Create Interactive Tour

Windows Analysis Report
qqt.exe

Overview

General Information

Sample Name:	qqt.exe
Analysis ID:	774755
MD5:	992289cd321a673f91d8b4912189ecf6
SHA1:	27e54853a094a9d1858072b6490c757553a2d16a
SHA256:	294968ed52a1aaa45c63ae810180dff853b852b055b103cde3c54f792d4cd5e2
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Machine Learning detection for sample

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

Found decision node followed by non-executed suspicious APIs

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality for execution timing, often used to detect debuggers

Classification

Process Tree

System is w10x64

qqt.exe (PID: 6044 cmdline: C:\Users\user\Desktop\qqt.exe MD5: 992289CD321A673F91D8B4912189ECF6)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
qqt.exe	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x2fd9:$s1: \xE1\xFD\xFD\xF9\xB3\xA6\xA6 0x3355:$s1: \xE1\xFD\xFD\xF9\xB3\xA6\xA6
qqt.exe	MALWARE_Win_SlackBot	Detects SlackBot	ditekSHen	0x2ec5:$x2: slackbot 0x31ba:$s1: cpu: %lumhz %s, uptime: %u+%.2u:%.2u, os: %s 0x322f:$s2: %s, running for %u+%.2u:%.2u 0x32ee:$s3: PONG :%s 0x3339:$s4: PRIVMSG %s :%s 0x337f:$s5: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98) 0x2f30:$m1: saving %s to %s 0x2f52:$m2: visit number %u failed 0x2fa1:$m3: sending %s packets of %s bytes to %s with a delay of %s 0x300e:$m4: file executed 0x2f7e:$m5: packets sent 0x2efb:$m6: upgrading to %s 0x318b:$m7: rebooting... 0x3178:$c1: !@remove 0x3181:$c2: !@restart 0x3198:$c3: !@reboot 0x31a1:$c4: !@rndnick 0x31b3:$c5: !@exit 0x3218:$c6: !@sysinfo 0x314f:$c8: !@login 0x301c:$c9: !@run

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.qqt.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x3a11:$s1: \xE1\xFD\xFD\xF9\xB3\xA6\xA6 0x3d8d:$s1: \xE1\xFD\xFD\xF9\xB3\xA6\xA6
0.2.qqt.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x3a11:$s1: \xE1\xFD\xFD\xF9\xB3\xA6\xA6 0x3d8d:$s1: \xE1\xFD\xFD\xF9\xB3\xA6\xA6
0.0.qqt.exe.400000.0.unpack	MALWARE_Win_SlackBot	Detects SlackBot	ditekSHen	0x38fd:$x2: slackbot 0x3bf2:$s1: cpu: %lumhz %s, uptime: %u+%.2u:%.2u, os: %s 0x3c67:$s2: %s, running for %u+%.2u:%.2u 0x3d26:$s3: PONG :%s 0x3d71:$s4: PRIVMSG %s :%s 0x3db7:$s5: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98) 0x3968:$m1: saving %s to %s 0x398a:$m2: visit number %u failed 0x39d9:$m3: sending %s packets of %s bytes to %s with a delay of %s 0x3a46:$m4: file executed 0x39b6:$m5: packets sent 0x3933:$m6: upgrading to %s 0x3bc3:$m7: rebooting... 0x3bb0:$c1: !@remove 0x3bb9:$c2: !@restart 0x3bd0:$c3: !@reboot 0x3bd9:$c4: !@rndnick 0x3beb:$c5: !@exit 0x3c50:$c6: !@sysinfo 0x3b87:$c8: !@login 0x3a54:$c9: !@run
0.2.qqt.exe.400000.0.unpack	MALWARE_Win_SlackBot	Detects SlackBot	ditekSHen	0x38fd:$x2: slackbot 0x3bf2:$s1: cpu: %lumhz %s, uptime: %u+%.2u:%.2u, os: %s 0x3c67:$s2: %s, running for %u+%.2u:%.2u 0x3d26:$s3: PONG :%s 0x3d71:$s4: PRIVMSG %s :%s 0x3db7:$s5: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98) 0x3968:$m1: saving %s to %s 0x398a:$m2: visit number %u failed 0x39d9:$m3: sending %s packets of %s bytes to %s with a delay of %s 0x3a46:$m4: file executed 0x39b6:$m5: packets sent 0x3933:$m6: upgrading to %s 0x3bc3:$m7: rebooting... 0x3bb0:$c1: !@remove 0x3bb9:$c2: !@restart 0x3bd0:$c3: !@reboot 0x3bd9:$c4: !@rndnick 0x3beb:$c5: !@exit 0x3c50:$c6: !@sysinfo 0x3b87:$c8: !@login 0x3a54:$c9: !@run

