
Analysis Report qmbvlcq.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 228991
Start date: 11.05.2020
Start time: 10:27:18
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 12s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: qmbvlcq.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.bank.troj.evad.winEXE@15/60@20/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 84.8% (good quality ratio 84.8%)
  • Quality average: 88.3%
  • Quality standard deviation: 20.2%
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): taskhostw.exe, dllhost.exe, ielowutil.exe, WMIADAP.exe, WmiPrvSE.exe
  • Excluded IPs from analysis (whitelisted): 51.104.136.2, 172.227.108.117, 23.210.248.85, 152.199.19.161, 93.184.221.240
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, ie9comview.vo.msecnd.net, wu.ec.azureedge.net, settings-win.data.microsoft.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wu.azureedge.net, settingsfd-geo.trafficmanager.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, go.microsoft.com, go.microsoft.com.edgekey.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, cs9.wpc.v0cdn.net
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Threat | Detection
Threshold | 100 | 0 - 100 | | false | Ursnif | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false | (confidence bar)


Classification Spiderchart

Analysis Advice

None of the domains contacted by the sample resolve; the sample is likely an old dropper that no longer works.



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 21 | Winlogon Helper DLL | Process Injection 2 | Masquerading 11 | Credential Dumping | System Time Discovery 1 | Application Deployment Software | Data from Local System | Data Encrypted 1 | Standard Cryptographic Protocol 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Replication Through Removable Media | Execution through API 1 | Port Monitors | Accessibility Features | Software Packing 21 | Network Sniffing | Virtualization/Sandbox Evasion 1 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Standard Non-Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | Graphical User Interface 1 | Accessibility Features | Path Interception | Disabling Security Tools 1 | Input Capture | Process Discovery 1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | Virtualization/Sandbox Evasion 1 | Credentials in Files | Account Discovery 1 | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication | SIM Card Swap | | Premium SMS Toll Fraud
Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Process Injection 2 | Account Manipulation | System Owner/User Discovery 1 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Obfuscated Files or Information 1 | Brute Force | Security Software Discovery 2 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | | Abuse Accessibility Features
Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Software Packing | Two-Factor Authentication Interception | Remote System Discovery 1 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | Indicator Blocking | Bash History | File and Directory Discovery 1 | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Supply Chain Compromise | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | Process Injection | Input Prompt | System Information Discovery 2 | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption | Rogue Cellular Base Station | | Data Destruction

Signature Overview



AV Detection:

Multi AV Scanner detection for domain / URL
Source: guiapocos.xyz | Virustotal: Detection: 10%
Source: https://guiapocos.xyz/index.htm | Virustotal: Detection: 6%
Source: https://guiapocos.xyz | Virustotal: Detection: 7%
Source: https://guiapocos.xyz? | Virustotal: Detection: 7%
Multi AV Scanner detection for submitted file
Source: qmbvlcq.exe | Virustotal: Detection: 61%
Source: qmbvlcq.exe | ReversingLabs: Detection: 93%
Machine Learning detection for sample
Source: qmbvlcq.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.qmbvlcq.exe.510000.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.qmbvlcq.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen

Networking:

Creates a COM Internet Explorer object
Source: C:\Users\user\Desktop\qmbvlcq.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Users\user\Desktop\qmbvlcq.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Users\user\Desktop\qmbvlcq.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Users\user\Desktop\qmbvlcq.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Users\user\Desktop\qmbvlcq.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Source: unknown | DNS traffic detected: query: guiapocos.xyz replaycode: Server failure (2)
Source: unknown | DNS traffic detected: query: guiapocos.xyz replaycode: Name error (3)
Found strings which match known social media URLs
Source: msapplication.xml0.4.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x966db6f4,0x01d627b9</date><accdate>0x966db6f4,0x01d627b9</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.4.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x966db6f4,0x01d627b9</date><accdate>0x966db6f4,0x01d627b9</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.4.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x96752a25,0x01d627b9</date><accdate>0x96752a25,0x01d627b9</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.4.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x96752a25,0x01d627b9</date><accdate>0x96752a25,0x01d627b9</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.4.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x967a14f4,0x01d627b9</date><accdate>0x967a14f4,0x01d627b9</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.4.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x967a14f4,0x01d627b9</date><accdate>0x967a14f4,0x01d627b9</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: guiapocos.xyz
URLs found in memory or binary data
Source: qmbvlcq.exe | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: qmbvlcq.exe | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: qmbvlcq.exe | String found in binary or memory: http://ocsp.sectigo.com0
Source: imagestore.dat.9.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eas/sc/2b/a5ea21.ico
Source: msapplication.xml.4.dr | String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.4.dr | String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.4.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.4.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.4.dr | String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.4.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.4.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.4.dr | String found in binary or memory: http://www.youtube.com/
Source: qmbvlcq.exe, 00000000.00000002.1193270543.00000000033D0000.00000004.00000040.sdmp | String found in binary or memory: https://guiapocos.xyz
Source: ~DF46063DDF043CD48A.TMP.13.dr | String found in binary or memory: https://guiapocos.xyz/index.htm
Source: {DBF72F52-93AC-11EA-AADD-C25F135D3C65}.dat.9.dr | String found in binary or memory: https://guiapocos.xyz/index.htmRoot
Source: {DBF72F52-93AC-11EA-AADD-C25F135D3C65}.dat.9.dr | String found in binary or memory: https://guiapocos.xyz/index.htmindex.htm
Source: qmbvlcq.exe, 00000000.00000002.1193270543.00000000033D0000.00000004.00000040.sdmp | String found in binary or memory: https://guiapocos.xyz?
Source: qmbvlcq.exe | String found in binary or memory: https://sectigo.com/CPS0C

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: Process Memory Space: qmbvlcq.exe PID: 5076, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: Process Memory Space: qmbvlcq.exe PID: 5076, type: MEMORY

System Summary:

Writes or reads registry keys via WMI
Source: C:\Users\user\Desktop\qmbvlcq.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\qmbvlcq.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\qmbvlcq.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\qmbvlcq.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\qmbvlcq.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Users\user\Desktop\qmbvlcq.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\qmbvlcq.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\qmbvlcq.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\qmbvlcq.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\qmbvlcq.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Users\user\Desktop\qmbvlcq.exe | Code function: 0_2_00401EE1 NtQueryVirtualMemory,0_2_00401EE1
Detected potential crypto function
Source: C:\Users\user\Desktop\qmbvlcq.exe | Code function: 0_2_00401CC0 0_2_00401CC0
Sample file name differs from the original file name gathered from version info
Source: qmbvlcq.exe, 00000000.00000002.1192722819.0000000002150000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs qmbvlcq.exe
Source: qmbvlcq.exe, 00000000.00000002.1192251955.0000000000660000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dllj% vs qmbvlcq.exe
Classification label
Source: classification engine | Classification label: mal100.bank.troj.evad.winEXE@15/60@20/0
Creates files inside the user directory
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Creates temporary files
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DFC154B7987A45D9B1.TMP
PE file has an executable .text section and no other executable section
Source: qmbvlcq.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads ini files
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\qmbvlcq.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
Source: C:\Users\user\Desktop\qmbvlcq.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\qmbvlcq.exe | File read: C:\Windows\System32\drivers\etc\hosts
Sample is known by Antivirus
Source: qmbvlcq.exe | Virustotal: Detection: 61%
Source: qmbvlcq.exe | ReversingLabs: Detection: 93%
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\qmbvlcq.exe 'C:\Users\user\Desktop\qmbvlcq.exe'
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5468 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5468 CREDAT:17416 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2520 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4220 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5320 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5468 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5468 CREDAT:17416 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2520 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4220 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5320 CREDAT:17410 /prefetch:2
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\qmbvlcq.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Uses new MSVCR DLLs
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dll

