Windows
Analysis Report
Cancellation_418406_Dec23.pdf
Overview
General Information
Detection
Qbot Downloader
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Found potential malicious PDF (bad image similarity)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Yara detected Qbot Downloader
Clickable URLs found in PDF pointing to potentially malicious files
Creates a DirectInput object (often for capturing keystrokes)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Internet Provider seen in connection with other malware
Sample execution stops while process was sleeping (likely an evasion)
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware
Classification
- System is w10x64
- AcroRd32.exe (PID: 2156 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\Desktop\Cancellation_418406_Dec23.pdf" MD5: B969CF0C7B2C443A99034881E8C8740A)
- RdrCEF.exe (PID: 5448 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043 MD5: 9AEBA3BACD721484391D15478A4080C7)
- chrome.exe (PID: 7152 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://agapeministriesinternational.church/blog/Cancellation_367461_Dec23.zip MD5: 0FEC2748F363150DC54C1CAFFB1A9408)
- chrome.exe (PID: 2364 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1948 --field-trial-handle=1812,i,544507481073856773,15156316211615148029,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8 MD5: 0FEC2748F363150DC54C1CAFFB1A9408)
- unarchiver.exe (PID: 6076 cmdline: "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\Cancellation_367461_Dec23.zip" MD5: 16FF3CC6CC330A08EED70CBC1D35F5D2)
- 7za.exe (PID: 5296 cmdline: "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\fgt4alc0.uhe" "C:\Users\user\Downloads\Cancellation_367461_Dec23.zip" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
- conhost.exe (PID: 5312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cleanup
{"Download Url": "http://agapeministriesinternational.church/blog/Cancellation_367461_Dec23.zip"}
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_QbotDownloader | Yara detected Qbot Downloader | Joe Security | |
No Sigma rule has matched
No Snort rule has matched
AV Detection
- Source: | Avira URL Cloud: |
- Source: | Virustotal: |
- Source: | Malware Configuration Extractor: |
- Source: | Directory created: |
- Source: | File opened: |
Spreading
- Source: | File source: |
- Source: | ASN Name: |
- Source: | IP Address: |
- Source: | HTTP traffic detected: |