Windows Analysis Report
MQNT.exe

Overview

General Information

Sample name: MQNT.exe
Analysis ID: 1592723
MD5: 27f5aa99c8e512ca56c2a46fb0b7be6b
SHA1: 65a1336c182612c091ef925d52477639c7735d01
SHA256: 575d39610e80fff09fc08eb068983bd0524bd2ef9508607be2749620150ddc85
Tags: exemalwaretrojanuser-Joker
Infos:

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Machine Learning detection for dropped file
Machine Learning detection for sample
Yara detected aPLib compressed binary
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://47.92.98.180:88/MQNT/MQNT.exe Avira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\Users\user\Desktop\update.exe ReversingLabs: Detection: 50%
Multi AV Scanner detection for submitted file
Source: MQNT.exe Virustotal: Detection: 65% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\Desktop\update.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: MQNT.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: MQNT.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 103.235.46.96:443 -> 192.168.2.5:49704 version: TLS 1.2
Detected non-DNS traffic on DNS port
Source: global traffic TCP traffic: 192.168.2.5:49732 -> 162.159.36.2:53
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 103.235.46.96 103.235.46.96
Source: Joe Sandbox View IP Address: 103.235.46.96 103.235.46.96
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49704 -> 103.235.46.96:443
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: HEAD / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AliveAccept: text/html, application/xhtml+xml, */*Accept-Encoding: identityAccept-Language: zh-cnUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Host: www.baidu.com
Source: unknown TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: www.baidu.com
Source: global traffic DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa
Source: MQNT.exe String found in binary or memory: http://47.92.98.180:18081/myauth/web/getUserCount?skey=c0ecd8de-75e7-47a6-a22b-8adedbf78780&apikey=c
Source: update.exe.0.dr String found in binary or memory: http://47.92.98.180:88/MQNT/GX_RZ.txt
Source: MQNT.exe String found in binary or memory: http://47.92.98.180:88/MQNT/MQNT.exe
Source: MQNT.exe, update.exe.0.dr String found in binary or memory: http://47.92.98.180:88/MQNT/data.txt
Source: MQNT.exe String found in binary or memory: http://ip-api.com/json/?lang=zh-CN
Source: MQNT.exe String found in binary or memory: http://q1.qlogo.cn/g?b=qq&nk=
Source: MQNT.exe String found in binary or memory: http://whois.pconline.com.cn/ipJson.jsp?json=true
Source: MQNT.exe String found in binary or memory: http://www.eyuyan.com
Source: MQNT.exe, update.exe.0.dr String found in binary or memory: http://www.eyuyan.com)DVarFileInfo$
Source: MQNT.exe String found in binary or memory: http://www.eyuyan.comservice
Source: MQNT.exe String found in binary or memory: http://www.ibsensoftware.com/
Source: MQNT.exe String found in binary or memory: http://www.ip138.com
Source: MQNT.exe String found in binary or memory: http://www.ip138.comUser-Agent:
Source: MQNT.exe String found in binary or memory: https://api.ip.sb/ip
Source: MQNT.exe String found in binary or memory: https://cdid.c-ctrip.com/model-poc2/h
Source: MQNT.exe String found in binary or memory: https://cdid.c-ctrip.com/model-poc2/hhttps://ip.cn/api/index?ip=&type=0User-Agent:
Source: MQNT.exe String found in binary or memory: https://club.vip.qq.com/api/aggregation?g_tk=
Source: MQNT.exe String found in binary or memory: https://club.vip.qq.com/api/aggregation?g_tk=content-type:
Source: MQNT.exe String found in binary or memory: https://ip.cn/api/index?ip=&type=0
Source: MQNT.exe String found in binary or memory: https://ipinfo.io/json
Source: MQNT.exe String found in binary or memory: https://www.baidu.com
Source: MQNT.exe String found in binary or memory: https://www.baidu.comDate:KB3140245/
Source: MQNT.exe String found in binary or memory: https://www.uc.cn/ip
Source: MQNT.exe String found in binary or memory: https://www.uc.cn/ipIP:https://api.ip.sb/iphttps://ipinfo.io/jsonip
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown HTTPS traffic detected: 103.235.46.96:443 -> 192.168.2.5:49704 version: TLS 1.2

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: C:\Users\user\Desktop\update.exe, type: DROPPED Matched rule: Sample from CN Honker Pentest Toolset - file WordpressScanner.exe Author: Florian Roth
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\MQNT.exe Code function: 0_2_00411D24: CreateFileA,DeviceIoControl,CloseHandle, 0_2_00411D24
Detected potential crypto function
Source: C:\Users\user\Desktop\MQNT.exe Code function: 0_2_00417922 0_2_00417922
Source: C:\Users\user\Desktop\MQNT.exe Code function: 0_2_00462BA2 0_2_00462BA2
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\Desktop\update.exe 0C274B149400E89EBC0F6335A9181005B4249CABEFA8EC8B47C1D56710B2D3EF
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\MQNT.exe Code function: String function: 00401080 appears 59 times
Sample file is different than original file name gathered from version info
Source: MQNT.exe, 00000000.00000002.2116115854.00000000006CD000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameXY.HWSS.dllf# vs MQNT.exe
Source: MQNT.exe, 00000000.00000002.2116115854.00000000006CD000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamexy.WSS.HTTPS.dllp( vs MQNT.exe
Source: MQNT.exe Binary or memory string: OriginalFilenameXY.HWSS.dllf# vs MQNT.exe
Source: MQNT.exe Binary or memory string: OriginalFilenamexy.WSS.HTTPS.dllp( vs MQNT.exe
Uses 32bit PE files
Source: MQNT.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Yara signature match
Source: C:\Users\user\Desktop\update.exe, type: DROPPED Matched rule: CN_Honker_WordpressScanner date = 2015-06-23, author = Florian Roth, description = Sample from CN Honker Pentest Toolset - file WordpressScanner.exe, score = 0b3c5015ba3616cbc616fc9ba805fea73e98bc83, reference = Disclosed CN Honker Pentest Toolset, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: classification engine Classification label: mal88.evad.winEXE@1/3@2/1
Source: C:\Users\user\Desktop\MQNT.exe Code function: 0_2_00401B6D CreateToolhelp32Snapshot,Module32First, 0_2_00401B6D
Source: C:\Users\user\Desktop\MQNT.exe File created: C:\Users\user\Desktop\update.exe Jump to behavior
Source: MQNT.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\MQNT.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: MQNT.exe Virustotal: Detection: 65%
Source: C:\Users\user\Desktop\MQNT.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe Section loaded: msvfw32.dll Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe Section loaded: avifil32.dll Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe Section loaded: msacm32.dll Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe File written: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: MQNT.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: MQNT.exe Static file information: File size 5524480 > 1048576
Source: MQNT.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1e3800
Source: MQNT.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x32f400

Data Obfuscation
barindex
Yara detected aPLib compressed binary
Source: Yara match File source: MQNT.exe, type: SAMPLE
Source: Yara match File source: 0.0.MQNT.exe.71faeb.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.MQNT.exe.6e9d0f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.MQNT.exe.71faeb.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.MQNT.exe.6e9d0f.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.MQNT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.MQNT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2116115854.00000000006CD000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2052285705.00000000006CD000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MQNT.exe PID: 7032, type: MEMORYSTR
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\MQNT.exe Code function: 0_2_005C28F0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_005C28F0
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\MQNT.exe Code function: 0_2_005B6920 push eax; ret 0_2_005B694E
Source: C:\Users\user\Desktop\MQNT.exe Code function: 0_2_005B8E18 push eax; ret 0_2_005B8E36
Drops PE files
Source: C:\Users\user\Desktop\MQNT.exe File created: C:\Users\user\Desktop\update.exe Jump to dropped file
Source: C:\Users\user\Desktop\MQNT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\MQNT.exe Dropped PE file which has not been started: C:\Users\user\Desktop\update.exe Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\MQNT.exe TID: 2972 Thread sleep time: -30000s >= -30000s Jump to behavior
Queries disk information (often used to detect virtual machines)
Source: C:\Users\user\Desktop\MQNT.exe File opened: PhysicalDrive0 Jump to behavior
Source: MQNT.exe, 00000000.00000002.2117310347.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, MQNT.exe, 00000000.00000003.2071390426.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, MQNT.exe, 00000000.00000003.2114799320.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, MQNT.exe, 00000000.00000003.2082746130.0000000000CA1000.00000004.00000020.00020000.00000000.sdmp, MQNT.exe, 00000000.00000003.2114465348.0000000000CA1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWBS1)
Source: MQNT.exe, 00000000.00000002.2117054668.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp, MQNT.exe, 00000000.00000002.2117310347.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, MQNT.exe, 00000000.00000003.2071390426.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, MQNT.exe, 00000000.00000003.2114799320.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, MQNT.exe, 00000000.00000003.2082746130.0000000000CA1000.00000004.00000020.00020000.00000000.sdmp, MQNT.exe, 00000000.00000003.2114465348.0000000000CA1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\MQNT.exe Code function: 0_2_005C28F0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_005C28F0
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\MQNT.exe Code function: 0_2_00433142 mov ebx, dword ptr fs:[00000030h] 0_2_00433142
Source: C:\Users\user\Desktop\MQNT.exe Code function: 0_2_00435217 mov ebx, dword ptr fs:[00000030h] 0_2_00435217
Source: C:\Users\user\Desktop\MQNT.exe Code function: 0_2_00409A24 mov ebx, dword ptr fs:[00000030h] 0_2_00409A24
Source: C:\Users\user\Desktop\MQNT.exe Code function: 0_2_00422225 mov ebx, dword ptr fs:[00000030h] 0_2_00422225
Source: C:\Users\user\Desktop\MQNT.exe Code function: 0_2_00421E1E mov ebx, dword ptr fs:[00000030h] 0_2_00421E1E
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\MQNT.exe Code function: 0_2_0046B2DC HeapAlloc,RtlFreeHeap,GetProcessHeap,HeapReAlloc, 0_2_0046B2DC
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\MQNT.exe Code function: 0_2_00411C79 cpuid 0_2_00411C79
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\MQNT.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe Code function: 0_2_005BB17C GetVersionExA,GetEnvironmentVariableA,GetModuleFileNameA, 0_2_005BB17C
Source: C:\Users\user\Desktop\MQNT.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1592723 Sample: MQNT.exe Startdate: 16/01/2025 Architecture: WINDOWS Score: 88 12 www.wshifen.com 2->12 14 www.baidu.com 2->14 16 2 other IPs or domains 2->16 20 Malicious sample detected (through community Yara rule) 2->20 22 Antivirus detection for URL or domain 2->22 24 Multi AV Scanner detection for dropped file 2->24 26 5 other signatures 2->26 6 MQNT.exe 2 2->6         started        signatures3 process4 dnsIp5 18 www.wshifen.com 103.235.46.96, 443, 49704 BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd Hong Kong 6->18 10 C:\Users\user\Desktop\update.exe, PE32 6->10 dropped file6
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
103.235.46.96
 www.wshifen.com Hong Kong
55967 BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd false

Contacted Domains

Name IP Active
www.wshifen.com 103.235.46.96 true
18.31.95.13.in-addr.arpa unknown unknown
www.baidu.com unknown unknown