Overview

overview

10

Static

static

1

qBittorren...af.exe

windows7-x64

4

qBittorren...af.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    113s
  • max time network
    116s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-05-2023 01:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    qBittorrentPortable_4.5.2.paf.exe

  • Size

    15.0MB

  • MD5

    83b1ccdde2d2ea442c2f93bbdb5104eb

  • SHA1

    cf2e6b6dd24224b41d74cca4b6c4b738ea9c0f38

  • SHA256

    bce9addd9304f81c854e60e9d40dad0c50d21527c1fe3fb1e9f973147ab1011a

  • SHA512

    67e89951b2582c1375c3dc5db5fdf4b9d4c736596dc28e75faee3f67cb0361b9e9dea649652794a09feb31340ecc4479a4bfe54ce00aa881c98b1cd7fedbe779

  • SSDEEP

    393216:5UXiAFPR1KptgvG9AwUAUrKlWFvv7J5Bpg2a:5Uz1xvG9AwJlm7Hja

Score
10/10
bazarloaderdropperloader

Malware Config

Signatures

  • Bazar Loader

    Detected loader normally used to deploy BazarBackdoor malware.

    loaderdropperbazarloader
  • Bazar/Team9 Loader payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SendNotifyMessage 7 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\qBittorrentPortable_4.5.2.paf.exe
    "C:\Users\Admin\AppData\Local\Temp\qBittorrentPortable_4.5.2.paf.exe"
    1⤵
    • Loads dropped DLL
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1744
    • C:\qBittorrentPortable\qBittorrentPortable.exe
      "C:\qBittorrentPortable\qBittorrentPortable.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3308
      • C:\qBittorrentPortable\App\qBittorrent\qbittorrent.exe
        "C:\qBittorrentPortable\App\qBittorrent\qbittorrent.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3148
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 456 -p 2068 -ip 2068
    1⤵
      PID:3296
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2068 -s 2260
      1⤵
      • Program crash
      PID:3912

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
      Filesize

      28KB

      MD5

      f7ec5633c6ef4f0d5c6c8e16e34e9d0d

      SHA1

      1a6792e44c492b5e23573a7a1aa15d1465d71d57

      SHA256

      4b9f0f5319c579f82d635d3ec8082205a4ec659b1deb2669f2a299988edd7956

      SHA512

      7a04c8529e8e7b63fe126b87ebf97fc18ebc6503718ba7ca85bc7b2e09cc6a1d43707f63c290fa052a091df0c5486b1b3ceb10fd4dc0fbecf3fcbaf91ce78f8d

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
      Filesize

      28KB

      MD5

      55b3bb5c56cefa156e36d35f3c4f1b88

      SHA1

      52988dc4cf1fbac3e924eb37b8634ebb1f10e29c

      SHA256

      637ccd1d7bcc09cd85b40395ce18599229a1f624ca3ddfb174d40c6391c510ad

      SHA512

      f34440d4bc484b9b53b5f02148c81dcd3fbf5e01fa5f80bbbea4eb8f52c2ea8134087af1e7e0473c453624dd60228c6e927c74522e220ce1e81162dfe5d64c1f

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\nsq9810.tmp\LangDLL.dll
      Filesize

      5KB

      MD5

      68b287f4067ba013e34a1339afdb1ea8

      SHA1

      45ad585b3cc8e5a6af7b68f5d8269c97992130b3

      SHA256

      18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

      SHA512

      06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\nsq9810.tmp\System.dll
      Filesize

      12KB

      MD5

      cff85c549d536f651d4fb8387f1976f2

      SHA1

      d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

      SHA256

      8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

      SHA512

      531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\nsq9810.tmp\System.dll
      Filesize

      12KB

      MD5

      cff85c549d536f651d4fb8387f1976f2

      SHA1

      d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

      SHA256

      8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

      SHA512

      531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\nsq9810.tmp\System.dll
      Filesize

      12KB

      MD5

      cff85c549d536f651d4fb8387f1976f2

      SHA1

      d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

      SHA256

      8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

      SHA512

      531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\nsq9810.tmp\modern-wizard.bmp
      Filesize

