Windows Analysis Report
diatomaceous.dat.dll

Overview

General Information

Sample Name: diatomaceous.dat.dll
Analysis ID: 719511
MD5: 2e7f90e0c595d88d28f9fd979ccfcf33
SHA1: 8ff540ba601429c2ee0a444b0d2ec2650d178d23
SHA256: e3a2c056c730666fedabfed5e3cc2dee12d9c3ca36ac2d7c5289cfe29c125050
Tags: dll
Infos:

Detection

Qbot
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Qbot
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: Execute DLL with spoofed extension
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Allocates memory in foreign processes
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Checks if the current process is being debugged
Registers a DLL
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
PE file overlay found
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: diatomaceous.dat.dll ReversingLabs: Detection: 73%
Source: diatomaceous.dat.dll Virustotal: Detection: 77% Perma Link
Source: diatomaceous.dat.dll Metadefender: Detection: 44% Perma Link
Machine Learning detection for sample
Source: diatomaceous.dat.dll Joe Sandbox ML: detected
Source: 8.2.wermgr.exe.e00000.0.unpack Malware Configuration Extractor: Qbot {"Bot id": "BB", "Campaign": "1664535088", "Version": "403.902", "C2 list": ["41.107.71.201:443", "105.101.230.16:443", "105.108.239.60:443", "196.64.227.5:8443", "41.249.158.221:995", "134.35.14.5:443", "113.170.117.251:443", "187.193.219.248:443", "122.166.244.116:443", "154.237.129.123:995", "41.98.229.81:443", "186.48.199.243:995", "102.156.3.13:443", "41.97.190.189:443", "197.207.191.164:443", "105.184.14.132:995", "196.207.146.151:443", "105.158.113.15:443", "196.89.42.89:995", "86.98.156.229:993", "177.174.119.195:32101", "81.156.194.147:2078", "80.253.189.55:443", "197.49.175.67:995", "177.45.78.52:993", "89.187.169.77:443", "196.92.59.242:995", "41.13.200.19:443", "41.97.195.237:443", "92.191.56.11:2222", "154.70.53.202:443", "210.186.37.98:50002"]}
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA82E60 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptDestroyHash,CryptReleaseContext,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptDestroyHash,CryptReleaseContext,std::ios_base::_Ios_base_dtor,Concurrency::cancel_current_task,std::ios_base::_Ios_base_dtor, 0_2_6DA82E60
Uses 32bit PE files
Source: diatomaceous.dat.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: diatomaceous.dat.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: y'E:\cpp\out\out\desktop.pdb source: loaddll32.exe, 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, regsvr32.exe, 00000003.00000002.320776013.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.320890751.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.320917782.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, diatomaceous.dat.dll
Source: Binary string: E:\cpp\out\out\desktop.pdb source: loaddll32.exe, 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, regsvr32.exe, 00000003.00000002.320776013.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.320890751.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.320917782.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, diatomaceous.dat.dll
Source: Binary string: amstream.pdb source: wermgr.exe, 00000007.00000003.321666613.0000000004D71000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.321909283.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.322091592.0000000004BA1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: rundll32.pdb source: rundll32.exe, 00000004.00000003.307936128.0000000003011000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.307949517.000000000301B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.307921567.0000000003004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.320543762.0000000002FDA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rundll32.pdbGCTL source: rundll32.exe, 00000004.00000003.307936128.0000000003011000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.307949517.000000000301B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.307921567.0000000003004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.320543762.0000000002FDA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: amstream.pdbGCTL source: wermgr.exe, 00000007.00000003.321666613.0000000004D71000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.321909283.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.322091592.0000000004BA1000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA994B5 FindFirstFileExW, 0_2_6DA994B5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0073C123 FindFirstFileW,FindNextFileW, 3_2_0073C123
Contains functionality to record screenshots
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00735D1E GetDC,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,BitBlt,GetCursorInfo,CopyIcon,GetIconInfo,GetObjectW,DrawIconEx,SelectObject,GetObjectW,GetDIBits,DeleteDC,DeleteDC,DeleteObject, 3_2_00735D1E

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 8.0.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 8.0.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 4.2.rundll32.exe.4820000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 4.2.rundll32.exe.4820000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 5.3.rundll32.exe.b90000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 5.3.rundll32.exe.b90000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 8.2.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 8.2.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 4.3.rundll32.exe.2fa0000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 4.3.rundll32.exe.2fa0000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 4.3.rundll32.exe.2fa0000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 4.3.rundll32.exe.2fa0000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 5.3.rundll32.exe.b90000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 5.3.rundll32.exe.b90000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 3.3.regsvr32.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 3.3.regsvr32.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 8.2.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 8.2.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 3.2.regsvr32.exe.730000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 3.2.regsvr32.exe.730000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 9.0.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 9.0.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 5.2.rundll32.exe.2cc0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 5.2.rundll32.exe.2cc0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 9.2.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 9.2.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 3.2.regsvr32.exe.730000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 3.2.regsvr32.exe.730000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 3.3.regsvr32.