Windows Analysis Report
diatomaceous.dat.dll

Overview

General Information

Sample Name: diatomaceous.dat.dll
Analysis ID: 719511
MD5: 2e7f90e0c595d88d28f9fd979ccfcf33
SHA1: 8ff540ba601429c2ee0a444b0d2ec2650d178d23
SHA256: e3a2c056c730666fedabfed5e3cc2dee12d9c3ca36ac2d7c5289cfe29c125050
Tags: dll
Infos:

Detection

Qbot
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Qbot
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: Execute DLL with spoofed extension
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Allocates memory in foreign processes
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Checks if the current process is being debugged
Registers a DLL
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
PE file overlay found
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: diatomaceous.dat.dll ReversingLabs: Detection: 73%
Source: diatomaceous.dat.dll Virustotal: Detection: 77% Perma Link
Source: diatomaceous.dat.dll Metadefender: Detection: 44% Perma Link
Machine Learning detection for sample
Source: diatomaceous.dat.dll Joe Sandbox ML: detected
Source: 5.3.rundll32.exe.3000000.1.raw.unpack Malware Configuration Extractor: Qbot {"Bot id": "BB", "Campaign": "1664535088", "Version": "403.902", "C2 list": ["41.107.71.201:443", "105.101.230.16:443", "105.108.239.60:443", "196.64.227.5:8443", "41.249.158.221:995", "134.35.14.5:443", "113.170.117.251:443", "187.193.219.248:443", "122.166.244.116:443", "154.237.129.123:995", "41.98.229.81:443", "186.48.199.243:995", "102.156.3.13:443", "41.97.190.189:443", "197.207.191.164:443", "105.184.14.132:995", "196.207.146.151:443", "105.158.113.15:443", "196.89.42.89:995", "86.98.156.229:993", "177.174.119.195:32101", "81.156.194.147:2078", "80.253.189.55:443", "197.49.175.67:995", "177.45.78.52:993", "89.187.169.77:443", "196.92.59.242:995", "41.13.200.19:443", "41.97.195.237:443", "92.191.56.11:2222", "154.70.53.202:443", "210.186.37.98:50002"]}
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA52E60 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptDestroyHash,CryptReleaseContext,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptDestroyHash,CryptReleaseContext,std::ios_base::_Ios_base_dtor,Concurrency::cancel_current_task,std::ios_base::_Ios_base_dtor, 0_2_6DA52E60
Uses 32bit PE files
Source: diatomaceous.dat.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: diatomaceous.dat.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: y'E:\cpp\out\out\desktop.pdb source: loaddll32.exe, 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmp, regsvr32.exe, 00000003.00000002.330297730.000000006DA74000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.330600299.000000006DA74000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.330624876.000000006DA74000.00000002.00000001.01000000.00000003.sdmp, diatomaceous.dat.dll
Source: Binary string: E:\cpp\out\out\desktop.pdb source: loaddll32.exe, 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmp, regsvr32.exe, 00000003.00000002.330297730.000000006DA74000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.330600299.000000006DA74000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.330624876.000000006DA74000.00000002.00000001.01000000.00000003.sdmp, diatomaceous.dat.dll
Source: Binary string: amstream.pdb source: wermgr.exe, 00000007.00000003.331023524.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.331444985.0000000004401000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.330918332.00000000049C1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: rundll32.pdb source: rundll32.exe, 00000004.00000002.330081767.000000000319A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.317581182.00000000031D1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.317520093.00000000031C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.317597615.00000000031DB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rundll32.pdbGCTL source: rundll32.exe, 00000004.00000002.330081767.000000000319A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.317581182.00000000031D1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.317520093.00000000031C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.317597615.00000000031DB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: amstream.pdbGCTL source: wermgr.exe, 00000007.00000003.331023524.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.331444985.0000000004401000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.330918332.00000000049C1000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA694B5 FindFirstFileExW, 0_2_6DA694B5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_02BCC123 FindFirstFileW,FindNextFileW, 3_2_02BCC123
Contains functionality to record screenshots
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_02BC5D1E GetDC,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,BitBlt,GetCursorInfo,CopyIcon,GetIconInfo,GetObjectW,DrawIconEx,SelectObject,GetObjectW,GetDIBits,DeleteDC,DeleteDC,DeleteObject, 3_2_02BC5D1E

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 4.2.rundll32.exe.4af0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 4.2.rundll32.exe.4af0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 3.3.regsvr32.exe.2b70000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 3.3.regsvr32.exe.2b70000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 9.0.wermgr.exe.2bc0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 9.0.wermgr.exe.2bc0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 8.2.wermgr.exe.2580000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 8.2.wermgr.exe.2580000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 7.0.wermgr.exe.2520000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 7.0.wermgr.exe.2520000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 5.3.rundll32.exe.3000000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 5.3.rundll32.exe.3000000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 9.0.wermgr.exe.2bc0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 9.0.wermgr.exe.2bc0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 8.2.wermgr.exe.2580000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 8.2.wermgr.exe.2580000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 7.0.wermgr.exe.2520000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 