popup

Report - QQHelper_1540.exe

ASPack UPX PE File PE32 MZP Format URL Format DLL
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2024.08.30 18:13 Machine s1_win7_x6403
Filename QQHelper_1540.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
5
 Behavior Score
4.0
ZERO API file : clean
VT API (file) 13 detected (AIDetectMalware, malicious, moderate confidence, Attribute, HighConfidence, Wacapew, HackTool, R119402, ZelphiF, 1P0ba4GDPTaR, BScope, Click, grayware, confidence, 100%)
md5 5a39d66e2b925f7b7f9f39de2f9c5fa0
sha256 4f91f9c5d3baf612a1920ae8b2c49a1ee9850d018e308f8e65184a9046138658
ssdeep 49152:5F8IrbBBFJLO55rXuLN+KQDVqNbRSbn+MgaLMNEb:8AN39OjEQDcVRU3Lpb
imphash 5e2da45c5591cbc827ecaf03198ed17d
impfuzzy 12:mDzjA9A+pZ1nd6w1kTf1E4dGwXukTv13T7E4Cn:mDnWA+pZ1sw1YEqnZTp7Qn
  Network IP location

Signature (10cnts)

Level Description
warning Generates some ICMP traffic
watch File has been identified by 13 AntiVirus engines on VirusTotal as malicious
notice Foreign language identified in PE resource
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
notice The binary likely contains encrypted or compressed data indicative of a packer
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info The executable uses a known packer
info The file contains an unknown PE resource name possibly indicative of a packer

Rules (9cnts)

Level Name Description Collection
watch ASPack_Zero ASPack packed file binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info mzp_file_format MZP(Delphi) file format binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info url_file_format Microsoft Windows Internet Shortcut File Format binaries (download)

Network (20cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://images.qqfarmer.com.cn/504486-20170712112840415-1890262410.gif
whois
CN AS Number for CHINANET jiangsu province backbone 61.160.192.103 clean
http://down.qqfarmer.com.cn/ssleay32_0626_e503921a6061251302cb45772cb75f42.xml?r=0.329597188392654
whois
CN AS Number for CHINANET jiangsu province backbone 61.160.192.115 clean
http://ad.qqfarmer.com.cn/login.php?id=n&r=0.480842764023691
whois
SG Alibaba (US) Technology Co., Ltd. 8.210.224.3 clean
http://ad.qqfarmer.com.cn/login.php?id=p&r=0.368447953602299
whois
SG Alibaba (US) Technology Co., Ltd. 8.210.224.3 clean
http://ad.qqfarmer.com.cn/login.php?id=l&r=0.560313974739984
whois
SG Alibaba (US) Technology Co., Ltd. 8.210.224.3 clean
http://images.qqfarmer.com.cn/504486-20162218235650745-1529273276.gif
whois
CN AS Number for CHINANET jiangsu province backbone 61.160.192.103 clean
http://ad.qqfarmer.com.cn/xml/encrypt.js?r=0.952554038958624
whois
SG Alibaba (US) Technology Co., Ltd. 8.210.224.3 clean
http://ad.qqfarmer.com.cn/login.php?id=v&r=0.494936139322817
whois
SG Alibaba (US) Technology Co., Ltd. 8.210.224.3 clean
http://images.qqfarmer.com.cn/504486-20161218235650745-1529273276.gif
whois
CN AS Number for CHINANET jiangsu province backbone 61.160.192.103 clean
http://ad.qqfarmer.com.cn/login.php?id=x&r=0.44646016205661
whois
SG Alibaba (US) Technology Co., Ltd. 8.210.224.3 clean
http://down.qqfarmer.com.cn/libeay32_0626_5f86d65a1686e6bb031048d04bb3fe04.xml?r=0.313291363418102
whois
CN Chinanet 58.218.215.167 clean
http://images.qqfarmer.com.cn/hongbao_nav.gif
whois
CN AS Number for CHINANET jiangsu province backbone 61.160.192.103 clean
down.qqfarmer.com.cn
whois
CN AS Number for CHINANET jiangsu province backbone 180.101.203.232 malware
bakad.qqfarmer.com.cn
whois
CN CHINA UNICOM China169 Backbone 116.255.160.63 mailcious
ad.qqfarmer.com.cn
whois
SG Alibaba (US) Technology Co., Ltd. 8.210.224.3 clean
images.qqfarmer.com.cn
whois
CN AS Number for CHINANET jiangsu province backbone 61.160.192.103 clean
116.255.160.63
whois
CN CHINA UNICOM China169 Backbone 116.255.160.63 malware
58.218.215.167
whois
CN Chinanet 58.218.215.167 clean
61.160.192.103
whois
CN AS Number for CHINANET jiangsu province backbone 61.160.192.103 clean
8.210.224.3
whois
SG Alibaba (US) Technology Co., Ltd. 8.210.224.3 clean

Suricata ids

ET POLICY PE EXE or DLL Windows file download HTTP

PE API

IAT(Import Address Table) Library

kernel32.dll
 0x963f5c GetProcAddress
 0x963f60 GetModuleHandleA
 0x963f64 LoadLibraryA
user32.dll
 0x964230 GetKeyboardType
advapi32.dll
 0x964238 RegQueryValueExA
oleaut32.dll
 0x964240 SysFreeString
advapi32.dll
 0x964248 RegQueryValueExA
version.dll
 0x964250 VerQueryValueA
gdi32.dll
 0x964258 UnrealizeObject
user32.dll
 0x964260 CreateWindowExA
shell32.dll
 0x964268 Shell_NotifyIconA
oleaut32.dll
 0x964270 SafeArrayPtrOfIndex
ole32.dll
 0x964278 CreateStreamOnHGlobal
oleaut32.dll
 0x964280 GetErrorInfo
comctl32.dll
 0x964288 _TrackMouseEvent
winspool.drv
 0x964290 OpenPrinterA
wininet.dll
 0x964298 HttpSendRequestExA
shell32.dll
 0x9642a0 SHGetSpecialFolderLocation
wsock32.dll
 0x9642a8 WSACleanup
wininet.dll
 0x9642b0 InternetCrackUrlA
kernel32
 0x9642b8 GetCPInfoExA
winmm.dll
 0x9642c0 timeGetTime

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure