Overview

overview

8

Static

static

3

qbittorren...up.exe

windows11-21h2-x64

8

$PLUGINSDI...LL.dll

windows11-21h2-x64

3

$PLUGINSDI...LL.dll

windows11-21h2-x64

3

$PLUGINSDI...em.dll

windows11-21h2-x64

3

$PLUGINSDIR/UAC.dll

windows11-21h2-x64

3

$PLUGINSDI...gs.dll

windows11-21h2-x64

3

$PLUGINSDI...lW.dll

windows11-21h2-x64

3

qbittorrent.exe

windows11-21h2-x64

1

uninst.exe

windows11-21h2-x64

7

$PLUGINSDI...LL.dll

windows11-21h2-x64

3

$PLUGINSDI...LL.dll

windows11-21h2-x64

3

$PLUGINSDI...em.dll

windows11-21h2-x64

3

$PLUGINSDIR/UAC.dll

windows11-21h2-x64

3

$PLUGINSDI...lW.dll

windows11-21h2-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    qbittorrent_5.0.1_x64_setup.exe

  • Size

    37.4MB

  • Sample

    241115-fka78aymfv

  • MD5

    fd6ea4e1d7b3adb820908ec26b729ea7

  • SHA1

    485b31d0f8394efdaa860c0d4a54227033f40579

  • SHA256

    5513812584a5ba7810b812db7ceec2d0e9cb214cef95a2580e29927cf4fe9921

  • SHA512

    e587c67bd4da787226187918206acfdb9ef4192e884b41e0680cf96458799eeeabde97376dbdfdd89c7de12839a062bd8f8da50b9e6a49c33018461783535c66

  • SSDEEP

    786432:7fFBmZOcw9i54tPYrFrQAEODhrbt+Fn1/Zo2NCILF5Iud3gIwmbN:79BH1e+sFspIteZtQILFDdQIwm5

Score
8/10
defense_evasiondiscoveryexecutionpersistencespywarestealer

Malware Config

Targets

    • Target

      qbittorrent_5.0.1_x64_setup.exe

    • Size

      37.4MB

    • MD5

      fd6ea4e1d7b3adb820908ec26b729ea7

    • SHA1

      485b31d0f8394efdaa860c0d4a54227033f40579

    • SHA256

      5513812584a5ba7810b812db7ceec2d0e9cb214cef95a2580e29927cf4fe9921

    • SHA512

      e587c67bd4da787226187918206acfdb9ef4192e884b41e0680cf96458799eeeabde97376dbdfdd89c7de12839a062bd8f8da50b9e6a49c33018461783535c66

    • SSDEEP

      786432:7fFBmZOcw9i54tPYrFrQAEODhrbt+Fn1/Zo2NCILF5Iud3gIwmbN:79BH1e+sFspIteZtQILFDdQIwm5

    Score
    8/10
    defense_evasiondiscoveryexecutionpersistencespywarestealer

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Indirect Command Execution

      Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

      defense_evasion

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Drops Chrome extension

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    behavioral1

    • Target

      $PLUGINSDIR/FindProcDLL.dll

    • Size

      3KB

    • MD5

      b4faf654de4284a89eaf7d073e4e1e63

    • SHA1

      8efcfd1ca648e942cbffd27af429784b7fcf514b

    • SHA256

      c0948b2ec36a69f82c08935fac4b212238b6792694f009b93b4bdb478c4f26e3

    • SHA512

      eef31e332be859cf2a64c928bf3b96442f36fe51f1a372c5628264a0d4b2fc7b3e670323c8fb5ffa72db995b8924da2555198e7de7b4f549d9e0f9e6dbb6b388

    Score
    3/10
    discovery
    behavioral2

    • Target

      $PLUGINSDIR/LangDLL.dll

    • Size

      5KB

    • MD5

      50016010fb0d8db2bc4cd258ceb43be5

    • SHA1

      44ba95ee12e69da72478cf358c93533a9c7a01dc

    • SHA256

      32230128c18574c1e860dfe4b17fe0334f685740e27bc182e0d525a8948c9c2e

    • SHA512

      ed4cf49f756fbf673449dca20e63dce6d3a612b61f294efc9c3ccebeffa6a1372667932468816d3a7afdb7e5a652760689d8c6d3f331cedee7247404c879a233