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: qqt.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: qqt.exe	ReversingLabs: Detection: 88%
Source: qqt.exe	Virustotal: Detection: 77%			Perma Link

Machine Learning detection for sample

Source: qqt.exe

Joe Sandbox ML: detected

Source: 0.0.qqt.exe.400000.0.unpack	Avira: Label: BDS/Slackbot.B
Source: 0.2.qqt.exe.400000.0.unpack	Avira: Label: BDS/Slackbot.B

Source: qqt.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Referer: http://testirc.8866.org18000/ads.cgiUser-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)Host: www.mmbest.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 503 Service UnavailableDate: Wed, 28 Dec 2022 09:44:37 GMTServer: ApacheContent-Length: 428Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 73 65 72 76 65 72 20 69 73 20 74 65 6d 70 6f 72 61 72 69 6c 79 20 75 6e 61 62 6c 65 20 74 6f 20 73 65 72 76 69 63 65 20 79 6f 75 72 0a 72 65 71 75 65 73 74 20 64 75 65 20 74 6f 20 6d 61 69 6e 74 65 6e 61 6e 63 65 20 64 6f 77 6e 74 69 6d 65 20 6f 72 20 63 61 70 61 63 69 74 79 0a 70 72 6f 62 6c 65 6d 73 2e 20 50 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>503 Service Unavailable</title></head><body><h1>Service Unavailable</h1><p>The server is temporarily unable to service yourrequest due to maintenance downtime or capacityproblems. Please try again later.</p><p>Additionally, a 503 Service Unavailableerror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Source: qqt.exe, 00000000.00000002.640767059.00000000006B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://testirc.8866.org18000/ads.cgi
Source: qqt.exe, 00000000.00000002.640767059.00000000006B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://testirc.8866.orgX
Source: qqt.exe, 00000000.00000002.640767059.00000000006B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mmbest.com
Source: qqt.exe, 00000000.00000002.640986088.000000000071B000.00000004.00000020.00020000.00000000.sdmp, qqt.exe, 00000000.00000002.640767059.00000000006B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mmbest.com/
Source: qqt.exe, 00000000.00000002.640986088.000000000071B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mmbest.com/b

Source: unknown

DNS traffic detected: queries for: slack.isfs.org.hk

Source: C:\Users\user\Desktop\qqt.exe

Code function: 0_2_00403068 InternetOpenA,1001C489,InternetCanonicalizeUrlA,InternetOpenUrlA,CreateFileA,InternetReadFile,WriteFile,CloseHandle,InternetCloseHandle,InternetCloseHandle,

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Referer: http://testirc.8866.org18000/ads.cgiUser-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)Host: www.mmbest.com

Source: qqt.exe, 00000000.00000002.640767059.00000000006B8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Malicious sample detected (through community Yara rule)

Source: qqt.exe, type: SAMPLE	Matched rule: Detects SlackBot Author: ditekSHen
Source: 0.0.qqt.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects SlackBot Author: ditekSHen
Source: 0.2.qqt.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects SlackBot Author: ditekSHen

Source: qqt.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: qqt.exe, type: SAMPLE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: qqt.exe, type: SAMPLE	Matched rule: MALWARE_Win_SlackBot author = ditekSHen, description = Detects SlackBot
Source: 0.0.qqt.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0.2.qqt.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0.0.qqt.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SlackBot author = ditekSHen, description = Detects SlackBot
Source: 0.2.qqt.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SlackBot author = ditekSHen, description = Detects SlackBot

Source: C:\Users\user\Desktop\qqt.exe

Code function: 0_2_004012FB GetVersionExA,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,

Source: C:\Users\user\Desktop\qqt.exe	Code function: 0_2_004016EA
Source: C:\Users\user\Desktop\qqt.exe	Code function: 0_2_004016EA

Source: C:\Users\user\Desktop\qqt.exe

Code function: String function: 00403614 appears 38 times

Source: qqt.exe	ReversingLabs: Detection: 88%
Source: qqt.exe	Virustotal: Detection: 77%

