» QvodTerminal.exe
Overview
Analysis
File Details
Behaviors (1)
Downloads (19)
Network (6)

QvodTerminal.exe

QvodTerminal

Shenzhen QVOD Technology Co.,Ltd

It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘QvodTerminal’. The file has been seen being downloaded from docs.google.com and multiple other hosts.

File name:

QvodTerminal.exe

Publisher:

Shenzhen QVOD Technology Co.,Ltd (signed and verified)

Product:

QvodTerminal

Version:

5, 3, 82, 220

MD5:

0d9b85fb604c1d3590e4c902f21f8168

SHA-1:

0f573a392e3f4c083d2f8541ae1900b9dfea1cd3

SHA-256:

c20330365fb2c4b022eae80352483ba8708aa119269a30a73cd6bae4685895d5

Scanner detections:

4 / 68

Status:

Clean (4 probable false positive detections)

Explanation:

These detections are probably false positives (erroneous), the file is probably malware free.

Analysis date:

11/24/2024 6:32:54 AM UTC (today)

Scan engine

Detection

Engine version

Bkav FE

HW32.Laneul

1.3.0.4246

Dr.Web

probably DLOADER.Trojan

9.0.1.05190

SUPERAntiSpyware

Adware.Qvod

10468

Trend Micro House Call

TROJ_GEN.F47V1228

7.2.203

File size:

1.2 MB (1,240,496 bytes)

Product version:

5, 3, 82, 220

Original file name:

QvodTerminal.exe

File type:

Executable application (Win32 EXE)

Digital Signature

Signed by:

Shenzhen QVOD Technology Co.,Ltd

Authority:

VeriSign, Inc.

Valid from:

4/28/2013 8:00:00 AM

Valid to:

7/29/2015 7:59:59 AM

Subject:

CN="Shenzhen QVOD Technology Co.,Ltd", OU=Digital ID Class 3 - Microsoft Software Validation v2, OU=Digital ID Class 3 - Microsoft Software Validation v2, O="Shenzhen QVOD Technology Co.,Ltd", L=shenzhen, S=guangdong, C=CN

Issuer:

CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:

5062CBF9284543F8BECAA682EB4E2871

File PE Metadata

Compilation timestamp:

7/11/2014 6:23:14 PM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

8.0

CTPH (ssdeep):

24576:58fCdNx6ffowxuUDoQFIo8h/H2sjSS6CkXEgzUElAi:eKR6PBoQFIoWWs+S4gIAi

Entry address:

0xC7816

Entry point:

E8, 61, DB, 00, 00, E9, 16, FE, FF, FF, 6A, 0C, 68, 20, AE, 50, 00, E8, A0, 6A, 00, 00, 33, C0, 33, F6, 39, 75, 08, 0F, 95, C0, 3B, C6, 75, 1D, E8, 71, 35, 00, 00, C7, 00, 16, 00, 00, 00, 56, 56, 56, 56, 56, E8, 1C, B9, FF, FF, 83, C4, 14, 83, C8, FF, EB, 5F, E8, E6, 59, 00, 00, 6A, 20, 5B, 03, C3, 50, 6A, 01, E8, EC, 5A, 00, 00, 59, 59, 89, 75, FC, E8, CF, 59, 00, 00, 03, C3, 50, E8, 95, DB, 00, 00, 59, 8B, F8, 8D, 45, 0C, 50, 56, FF, 75, 08, E8, B7, 59, 00, 00, 03, C3, 50, E8, A3, 8A, 00, 00, 89, 45, E4... 
[+]

Entropy:

6.5736

Code size:

949.5 KB (972,288 bytes)

Startup File (All Users Run)

Registry location:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:

QvodTerminal

Command:

"C:\qvodplayer\qvodterminal.exe" -autorun

The file QvodTerminal.exe has been seen being distributed by the following 19 URLs.

https://docs.google.com/uc?id=0B6Mqa_gqwBXNeG1DbDExYnFsWkE&export=download

https://mega.co.nz/temporary/.../70cEVDqQ

http://d.pcs.baidu.com/file/0d9b85fb604c1d3590e4c902f21f8168?fid=1129662672-250528-990284467151599&time=1414428992&rt=sh&sign=FDTAERY-DCb740ccc5511e5e8fedcff06b081203-o/zQGGzZaRVQ02kes9yP5lzKu14=&expires=8h&prisign=GF6x2T2CVlRV01o7Pki028kp4XDNjnf6nYJvYvdmp dC6iCzPtkM2R8bwngSJCtxUHOgSEDT93t Qs5HZbMU43qYSXTy Pdv87zzvCxFY3LF2AwR7/v8AoFPkn8yGFQgG ARR6sZ61H7w713nbdinLK4P8MIwsek8YrGIfnbrhQd9hftwh0T/LpiO4TBb3YhKfiwPKOCH/1RjiA0JvIiftCtgEME4/XAFxdlcH5Jp2nYf/.../HT3EMHfKj3obZBMpVgi4U61OIj41x0G1EQLg2HfrN97Kc74 3Pc=&chkv=0&chkbd=0&chkpc=et&r=522595347