      603KB

      MD5

      4df53efcaa2c52f39618b2aad77bb552

      SHA1

      542de62a8a48a3ff57cf7845737803078062e95b

      SHA256

      ee13539f3d66cc0592942ea1a4c35d8fd9af67b1a7f272d0d791931e6e9ce4eb

      SHA512

      565a6ba0c9afc916cf62dac617c671f695cd86bd36358e9897f1f0e1a23a59d3019a12349029e05bf91abfb7b213ef02fc5c568a2bfcde0e3896e98cbcfa623a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\nsq9810.tmp\nsDialogs.dll
      Filesize

      9KB

      MD5

      6c3f8c94d0727894d706940a8a980543

      SHA1

      0d1bcad901be377f38d579aafc0c41c0ef8dcefd

      SHA256

      56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

      SHA512

      2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\nsq9810.tmp\w7tbp.dll
      Filesize

      2KB

      MD5

      9a3031cc4cef0dba236a28eecdf0afb5

      SHA1

      708a76aa56f77f1b0ebc62b023163c2e0426f3ac

      SHA256

      53bb519e3293164947ac7cbd7e612f637d77a7b863e3534ba1a7e39b350d3c00

      SHA512

      8fddde526e7d10d77e247ea80b273beae9dde1d4112806f1f5c3e6a409247d54d8a4445ab5bdd77025a434c3d1dcfdf480dac21abbdb13a308d5eb74517fab53

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\nsy351C.tmp\System.dll
      Filesize

      11KB

      MD5

      bf712f32249029466fa86756f5546950

      SHA1

      75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

      SHA256

      7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

      SHA512

      13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\nsy351C.tmp\launcher.ini
      Filesize

      1KB

      MD5

      909e7972e824b3dedfbb0d70605f287a

      SHA1

      a4e3bb1c3d884aa94890ea2b66b4a1f7af0ce5e1

      SHA256

      99e0b9b8b60621d46774302f54725c350cda178b611aaf4d6292b8fbd409fdb9

      SHA512

      72c39a8c6668b32727d3c1ece460e4f2d07e90c121ec7c6f65c7387da72bc51c49d16e2f6fc9e8022ae2139770677ceebc40d842a30db4628883ee1c17bdf965

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\nsy351C.tmp\newadvsplash.dll
      Filesize

      8KB

      MD5

      55a723e125afbc9b3a41d46f41749068

      SHA1

      01618b26fec6b8c6bdb866e6e4d0f7a0529fe97c

      SHA256

      0a70cc4b93d87ecd93e538cfbed7c9a4b8b5c6f1042c6069757bda0d1279ed06

      SHA512

      559157fa1b3eb6ae1f9c0f2c71ccc692a0a0affb1d6498a8b8db1436d236fd91891897ac620ed5a588beba2efa43ef064211a7fcadb5c3a3c5e2be1d23ef9d4c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\nsy351C.tmp\newtextreplace.dll
      Filesize

      11KB

      MD5

      b5358341df2cb171876a5f201e31a834

      SHA1

      df34750ea5504274be5ff8ddd306b49e302d04f9

      SHA256

      156b9b583399faf13c4d46b89339fb0f7f38dc847ac2d7872178d8e3998b9734

      SHA512

      821dc42e24fa2d44a1d4d16b26c3da2688dac0fa44a266e38da2aff706c91440d83a87abc74131930e6c38a44a0c5e627db2d045375fde147e0edd3276f4b014

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\nsy351C.tmp\registry.dll
      Filesize

      29KB

      MD5

      2880bf3bbbc8dcaeb4367df8a30f01a8

      SHA1

      cb5c65eae4ae923514a67c95ada2d33b0c3f2118

      SHA256

      acb79c55b3b9c460d032a6f3aaf6c642bf8c1d450e23279d091cc0c6ca510973

      SHA512

      ca978702ce7aa04f8d9781a819a57974f9627e969138e23e81e0792ff8356037c300bb27a37a9b5c756220a7788a583c8e40cc23125bcbe48849561b159c4fa3

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\nsy351C.tmp\registry.dll
      Filesize