Source: C:\Users\user\Desktop\qqt.exe

File read: C:\Users\user\Desktop\qqt.exe

Jump to behavior

Source: qqt.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\qqt.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\qqt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Source: C:\Users\user\Desktop\qqt.exe

Code function: 0_2_004012FB GetVersionExA,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,

Source: classification engine

Classification label: mal68.winEXE@1/0@28/2

Source: C:\Users\user\Desktop\qqt.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\qqt.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\qqt.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\qqt.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\qqt.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

Source: C:\Users\user\Desktop\qqt.exe TID: 6024	Thread sleep time: -150000s >= -30000s
Source: C:\Users\user\Desktop\qqt.exe TID: 6040	Thread sleep time: -105000s >= -30000s
Source: C:\Users\user\Desktop\qqt.exe TID: 6020	Thread sleep time: -3600000s >= -30000s

Source: C:\Users\user\Desktop\qqt.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\qqt.exe

Code function: 0_2_004013DC rdtsc

Source: C:\Users\user\Desktop\qqt.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\qqt.exe	API call chain: ExitProcess graph end node

Source: qqt.exe, 00000000.00000002.640986088.000000000071B000.00000004.00000020.00020000.00000000.sdmp, qqt.exe, 00000000.00000002.640767059.00000000006B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: qqt.exe, 00000000.00000002.640986088.000000000071B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW?

Source: C:\Users\user\Desktop\qqt.exe

Code function: 0_2_0040216C mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\qqt.exe

Code function: 0_2_004013DC rdtsc

Source: C:\Users\user\Desktop\qqt.exe

Code function: 0_2_00401386 cpuid

Source: C:\Users\user\Desktop\qqt.exe

Code function: 0_2_004016EA 1001C4C5,closesocket,1001F498,1001F498,1001C489,1001C489,1001E69C,1001F498,1001E6C4,1001E6C4,1001E6C4,1001E6C4,1001E6C4,1001E6C4,1001E6C4,1001C489,1001C489,CreateThread,CloseHandle,1001E6C4,1001F498,1001E6C4,1001C489,1001E6C4,1001E6C4,1001E6C4,1001F498,1001C489,1001E65C,1001E6C4,1001E6C4,1001E5C5,1001E6C4,1001FA40,1001E5C5,1001E6C4,1001E6C4,1001E6C4,1001E6C4,GetVersionExA,1001E5C5,GetTickCount,1001E5C5,1001E6C4,1001E6C4,1001E6C4,1001E6C4,1001E6C4,CreateProcessA,1001E6C4,RegOpenKeyExA,RegDeleteValueA,RegCloseKey,1001E6C4,1001E6C4,1001C489,1001E6C4,1001E6C4,Sleep,1001E6C4,1001E6C4,1001E5C5,1001E6C4,1001E6C4,1001E6C4,1001E6C4,1001E6C4,1001C489,1001F498,1001F498,1001E6C4,1001E6C4,1001E6C4,1001E6C4,closesocket,RtlExitUserThread,1001E6C4,1001E6C4,1001E6C4,1001C489,1001C489,1001C489,1001C489,1001C489,CreateThread,CloseHandle,1001E6C4,1001C489,1001C489,1001C489,CreateThread,CloseHandle,1001E6C4,1001BBAA,1001BBAA,1001E5C5,1001E5C5,CreateThread,CloseHandle,1001E6C4,10012B86,1001BBAA,1001E6C4,1001C489,1001C489,1001C489,CreateThread,CloseHandle,1001E6C4,CreateProcessA,1001E6C4,1001C489,1001C489,CreateThread,CloseHandle,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	1 Access Token Manipulation	1 Virtualization/Sandbox Evasion	1 Input Capture	11 Security Software Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Access Token Manipulation	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	4 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Remote System Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Obfuscated Files or Information	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	13 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
qqt.exe	88%	ReversingLabs	Win32.Backdoor.SlackBot
qqt.exe	77%	Virustotal		Browse
qqt.exe	100%	Avira	BDS/Slackbot.B
qqt.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.0.qqt.exe.400000.0.unpack	100%	Avira	BDS/Slackbot.B		Download File
0.2.qqt.exe.400000.0.unpack	100%	Avira	BDS/Slackbot.B		Download File

