QvodTerminal.exe

QvodTerminal

Shenzhen QVOD Technology Co.,Ltd

It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘QvodTerminal’. The file has been seen being downloaded from docs.google.com and multiple other hosts.
Publisher:
Shenzhen QVOD Technology Co.,Ltd  (signed and verified)

Product:
QvodTerminal

Version:
5, 3, 82, 220

MD5:
0d9b85fb604c1d3590e4c902f21f8168

SHA-1:
0f573a392e3f4c083d2f8541ae1900b9dfea1cd3

SHA-256:
c20330365fb2c4b022eae80352483ba8708aa119269a30a73cd6bae4685895d5

Scanner detections:
4 / 68

Status:
Clean  (4 probable false positive detections)

Explanation:
These detections are probably false positives (erroneous); the file is probably malware-free.

Analysis date:
11/5/2024 2:44:37 AM UTC

Scan engine               Detection                  Engine version
Bkav FE                   HW32.Laneul                1.3.0.4246
Dr.Web                    probably DLOADER.Trojan    9.0.1.05190
SUPERAntiSpyware          Adware.Qvod                10468
Trend Micro House Call    TROJ_GEN.F47V1228          7.2.203

File size:
1.2 MB (1,240,496 bytes)

Product version:
5, 3, 82, 220

Copyright:
Copyright (C) 2010 - 2014 Shenzhen QVOD Technology Co.,Ltd. All rights reserved.

Original file name:
QvodTerminal.exe

File type:
Executable application (Win32 EXE)

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
4/28/2013 8:00:00 AM

Valid to:
7/29/2015 7:59:59 AM

Subject:
CN="Shenzhen QVOD Technology Co.,Ltd", OU=Digital ID Class 3 - Microsoft Software Validation v2, OU=Digital ID Class 3 - Microsoft Software Validation v2, O="Shenzhen QVOD Technology Co.,Ltd", L=shenzhen, S=guangdong, C=CN

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
5062CBF9284543F8BECAA682EB4E2871

File PE Metadata
Compilation timestamp:
7/11/2014 6:23:14 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
24576:58fCdNx6ffowxuUDoQFIo8h/H2sjSS6CkXEgzUElAi:eKR6PBoQFIoWWs+S4gIAi

Entry address:
0xC7816

Entry point:
E8, 61, DB, 00, 00, E9, 16, FE, FF, FF, 6A, 0C, 68, 20, AE, 50, 00, E8, A0, 6A, 00, 00, 33, C0, 33, F6, 39, 75, 08, 0F, 95, C0, 3B, C6, 75, 1D, E8, 71, 35, 00, 00, C7, 00, 16, 00, 00, 00, 56, 56, 56, 56, 56, E8, 1C, B9, FF, FF, 83, C4, 14, 83, C8, FF, EB, 5F, E8, E6, 59, 00, 00, 6A, 20, 5B, 03, C3, 50, 6A, 01, E8, EC, 5A, 00, 00, 59, 59, 89, 75, FC, E8, CF, 59, 00, 00, 03, C3, 50, E8, 95, DB, 00, 00, 59, 8B, F8, 8D, 45, 0C, 50, 56, FF, 75, 08, E8, B7, 59, 00, 00, 03, C3, 50, E8, A3, 8A, 00, 00, 89, 45, E4...

Entropy:
6.5736

Code size:
949.5 KB (972,288 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
QvodTerminal

Command:
"C:\qvodplayer\qvodterminal.exe" -autorun


The file QvodTerminal.exe has been seen being distributed by the following 19 URLs.

https://docs.google.com/uc?id=0B6Mqa_gqwBXNeG1DbDExYnFsWkE&export=download

http://117.27.243.29/ws.cdn.baidupcs.com/file/.../WpA=&to=sc&fm=Bei,B,U,ny&sta_dx=1&sta_cs=868&sta_ft=exe&sta_ct=3&newver=1&newfm=1&flow_ver=3&expires=8h&rt=sh&r=521483881&mlogid=3059464112&vuk=789237344&vbdid=2033473196&fn=QvodTerminal.exe&wshc_tag=0&wsts_tag=54129c73&wsid_tag=ec69b96&wsiphost=ipdbm

http://117.27.243.29/ws.cdn.baidupcs.com/.../0d9b85fb604c1d3590e4c902f21f8168?xcode=ef299eeed7dbcf4ca0e108d08e992d72843f13fe546574c1837047dfb5e85c39&fid=1129662672-250528-990284467151599&time=1410505716&sign=FDTAXER-DCb740ccc5511e5e8fedcff06b081203-MwnTkWxJcWpvXLyW2M3ny k4orQ=&to=sc&fm=Bei,B,U,ny&sta_dx=1&sta_cs=868&sta_ft=exe&sta_ct=3&newver=1&newfm=1&flow_ver=3&expires=8h&rt=sh&r=747070478&mlogid=1035404256&vuk=789237344&vbdid=2033473196&fn=QvodTerminal.exe&wshc_tag=0&wsts_tag=54129bf4&wsid_tag=ec69b96&wsiphost=ipdbm

The executing file has been seen to make the following network communications in live environments.

TCP:
Connects to bb119-74-85-102.singnet.com.sg  (119.74.85.102:20000)

TCP:
Connects to bb42-61-234-128.singnet.com.sg  (42.61.234.128:20003)

TCP:
Connects to 100.72.156.175.unknown.m1.com.sg  (175.156.72.100:20112)

TCP:
Connects to n11923621073.netvigator.com  (119.236.21.73:7876)

TCP:
Connects to 74.71.49.60.klj04-home.tm.net.my  (60.49.71.74:6611)

TCP:
Connects to 166.81.197.124.unknown.m1.com.sg  (124.197.81.166:20100)

Scan QvodTerminal.exe - Powered by Reason Core Security