Summary | ZeroBOX

QQHelper_1540.exe

Tags: ASPack, UPX, PE32, URL Format, MZP Format, PE File, DLL

Category: FILE
Machine: s1_win7_x6403_us
Started: Aug. 30, 2024, 6:07 p.m.
Completed: Aug. 30, 2024, 6:11 p.m.
Size 1.8MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 5a39d66e2b925f7b7f9f39de2f9c5fa0
SHA256 4f91f9c5d3baf612a1920ae8b2c49a1ee9850d018e308f8e65184a9046138658
CRC32 6F631063
ssdeep 49152:5F8IrbBBFJLO55rXuLN+KQDVqNbRSbn+MgaLMNEb:8AN39OjEQDcVRU3Lpb
Yara
  • PE_Header_Zero - PE File Signature
  • ASPack_Zero - ASPack packed file
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file
  • mzp_file_format - MZP(Delphi) file format

Suricata Alerts

Flow: TCP 58.218.215.167:80 -> 192.168.56.103:49170 | SID: 2018959 | Signature: ET POLICY PE EXE or DLL Windows file download HTTP | Category: Potential Corporate Privacy Violation
Flow: TCP 58.218.215.167:80 -> 192.168.56.103:49176 | SID: 2018959 | Signature: ET POLICY PE EXE or DLL Windows file download HTTP | Category: Potential Corporate Privacy Violation

Suricata TLS

No Suricata TLS

sections: CODE, DATA, BSS, .help, .adata
packer: ASPack v2.12 -> Alexey Solodovnikov
resource name: BIN
suspicious_features: POST method with no referer header | suspicious_request: POST http://ad.qqfarmer.com.cn/login.php?id=p&r=0.368447953602299
suspicious_features: POST method with no referer header | suspicious_request: POST http://ad.qqfarmer.com.cn/login.php?id=v&r=0.494936139322817
suspicious_features: POST method with no referer header | suspicious_request: POST http://ad.qqfarmer.com.cn/login.php?id=n&r=0.480842764023691
suspicious_features: POST method with no referer header | suspicious_request: POST http://ad.qqfarmer.com.cn/login.php?id=l&r=0.560313974739984
suspicious_features: POST method with no referer header | suspicious_request: POST http://ad.qqfarmer.com.cn/login.php?id=x&r=0.44646016205661
request POST http://ad.qqfarmer.com.cn/login.php?id=p&r=0.368447953602299
request POST http://ad.qqfarmer.com.cn/login.php?id=v&r=0.494936139322817
request POST http://ad.qqfarmer.com.cn/login.php?id=n&r=0.480842764023691
request POST http://ad.qqfarmer.com.cn/login.php?id=l&r=0.560313974739984
request POST http://ad.qqfarmer.com.cn/login.php?id=x&r=0.44646016205661
request GET http://down.qqfarmer.com.cn/libeay32_0626_5f86d65a1686e6bb031048d04bb3fe04.xml?r=0.313291363418102
request GET http://images.qqfarmer.com.cn/504486-20170712112840415-1890262410.gif
request GET http://images.qqfarmer.com.cn/504486-20162218235650745-1529273276.gif
request GET http://images.qqfarmer.com.cn/hongbao_nav.gif
request GET http://images.qqfarmer.com.cn/504486-20161218235650745-1529273276.gif
request GET http://down.qqfarmer.com.cn/ssleay32_0626_e503921a6061251302cb45772cb75f42.xml?r=0.329597188392654
request GET http://ad.qqfarmer.com.cn/xml/encrypt.js?r=0.952554038958624
name: BIN | language: LANG_CHINESE | sublanguage: SUBLANG_CHINESE_SIMPLIFIED | filetype: DOS executable (COM, 0x8C-variant) | offset: 0x003f24e8 | size: 0x00000083
name: RT_ICON | language: LANG_CHINESE | sublanguage: SUBLANG_CHINESE_SIMPLIFIED | filetype: GLS_BINARY_LSB_FIRST | offset: 0x00564a54 | size: 0x00000468
name: RT_GROUP_ICON | language: LANG_CHINESE | sublanguage: SUBLANG_CHINESE_SIMPLIFIED | filetype: data | offset: 0x00564a14 | size: 0x0000003e
name: RT_VERSION | language: LANG_CHINESE | sublanguage: SUBLANG_CHINESE_SIMPLIFIED | filetype: data | offset: 0x0056471c | size: 0x000002f8
name: RT_MANIFEST | language: LANG_CHINESE | sublanguage: SUBLANG_CHINESE_SIMPLIFIED | filetype: XML 1.0 document, ASCII text, with CRLF line terminators | offset: 0x0056442c | size: 0x000002f0
section CODE: virtual_address 0x00001000 | virtual_size 0x00370000 | size_of_data 0x00117c00 | entropy 7.999794693402083 | description: A section with a high entropy has been found
section DATA: virtual_address 0x00371000 | virtual_size 0x00013000 | size_of_data 0x00006600 | entropy 7.990947559617213 | description: A section with a high entropy has been found
section .idata: virtual_address 0x0038a000 | virtual_size 0x00004000 | size_of_data 0x00001400 | entropy 7.718748824639476 | description: A section with a high entropy has been found
section .rsrc: virtual_address 0x003c3000 | virtual_size 0x001a0000 | size_of_data 0x0009f200 | entropy 7.982380591543004 | description: A section with a high entropy has been found
entropy 0.949494949495 | description: Overall entropy of this PE file is high
Bkav: W32.AIDetectMalware
Elastic: malicious (moderate confidence)
Symantec: ML.Attribute.HighConfidence
APEX: Malicious
McAfeeD: ti!4F91F9C5D3BA
Microsoft: Program:Win32/Wacapew.C!ml
AhnLab-V3: Unwanted/Win32.HackTool.R119402
BitDefenderTheta: Gen:NN.ZelphiF.36812.1P0ba4GDPTaR
DeepInstinct: MALICIOUS
VBA32: BScope.Trojan.Click
Malwarebytes: Generic.Malware.AI.DDS
Paloalto: generic.ml
CrowdStrike: win/grayware_confidence_100% (D)