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 3.3.regsvr32.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 5.2.rundll32.exe.2cc0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 5.2.rundll32.exe.2cc0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 7.0.wermgr.exe.1000000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 7.0.wermgr.exe.1000000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 9.2.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 9.2.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 8.0.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 8.0.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 9.0.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 9.0.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 4.2.rundll32.exe.4820000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 4.2.rundll32.exe.4820000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 7.0.wermgr.exe.1000000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 7.0.wermgr.exe.1000000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000004.00000003.312922602.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000004.00000003.312922602.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000005.00000003.313259350.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000005.00000003.313259350.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000004.00000002.320649129.0000000004820000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000004.00000002.320649129.0000000004820000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000005.00000002.320603133.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000005.00000002.320603133.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000007.00000000.319688371.0000000001000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000007.00000000.319688371.0000000001000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000003.00000003.312800639.0000000000400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000003.00000003.312800639.0000000000400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000008.00000000.319841073.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000008.00000000.319841073.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000009.00000000.319924513.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000009.00000000.319924513.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000009.00000002.322491943.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000009.00000002.322491943.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000008.00000002.322126638.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000008.00000002.322126638.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Uses 32bit PE files
Source: diatomaceous.dat.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Yara signature match
Source: 8.0.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 8.0.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 4.2.rundll32.exe.4820000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 4.2.rundll32.exe.4820000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 5.3.rundll32.exe.b90000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 5.3.rundll32.exe.b90000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 8.2.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 8.2.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 4.3.rundll32.exe.2fa0000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 4.3.rundll32.exe.2fa0000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 4.3.rundll32.exe.2fa0000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 4.3.rundll32.exe.2fa0000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 5.3.rundll32.exe.b90000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 5.3.rundll32.exe.b90000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 3.3.regsvr32.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 3.3.regsvr32.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 8.2.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 8.2.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 3.2.regsvr32.exe.730000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 3.2.regsvr32.exe.730000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 9.0.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 9.0.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 5.2.rundll32.exe.2cc0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 5.2.rundll32.exe.2cc0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 9.2.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 9.2.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 3.2.regsvr32.exe.730000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 3.2.regsvr32.exe.730000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 3.3.regsvr32.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 3.3.regsvr32.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 5.2.rundll32.exe.2cc0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 5.2.rundll32.exe.2cc0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 7.0.wermgr.exe.1000000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 7.0.wermgr.exe.1000000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 9.2.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 9.2.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 8.0.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 8.0.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 9.0.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 9.0.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 4.2.rundll32.exe.4820000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 4.2.rundll32.exe.4820000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 7.0.wermgr.exe.1000000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 7.0.wermgr.exe.1000000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000004.00000003.312922602.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000004.00000003.312922602.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000005.00000003.313259350.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000005.00000003.313259350.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000004.00000002.320649129.0000000004820000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000004.00000002.320649129.0000000004820000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000005.00000002.320603133.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000005.00000002.320603133.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000007.00000000.319688371.0000000001000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000007.00000000.319688371.0000000001000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000003.00000003.312800639.0000000000400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000003.00000003.312800639.0000000000400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000008.00000000.319841073.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000008.00000000.319841073.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000009.00000000.319924513.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000009.00000000.319924513.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000009.00000002.322491943.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000009.00000002.322491943.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000008.00000002.322126638.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000008.00000002.322126638.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA904A0 0_2_6DA904A0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA9CC86 0_2_6DA9CC86