      29KB

      MD5

      2880bf3bbbc8dcaeb4367df8a30f01a8

      SHA1

      cb5c65eae4ae923514a67c95ada2d33b0c3f2118

      SHA256

      acb79c55b3b9c460d032a6f3aaf6c642bf8c1d450e23279d091cc0c6ca510973

      SHA512

      ca978702ce7aa04f8d9781a819a57974f9627e969138e23e81e0792ff8356037c300bb27a37a9b5c756220a7788a583c8e40cc23125bcbe48849561b159c4fa3

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\nsy351C.tmp\registry.dll
      Filesize

      29KB

      MD5

      2880bf3bbbc8dcaeb4367df8a30f01a8

      SHA1

      cb5c65eae4ae923514a67c95ada2d33b0c3f2118

      SHA256

      acb79c55b3b9c460d032a6f3aaf6c642bf8c1d450e23279d091cc0c6ca510973

      SHA512

      ca978702ce7aa04f8d9781a819a57974f9627e969138e23e81e0792ff8356037c300bb27a37a9b5c756220a7788a583c8e40cc23125bcbe48849561b159c4fa3

      Download Submit
    • C:\Users\Admin\AppData\Roaming\qBittorrent\watched_folders.json
      Filesize

      4B

      MD5

      5b76b0eef9af8a2300673e0553f609f9

      SHA1

      0b56d40c0630a74abec5398e01c6cd83263feddc

      SHA256

      d914176fd50bd7f565700006a31aa97b79d3ad17cee20c8e5ff2061d5cb74817

      SHA512

      cf06a50de1bf63b7052c19ad53766fa0d99a4d88db76a7cbc672e33276e3d423e4c5f5cb4a8ae188c5c0e17d93bb740eaab6f25753f0d26501c5f84aeded075d

      Download Submit
    • C:\qBittorrentPortable\App\AppInfo\Launcher\qBittorrentPortable.ini
      Filesize

      1KB

      MD5

      909e7972e824b3dedfbb0d70605f287a

      SHA1

      a4e3bb1c3d884aa94890ea2b66b4a1f7af0ce5e1

      SHA256

      99e0b9b8b60621d46774302f54725c350cda178b611aaf4d6292b8fbd409fdb9

      SHA512

      72c39a8c6668b32727d3c1ece460e4f2d07e90c121ec7c6f65c7387da72bc51c49d16e2f6fc9e8022ae2139770677ceebc40d842a30db4628883ee1c17bdf965

      Download Submit
    • C:\qBittorrentPortable\App\AppInfo\Launcher\splash.jpg
      Filesize

      36KB

      MD5

      67aa4bc9506d0b6aba3cccd63a8fbb5e

      SHA1

      32610c9e6a0e7872fc416b8c94f627d2845ef1ca

      SHA256

      d7d4b57f95420a9bdb0cb27c4439655b3a6261b96eb75a4df4af09c0723488f5

      SHA512

      711696a057b04e369482489bef840ef2eb128c82b67cb57c52389305d6a19b8c7b47b5fc8149717600d5a3df69be3f63b256127933aefd9bafdb566214d27b58

      Download Submit
    • C:\qBittorrentPortable\App\AppInfo\appinfo.ini
      Filesize

      699B

      MD5

      fbdb6c09155a57ffb36ea84485be57e2

      SHA1

      b1c7c75b696fe6aff1d8274420fc77601b01f6f4

      SHA256

      f7461100b71c0bbc31fd909d3efa745ad7bd34f6f67bb1e976bea50a8e4664b5

      SHA512

      7047b6220c411348a6563b3231862d63e34021dce893da56a8d3b0282ed6f5dd9a507e8f9ab3b5b7410b9e707171f65156d5f6a0e92ce631dc868b82014eda30

      Download Submit
    • C:\qBittorrentPortable\App\DefaultData\settings\AppData_qBittorrent\qBittorrent.ini
      Filesize

      3KB

      MD5

      500e968fc94f7844374a56ff1ffa8d7a

      SHA1

      3b555cca2f520a7dcedc736232a5e092c6fccd58

      SHA256

      29796bf4663c490842c52005ff10bbbcd40543ad8ffbb18b99014db3e7ced0ee

      SHA512

      b7c886dcf0ee13db4fd8c65b2c59f5934c18bb54eb32a32f9cb5d4abde83ed9da0855bf2ed3351be0a0062c3180e7f0c569f17ff9289bcb5dcfb4e9fdffdd68c