7.0.wermgr.exe.2520000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 4.3.rundll32.exe.4960000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 4.3.rundll32.exe.4960000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 8.0.wermgr.exe.2580000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 8.0.wermgr.exe.2580000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 7.2.wermgr.exe.2520000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 7.2.wermgr.exe.2520000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 5.2.rundll32.exe.4ad0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 5.2.rundll32.exe.4ad0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 3.2.regsvr32.exe.2bc0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 3.2.regsvr32.exe.2bc0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 7.2.wermgr.exe.2520000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 7.2.wermgr.exe.2520000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 5.3.rundll32.exe.3000000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 5.3.rundll32.exe.3000000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 4.2.rundll32.exe.4af0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 4.2.rundll32.exe.4af0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 4.3.rundll32.exe.4960000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 4.3.rundll32.exe.4960000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 3.3.regsvr32.exe.2b70000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 3.3.regsvr32.exe.2b70000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 3.2.regsvr32.exe.2bc0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 3.2.regsvr32.exe.2bc0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 8.0.wermgr.exe.2580000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 8.0.wermgr.exe.2580000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 5.2.rundll32.exe.4ad0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 5.2.rundll32.exe.4ad0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000007.00000000.329030667.0000000002520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000007.00000000.329030667.0000000002520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000005.00000003.323262277.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000005.00000003.323262277.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000004.00000003.322963828.0000000004960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000004.00000003.322963828.0000000004960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000003.00000003.322721841.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000003.00000003.322721841.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000007.00000002.331498854.0000000002520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000007.00000002.331498854.0000000002520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000005.00000002.330442684.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000005.00000002.330442684.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000009.00000000.329591797.0000000002BC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000009.00000000.329591797.0000000002BC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000004.00000002.330333126.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000004.00000002.330333126.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000008.00000002.332320278.0000000002580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000008.00000002.332320278.0000000002580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000008.00000000.329252836.0000000002580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000008.00000000.329252836.0000000002580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Uses 32bit PE files
Source: diatomaceous.dat.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Yara signature match
Source: 4.2.rundll32.exe.4af0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 4.2.rundll32.exe.4af0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 3.3.regsvr32.exe.2b70000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 3.3.regsvr32.exe.2b70000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 9.0.wermgr.exe.2bc0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 9.0.wermgr.exe.2bc0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 8.2.wermgr.exe.2580000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 8.2.wermgr.exe.2580000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 7.0.wermgr.exe.2520000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 7.0.wermgr.exe.2520000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 5.3.rundll32.exe.3000000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 5.3.rundll32.exe.3000000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 9.0.wermgr.exe.2bc0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 9.0.wermgr.exe.2bc0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 8.2.wermgr.exe.2580000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 8.2.wermgr.exe.2580000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 7.0.wermgr.exe.2520000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 7.0.wermgr.exe.2520000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 4.3.rundll32.exe.4960000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 4.3.rundll32.exe.4960000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 8.0.wermgr.exe.2580000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 8.0.wermgr.exe.2580000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 7.2.wermgr.exe.2520000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 7.2.wermgr.exe.2520000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 5.2.rundll32.exe.4ad0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 5.2.rundll32.exe.4ad0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 3.2.regsvr32.exe.2bc0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 3.2.regsvr32.exe.2bc0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 7.2.wermgr.exe.2520000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 7.2.wermgr.exe.2520000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 5.3.rundll32.exe.3000000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 5.3.rundll32.exe.3000000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 4.2.rundll32.exe.4af0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 