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\qmbvlcq.exe | Unpacked PE file: 0.2.qmbvlcq.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\qmbvlcq.exe | Unpacked PE file: 0.2.qmbvlcq.exe.400000.0.unpack
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\qmbvlcq.exe | Code function: 0_2_00401A1C GetModuleHandleW,LoadLibraryW,GetProcAddress,GetUserNameA,0_2_00401A1C
PE file contains an invalid checksum
Source: qmbvlcq.exe | Static PE information: real checksum: 0xba936 should be: 0xbaa71
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\qmbvlcq.exe | Code function: 0_2_00401CAF push ecx; ret 0_2_00401CBF

Hooking and other Techniques for Hiding and Protection:

Icon mismatch: the binary embeds an icon from a different legitimate application in order to fool users
Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: icon.png
Yara detected Ursnif
Source: Yara matchFile source: Process Memory Space: qmbvlcq.exe PID: 5076, type: MEMORY

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\qmbvlcq.exe TID: 5988; Thread sleep time: -150000s >= -30000s
Program exit points
Source: C:\Users\user\Desktop\qmbvlcq.exe; API call chain: ExitProcess graph end node (graph_0-479)

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\qmbvlcq.exe; Code function: 0_2_00401A1C GetModuleHandleW,LoadLibraryW,GetProcAddress,GetUserNameA
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\qmbvlcq.exe; Code function: 0_2_00401076 EntryPoint,GetModuleHandleA,GetProcessHeap,GetCurrentThread,WaitForSingleObject,ExitProcess
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Users\user\Desktop\qmbvlcq.exe; Memory protected: page execute read | page execute and read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: qmbvlcq.exe, 00000000.00000002.1192569710.0000000000CE0000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd
Source: qmbvlcq.exe, 00000000.00000002.1192569710.0000000000CE0000.00000002.00000001.sdmp; Binary or memory string: Progman
Source: qmbvlcq.exe, 00000000.00000002.1192569710.0000000000CE0000.00000002.00000001.sdmp; Binary or memory string: hProgram ManagerWE
Source: qmbvlcq.exe, 00000000.00000002.1192569710.0000000000CE0000.00000002.00000001.sdmp; Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query local / system time
Source: C:\Users\user\Desktop\qmbvlcq.exe; Code function: 0_2_00401668 GetSystemTimeAsFileTime,memcpy,memcpy,memcpy,memset
Contains functionality to query the account / user name
Source: C:\Users\user\Desktop\qmbvlcq.exe; Code function: 0_2_00401A1C GetModuleHandleW,LoadLibraryW,GetProcAddress,GetUserNameA

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\qmbvlcq.exe; WMI Queries: IWbemServices::ExecQuery - root\securitycenter2 : select * from antispywareproduct

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match; File source: 00000000.00000002.1193270543.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.776218547.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.772666803.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.777172066.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.775210575.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.774792750.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.777342131.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.776536993.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.773458716.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.777101435.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.771811072.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.772103500.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.776816723.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.773957186.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.777021883.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.774974537.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.937180783.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.775434726.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.772947131.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.776681035.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.777378240.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.772377710.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.776370278.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.777241580.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.774353453.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.775875999.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.776932257.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.776045117.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.777400448.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.773725537.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.773194219.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.777299815.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.774581301.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.775678200.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: qmbvlcq.exe PID: 5076, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match; File source: 00000000.00000002.1193270543.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.776218547.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.772666803.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.777172066.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.775210575.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.774792750.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.777342131.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.776536993.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.773458716.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.777101435.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.771811072.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.772103500.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.776816723.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.773957186.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.777021883.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.774974537.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.937180783.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.775434726.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.772947131.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.776681035.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.777378240.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.772377710.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.776370278.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.777241580.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.774353453.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.775875999.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.776932257.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.776045117.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.777400448.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.773725537.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.773194219.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.777299815.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.774581301.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.775678200.00000000033D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: qmbvlcq.exe PID: 5076, type: MEMORY

Malware Configuration

No configs have been found

Behavior Graph

[Behavior graph image not reproduced; the information recoverable from it follows.]

