Windows
Analysis Report
December Reconciliation QuanKang.exe
Overview
General Information
Detection
Field | Value |
---|---|
Score | 100 |
Range | 0 - 100 |
Whitelisted | false |
Confidence | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected AntiVM3
Yara detected Telegram RAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Drops VBS files to the startup folder
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ipconfig to lookup or modify the Windows network settings
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Classification
- System is w10x64
- December Reconciliation QuanKang.exe (PID: 4364, cmdline: "C:\Users\user\Desktop\December Reconciliation QuanKang.exe", MD5: 1D174566E9A087FEB5AF92B38CDF79F7)
- cmd.exe (PID: 1548, cmdline: "C:\Windows\System32\cmd.exe" /c ipconfig /release, MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 2548, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- ipconfig.exe (PID: 6856, cmdline: ipconfig /release, MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)
- powershell.exe (PID: 884, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGUAbgBnAGkAbgBlAGUAcgBcAEQAZQBzAGsAdABvAHAAXABEAGUAYwBlAG0AYgBlAHIAIABSAGUAYwBvAG4AYwBpAGwAaQBhAHQAaQBvAG4AIABRAHUAYQBuAEsAYQBuAGcALgBlAHgAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAEMAOgBcAFUAcwBlAHIAcwBcAGUAbgBnAGkAbgBlAGUAcgBcAEQAZQBzAGsAdABvAHAAXABEAGUAYwBlAG0AYgBlAHIAIABSAGUAYwBvAG4AYwBpAGwAaQBhAHQAaQBvAG4AIABRAHUAYQBuAEsAYQBuAGcALgBlAHgAZQA7AEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABDADoAXABVAHMAZQByAHMAXABlAG4AZwBpAG4AZQBlAHIAXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAGkAbgB2AG8AaQBjAGUALgBlAHgAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAEMAOgBcAFUAcwBlAHIAcwBcAGUAbgBnAGkAbgBlAGUAcgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAaQBuAHYAbwBpAGMAZQAuAGUAeABlAA==, MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 2276, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- WmiPrvSE.exe (PID: 3540, cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding, MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
- InstallUtil.exe (PID: 5644, cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe", MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
- cmd.exe (PID: 2420, cmdline: "C:\Windows\System32\cmd.exe" /c ipconfig /renew, MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 7024, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- ipconfig.exe (PID: 5588, cmdline: ipconfig /renew, MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)
- wscript.exe (PID: 1416, cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\invoice.vbs", MD5: A47CBE969EA935BDD3AB568BB126BC80)
- invoice.exe (PID: 4088, cmdline: "C:\Users\user\AppData\Roaming\invoice.exe", MD5: 1D174566E9A087FEB5AF92B38CDF79F7)
- cmd.exe (PID: 2144, cmdline: "C:\Windows\System32\cmd.exe" /c ipconfig /release, MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 1804, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- ipconfig.exe (PID: 2276, cmdline: ipconfig /release, MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)
- InstallUtil.exe (PID: 5588, cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe", MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
- cmd.exe (PID: 7024, cmdline: "C:\Windows\System32\cmd.exe" /c ipconfig /renew, MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 1132, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- ipconfig.exe (PID: 6224, cmdline: ipconfig /renew, MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)
- cleanup
No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | |
| JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security | |
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | |
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | |
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | |
System Summary |
---|
Source: | Author: Jonathan Cheong, oscd.community |
Source: | Author: Jonathan Cheong, oscd.community |
Source: | Author: Florian Roth (Nextron Systems) |