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA95CF6 0_2_6DA95CF6
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA97909 0_2_6DA97909
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA948FC 0_2_6DA948FC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA8F07E 0_2_6DA8F07E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA8B200 0_2_6DA8B200
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_007435EE 3_2_007435EE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_007429E9 3_2_007429E9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_007482A0 3_2_007482A0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0074676F 3_2_0074676F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_007463B0 3_2_007463B0
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6DA81730 appears 87 times
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6DA89CA0 appears 41 times
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0073D538 NtCreateSection,DefWindowProcW,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,lstrlenW,NtUnmapViewOfSection,NtClose, 3_2_0073D538
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0073D9DE GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory, 3_2_0073D9DE
PE file does not import any functions
Source: diatomaceous.dat.dll.7.dr Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: diatomaceous.dat.dll Binary or memory string: OriginalFilenamegfngfhn sgedrl;fkweklnmgdfw8 vs diatomaceous.dat.dll
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\Desktop\diatomaceous.dat.dll F892742F6C64A8991337FADDF84FBDB25C43022AC85C8BCC30D47FEBAFEA1D87
PE file overlay found
Source: diatomaceous.dat.dll.7.dr Static PE information: Data appended to the last section found
Source: diatomaceous.dat.dll ReversingLabs: Detection: 73%
Source: diatomaceous.dat.dll Virustotal: Detection: 77%
Source: diatomaceous.dat.dll Metadefender: Detection: 44%
Source: diatomaceous.dat.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\diatomaceous.dat.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\diatomaceous.dat.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\diatomaceous.dat.dll,DllUnregisterServer
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\diatomaceous.dat.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\diatomaceous.dat.dll,DllRegisterServer Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\diatomaceous.dat.dll,DllUnregisterServer Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Bwkwui Jump to behavior
Source: classification engine Classification label: mal96.troj.evad.winDLL@18/1@0/0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0073E485 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket, 3_2_0073E485
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0073BAF6 CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification, 3_2_0073BAF6
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1
Source: C:\Windows\SysWOW64\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\{8BD38B93-62A1-471F-A5AB-B91B963BC96D}
Source: C:\Windows\SysWOW64\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\{6A583BDA-7359-43D4-819F-474F9705BF6E}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6064:120:WilError_01
Source: C:\Windows\SysWOW64\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{6A583BDA-7359-43D4-819F-474F9705BF6E}
Source: diatomaceous.dat.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: y'E:\cpp\out\out\desktop.pdb source: loaddll32.exe, 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, regsvr32.exe, 00000003.00000002.320776013.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.320890751.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.320917782.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, diatomaceous.dat.dll
Source: Binary string: E:\cpp\out\out\desktop.pdb source: loaddll32.exe, 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, regsvr32.exe, 00000003.00000002.320776013.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.320890751.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.320917782.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, diatomaceous.dat.dll
Source: Binary string: amstream.pdb source: wermgr.exe, 00000007.00000003.321666613.0000000004D71000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.321909283.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.322091592.0000000004BA1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: rundll32.pdb source: rundll32.exe, 00000004.00000003.307936128.0000000003011000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.307949517.000000000301B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.307921567.0000000003004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.320543762.0000000002FDA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rundll32.pdbGCTL source: rundll32.exe, 00000004.00000003.307936128.0000000003011000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.307949517.000000000301B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.307921567.0000000003004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.320543762.0000000002FDA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: amstream.pdbGCTL source: wermgr.exe, 00000007.00000003.321666613.0000000004D71000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.321909283.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.322091592.0000000004BA1000.00000004.00000800.00020000.00000000.sdmp
Source: diatomaceous.dat.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: diatomaceous.dat.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: diatomaceous.dat.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: diatomaceous.dat.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: diatomaceous.dat.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA89B9F push ecx; ret 0_2_6DA89BB2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0074B066 push ebx; ret 3_2_0074B067
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0074ADB4 push cs; iretd 3_2_0074AE8A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0074AEB6 push cs; iretd 3_2_0074AE8A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0074CB95 push esi; iretd 3_2_0074CB9A