      Download Submit
    • C:\qBittorrentPortable\App\qBittorrent\qbittorrent.exe
      Filesize

      28.3MB

      MD5

      cb03a80bc17d2d81fd34aab4341e89eb

      SHA1

      baf0f8686769ae47ed411e8432028057974a1611

      SHA256

      8e6af6cbd3765b8d8c1dd553354a0d4ff9f7fc2eb293704845af7e66a9ccdb0a

      SHA512

      f2bc0fefab5c22b9732f506ad47b93108779859f2ba7615c8e0522622cd2587cdb711225d603804f75a28932389b2877ab2f886facbbe5871cd55dc20256bcbe

      Download Submit
    • C:\qBittorrentPortable\App\qBittorrent\qbittorrent.exe
      Filesize

      28.3MB

      MD5

      cb03a80bc17d2d81fd34aab4341e89eb

      SHA1

      baf0f8686769ae47ed411e8432028057974a1611

      SHA256

      8e6af6cbd3765b8d8c1dd553354a0d4ff9f7fc2eb293704845af7e66a9ccdb0a

      SHA512

      f2bc0fefab5c22b9732f506ad47b93108779859f2ba7615c8e0522622cd2587cdb711225d603804f75a28932389b2877ab2f886facbbe5871cd55dc20256bcbe

      Download Submit
    • C:\qBittorrentPortable\App\qBittorrent\qt.conf
      Filesize

      84B

      MD5

      af7f56a63958401da8bea1f5e419b2af

      SHA1

      f66ee8779ca6d570dea22fe34ef8600e5d3c5f38

      SHA256

      fdb8fa58a6ffc14771ca2b1ef6438061a6cba638594d76d9021b91e755d030d3

      SHA512

      02f70ca7f1291b25402989be74408eb82343ab500e15e4ac22fbc7162eb9230cd7061eaa7e34acf69962b57ed0827f51ceaf0fa63da3154b53469c7b7511d23d

      Download Submit
    • C:\qBittorrentPortable\Data\settings\AppData_qBittorrent\qBittorrent.ini
      Filesize

      3KB

      MD5

      500e968fc94f7844374a56ff1ffa8d7a

      SHA1

      3b555cca2f520a7dcedc736232a5e092c6fccd58

      SHA256

      29796bf4663c490842c52005ff10bbbcd40543ad8ffbb18b99014db3e7ced0ee

      SHA512

      b7c886dcf0ee13db4fd8c65b2c59f5934c18bb54eb32a32f9cb5d4abde83ed9da0855bf2ed3351be0a0062c3180e7f0c569f17ff9289bcb5dcfb4e9fdffdd68c

      Download Submit
    • C:\qBittorrentPortable\qBittorrentPortable.exe
      Filesize

      247KB

      MD5

      df13b287b40791c224dd38c7145a8810

      SHA1

      139b6abdc3439601774793d27cb5255750d24004

      SHA256

      ab196ad139e0a05284abe7cc2c2d511f58387ba6b4bf53561ccb593d0cc860d6

      SHA512

      0a74fd616c49ba3d639b729ddcacb48ab70e55e5139e0eccb5947368abf4cfd02cfc9675f9f73cd149eb116703deb85568c6d4de08017d6c8d519dd1568b7777

      Download Submit
    • C:\qBittorrentPortable\qBittorrentPortable.exe
      Filesize

      247KB

      MD5

      df13b287b40791c224dd38c7145a8810

      SHA1

      139b6abdc3439601774793d27cb5255750d24004

      SHA256

      ab196ad139e0a05284abe7cc2c2d511f58387ba6b4bf53561ccb593d0cc860d6

      SHA512

      0a74fd616c49ba3d639b729ddcacb48ab70e55e5139e0eccb5947368abf4cfd02cfc9675f9f73cd149eb116703deb85568c6d4de08017d6c8d519dd1568b7777

      Download Submit
    • memory/3148-350-0x00000197583E0000-0x00000197583F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3148-367-0x00000197583E0000-0x00000197583F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3308-286-0x0000000005F90000-0x0000000005FF3000-memory.dmp
      Filesize

      396KB

      Download