4.2.rundll32.exe.4af0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 4.3.rundll32.exe.4960000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 4.3.rundll32.exe.4960000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 3.3.regsvr32.exe.2b70000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 3.3.regsvr32.exe.2b70000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 3.2.regsvr32.exe.2bc0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 3.2.regsvr32.exe.2bc0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 8.0.wermgr.exe.2580000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 8.0.wermgr.exe.2580000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 5.2.rundll32.exe.4ad0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 5.2.rundll32.exe.4ad0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000007.00000000.329030667.0000000002520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000007.00000000.329030667.0000000002520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000005.00000003.323262277.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000005.00000003.323262277.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000004.00000003.322963828.0000000004960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000004.00000003.322963828.0000000004960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000003.00000003.322721841.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000003.00000003.322721841.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000007.00000002.331498854.0000000002520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000007.00000002.331498854.0000000002520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000005.00000002.330442684.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000005.00000002.330442684.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000009.00000000.329591797.0000000002BC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000009.00000000.329591797.0000000002BC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000004.00000002.330333126.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000004.00000002.330333126.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000008.00000002.332320278.0000000002580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000008.00000002.332320278.0000000002580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000008.00000000.329252836.0000000002580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000008.00000000.329252836.0000000002580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA604A0 0_2_6DA604A0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA6CC86 0_2_6DA6CC86
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA65CF6 0_2_6DA65CF6
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA67909 0_2_6DA67909
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA648FC 0_2_6DA648FC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA5F07E 0_2_6DA5F07E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA5B200 0_2_6DA5B200
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_02BD82A0 3_2_02BD82A0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_02BD63B0 3_2_02BD63B0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_02BD676F 3_2_02BD676F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_02BD35EE 3_2_02BD35EE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_02BD29E9 3_2_02BD29E9
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6DA59CA0 appears 41 times
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6DA51730 appears 87 times
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_02BCD9DE GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory, 3_2_02BCD9DE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_02BCD538 NtCreateSection,DefWindowProcW,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,lstrlenW,NtUnmapViewOfSection,NtClose, 3_2_02BCD538
PE file does not import any functions
Source: diatomaceous.dat.dll.9.dr Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: diatomaceous.dat.dll Binary or memory string: OriginalFilenamegfngfhn sgedrl;fkweklnmgdfw8 vs diatomaceous.dat.dll
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll Jump to behavior
PE file overlay found
Source: diatomaceous.dat.dll.9.dr Static PE information: Data appended to the last section found
Source: diatomaceous.dat.dll ReversingLabs: Detection: 73%
Source: diatomaceous.dat.dll Virustotal: Detection: 77%
Source: diatomaceous.dat.dll Metadefender: Detection: 44%
Source: diatomaceous.dat.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\diatomaceous.dat.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\diatomaceous.dat.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\diatomaceous.dat.dll,DllUnregisterServer
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\diatomaceous.dat.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\diatomaceous.dat.dll,DllRegisterServer Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\diatomaceous.dat.dll,DllUnregisterServer Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Luinbgihotw Jump to behavior
Source: classification engine Classification label: mal96.troj.evad.winDLL@18/1@0/0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_02BCE485 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket, 3_2_02BCE485
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_02BCBAF6 CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification, 3_2_02BCBAF6
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1
Source: C:\Windows\SysWOW64\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\{802E0F5C-0297-4271-85B1-68FB37BCCA2D}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1592:120:WilError_01
Source: C:\Windows\SysWOW64\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{802E0F5C-0297-4271-85B1-68FB37BCCA2D}
Source: C:\Windows\SysWOW64\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\{1D22E6D0-571D-4DE7-AE01-CA297D9881B4}
Source: diatomaceous.dat.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: y'E:\cpp\out\out\desktop.pdb source: loaddll32.exe, 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmp, regsvr32.exe, 00000003.00000002.330297730.000000006DA74000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.330600299.000000006DA74000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.330624876.000000006DA74000.00000002.00000001.01000000.00000003.sdmp, diatomaceous.dat.dll
