67.165.206.193:993", "210.246.4.69:995", "208.107.221.224:443", "89.101.97.139:443", "88.234.116.71:443", "121.7.223.45:2222", "104.34.212.7:32103", "69.14.172.24:443", "41.228.22.180:443", "197.87.182.60:443", "24.178.196.158:2222", "1.161.124.241:995", "189.78.107.163:32101", "39.52.74.55:995", "2.34.12.8:443", "182.191.92.203:995", "173.21.10.71:2222", "39.41.2.45:995", "90.114.10.16:2222", "184.97.29.26:443", "76.25.142.196:443", "47.156.129.52:443", "24.55.67.176:443", "190.252.242.69:443", "70.51.132.161:2222", "72.252.157.93:995", "90.120.209.197:2078", "72.252.157.93:993", "72.252.157.93:990", "177.45.64.254:32101", "24.139.72.117:443", "187.250.202.2:443", "94.36.193.176:2222", "109.12.111.14:443", "89.86.33.217:443", "179.158.105.44:443", "63.143.92.99:995", "45.46.53.140:2222", "31.215.67.68:2222", "188.136.218.225:61202", "187.208.115.219:443", "31.215.184.140:1194", "39.57.60.246:995", "24.122.142.181:443", "84.241.8.23:32103", "191.250.120.152:443", "202.134.152.2:2222", "91.177.173.10:995", "148.0.43.48:443", "172.115.177.204:2222", "81.193.30.90:443", "68.204.15.28:443", "197.94.94.206:443", "87.109.229.215:995", "102.182.232.3:995", "196.203.37.215:80", "81.250.191.49:2222", "83.110.94.105:443", "201.176.6.24:995", "173.174.216.62:443", "31.215.70.37:443", "175.145.235.37:443", "174.69.215.101:443", "187.172.164.12:443", "201.172.23.68:2222", "41.84.249.56:995", "191.34.121.84:443", "113.53.152.11:443", "86.195.158.178:2222", "109.228.220.196:443", "82.41.63.217:443", "82.152.39.39:443", "106.51.48.188:50001", "103.246.242.202:443", "41.38.167.179:995", "98.50.191.202:443", "185.56.243.146:443", "191.112.28.64:443", "39.44.30.209:995", "47.157.227.70:443", "187.251.132.144:22", "31.35.28.29:443", "148.252.133.168:443", "42.103.132.91:2222", "180.129.108.214:995", "138.186.28.253:443", "89.137.52.44:443", "120.61.2.218:443", "122.118.129.227:995", "124.109.35.171:995", "75.99.168.194:61201", "103.91.182.114:2222", "37.210.156.247:2222", "58.105.167.36:50000", "187.207.131.50:61202", "76.70.9.169:2222", "187.211.80.39:443", "176.67.56.94:443", "103.116.178.85:995", "143.0.219.6:995", "79.80.80.29:2222"]}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security | ||
| JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security | ||
| JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security | ||
| JoeSecurity_Crypt | Yara detected CryptOne packer | Joe Security | ||
| JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security | ||
| Click to see the 19 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security | ||
| JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security | ||
| JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security | ||
| JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security | ||
| JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security | ||
| Click to see the 33 entries | ||||
Persistence and Installation Behavior |   |
|---|
| Source: | Author: Joe Security: | ||
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Joe Sandbox ML: | ||
| Source: | Malware Configuration Extractor: | ||