http://g3.letv.cn/vod/.../MTA3LzI5LzM1L2xlY2xvdWQvMC91c3MvZmlsZWRvd25sb2FkL18wZDliODVmYjYwNGMxZDM1OTBlNGM5MDJmMjFmODE2OC4wMzc=?b=588800&mmsid=1&tm=1415869124&key=f91bb013bb3a4f6148d84bc1e42bc449&platid=14&splatid=1400&from=geturl&download_filename=QvodTerminal.exe&fname=QvodTerminal.exe

http://pic.kanxi.cc/.../QvodTerminal.exe

https://mega.nz/temporary/.../70cEVDqQ

http://download.698.es/.../QvodTerminal.exe

http://d.pcs.baidu.com/file/0d9b85fb604c1d3590e4c902f21f8168?fid=1129662672-250528-990284467151599&time=1410871103&rt=sh&sign=FDTAERY-DCb740ccc5511e5e8fedcff06b081203-KMv pO4Pd7enmxTAjMjLKInbxXU=&expires=8h&prisign=GF6x2T2CVlRV01o7Pki028kp4XDNjnf6nYJvYvdmp dC6iCzPtkM2aVC7McRJk1P9QVPB1kIp0CifNIlOMwtq9leEvhTVhjRcR83gRp4oLDRWmsGuAvcBYV8AuWyIY Mw6ZsBeaqSaq/.../OonCze4QS 8cCDFGVuTD1 dn1VM0ZQ==&chkv=0&chkbd=0&chkpc=et&r=662194405

https://mega.co.nz/persistent/.../70cEVDqQ

http://lx.cdn.baidupcs.com/file/.../vBsl8wkwbXtJdEprLps=&to=sc&fm=Bei,B,U,ny&sta_dx=1&sta_cs=1580&sta_ft=exe&sta_ct=5&newver=1&newfm=1&flow_ver=3&sl=81723466&expires=8h&rt=sh&r=459897602&mlogid=867420699&vuk=-&vbdid=3856581436&fin=QvodTerminal.exe&fn=QvodTerminal.exe

http://d.pcs.baidu.com/file/0d9b85fb604c1d3590e4c902f21f8168?fid=1129662672-250528-990284467151599&time=1410256344&rt=sh&sign=FDTAERY-DCb740ccc5511e5e8fedcff06b081203-fDI1A3I2/VoNT5 ae3H51a M/lI=&expires=8h&prisign=GF6x2T2CVlRV01o7Pki028kp4XDNjnf6nYJvYvdmp dC6iCzPtkM2fhqfly9UbAK9QVPB1kIp0CifNIlOMwtq9leEvhTVhjRcR83gRp4oLDRWmsGuAvcBYV8AuWyIY Mw6ZsBeaqSaojdEmyxc1d7sfDxXYCUoD7KsoRyLgl1pKCSsDq5LTecmiY8zBQMRNrLrvFbLiygllUK/.../m rjh7UAiLjQef zIgHzj PDHCDNDOAgZFWi8ZaCRqyjPE1G4gk a7ADQN7yIK2 w==&chkv=0&chkbd=0&chkpc=et&r=956461199

http://d.pcs.baidu.com/.../0d9b85fb604c1d3590e4c902f21f8168?fid=541208412-250528-404959065279477&time=1420277528&rt=sh&sign=FDTAERVY-DCb740ccc5511e5e8fedcff06b081203-aWG1FGXM1No4YkVen5wwP1yx0qY=&expires=8h&prisign=GF6x2T2CVlRV01o7Pki028kp4XDNjnf6nYJvYvdmp dC6iCzPtkM2aVC7McRJk1P9QVPB1kIp0CifNIlOMwtq9leEvhTVhjRcR83gRp4oLDRWmsGuAvcBYV8AuWyIY M5cPSDvxRAxcWV6HHmMzWxrliTehopodSguDOH6qielqU2cD6l8wpgPJyAjkDhb8mU8T3uIoQRx kUsDVz8jLkwvIbW6cEgC1Rr4J4H W4b8bZa bj54lpg==&chkv=1&chkbd=0&chkpc=et&r=459897602

http://117.27.243.29/ws.cdn.baidupcs.com/file/.../WpA=&to=sc&fm=Bei,B,U,ny&sta_dx=1&sta_cs=868&sta_ft=exe&sta_ct=3&newver=1&newfm=1&flow_ver=3&expires=8h&rt=sh&r=521483881&mlogid=3059464112&vuk=789237344&vbdid=2033473196&fn=QvodTerminal.exe&wshc_tag=0&wsts_tag=54129c73&wsid_tag=ec69b96&wsiphost=ipdbm