Source: Binary string: E:\cpp\out\out\desktop.pdb source: loaddll32.exe, 00000000.00000002.330273672.000000006DA74000.00000002.00000001.01000000.00000003.sdmp, regsvr32.exe, 00000003.00000002.330297730.000000006DA74000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.330600299.000000006DA74000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.330624876.000000006DA74000.00000002.00000001.01000000.00000003.sdmp, diatomaceous.dat.dll
Source: Binary string: amstream.pdb source: wermgr.exe, 00000007.00000003.331023524.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.331444985.0000000004401000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.330918332.00000000049C1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: rundll32.pdb source: rundll32.exe, 00000004.00000002.330081767.000000000319A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.317581182.00000000031D1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.317520093.00000000031C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.317597615.00000000031DB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rundll32.pdbGCTL source: rundll32.exe, 00000004.00000002.330081767.000000000319A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.317581182.00000000031D1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.317520093.00000000031C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.317597615.00000000031DB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: amstream.pdbGCTL source: wermgr.exe, 00000007.00000003.331023524.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.331444985.0000000004401000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.330918332.00000000049C1000.00000004.00000800.00020000.00000000.sdmp
Source: diatomaceous.dat.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: diatomaceous.dat.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: diatomaceous.dat.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: diatomaceous.dat.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: diatomaceous.dat.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA59B9F push ecx; ret 0_2_6DA59BB2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_02BDAEB6 push cs; iretd 3_2_02BDAE8A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_02BDCB95 push esi; iretd 3_2_02BDCB9A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_02BDB066 push ebx; ret 3_2_02BDB067
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_02BDADB4 push cs; iretd 3_2_02BDAE8A
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_02BCEF38 LoadLibraryA,GetProcAddress, 3_2_02BCEF38
Registers a DLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\diatomaceous.dat.dll
Drops PE files
Source: C:\Windows\SysWOW64\wermgr.exe File created: C:\Users\user\Desktop\diatomaceous.dat.dll Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 4648 base: 2C3C50 value: E9 42 26 26 02 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4744 base: 2C3C50 value: E9 42 26 2C 02 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3668 base: 2C3C50 value: E9 42 26 90 02 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: wermgr.exe, 00000009.00000003.334497253.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.343820989.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.332696186.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PROCMON.EXE
Source: wermgr.exe, 00000009.00000003.343820989.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SYSANALYZER.EXES"
Source: wermgr.exe, 00000009.00000003.332824884.0000000004C0F000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.334728000.0000000004C16000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.334566045.0000000004C0F000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.344140995.0000000004C0F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FRIDA-WINJECTOR-HELPER-32.EXE
Source: wermgr.exe, 00000009.00000003.334497253.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.332696186.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SYSANALYZER.EXE7"
Source: wermgr.exe, 00000009.00000003.332824884.0000000004C0F000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.334728000.0000000004C16000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.334566045.0000000004C0F000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.344140995.0000000004C0F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FRIDA-WINJECTOR-HELPER-64.EXE
Source: wermgr.exe, 00000009.00000003.343820989.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: DUMPCAP.EXE;"
Source: wermgr.exe, 00000009.00000003.334497253.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.343820989.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.332696186.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: IMPORTREC.EXE
Source: wermgr.exe, 00000009.00000003.334497253.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.343820989.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.332696186.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PETOOLS.EXE
Source: wermgr.exe, 00000009.00000003.334497253.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.343820989.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.332696186.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SNIFF_HIT.EXE
Source: wermgr.exe, 00000009.00000003.334497253.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.343820989.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.332696186.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: TCPDUMP.EXE
Source: wermgr.exe, 00000009.00000003.334497253.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.343820989.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.332696186.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PROC_ANALYZER.EXE
Source: wermgr.exe, 00000009.00000003.343820989.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.332824884.0000000004C0F000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.334728000.0000000004C16000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.334566045.0000000004C0F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WINDUMP.EXE
Source: wermgr.exe, 00000009.00000003.343820989.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: TCPDUMP.EXE2"