Domains

Source	Detection	Scanner	Link
www.mmbest.com	0%	Virustotal	Browse
slack.isfs.org.hk	0%	Virustotal	Browse
testirc.88cc.org	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://testirc.8866.orgX	0%	Avira URL Cloud	safe
http://www.mmbest.com/b	0%	Avira URL Cloud	safe
http://www.mmbest.com	0%	Avira URL Cloud	safe
http://testirc.8866.org18000/ads.cgi	0%	Avira URL Cloud	safe
http://www.mmbest.com/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.mmbest.com	184.168.111.40	true	false	0%, Virustotal, Browse	unknown
slack.isfs.org.hk	unknown	unknown	false	0%, Virustotal, Browse	unknown
testirc.88cc.org	unknown	unknown	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.mmbest.com/	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.mmbest.com	qqt.exe, 00000000.00000002.640767059.00000000006B8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://testirc.8866.orgX	qqt.exe, 00000000.00000002.640767059.00000000006B8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://testirc.8866.org18000/ads.cgi	qqt.exe, 00000000.00000002.640767059.00000000006B8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.mmbest.com/b	qqt.exe, 00000000.00000002.640986088.000000000071B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
184.168.111.40	www.mmbest.com	United States		26496	AS-26496-GO-DADDY-COM-LLCUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	774755
Start date and time:	2022-12-28 10:43:44 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 26s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	qqt.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal68.winEXE@1/0@28/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 95.7% (good quality ratio 93.6%) Quality average: 62.2% Quality standard deviation: 28.6%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 8.238.190.126, 8.238.88.248, 8.238.88.254, 8.238.189.126, 67.26.73.254
Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, fs.microsoft.com, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.287761822211928
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00%
File name:	qqt.exe
File size:	16521
MD5:	992289cd321a673f91d8b4912189ecf6
SHA1:	27e54853a094a9d1858072b6490c757553a2d16a
SHA256:	294968ed52a1aaa45c63ae810180dff853b852b055b103cde3c54f792d4cd5e2
SHA512:	a36cea6129bdec5d5492fdd3911d1bf293a6f85167b1ef0fd0ada7e10cc489857d9760d416ee554f325ad17ae639576849aa50e619aeddc625ba4cfba3b28514
SSDEEP:	384:av4MQf6NXzzh638w9Gs/4sY2DxLm5qDriGJhqhaYx/16TzY20hWe:avP26RzVXw95wsY21S5qDriGJhqhai6y
TLSH:	BD72C7073A5826BAE21540F112A55F739FFFD0B2B2BED61EC7D0485374A9A42EB1C10E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....n.:.................(...................@....@..........................p.............................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x4011cb
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x3ADD6EC8 [Wed Apr 18 10:39:04 2001 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	1
OS Version Minor:	0
File Version Major:	1
File Version Minor:	0
Subsystem Version Major:	1
Subsystem Version Minor:	0
Import Hash:	7b7e8665f226bbab519d75c7e411307b

