Overview
overview
7Static
static
3qbittorren...up.exe
windows7-x64
7qbittorren...up.exe
windows10-2004-x64
7$PLUGINSDI...LL.dll
windows7-x64
3$PLUGINSDI...LL.dll
windows10-2004-x64
3$PLUGINSDI...LL.dll
windows7-x64
3$PLUGINSDI...LL.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDIR/UAC.dll
windows7-x64
3$PLUGINSDIR/UAC.dll
windows10-2004-x64
3$PLUGINSDI...gs.dll
windows7-x64
3$PLUGINSDI...gs.dll
windows10-2004-x64
3$PLUGINSDI...lW.dll
windows7-x64
3$PLUGINSDI...lW.dll
windows10-2004-x64
3qbittorrent.exe
windows7-x64
1qbittorrent.exe
windows10-2004-x64
1uninst.exe
windows7-x64
7uninst.exe
windows10-2004-x64
7$PLUGINSDI...LL.dll
windows7-x64
3$PLUGINSDI...LL.dll
windows10-2004-x64
3$PLUGINSDI...LL.dll
windows7-x64
3$PLUGINSDI...LL.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDIR/UAC.dll
windows7-x64
3$PLUGINSDIR/UAC.dll
windows10-2004-x64
3$PLUGINSDI...lW.dll
windows7-x64
3$PLUGINSDI...lW.dll
windows10-2004-x64
3Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
05-04-2024 13:36
Static task
static1
Behavioral task
behavioral1
Sample
qbittorrent_4.6.4_x64_setup.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral2
Sample
qbittorrent_4.6.4_x64_setup.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/FindProcDLL.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/FindProcDLL.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/LangDLL.dll
Resource
win7-20240319-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/LangDLL.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral8
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$PLUGINSDIR/UAC.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral10
Sample
$PLUGINSDIR/UAC.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral12
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
$PLUGINSDIR/nsisFirewallW.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral14
Sample
$PLUGINSDIR/nsisFirewallW.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
qbittorrent.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral16
Sample
qbittorrent.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
uninst.exe
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral18
Sample
uninst.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
$PLUGINSDIR/FindProcDLL.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral20
Sample
$PLUGINSDIR/FindProcDLL.dll
Resource
win10v2004-20240319-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
$PLUGINSDIR/LangDLL.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral22
Sample
$PLUGINSDIR/LangDLL.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral24
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
$PLUGINSDIR/UAC.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral26
Sample
$PLUGINSDIR/UAC.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
$PLUGINSDIR/nsisFirewallW.dll
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral28
Sample
$PLUGINSDIR/nsisFirewallW.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
General
-
Target
qbittorrent.exe
-
Size
30.8MB
-
MD5
b9dfd00c5fbb9cfaa2c4e1b3f9e218bf
-
SHA1
4dad2d51c73dffdd2cfc4d17146ac0253d74e3bf
-
SHA256
1fac780feaa2e263dbd0ee2103d1815d97b4d6a676f5b83e9320120dc15ee6bb
-
SHA512
baec0664acfb41b96939f6462df5b9390f6cec16e71960f77ead222ad2bdf7f5f8bc4cb1937413472d4abe1ff6053eb8e89a9a6291c7b979138272dac780ab6c
-
SSDEEP
393216:Q943f9XQuqc+GJi2piZ09Br9UhfrZfndOj/HS4UfrBq9BKFdu9CwJsv6t/kubD:QuZfyrZgqrAZbD
Malware Config
Signatures
-
Modifies registry class 17 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\magnet\ = "URL:Magnet link" qbittorrent.exe Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\magnet\shell\open\command\ qbittorrent.exe Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\magnet\shell\open\command qbittorrent.exe Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\.torrent\Content Type = "application/x-bittorrent" qbittorrent.exe Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\magnet\ qbittorrent.exe Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\magnet\Content Type = "application/x-magnet" qbittorrent.exe Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\magnet\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\qbittorrent.exe\",1" qbittorrent.exe Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\magnet\shell\ qbittorrent.exe Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\.torrent\ qbittorrent.exe Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\.torrent\ = "qBittorrent" qbittorrent.exe Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\magnet\DefaultIcon\ qbittorrent.exe Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\magnet qbittorrent.exe Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\magnet\shell qbittorrent.exe Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\magnet\shell\open qbittorrent.exe Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\magnet\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\qbittorrent.exe\" \"%1\"" qbittorrent.exe Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\magnet\URL Protocol qbittorrent.exe Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\magnet\shell\ = "open" qbittorrent.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 3096 qbittorrent.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3096 qbittorrent.exe -
Suspicious use of FindShellTrayWindow 6 IoCs
pid Process 3096 qbittorrent.exe 3096 qbittorrent.exe 3096 qbittorrent.exe 3096 qbittorrent.exe 3096 qbittorrent.exe 3096 qbittorrent.exe -
Suspicious use of SendNotifyMessage 6 IoCs
pid Process 3096 qbittorrent.exe 3096 qbittorrent.exe 3096 qbittorrent.exe 3096 qbittorrent.exe 3096 qbittorrent.exe 3096 qbittorrent.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\qbittorrent.exe"C:\Users\Admin\AppData\Local\Temp\qbittorrent.exe"1⤵
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3096
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4B
MD55b76b0eef9af8a2300673e0553f609f9
SHA10b56d40c0630a74abec5398e01c6cd83263feddc
SHA256d914176fd50bd7f565700006a31aa97b79d3ad17cee20c8e5ff2061d5cb74817
SHA512cf06a50de1bf63b7052c19ad53766fa0d99a4d88db76a7cbc672e33276e3d423e4c5f5cb4a8ae188c5c0e17d93bb740eaab6f25753f0d26501c5f84aeded075d