Source: wermgr.exe, 00000009.00000003.334497253.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.343820989.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.332696186.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SYSANALYZER.EXE
Source: wermgr.exe, 00000009.00000003.334497253.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.343820989.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.332696186.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: DUMPCAP.EXE
Source: wermgr.exe, 00000009.00000003.334497253.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.343820989.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.332696186.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXE
Source: wermgr.exe, 00000009.00000003.334497253.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.343820989.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.332696186.0000000004A1F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: FILEMON.EXE
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5812 Thread sleep count: 134 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1072 Thread sleep count: 110 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe TID: 4616 Thread sleep count: 34 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe TID: 64 Thread sleep count: 41 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe TID: 5892 Thread sleep time: -90000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe TID: 5908 Thread sleep time: -134000s >= -30000s Jump to behavior
Found evasive API chain (date check)
Source: C:\Windows\SysWOW64\regsvr32.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Found evasive API chain checking for process token information
Source: C:\Windows\SysWOW64\regsvr32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Windows\System32\loaddll32.exe API coverage: 6.6 %
Source: C:\Windows\SysWOW64\regsvr32.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_02BCDDE7 GetSystemInfo, 3_2_02BCDDE7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA694B5 FindFirstFileExW, 0_2_6DA694B5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_02BCC123 FindFirstFileW,FindNextFileW, 3_2_02BCC123
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA59EC6 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6DA59EC6
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_02BCEF38 LoadLibraryA,GetProcAddress, 3_2_02BCEF38
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA6A32E GetProcessHeap, 0_2_6DA6A32E
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA61610 mov ecx, dword ptr fs:[00000030h] 0_2_6DA61610
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA69229 mov eax, dword ptr fs:[00000030h] 0_2_6DA69229
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA59EC6 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6DA59EC6
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA5A11D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6DA5A11D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA5D8C3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6DA5D8C3

HIPS / PFW / Operating System Protection Evasion
barindex
Maps a DLL or memory area into another process
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: unknown target: C:\Windows\SysWOW64\wermgr.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\SysWOW64\wermgr.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\SysWOW64\wermgr.exe protection: execute and read and write Jump to behavior
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: 2550000 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: 2C3C50 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: 25B0000 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: 2C3C50 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: 2BF0000 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: 2C3C50 Jump to behavior
Allocates memory in foreign processes
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: 2550000 protect: page read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: 25B0000 protect: page read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: 2BF0000 protect: page read and write Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_6DA6BFAE
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_6DA6C73D
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6DA6C614
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6DA6C1A9
Source: C:\Windows\System32\loaddll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_6DA6C912
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6DA66812
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6DA6C843
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_6DA6C3C1
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6DA6C336
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6DA66349
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6DA6C29B
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6DA6C250
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA59CE5 cpuid 0_2_6DA59CE5
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA59FEC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_6DA59FEC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_02BCDFC2 GetCurrentProcessId,GetLastError,GetSystemMetrics,GetVersionExA,GetWindowsDirectoryW, 3_2_02BCDFC2
AV process strings found (often used to terminate AV products)
Source: regsvr32.exe, 00000003.00000003.322977551.000000000483F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.323275511.0000000004D1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.323560680.0000000004C1F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bdagent.exe
Source: regsvr32.exe, 00000003.00000003.322977551.000000000483F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.323275511.0000000004D1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.323560680.0000000004C1F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vsserv.exe
Source: regsvr32.exe, 00000003.00000003.322977551.000000000483F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.323275511.0000000004D1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.323560680.0000000004C1F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avp.exe
Source: regsvr32.exe, 00000003.00000003.322977551.000000000483F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.323275511.0000000004D1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.323560680.0000000004C1F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avgcsrvx.exe