Entrypoint Preview

Instruction
mov eax, dword ptr fs:[00000000h]
push ebp
mov ebp, esp
push FFFFFFFFh
push 0040501Ch
push 0040109Ah
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 10h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
push 00405028h
push 00405024h
push 00405020h
call 00007F13FCA9281Ch
push dword ptr [00405028h]
push dword ptr [00405024h]
push dword ptr [00405020h]
mov dword ptr [00405014h], esp
call 00007F13FCA9071Fh
add esp, 18h
xor ecx, ecx
mov dword ptr [ebp-04h], ecx
push eax
call 00007F13FCA92815h
leave
ret
add byte ptr [eax], al
mov dword ptr fs:[00000000h], eax
ret
add byte ptr [ebp-77h], dl
in eax, 51h
push ebx
push esi
push edi
call 00007F13FCA926B9h
push eax
call 00007F13FCA92857h
call 00007F13FCA9282Eh
mov ecx, 00000006h
cdq
idiv ecx
mov edi, edx
add edi, 03h
mov dword ptr [ebp-04h], edi
push edi
call 00007F13FCA927F4h
add esp, 08h
mov ebx, eax
xor esi, esi
jmp 00007F13FCA904D0h
push 00000010h
call 00007F13FCA927B4h
add esp, 04h
call 00007F13FCA92800h
mov ecx, 0000001Ah
cdq
idiv ecx
add edx, 61h
mov byte ptr [ebx+esi], dl
inc esi
cmp esi, dword ptr [ebp-04h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6000	0x8cc	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2638	0x2638	False	0.4965249386753884	data	5.87745190991952	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.bss	0x4000	0x8c	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.data	0x5000	0x7b0	0x7b0	False	0.45985772357723576	data	4.5802244272545956	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x6000	0x8cc	0x8cc	False	0.34147424511545293	data	4.092541381538277	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
KERNEL32.DLL	ExitProcess, ExitThread, GetCurrentProcess, GetCurrentThread, GetFileSize, GetModuleHandleA, CloseHandle, GetPriorityClass, GetProcAddress, GetTempPathA, GetThreadPriority, GetTickCount, GetVersionExA, GetWindowsDirectoryA, CopyFileA, CreateFileA, ReadFile, RtlUnwind, RtlZeroMemory, SetFilePointer, SetPriorityClass, SetThreadPriority, Sleep, CreateProcessA, WriteFile, CreateThread
ADVAPI32.DLL	AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, RegCloseKey, RegCreateKeyExA, RegDeleteValueA, RegOpenKeyExA, RegSetValueExA
CRTDLL.DLL	__GetMainArgs, _sleep, atoi, exit, free, malloc, memcpy, raise, rand, signal, sprintf, srand, strcat, strchr, strcmp, strtok, time
USER32.DLL	ExitWindowsEx
WININET.DLL	InternetCanonicalizeUrlA, InternetCloseHandle, InternetOpenA, InternetOpenUrlA, InternetReadFile
wsock32.dll	WSACleanup, WSAStartup, closesocket, connect, gethostbyname, htons, inet_addr, recv, send, sendto, socket

