Windows Analysis Report
qd_x86.exe

Overview

General Information

Sample name: qd_x86.exe
Analysis ID: 1427912
MD5: 31b1a881401e0ba0cad4c56f1e32c48e
SHA1: 19e491a4c69de056c77d05ba671870818d4f7f80
SHA256: 7215d9421e0a6d1a7cfde3f6d742670550fed009585ab35b53cbb845f63c5f74
Tags: exe

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Check for Windows Defender sandbox
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: qd_x86.exe ReversingLabs: Detection: 35%
Source: qd_x86.exe Virustotal: Detection: 42%
Source: qd_x86.exe Joe Sandbox ML: detected
Source: qd_x86.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: qd_x86.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: Z:\j\projects\qbot4\Release\Win32\qd_x86.pdb source: qd_x86.exe
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 0_2_00568074 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00568074
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 0_2_00567C8A FindFirstFileExW, 0_2_00567C8A
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 0_2_005821A0 0_2_005821A0
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 0_2_00554243 0_2_00554243
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 0_2_005723EF 0_2_005723EF
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 0_2_0056C42E 0_2_0056C42E
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 0_2_005844C0 0_2_005844C0
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 0_2_005545A2 0_2_005545A2
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 0_2_00580800 0_2_00580800
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 0_2_00554910 0_2_00554910
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 0_2_0053ABC1 0_2_0053ABC1
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 0_2_00554C6F 0_2_00554C6F
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 0_2_0058EC3F 0_2_0058EC3F
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 0_2_0057AD5D 0_2_0057AD5D
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 0_2_00554FCD 0_2_00554FCD
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 0_2_00539068 0_2_00539068
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 0_2_0057D200 0_2_0057D200
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 0_2_005352FF 0_2_005352FF
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 0_2_00571370 0_2_00571370
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 0_2_0055533A 0_2_0055533A
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 0_2_00555698 0_2_00555698
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 0_2_0055386E 0_2_0055386E
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 0_2_005718A0 0_2_005718A0
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 0_2_0058F9AF 0_2_0058F9AF
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 0_2_00555A8C 0_2_00555A8C
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 0_2_00553BB0 0_2_00553BB0
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 0_2_0057DC08 0_2_0057DC08
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 0_2_00571CF0 0_2_00571CF0
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 0_2_00535EEE 0_2_00535EEE
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 0_2_00555E8F 0_2_00555E8F
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 0_2_0056FE89 0_2_0056FE89
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 0_2_00553F01 0_2_00553F01
Source: C:\Users\user\Desktop\qd_x86.exe Code function: String function: 00536E70 appears 63 times
Source: C:\Users\user\Desktop\qd_x86.exe Code function: String function: 00531140 appears 54 times
Source: C:\Users\user\Desktop\qd_x86.exe Code function: String function: 00561F12 appears 35 times
Source: C:\Users\user\Desktop\qd_x86.exe Code function: String function: 00562DA3 appears 56 times
Source: classification engine Classification label: mal60.evad.winEXE@2/1@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6304:120:WilError_03
Source: C:\Users\user\Desktop\qd_x86.exe Command line argument: ~LX 0_2_00584BD0
Source: qd_x86.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\qd_x86.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\qd_x86.exe "C:\Users\user\Desktop\qd_x86.exe"
Source: C:\Users\user\Desktop\qd_x86.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\qd_x86.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\qd_x86.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\qd_x86.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\qd_x86.exe Section loaded: samcli.dll
Source: C:\Users\user\Desktop\qd_x86.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\qd_x86.exe Section loaded: logoncli.dll
Source: C:\Users\user\Desktop\qd_x86.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\qd_x86.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\qd_x86.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\qd_x86.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\qd_x86.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\qd_x86.exe Section loaded: kernel.appcore.dll
Source: qd_x86.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: qd_x86.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: qd_x86.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: qd_x86.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: qd_x86.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: qd_x86.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: qd_x86.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: qd_x86.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: qd_x86.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: qd_x86.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: qd_x86.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 0_2_00533E91 LoadLibraryA,GetProcAddress, 0_2_00533E91
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 0_2_00584D3B push ecx; ret 0_2_00584D4E
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 0_2_00536EC0 push ecx; ret 0_2_00536ED3
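The static PE lines above (EXECUTABLE_IMAGE / 32BIT_MACHINE, DYNAMIC_BASE / NX_COMPAT / TERMINAL_SERVER_AWARE, the .text section flags and the embedded .pdb path) can be reproduced from the file headers without a sandbox. The script below is an added example written for this page, not part of the Joe Sandbox report; it parses the COFF header, the optional header's DllCharacteristics field and the section table with the standard library only, and scans for a .pdb path the way the "Binary string" finding does. The input it parses is a constructed minimal PE32 image built by build_sample_pe() with the same flag set the report lists, not qd_x86.exe itself. Note that the report lists no GUARD_CF, so missing_mitigations() reports Control Flow Guard as absent.

```python
"""Decode the static PE facts a sandbox report prints (file and DLL
characteristics, section flags, embedded .pdb path) straight from the headers.
Added example; build_sample_pe() returns a constructed minimal PE32 image,
not the analysed sample."""
import hashlib
import re
import struct

FILE_CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_CHARACTERISTICS = {
    0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY", 0x0100: "NX_COMPAT",
    0x0400: "NO_SEH", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
SECTION_CHARACTERISTICS = {
    0x00000020: "IMAGE_SCN_CNT_CODE", 0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE", 0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
# Printable run ending in ".pdb": the CodeView debug record stores the path as a C string.
PDB_RE = re.compile(rb"[\x20-\x7e]{4,}\.pdb")


def _flags(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe(data: bytes) -> dict:
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # DllCharacteristics is at +70 in both the PE32 (0x10b) and PE32+ (0x20b) optional header.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    sections = []
    for i in range(nsections):
        off = opt + opt_size + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        sec_chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, _flags(sec_chars, SECTION_CHARACTERISTICS)))
    return {
        "machine": {0x14C: "x86", 0x8664: "x64"}.get(machine, hex(machine)),
        "pe_format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
        "characteristics": _flags(chars, FILE_CHARACTERISTICS),
        "dll_characteristics": _flags(dll_chars, DLL_CHARACTERISTICS),
        "sections": sections,
    }


def missing_mitigations(info: dict) -> list:
    """Mitigations a modern MSVC build would normally carry but this image does not."""
    wanted = ("DYNAMIC_BASE", "NX_COMPAT", "GUARD_CF")
    return [m for m in wanted if m not in info["dll_characteristics"]]


def find_pdb_paths(data: bytes) -> list:
    return PDB_RE.findall(data)


def hashes(data: bytes) -> dict:
    """Same three digests the report header lists."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 header with one .text section and a .pdb string.
    Flag values mirror what the report lists for qd_x86.exe; the bytes are not the sample."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0002 | 0x0100)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 70, 0x0040 | 0x0100 | 0x8000)
    sec = bytearray(40)
    sec[:5] = b".text"
    struct.pack_into("<I", sec, 36, 0x20 | 0x20000000 | 0x40000000)
    pdb = b"\0Z:\\j\\projects\\qbot4\\Release\\Win32\\qd_x86.pdb\0"
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(sec) + pdb


if __name__ == "__main__":
    blob = build_sample_pe()
    print(parse_pe(blob), missing_mitigations(parse_pe(blob)), find_pdb_paths(blob))
```

Run parse_pe() on the real file's bytes to confirm the report's static findings; a mismatch between the reported flags and the file on disk is the quickest sign that the wrong sample was submitted.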

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\qd_x86.exe File Queried: C:\INTERNAL\__empty
Source: C:\Users\user\Desktop\qd_x86.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 0_2_00534540 GetSystemInfo, 0_2_00534540
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 0_2_005622A5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_005622A5
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 0_2_0056D5EA GetProcessHeap, 0_2_0056D5EA
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 0_2_00536C0A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00536C0A
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 0_2_00536DA0 SetUnhandledExceptionFilter, 0_2_00536DA0
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 0_2_005372F7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_005372F7
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 0_2_00537109 cpuid 0_2_00537109
Source: C:\Users\user\Desktop\qd_x86.exe Code function: EnumSystemLocalesW, 0_2_00562779
Source: C:\Users\user\Desktop\qd_x86.exe Code function: EnumSystemLocalesW, 0_2_005628E6
Source: C:\Users\user\Desktop\qd_x86.exe Code function: EnumSystemLocalesW, 0_2_00562918
Source: C:\Users\user\Desktop\qd_x86.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_0056C9C1
Source: C:\Users\user\Desktop\qd_x86.exe Code function: EnumSystemLocalesW, 0_2_0056CC6D
Source: C:\Users\user\Desktop\qd_x86.exe Code function: EnumSystemLocalesW, 0_2_0056CCD6
Source: C:\Users\user\Desktop\qd_x86.exe Code function: EnumSystemLocalesW, 0_2_0056CD71
Source: C:\Users\user\Desktop\qd_x86.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_0056CDFC
Source: C:\Users\user\Desktop\qd_x86.exe Code function: GetLocaleInfoW, 0_2_0056D04F
Source: C:\Users\user\Desktop\qd_x86.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_0056D178
Source: C:\Users\user\Desktop\qd_x86.exe Code function: GetLocaleInfoW, 0_2_0056325F
Source: C:\Users\user\Desktop\qd_x86.exe Code function: GetLocaleInfoW, 0_2_0056D27E
Source: C:\Users\user\Desktop\qd_x86.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_0056D354
Source: C:\Users\user\Desktop\qd_x86.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 0_2_005313B0 CreateNamedPipeA,ConnectNamedPipe,GetLastError,ReadFile,GetLastError,DisconnectNamedPipe, 0_2_005313B0
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 0_2_00536ADF GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00536ADF
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 0_2_00531AD0 GetFileAttributesW,GetModuleHandleA,GetUserNameW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcmpW,lstrcpyW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,Sleep,lstrlenA, 0_2_00531AD0
Source: C:\Users\user\Desktop\qd_x86.exe Code function: 0_2_00534767 GetCurrentProcessId,GetLastError,KiUserCallbackDispatcher,GetVersionExA,GetWindowsDirectoryW, 0_2_00534767
Source: C:\Users\user\Desktop\qd_x86.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
No contacted IP infos
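Several of the "Code function" chains that drive the anti-debugging, cpuid and locale signatures above are ordinary MSVC runtime start-up code rather than the sample's own logic: GetSystemTimeAsFileTime / GetCurrentThreadId / GetCurrentProcessId / QueryPerformanceCounter is __security_init_cookie, the IsProcessorFeaturePresent / IsDebuggerPresent / SetUnhandledExceptionFilter / UnhandledExceptionFilter and SetUnhandledExceptionFilter / UnhandledExceptionFilter / GetCurrentProcess / TerminateProcess chains are the CRT's fail-fast and __raise_securityfailure handlers, and the EnumSystemLocalesW / GetLocaleInfoW / GetACP / IsValidCodePage / IsValidLocale / GetUserDefaultLCID functions are the CRT's locale support. That identification is the editor's, from well-known MSVC runtime patterns; the sandbox report does not make it. The triage helper below is an added example, not part of the report: it parses the report's own "Code function" lines, sets aside the CRT chains, and tags the chains an analyst would open first (the CreateNamedPipeA server at 0_2_005313B0, the GetUserNameW / lstrcmpW comparison loop at 0_2_00531AD0, LoadLibraryA / GetProcAddress resolution, GetVersionExA / GetWindowsDirectoryW fingerprinting). The tag names and the rule table are the editor's choices; SAMPLE_LINES are copied from the report above.

```python
"""Triage the 'Code function' lines of a sandbox report: parse each line into
(address, API chain), separate MSVC CRT start-up boilerplate from chains worth
opening in a disassembler, and tag the latter. Added example; the CRT table is
the editor's identification of well-known MSVC runtime sequences."""
import re

# Joe-style function address token, e.g. 0_2_005313B0
ADDR_RE = re.compile(r"\b\d+_\d+_[0-9A-Fa-f]{8}\b")

# Exact API chains produced by the MSVC runtime, keyed by chain.
CRT_PATTERNS = {
    ("GetSystemTimeAsFileTime", "GetCurrentThreadId", "GetCurrentProcessId",
     "QueryPerformanceCounter"): "__security_init_cookie",
    ("IsProcessorFeaturePresent", "IsDebuggerPresent", "SetUnhandledExceptionFilter",
     "UnhandledExceptionFilter"): "CRT fail-fast handler",
    ("IsDebuggerPresent", "SetUnhandledExceptionFilter",
     "UnhandledExceptionFilter"): "CRT fail-fast handler",
    ("SetUnhandledExceptionFilter", "UnhandledExceptionFilter", "GetCurrentProcess",
     "TerminateProcess"): "CRT __raise_securityfailure",
}
# Chains built only from these come from the CRT's setlocale/codepage support.
CRT_LOCALE_APIS = {"EnumSystemLocalesW", "GetLocaleInfoW", "GetACP",
                   "IsValidCodePage", "IsValidLocale", "GetUserDefaultLCID"}

# (APIs that must all be present, tag). Tag names are the editor's.
INTEREST_RULES = [
    ({"CreateNamedPipeA", "ConnectNamedPipe"}, "named-pipe server"),
    ({"GetUserNameW", "lstrcmpW"}, "compares the current user name against a list"),
    ({"LoadLibraryA", "GetProcAddress"}, "runtime API resolution"),
    ({"GetVersionExA", "GetWindowsDirectoryW"}, "OS fingerprinting"),
    ({"Sleep"}, "delay"),
]


def parse_code_function(line: str):
    """Return {'addr', 'apis'} for a 'Code function' line, None for any other line."""
    if "Code function:" not in line or "String function:" in line:
        return None
    body = line.split("Code function:", 1)[1]
    addrs = ADDR_RE.findall(body)
    rest = ADDR_RE.sub("", body)
    apis = [t.strip() for t in rest.split(",") if t.strip()]
    return {"addr": addrs[0] if addrs else None, "apis": apis}


def classify(entry: dict):
    apis = tuple(entry["apis"])
    if apis in CRT_PATTERNS:
        return "crt", [CRT_PATTERNS[apis]]
    if apis and set(apis) <= CRT_LOCALE_APIS:
        return "crt", ["CRT locale initialisation"]
    tags = [tag for needed, tag in INTEREST_RULES if needed <= set(apis)]
    return ("interesting", tags) if tags else ("other", [])


def triage(report_lines) -> dict:
    """Bucket every 'Code function' line as crt / interesting / other."""
    buckets = {"crt": [], "interesting": [], "other": []}
    for line in report_lines:
        entry = parse_code_function(line)
        if entry is None:
            continue
        bucket, tags = classify(entry)
        buckets[bucket].append((entry["addr"], tags, entry["apis"]))
    return buckets


# Lines copied from the report above (the last two are deliberately not Code function chains).
SAMPLE_LINES = [
    "Source: C:\\Users\\user\\Desktop\\qd_x86.exe Code function: 0_2_005622A5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_005622A5",
    "Source: C:\\Users\\user\\Desktop\\qd_x86.exe Code function: 0_2_00536ADF GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00536ADF",
    "Source: C:\\Users\\user\\Desktop\\qd_x86.exe Code function: EnumSystemLocalesW, 0_2_00562779",
    "Source: C:\\Users\\user\\Desktop\\qd_x86.exe Code function: 0_2_005313B0 CreateNamedPipeA,ConnectNamedPipe,GetLastError,ReadFile,GetLastError,DisconnectNamedPipe, 0_2_005313B0",
    "Source: C:\\Users\\user\\Desktop\\qd_x86.exe Code function: 0_2_00531AD0 GetFileAttributesW,GetModuleHandleA,GetUserNameW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcmpW,lstrcpyW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,Sleep,lstrlenA, 0_2_00531AD0",
    "Source: C:\\Users\\user\\Desktop\\qd_x86.exe Code function: 0_2_00533E91 LoadLibraryA,GetProcAddress, 0_2_00533E91",
    "Source: C:\\Users\\user\\Desktop\\qd_x86.exe Code function: 0_2_00537109 cpuid 0_2_00537109",
    "Source: C:\\Users\\user\\Desktop\\qd_x86.exe Code function: String function: 00536E70 appears 63 times",
    "Source: qd_x86.exe ReversingLabs: Detection: 35%",
]

if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_LINES).items():
        for addr, tags, apis in entries:
            print(f"{bucket:12} {addr} {tags} {','.join(apis)}")
```

The value of the split is in what survives it: after the CRT chains are removed, the only debugger- or locale-related hit left from these lines is nothing, while the named-pipe server and the user-name comparison loop (which also carries the Sleep the "execution stops while process was sleeping" signature points at) remain and are where manual analysis should start.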