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0073EF38 LoadLibraryA,GetProcAddress, 3_2_0073EF38
Registers a DLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\diatomaceous.dat.dll
Drops PE files
Source: C:\Windows\SysWOW64\wermgr.exe File created: C:\Users\user\Desktop\diatomaceous.dat.dll Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 5020 base: 1173C50 value: E9 42 26 E9 FF Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4768 base: 1173C50 value: E9 42 26 C9 FF Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4860 base: 1173C50 value: E9 42 26 C9 FF Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: wermgr.exe, 00000007.00000003.323039882.0000000004D4F000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.324363967.0000000004D56000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXEJ
Source: wermgr.exe, 00000007.00000003.323021064.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.324329003.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: TCPDUMP.EXEM
Source: wermgr.exe, 00000007.00000003.323039882.0000000004D4F000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.324363967.0000000004D56000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DUMPCAP.EXEM
Source: wermgr.exe, 00000007.00000003.323021064.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.324329003.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: FRIDA-WINJECTOR-HELPER-32.EXE
Source: wermgr.exe, 00000007.00000003.323021064.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.324329003.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: FRIDA-WINJECTOR-HELPER-64.EXE
Source: wermgr.exe, 00000007.00000003.323021064.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.324329003.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINDUMP.EXER
Source: wermgr.exe, 00000007.00000003.323021064.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.324329003.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: FRIDA-WINJECTOR-HELPER-32.EXEL
Source: wermgr.exe, 00000007.00000003.323021064.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.324329003.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: FRIDA-WINJECTOR-HELPER-64.EXEK
Source: wermgr.exe, 00000007.00000003.323021064.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.324329003.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: TCPDUMP.EXE
Source: wermgr.exe, 00000007.00000003.323021064.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.324329003.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINDUMP.EXE
Source: wermgr.exe, 00000007.00000003.601336347.0000000004E12000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.601238980.0000000004E12000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PROC_ANALYZER.EXE
Source: wermgr.exe, 00000007.00000003.323039882.0000000004D4F000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.324363967.0000000004D56000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DUMPCAP.EXE
Source: wermgr.exe, 00000007.00000003.323039882.0000000004D4F000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.324363967.0000000004D56000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXE
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5068 Thread sleep count: 134 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 476 Thread sleep count: 113 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe TID: 64 Thread sleep time: -36000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe TID: 5188 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe TID: 5220 Thread sleep time: -83000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe TID: 5016 Thread sleep count: 47 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe TID: 2100 Thread sleep count: 45 > 30 Jump to behavior
Found evasive API chain (date check)
Source: C:\Windows\SysWOW64\regsvr32.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\wermgr.exe Last function: Thread delayed
Found evasive API chain checking for process token information
Source: C:\Windows\SysWOW64\regsvr32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Windows\System32\loaddll32.exe API coverage: 6.6 %
Source: C:\Windows\SysWOW64\regsvr32.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0073DDE7 GetSystemInfo, 3_2_0073DDE7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA994B5 FindFirstFileExW, 0_2_6DA994B5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0073C123 FindFirstFileW,FindNextFileW, 3_2_0073C123
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA89EC6 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6DA89EC6
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0073EF38 LoadLibraryA,GetProcAddress, 3_2_0073EF38
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA9A32E GetProcessHeap, 0_2_6DA9A32E
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA91610 mov ecx, dword ptr fs:[00000030h] 0_2_6DA91610
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA99229 mov eax, dword ptr fs:[00000030h] 0_2_6DA99229
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA89EC6 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6DA89EC6
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA8A11D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6DA8A11D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA8D8C3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6DA8D8C3

HIPS / PFW / Operating System Protection Evasion
barindex
Maps a DLL or memory area into another process
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: unknown target: C:\Windows\SysWOW64\wermgr.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\SysWOW64\wermgr.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\SysWOW64\wermgr.exe protection: execute and read and write Jump to behavior
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: 1030000 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: 1173C50 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: BF0000 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: 1173C50 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: BE0000 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: 1173C50 Jump to behavior
Allocates memory in foreign processes
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: 1030000 protect: page read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: BF0000 protect: page read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: BE0000 protect: page read and write Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_6DA9BFAE
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_6DA9C73D
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6DA9C614
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6DA9C1A9
Source: C:\Windows\System32\loaddll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_6DA9C912
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6DA96812