Network Behavior

Network Port Distribution

Total Packets: 33
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2022 10:44:37.569188118 CET	49696	80	192.168.2.3	184.168.111.40
Dec 28, 2022 10:44:37.824807882 CET	80	49696	184.168.111.40	192.168.2.3
Dec 28, 2022 10:44:37.824932098 CET	49696	80	192.168.2.3	184.168.111.40
Dec 28, 2022 10:44:37.825572014 CET	49696	80	192.168.2.3	184.168.111.40
Dec 28, 2022 10:44:38.080954075 CET	80	49696	184.168.111.40	192.168.2.3
Dec 28, 2022 10:44:42.112258911 CET	80	49696	184.168.111.40	192.168.2.3
Dec 28, 2022 10:44:42.112301111 CET	80	49696	184.168.111.40	192.168.2.3
Dec 28, 2022 10:44:42.112400055 CET	49696	80	192.168.2.3	184.168.111.40
Dec 28, 2022 10:44:42.112540960 CET	49696	80	192.168.2.3	184.168.111.40
Dec 28, 2022 10:44:42.367985010 CET	80	49696	184.168.111.40	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2022 10:44:37.418152094 CET	62704	53	192.168.2.3	8.8.8.8
Dec 28, 2022 10:44:37.419379950 CET	58921	53	192.168.2.3	8.8.8.8
Dec 28, 2022 10:44:37.437489033 CET	53	62704	8.8.8.8	192.168.2.3
Dec 28, 2022 10:44:37.464479923 CET	53	58921	8.8.8.8	192.168.2.3
Dec 28, 2022 10:44:37.500787020 CET	49977	53	192.168.2.3	8.8.8.8
Dec 28, 2022 10:44:37.547466993 CET	53	49977	8.8.8.8	192.168.2.3
Dec 28, 2022 10:44:52.520175934 CET	57990	53	192.168.2.3	8.8.8.8
Dec 28, 2022 10:44:52.524137974 CET	52387	53	192.168.2.3	8.8.8.8
Dec 28, 2022 10:44:52.541759014 CET	53	52387	8.8.8.8	192.168.2.3
Dec 28, 2022 10:44:52.568533897 CET	53	57990	8.8.8.8	192.168.2.3
Dec 28, 2022 10:45:07.611567974 CET	56924	53	192.168.2.3	8.8.8.8
Dec 28, 2022 10:45:07.612471104 CET	60625	53	192.168.2.3	8.8.8.8
Dec 28, 2022 10:45:07.629235029 CET	53	56924	8.8.8.8	192.168.2.3
Dec 28, 2022 10:45:07.688540936 CET	53	60625	8.8.8.8	192.168.2.3
Dec 28, 2022 10:45:22.677541018 CET	49302	53	192.168.2.3	8.8.8.8
Dec 28, 2022 10:45:22.695127964 CET	53	49302	8.8.8.8	192.168.2.3
Dec 28, 2022 10:45:22.706145048 CET	53975	53	192.168.2.3	8.8.8.8
Dec 28, 2022 10:45:23.749110937 CET	53975	53	192.168.2.3	8.8.8.8
Dec 28, 2022 10:45:23.757155895 CET	53	53975	8.8.8.8	192.168.2.3
Dec 28, 2022 10:45:23.856141090 CET	53	53975	8.8.8.8	192.168.2.3
Dec 28, 2022 10:45:37.742923021 CET	51139	53	192.168.2.3	8.8.8.8
Dec 28, 2022 10:45:37.760622978 CET	53	51139	8.8.8.8	192.168.2.3
Dec 28, 2022 10:45:38.774471045 CET	52955	53	192.168.2.3	8.8.8.8
Dec 28, 2022 10:45:38.818486929 CET	53	52955	8.8.8.8	192.168.2.3
Dec 28, 2022 10:45:52.802243948 CET	60582	53	192.168.2.3	8.8.8.8
Dec 28, 2022 10:45:52.819704056 CET	53	60582	8.8.8.8	192.168.2.3
Dec 28, 2022 10:45:53.837867975 CET	57134	53	192.168.2.3	8.8.8.8
Dec 28, 2022 10:45:53.973509073 CET	53	57134	8.8.8.8	192.168.2.3
Dec 28, 2022 10:46:08.014050007 CET	62050	53	192.168.2.3	8.8.8.8
Dec 28, 2022 10:46:08.031747103 CET	53	62050	8.8.8.8	192.168.2.3
Dec 28, 2022 10:46:08.997812033 CET	56042	53	192.168.2.3	8.8.8.8
Dec 28, 2022 10:46:09.222395897 CET	53	56042	8.8.8.8	192.168.2.3
Dec 28, 2022 10:46:23.089586973 CET	59636	53	192.168.2.3	8.8.8.8
Dec 28, 2022 10:46:23.107839108 CET	53	59636	8.8.8.8	192.168.2.3
Dec 28, 2022 10:46:24.624712944 CET	55638	53	192.168.2.3	8.8.8.8
Dec 28, 2022 10:46:24.698832989 CET	53	55638	8.8.8.8	192.168.2.3
Dec 28, 2022 10:46:38.141551018 CET	57704	53	192.168.2.3	8.8.8.8
Dec 28, 2022 10:46:38.159111977 CET	53	57704	8.8.8.8	192.168.2.3
Dec 28, 2022 10:46:39.711909056 CET	65320	53	192.168.2.3	8.8.8.8
Dec 28, 2022 10:46:39.762845993 CET	53	65320	8.8.8.8	192.168.2.3
Dec 28, 2022 10:46:53.215997934 CET	60767	53	192.168.2.3	8.8.8.8
Dec 28, 2022 10:46:53.233850002 CET	53	60767	8.8.8.8	192.168.2.3
Dec 28, 2022 10:46:54.781390905 CET	65107	53	192.168.2.3	8.8.8.8
Dec 28, 2022 10:46:54.855417967 CET	53	65107	8.8.8.8	192.168.2.3
Dec 28, 2022 10:47:08.272275925 CET	53848	53	192.168.2.3	8.8.8.8
Dec 28, 2022 10:47:08.289781094 CET	53	53848	8.8.8.8	192.168.2.3
Dec 28, 2022 10:47:09.865703106 CET	57571	53	192.168.2.3	8.8.8.8
Dec 28, 2022 10:47:09.917429924 CET	53	57571	8.8.8.8	192.168.2.3
Dec 28, 2022 10:47:23.321495056 CET	58691	53	192.168.2.3	8.8.8.8
Dec 28, 2022 10:47:23.341784954 CET	53	58691	8.8.8.8	192.168.2.3
Dec 28, 2022 10:47:24.926841974 CET	53305	53	192.168.2.3	8.8.8.8
Dec 28, 2022 10:47:25.003083944 CET	53	53305	8.8.8.8	192.168.2.3
Dec 28, 2022 10:47:38.374828100 CET	59433	53	192.168.2.3	8.8.8.8
Dec 28, 2022 10:47:38.395253897 CET	53	59433	8.8.8.8	192.168.2.3
Dec 28, 2022 10:47:40.021456957 CET	60749	53	192.168.2.3	8.8.8.8
Dec 28, 2022 10:47:40.226613045 CET	53	60749	8.8.8.8	192.168.2.3