Source: regsvr32.exe, 00000003.00000003.322977551.000000000483F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.323275511.0000000004D1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.323560680.0000000004C1F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: mcshield.exe
Source: regsvr32.exe, 00000003.00000003.322977551.000000000483F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.323275511.0000000004D1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.323560680.0000000004C1F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information
barindex
Yara detected Qbot
Source: Yara match File source: 4.2.rundll32.exe.4af0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.regsvr32.exe.2b70000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.wermgr.exe.2bc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.wermgr.exe.2580000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.wermgr.exe.2520000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.3000000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.wermgr.exe.2bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.wermgr.exe.2580000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.wermgr.exe.2520000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.4960000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.wermgr.exe.2580000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.wermgr.exe.2520000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4ad0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.2bc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.wermgr.exe.2520000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.3000000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4af0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.4960000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.regsvr32.exe.2b70000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.2bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.wermgr.exe.2580000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4ad0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000000.329030667.0000000002520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.323262277.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.322963828.0000000004960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322721841.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.331498854.0000000002520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.330442684.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.329591797.0000000002BC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.330333126.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.332320278.0000000002580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.329252836.0000000002580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected Qbot
Source: Yara match File source: 4.2.rundll32.exe.4af0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.regsvr32.exe.2b70000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.wermgr.exe.2bc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.wermgr.exe.2580000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.wermgr.exe.2520000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.3000000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.wermgr.exe.2bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.wermgr.exe.2580000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.wermgr.exe.2520000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.4960000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.wermgr.exe.2580000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.wermgr.exe.2520000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4ad0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.2bc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.wermgr.exe.2520000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.3000000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4af0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.4960000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.regsvr32.exe.2b70000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.2bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.wermgr.exe.2580000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4ad0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000000.329030667.0000000002520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.323262277.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.322963828.0000000004960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.329921401.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322721841.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.331498854.0000000002520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.330442684.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.329591797.0000000002BC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.330333126.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.332320278.0000000002580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.329252836.0000000002580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 719511 Sample: diatomaceous.dat.dll Startdate: 10/10/2022 Architecture: WINDOWS Score: 96 31 Malicious sample detected (through community Yara rule) 2->31 33 Multi AV Scanner detection for submitted file 2->33 35 Yara detected Qbot 2->35 37 3 other signatures 2->37 8 loaddll32.exe 1 2->8         started        process3 process4 10 rundll32.exe 8->10         started        13 cmd.exe 1 8->13         started        15 regsvr32.exe 8->15         started        17 2 other processes 8->17 signatures5 47 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 10->47 49 Writes to foreign memory regions 10->49 51 Allocates memory in foreign processes 10->51 19 wermgr.exe 8 1 10->19         started        22 rundll32.exe 13->22         started        53 Maps a DLL or memory area into another process 15->53 25 wermgr.exe 15->25         started        process6 file7 29 C:\Users\user\Desktop\diatomaceous.dat.dll, PE32 19->29 dropped 39 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 22->39 41 Writes to foreign memory regions 22->41 43 Allocates memory in foreign processes 22->43 45 Maps a DLL or memory area into another process 22->45 27 wermgr.exe 22->27         started        signatures8 process9
No contacted IP infos