    • SSDEEP

      48:S46+/pTKYKxbWsptIp5tCZ0iVEAWyMEv9v/ft2O2B8m/ofjLl:zbuPbO5tCZBVEAWyMEFv2CmCL

    Score
    3/10
    discovery
    behavioral3

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      4add245d4ba34b04f213409bfe504c07

    • SHA1

      ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

    • SHA256

      9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

    • SHA512

      1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

    • SSDEEP

      192:VjHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZv0QPi:B/Qlt7wiij/lMRv/9V4bvr

    Score
    3/10
    discovery
    behavioral4

    • Target

      $PLUGINSDIR/UAC.dll

    • Size

      14KB

    • MD5

      adb29e6b186daa765dc750128649b63d

    • SHA1

      160cbdc4cb0ac2c142d361df138c537aa7e708c9

    • SHA256

      2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

    • SHA512

      b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

    • SSDEEP

      192:DiF6v2imI36Op/tGZGfWxdyWHD0I53vLl7WVl8e04IpDlPjs:DGVY6ClGoWxXH75T1WVl83lLs

    Score
    3/10
    discovery
    behavioral5

    • Target

      $PLUGINSDIR/nsDialogs.dll

    • Size

      9KB

    • MD5

      1d8f01a83ddd259bc339902c1d33c8f1

    • SHA1

      9f7806af462c94c39e2ec6cc9c7ad05c44eba04e

    • SHA256

      4b7d17da290f41ebe244827cc295ce7e580da2f7e9f7cc3efc1abc6898e3c9ed

    • SHA512

      28bf647374b4b500a0f3dbced70c2b256f93940e2b39160512e6e486ac31d1d90945acecef578f61b0a501f27c7106b6ffc3deab2ec3bfb3d9af24c9449a1567

    • SSDEEP

      96:o4Ev02zUu56FcS817eTaXx85qHFcUcxSgB5PKtAtoniJninnt3DVEB3YsNqkzfFc:o4EvCu5e81785qHFcU0PuAw0uyGIFc

    Score
    3/10
    discovery
    behavioral6

    • Target

      $PLUGINSDIR/nsisFirewallW.dll

    • Size

      8KB

    • MD5

      f5bf81a102de52a4add21b8a367e54e0

    • SHA1

      cf1e76ffe4a3ecd4dad453112afd33624f16751c

    • SHA256

      53be5716ad80945cb99681d5dbda60492f5dfb206fbfdb776b769b3eeb18d2c2

    • SHA512

      6e280a75f706474ad31b2ce770fa34f54cb598528fac4477c466200a608b79c0f9b84011545595d9ba94331ad08e2f51bd42de91f92379db27686a28ba351256

    • SSDEEP

      96:8SMPv+eLDUDp+weLv2lstU+0IgNB2Aa20kdArfOwJKbFrMiRsuHdRYL:wnxLDUwp6sgN2RDrzJMMmsuYL

    Score
    3/10
    discovery
    behavioral7

    • Target

      qbittorrent.exe

    • Size

      34.9MB

    • MD5

      bebf18e9f646943cfe8067ab60b3ad9e

    • SHA1

      d9dd3bb1190e70bcb338ffd713fd0c906b29d2c1

    • SHA256

      c8169df564f2b6bc12b0e0c1d8f628f5e7daafac5b94c5d92211ed631b68a551

    • SHA512

      531e0d546b02b1946010ca4b4ba8a26f34648efc315f75ba48d7ac534a7656c6c05d2c1a23e5a0ca80ffdc78ec133f4ba6601bb3ab6ce8392a88a8ec93093acb

    • SSDEEP

      393216:klvHNg/cBByBwR93k0p9O/m/j/ALv7cS+s6gwGex4pvUyrOnRKFdu9CwJsv6tQU6:e7tUS/ALv7cxPx4p8yrMQU6