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Dec 28, 2022 10:45:23.856251001 CET	192.168.2.3	8.8.8.8	d045	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 28, 2022 10:44:37.418152094 CET	192.168.2.3	8.8.8.8	0x7e5f	Standard query (0)	slack.isfs.org.hk	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:44:37.419379950 CET	192.168.2.3	8.8.8.8	0x57d7	Standard query (0)	testirc.88cc.org	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:44:37.500787020 CET	192.168.2.3	8.8.8.8	0x2bdf	Standard query (0)	www.mmbest.com	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:44:52.520175934 CET	192.168.2.3	8.8.8.8	0x1e9	Standard query (0)	testirc.88cc.org	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:44:52.524137974 CET	192.168.2.3	8.8.8.8	0x864b	Standard query (0)	slack.isfs.org.hk	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:45:07.611567974 CET	192.168.2.3	8.8.8.8	0x1af9	Standard query (0)	slack.isfs.org.hk	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:45:07.612471104 CET	192.168.2.3	8.8.8.8	0xab4	Standard query (0)	testirc.88cc.org	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:45:22.677541018 CET	192.168.2.3	8.8.8.8	0xb00f	Standard query (0)	slack.isfs.org.hk	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:45:22.706145048 CET	192.168.2.3	8.8.8.8	0x9a3e	Standard query (0)	testirc.88cc.org	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:45:23.749110937 CET	192.168.2.3	8.8.8.8	0x9a3e	Standard query (0)	testirc.88cc.org	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:45:37.742923021 CET	192.168.2.3	8.8.8.8	0x2cba	Standard query (0)	slack.isfs.org.hk	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:45:38.774471045 CET	192.168.2.3	8.8.8.8	0xe555	Standard query (0)	testirc.88cc.org	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:45:52.802243948 CET	192.168.2.3	8.8.8.8	0x4fff	Standard query (0)	slack.isfs.org.hk	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:45:53.837867975 CET	192.168.2.3	8.8.8.8	0x4263	Standard query (0)	testirc.88cc.org	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:46:08.014050007 CET	192.168.2.3	8.8.8.8	0x3582	Standard query (0)	slack.isfs.org.hk	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:46:08.997812033 CET	192.168.2.3	8.8.8.8	0x195c	Standard query (0)	testirc.88cc.org	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:46:23.089586973 CET	192.168.2.3	8.8.8.8	0xd814	Standard query (0)	slack.isfs.org.hk	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:46:24.624712944 CET	192.168.2.3	8.8.8.8	0xc013	Standard query (0)	testirc.88cc.org	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:46:38.141551018 CET	192.168.2.3	8.8.8.8	0x9e5f	Standard query (0)	slack.isfs.org.hk	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:46:39.711909056 CET	192.168.2.3	8.8.8.8	0x2b6f	Standard query (0)	testirc.88cc.org	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:46:53.215997934 CET	192.168.2.3	8.8.8.8	0x74ed	Standard query (0)	slack.isfs.org.hk	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:46:54.781390905 CET	192.168.2.3	8.8.8.8	0x81ed	Standard query (0)	testirc.88cc.org	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:47:08.272275925 CET	192.168.2.3	8.8.8.8	0x7336	Standard query (0)	slack.isfs.org.hk	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:47:09.865703106 CET	192.168.2.3	8.8.8.8	0x2700	Standard query (0)	testirc.88cc.org	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:47:23.321495056 CET	192.168.2.3	8.8.8.8	0xcbc9	Standard query (0)	slack.isfs.org.hk	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:47:24.926841974 CET	192.168.2.3	8.8.8.8	0x82b0	Standard query (0)	testirc.88cc.org	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:47:38.374828100 CET	192.168.2.3	8.8.8.8	0x8b43	Standard query (0)	slack.isfs.org.hk	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:47:40.021456957 CET	192.168.2.3	8.8.8.8	0xfe33	Standard query (0)	testirc.88cc.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 28, 2022 10:44:37.437489033 CET	8.8.8.8	192.168.2.3	0x7e5f	Name error (3)	slack.isfs.org.hk	none	none	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:44:37.464479923 CET	8.8.8.8	192.168.2.3	0x57d7	Name error (3)	testirc.88cc.org	none	none	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:44:37.547466993 CET	8.8.8.8	192.168.2.3	0x2bdf	No error (0)	www.mmbest.com		184.168.111.40	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:44:52.541759014 CET	8.8.8.8	192.168.2.3	0x864b	Name error (3)	slack.isfs.org.hk	none	none	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:44:52.568533897 CET	8.8.8.8	192.168.2.3	0x1e9	Name error (3)	testirc.88cc.org	none	none	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:45:07.629235029 CET	8.8.8.8	192.168.2.3	0x1af9	Name error (3)	slack.isfs.org.hk	none	none	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:45:07.688540936 CET	8.8.8.8	192.168.2.3	0xab4	Name error (3)	testirc.88cc.org	none	none	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:45:22.695127964 CET	8.8.8.8	192.168.2.3	0xb00f	Name error (3)	slack.isfs.org.hk	none	none	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:45:23.757155895 CET	8.8.8.8	192.168.2.3	0x9a3e	Name error (3)	testirc.88cc.org	none	none	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:45:23.856141090 CET	8.8.8.8	192.168.2.3	0x9a3e	Name error (3)	testirc.88cc.org	none	none	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:45:37.760622978 CET	8.8.8.8	192.168.2.3	0x2cba	Name error (3)	slack.isfs.org.hk	none	none	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:45:38.818486929 CET	8.8.8.8	192.168.2.3	0xe555	Name error (3)	testirc.88cc.org	none	none	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:45:52.819704056 CET	8.8.8.8	192.168.2.3	0x4fff	Name error (3)	slack.isfs.org.hk	none	none	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:45:53.973509073 CET	8.8.8.8	192.168.2.3	0x4263	Name error (3)	testirc.88cc.org	none	none	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:46:08.031747103 CET	8.8.8.8	192.168.2.3	0x3582	Name error (3)	slack.isfs.org.hk	none	none	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:46:09.222395897 CET	8.8.8.8	192.168.2.3	0x195c	Name error (3)	testirc.88cc.org	none	none	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:46:23.107839108 CET	8.8.8.8	192.168.2.3	0xd814	Name error (3)	slack.isfs.org.hk	none	none	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:46:24.698832989 CET	8.8.8.8	192.168.2.3	0xc013	Name error (3)	testirc.88cc.org	none	none	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:46:38.159111977 CET	8.8.8.8	192.168.2.3	0x9e5f	Name error (3)	slack.isfs.org.hk	none	none	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:46:39.762845993 CET	8.8.8.8	192.168.2.3	0x2b6f	Name error (3)	testirc.88cc.org	none	none	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:46:53.233850002 CET	8.8.8.8	192.168.2.3	0x74ed	Name error (3)	slack.isfs.org.hk	none	none	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:46:54.855417967 CET	8.8.8.8	192.168.2.3	0x81ed	Name error (3)	testirc.88cc.org	none	none	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:47:08.289781094 CET	8.8.8.8	192.168.2.3	0x7336	Name error (3)	slack.isfs.org.hk	none	none	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:47:09.917429924 CET	8.8.8.8	192.168.2.3	0x2700	Name error (3)	testirc.88cc.org	none	none	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:47:23.341784954 CET	8.8.8.8	192.168.2.3	0xcbc9	Name error (3)	slack.isfs.org.hk	none	none	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:47:25.003083944 CET	8.8.8.8	192.168.2.3	0x82b0	Name error (3)	testirc.88cc.org	none	none	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:47:38.395253897 CET	8.8.8.8	192.168.2.3	0x8b43	Name error (3)	slack.isfs.org.hk	none	none	A (IP address)	IN (0x0001)	false
Dec 28, 2022 10:47:40.226613045 CET	8.8.8.8	192.168.2.3	0xfe33	Name error (3)	testirc.88cc.org	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

testirc.8866.org18000

www.mmbest.com

Target ID:	0
Start time:	10:44:37
Start date:	28/12/2022
Path:	C:\Users\user\Desktop\qqt.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\qqt.exe
Imagebase:	0x400000
File size:	16521 bytes
MD5 hash:	992289CD321A673F91D8B4912189ECF6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report qqt.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

Statistics

System Behavior

Analysis Process: qqt.exePID: 6044, Parent PID: 3452

General

File Activities

File Created

Windows Analysis Report
qqt.exe