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6DA9C843
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_6DA9C3C1
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6DA9C336
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6DA96349
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6DA9C29B
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6DA9C250
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA89CE5 cpuid 0_2_6DA89CE5
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA89FEC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_6DA89FEC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0073DFC2 GetCurrentProcessId,GetLastError,GetSystemMetrics,GetVersionExA,GetWindowsDirectoryW, 3_2_0073DFC2
AV process strings found (often used to terminate AV products)
Source: regsvr32.exe, 00000003.00000003.313976995.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.313977147.00000000049BF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.314040424.00000000047FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bdagent.exe
Source: regsvr32.exe, 00000003.00000003.313976995.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.313977147.00000000049BF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.314040424.00000000047FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vsserv.exe
Source: regsvr32.exe, 00000003.00000003.313976995.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.313977147.00000000049BF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.314040424.00000000047FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avp.exe
Source: regsvr32.exe, 00000003.00000003.313976995.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.313977147.00000000049BF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.314040424.00000000047FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avgcsrvx.exe
Source: regsvr32.exe, 00000003.00000003.313976995.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.313977147.00000000049BF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.314040424.00000000047FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: mcshield.exe
Source: regsvr32.exe, 00000003.00000003.313976995.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.313977147.00000000049BF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.314040424.00000000047FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information
barindex
Yara detected Qbot
Source: Yara match File source: 8.0.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4820000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.b90000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.2fa0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.2fa0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.b90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.regsvr32.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.730000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2cc0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.730000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.regsvr32.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2cc0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.wermgr.exe.1000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4820000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.wermgr.exe.1000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000003.312922602.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.313259350.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.320649129.0000000004820000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.320603133.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.319688371.0000000001000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.312800639.0000000000400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.319841073.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.319924513.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.322491943.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.322126638.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected Qbot
Source: Yara match File source: 8.0.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4820000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.b90000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.2fa0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.2fa0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.b90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.regsvr32.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.730000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2cc0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.730000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.regsvr32.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2cc0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.wermgr.exe.1000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4820000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.wermgr.exe.1000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000003.312922602.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.313259350.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.320649129.0000000004820000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.320603133.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.319688371.0000000001000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.312800639.0000000000400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.319841073.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.319924513.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.322491943.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.322126638.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 719511 Sample: diatomaceous.dat.dll Startdate: 10/10/2022 Architecture: WINDOWS Score: 96 31 Malicious sample detected (through community Yara rule) 2->31 33 Multi AV Scanner detection for submitted file 2->33 35 Yara detected Qbot 2->35 37 3 other signatures 2->37 8 loaddll32.exe 1 2->8         started        process3 process4 10 regsvr32.exe 8->10         started        13 cmd.exe 1 8->13         started        15 rundll32.exe 8->15         started        17 2 other processes 8->17 signatures5 47 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 10->47 49 Writes to foreign memory regions 10->49 51 Allocates memory in foreign processes 10->51 19 wermgr.exe 8 1 10->19         started        22 rundll32.exe 13->22         started        53 Maps a DLL or memory area into another process 15->53 25 wermgr.exe 15->25         started        process6 file7 29 C:\Users\user\Desktop\diatomaceous.dat.dll, PE32 19->29 dropped 39 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 22->39 41 Writes to foreign memory regions 22->41 43 Allocates memory in foreign processes 22->43 45 Maps a DLL or memory area into another process 22->45 27 wermgr.exe 22->27         started        signatures8 process9
No contacted IP infos