    Score
    1/10
    behavioral8

    • Target

      uninst.exe

    • Size

      138KB

    • MD5

      7ef2fd299b7bffdd88a53223cb6ac426

    • SHA1

      ea63fc81cc8a9ea3031f5eca4e9ec4c8be25f46e

    • SHA256

      ba1ec2684ceee82f817b250417985a9ef33dd679f5e97a18e0f8f3fda8a055b1

    • SHA512

      47da0192a634ae7ea7553ad2e158c505b7cdb0c13ec956424f8777522609544bf059ac7b6919c877a2c67e7576e8237071d0962cfa59b321eb0ff7d53245e6f6

    • SSDEEP

      3072:dnPdzuK8Jdw4TMJw3uXceAgF88Q0ejM6ocOSlH/Hs9:dnPdudwDzmgO8iPOSJM9

    Score
    7/10
    discovery

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral9

    • Target

      $PLUGINSDIR/FindProcDLL.dll

    • Size

      3KB

    • MD5

      b4faf654de4284a89eaf7d073e4e1e63

    • SHA1

      8efcfd1ca648e942cbffd27af429784b7fcf514b

    • SHA256

      c0948b2ec36a69f82c08935fac4b212238b6792694f009b93b4bdb478c4f26e3

    • SHA512

      eef31e332be859cf2a64c928bf3b96442f36fe51f1a372c5628264a0d4b2fc7b3e670323c8fb5ffa72db995b8924da2555198e7de7b4f549d9e0f9e6dbb6b388

    Score
    3/10
    discovery
    behavioral10

    • Target

      $PLUGINSDIR/LangDLL.dll

    • Size

      5KB

    • MD5

      50016010fb0d8db2bc4cd258ceb43be5

    • SHA1

      44ba95ee12e69da72478cf358c93533a9c7a01dc

    • SHA256

      32230128c18574c1e860dfe4b17fe0334f685740e27bc182e0d525a8948c9c2e

    • SHA512

      ed4cf49f756fbf673449dca20e63dce6d3a612b61f294efc9c3ccebeffa6a1372667932468816d3a7afdb7e5a652760689d8c6d3f331cedee7247404c879a233

    • SSDEEP

      48:S46+/pTKYKxbWsptIp5tCZ0iVEAWyMEv9v/ft2O2B8m/ofjLl:zbuPbO5tCZBVEAWyMEFv2CmCL

    Score
    3/10
    discovery
    behavioral11

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      4add245d4ba34b04f213409bfe504c07

    • SHA1

      ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

    • SHA256

      9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

    • SHA512

      1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

    • SSDEEP

      192:VjHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZv0QPi:B/Qlt7wiij/lMRv/9V4bvr

    Score
    3/10
    discovery
    behavioral12

    • Target

      $PLUGINSDIR/UAC.dll

    • Size

      14KB

    • MD5

      adb29e6b186daa765dc750128649b63d

    • SHA1

      160cbdc4cb0ac2c142d361df138c537aa7e708c9

    • SHA256

      2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

    • SHA512

      b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

    • SSDEEP

      192:DiF6v2imI36Op/tGZGfWxdyWHD0I53vLl7WVl8e04IpDlPjs:DGVY6ClGoWxXH75T1WVl83lLs

    Score
    3/10
    discovery
    behavioral13

    • Target

      $PLUGINSDIR/nsisFirewallW.dll

    • Size

      8KB

    • MD5

      f5bf81a102de52a4add21b8a367e54e0

    • SHA1

      cf1e76ffe4a3ecd4dad453112afd33624f16751c

    • SHA256

      53be5716ad80945cb99681d5dbda60492f5dfb206fbfdb776b769b3eeb18d2c2

    • SHA512

      6e280a75f706474ad31b2ce770fa34f54cb598528fac4477c466200a608b79c0f9b84011545595d9ba94331ad08e2f51bd42de91f92379db27686a28ba351256

    • SSDEEP

      96:8SMPv+eLDUDp+weLv2lstU+0IgNB2Aa20kdArfOwJKbFrMiRsuHdRYL:wnxLDUwp6sgN2RDrzJMMmsuYL

    Score
    3/10
    discovery
    behavioral14

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Indirect Command Execution

1
T1202

Modify Registry

2
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

2
T1120

Query Registry

6
T1012

System Information Discovery

6
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks