qvod_296zzu.exe

ZUNSHANG INFO TECH CO. LTD.

The application qvod_296zzu.exe by ZUNSHANG INFO TECH CO. has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. The file has been seen being downloaded from dt.tu8s.com and multiple other hosts. While running, it connects to the Internet address IZ23O5WOAZBZ on port 80 using the HTTP protocol.
Publisher:
Monxeng Box  (signed by ZUNSHANG INFO TECH CO. LTD.)

Product:
Monxeng Box

Version:
2.0.0.3

MD5:
808c9f35d3c2888aff633c8cb7c650f4

SHA-1:
cd50f6304930108fc23de56a0ae7e7da704af096

SHA-256:
af724627ca75ab0738c24b6ff66837d4d316194e3305fd8b64960648a92d7ea5

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
11/23/2024 11:36:58 PM UTC  (a few moments ago)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.TopTools (M)
16.9.15.10

File size:
4.1 MB (4,345,496 bytes)

Product version:
2.0.0.3

Copyright:
Monxeng Box

Original file name:
Monxeng Box

File type:
Executable application (Win32 EXE)

Digital Signature
Authority:
WoSign CA Limited

Valid from:
3/10/2016 3:08:55 PM

Valid to:
3/10/2017 3:08:55 PM

Subject:
CN=ZUNSHANG INFO TECH CO. LTD., O=ZUNSHANG INFO TECH CO. LTD., L=Changzhou, S=Jiangsu, C=CN

Issuer:
CN=WoSign Class 3 Code Signing CA, O=WoSign CA Limited, C=CN

Serial number:
4F1846359241387E3EFE5A631480EEFE

File PE Metadata
Compilation timestamp:
9/13/2016 4:03:47 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
49152:IiXj1iaAVJGITcTS1S7eOvqZyDCv+5s4ucbYTir/7mcbosgXMQ+gyn5bh4OhLSwp:d1iaADZ39mJbYncbvV34yLSwndJ5

Entry address:
0xA1B13

Entry point:
E8, 4D, 1A, 01, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 56, 8B, 75, 08, 83, FE, E0, 77, 6F, 53, 57, A1, 1C, 41, 53, 00, 85, C0, 75, 1D, E8, F1, 89, 00, 00, 6A, 1E, E8, 47, 8A, 00, 00, 68, FF, 00, 00, 00, E8, 90, 07, 00, 00, A1, 1C, 41, 53, 00, 59, 59, 85, F6, 74, 04, 8B, CE, EB, 03, 33, C9, 41, 51, 6A, 00, 50, FF, 15, C0, 72, 4E, 00, 8B, F8, 85, FF, 75, 26, 6A, 0C, 5B, 39, 05, 30, 43, 53, 00, 74, 0D, 56, E8, 27, 63, 00, 00, 59, 85, C0, 75, A9, EB, 07, E8, 6A, 3A, 00, 00, 89, 18, E8, 63, 3A, 00, 00, 89, 18, 8B...
 
[+]

Entropy:
7.4339

Code size:
919.5 KB (941,568 bytes)

The file qvod_296zzu.exe has been seen being distributed by the following 12 URLs.

http://dt.tu8s.com/.../iVMS-4200(V1.03.00.03)_395t5f.exe

http://dt.tu8s.com/.../Gemvision.Matrix.8.0.x64_367e3v.exe

http://www.baidu.com/cb.php?c=IgF_pyfqnHRdP1R1nWR0IZ0qnfK9ujYznW6YP1nk0Aw-5HcYPWfdrjR0TAq15HcvnHRknH00T1YYmHKBPWDdrHb1nWR3rAcL0AwY5HDYP1fsn1m3PHR0IgF_5y9YIZ0lQzq1Tz4WXgI_Pi4WUvYEpM68TA9s5v-b5HDkPHc0ThfqPsKBUHYk0ZKz5H00Iy-b5Hn3P1fYnWb0Uv-b5HDsnjmYrHb0mv-b5Hcsn16zP6KEIv3qn0KsXHYznjm0mLFW5HRdnj0z

http://ss.cywl5.com/jx.php?id=1162

http://dt.tu8s.com/.../???????????????????_417w1f.exe

http://dt.tu8s.com/.../??????V2.2_400g3d.exe

http://dt.tu8s.com/.../GHOST XP???.rar_365g2c.exe

http://dt.tu8s.com/.../??IPAD???(iPadian)???_207z1t.exe

http://dt.tu8s.com/.../?????????_367e3v.exe

http://dt.tu8s.com/.../????????????_417w1f.exe

http://dt.tu8s.com/.../??????????????????_417w1f.exe

http://dt.tu8s.com/.../???NETSHOW_367e3v.exe

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to IZ23O5WOAZBZ  (114.55.143.106:80)

Remove qvod_296zzu.exe - Powered by Reason Core Security