http://ws.cdn.baidupcs.com/file/.../WpA=&to=sc&fm=Bei,B,U,ny&sta_dx=1&sta_cs=868&sta_ft=exe&sta_ct=3&newver=1&newfm=1&flow_ver=3&expires=8h&rt=sh&r=521483881&mlogid=3059464112&vuk=789237344&vbdid=2033473196&fn=QvodTerminal.exe

http://d.pcs.baidu.com/file/0d9b85fb604c1d3590e4c902f21f8168?fid=1129662672-250528-990284467151599&time=1410505842&rt=sh&sign=FDTAERY-DCb740ccc5511e5e8fedcff06b081203-y/jt0TUEuw0FU/RE/1DDiybzgQM=&expires=8h&prisign=GF6x2T2CVlRV01o7Pki028kp4XDNjnf6nYJvYvdmp dC6iCzPtkM2fhqfly9UbAK9QVPB1kIp0CifNIlOMwtq9leEvhTVhjRcR83gRp4oLDRWmsGuAvcBYV8AuWyIY M7LBC/.../OonCze4Qs1TBvILS4XQ5Lnn1FjEOpbfgfmKcpQhp&chkv=0&chkbd=0&chkpc=et&r=521483881

http://117.27.243.29/ws.cdn.baidupcs.com/.../0d9b85fb604c1d3590e4c902f21f8168?xcode=ef299eeed7dbcf4ca0e108d08e992d72843f13fe546574c1837047dfb5e85c39&fid=1129662672-250528-990284467151599&time=1410505716&sign=FDTAXER-DCb740ccc5511e5e8fedcff06b081203-MwnTkWxJcWpvXLyW2M3ny k4orQ=&to=sc&fm=Bei,B,U,ny&sta_dx=1&sta_cs=868&sta_ft=exe&sta_ct=3&newver=1&newfm=1&flow_ver=3&expires=8h&rt=sh&r=747070478&mlogid=1035404256&vuk=789237344&vbdid=2033473196&fn=QvodTerminal.exe&wshc_tag=0&wsts_tag=54129bf4&wsid_tag=ec69b96&wsiphost=ipdbm

http://ws.cdn.baidupcs.com/.../0d9b85fb604c1d3590e4c902f21f8168?xcode=ef299eeed7dbcf4ca0e108d08e992d72843f13fe546574c1837047dfb5e85c39&fid=1129662672-250528-990284467151599&time=1410505716&sign=FDTAXER-DCb740ccc5511e5e8fedcff06b081203-MwnTkWxJcWpvXLyW2M3ny k4orQ=&to=sc&fm=Bei,B,U,ny&sta_dx=1&sta_cs=868&sta_ft=exe&sta_ct=3&newver=1&newfm=1&flow_ver=3&expires=8h&rt=sh&r=747070478&mlogid=1035404256&vuk=789237344&vbdid=2033473196&fn=QvodTerminal.exe

http://d.pcs.baidu.com/file/0d9b85fb604c1d3590e4c902f21f8168?fid=1129662672-250528-990284467151599&time=1410505716&rt=sh&sign=FDTAERY-DCb740ccc5511e5e8fedcff06b081203-5gk6XoxppUH2r2POUdfEnQanG08=&expires=8h&prisign=GF6x2T2CVlRV01o7Pki028kp4XDNjnf6nYJvYvdmp dC6iCzPtkM2fhqfly9UbAK9QVPB1kIp0CifNIlOMwtq9leEvhTVhjRcR83gRp4oLDRWmsGuAvcBYV8AuWyIY M7LBC/yn0S8zpCLlok5DU7qo42QWNaZnkKsoRyLgl1pKCSsDq5LTecmiY8zBQMRNrLrvFbLiygllUK/.../m rjh7UAiLjQef zIgHzj PDHCDNDOAgWE2emyzXBdts4KLjcjDR aOUThimFjN6Q==&chkv=0&chkbd=0&chkpc=et&r=747070478

http://hot-wsdl.yunpan.cn/.../0

The executing file has been seen to make the following network communications in live environments.

TCP:

Connects to bb119-74-85-102.singnet.com.sg (119.74.85.102:20000)

TCP:

Connects to bb42-61-234-128.singnet.com.sg (42.61.234.128:20003)

TCP:

Connects to 100.72.156.175.unknown.m1.com.sg (175.156.72.100:20112)

TCP:

Connects to n11923621073.netvigator.com (119.236.21.73:7876)

TCP:

Connects to 74.71.49.60.klj04-home.tm.net.my (60.49.71.74:6611)

TCP:

Connects to 166.81.197.124.unknown.m1.com.sg (124.197.81.166:20100)

Scan QvodTerminal.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.