Behavior Graph ID: 228991; Sample: qmbvlcq.exe; Startdate: 11/05/2020; Architecture: WINDOWS; Score: 100

Signatures at sample level:
  • Multi AV Scanner detection for domain / URL
  • Icon mismatch, binary includes an icon from a different legit application in order to fool users
  • Multi AV Scanner detection for submitted file
  • 2 other signatures

Processes started from the sample: qmbvlcq.exe, two iexplore.exe instances, and 2 other processes. The iexplore.exe instances and the other processes each start further iexplore.exe child processes (five in total).

Signatures on qmbvlcq.exe:
  • Detected unpacking (changes PE section rights)
  • Detected unpacking (overwrites its own PE header)
  • Writes or reads registry keys via WMI
  • 2 other signatures

DNS/IP info: qmbvlcq.exe and each of the five child iexplore.exe processes resolve or contact guiapocos.xyz.

Simulations

Behavior and APIs

Time     | Type            | Description
10:28:12 | API Interceptor | 6x Sleep call for process: qmbvlcq.exe modified

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source      | Detection | Scanner        | Label
qmbvlcq.exe | 61%       | Virustotal     |
qmbvlcq.exe | 94%       | ReversingLabs  | Win32.Trojan.Gozi
qmbvlcq.exe | 100%      | Joe Sandbox ML |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source                          | Detection | Scanner | Label
0.2.qmbvlcq.exe.510000.1.unpack | 100%      | Avira   | TR/Patched.Ren.Gen
0.2.qmbvlcq.exe.400000.0.unpack | 100%      | Avira   | TR/Crypt.ZPACK.Gen

Domains

Source        | Detection | Scanner    | Label
guiapocos.xyz | 10%       | Virustotal |

URLs

Source                                               | Detection | Scanner         | Label
https://guiapocos.xyz/index.htm                      | 6%        | Virustotal      |
https://guiapocos.xyz/index.htm                      | 0%        | Avira URL Cloud | safe
http://ocsp.sectigo.com0                             | 0%        | URL Reputation  | safe
https://guiapocos.xyz                                | 8%        | Virustotal      |
https://guiapocos.xyz                                | 0%        | Avira URL Cloud | safe
https://sectigo.com/CPS0C                            | 0%        | Virustotal      |
https://sectigo.com/CPS0C                            | 0%        | URL Reputation  | safe
https://guiapocos.xyz?                               | 8%        | Virustotal      |
https://guiapocos.xyz?                               | 0%        | Avira URL Cloud | safe
https://guiapocos.xyz/index.htmindex.htm             | 0%        | Avira URL Cloud | safe
http://www.wikipedia.com/                            | 0%        | Virustotal      |
http://www.wikipedia.com/                            | 0%        | URL Reputation  | safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 1%        | Virustotal      |
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 0%        | URL Reputation  | safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 0%        | Virustotal      |
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 0%        | URL Reputation  | safe
https://guiapocos.xyz/index.htmRoot                  | 0%        | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.1193270543.00000000033D0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.776218547.00000000033D0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.772666803.00000000033D0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.777172066.00000000033D0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.775210575.00000000033D0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.774792750.00000000033D0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.777342131.00000000033D0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.776536993.00000000033D0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.773458716.00000000033D0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.777101435.00000000033D0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.771811072.00000000033D0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.772103500.00000000033D0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.776816723.00000000033D0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.773957186.00000000033D0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.777021883.00000000033D0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.774974537.00000000033D0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.937180783.00000000033D0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.775434726.00000000033D0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.772947131.00000000033D0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.776681035.00000000033D0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.777378240.00000000033D0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.772377710.00000000033D0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.776370278.00000000033D0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.777241580.00000000033D0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.774353453.00000000033D0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.775875999.00000000033D0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.776932257.00000000033D0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.776045117.00000000033D0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.777400448.00000000033D0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.773725537.00000000033D0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.773194219.00000000033D0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.777299815.00000000033D0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.774581301.00000000033D0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.775678200.00000000033D0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
Process Memory Space: qmbvlcq.exe PID: 5076 | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.