qz1.exe

First submission 2024-10-18 07:22:08

File details

File type: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Mime type: application/x-dosexec
File size: 19.0 KB (19456 bytes)
Compile time: 1970-01-01 01:00:00
MD5: d4aa29575d62a2b48767b576f43e071b
SHA1: 9a695aca1b4761069d54ffbbd5eca05cfe8003c9
SHA256: 6796f19e369889be95d6f784536447faffd0e45967627d78077ce702741ed312
Import Hash : 147442e63270e287ed57d33257638324
Sections 9 .text .data .rdata .pdata .xdata .bss .idata .CRT .tls
Directories 2 import tls

File features detected

Is DLL
Packers
Anti Debug
Anti VM
Signed
XOR

OSINT Enrichments

Virus Total: 57/77 VT report date: 2024-10-17 18:21:34
Malware Type 1 trojan
Threat Type 3 cobaltstrike dump marte

URLs, FQDN and IP indicators 1

URL Host (FQDN/IP) Date Added
hXXp://120.25.157.131/qz1.exe 120.25.157.131 2024-10-18 07:22:08

PE Sections 2 suspicious

Name VAddress VSize Size SHA1 MD5 Suspicious
.text 0x1000 0x20a8 8704 7990c3d0eb3d6829d9b7d23c3b69ee26d8d79a79 3040ba596609d0f7ba50ac030468b13e
.data 0x4000 0x4f0 1536 a9ed2802d5116a4da2ba0e38ca2cacbc0bad45ca 719375b0e939b8d1e1ab4fd62e8d8d95
.rdata 0x5000 0x910 2560 e28c7eadd25f9477b55c9265a1da7674029250b0 b02c91451e7abad85f4a5bbe48fd6333
.pdata 0x6000 0x2b8 1024 da5785b5a59be46929d82a70f8943e7fa0be0b66 ad5ec754cf0e204a3a3c39436081f3bc
.xdata 0x7000 0x238 1024 2714d9e2c3d1b1fd1575c12a5f1babce8e222944 6ce9e303fb86766d702ecb2b174cf348
.bss 0x8000 0x9d0 0 da39a3ee5e6b4b0d3255bfef95601890afd80709 d41d8cd98f00b204e9800998ecf8427e
.idata 0x9000 0x8d8 2560 361120770d755e2c333edd52e03ced1675caa623 ec8dedb62953693cf02784f71f75d547
.CRT 0xa000 0x68 512 48e7f86626e0f41a8a0ee900c304c59e0f7d25f7 52d79e9aecf5d5c3145d3ec54aa197a8
.tls 0xb000 0x10 512 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 bf619eac0cdf3f68d496ea9344137e8b

Packers detected 1

Microsoft Visual C++ 8.0 (DLL)

Anti debug functions 3

GetLastError
TerminateProcess
UnhandledExceptionFilter

Strings analysis - File found

Library
KERNEL32.dll
MSVCRT.dll

Import functions

Name Latest seen MD5
gotomeeting.exe 2024-05-16 10:19:04 877187ad95d25a0e3582331588ac8892
beacon.exe 2024-05-25 14:10:04 927ee11071594552182a02d7b0b971fa
abc.exe 2024-06-01 11:06:03 0423137cc78e3e3d7af3ecb534847d1b
h.exe 2024-07-04 10:40:04 b958d6940edc44e8d99a9e5c074acd5a
Utility.exe 2024-08-30 16:42:03 3cd08960d873ee9bbe2bc64e4a5460ef
Journal.exe 2024-09-22 15:09:01 59fc81032d61afec30ba06c776f7f3cd
Charter.exe 2024-09-22 15:26:01 03487ec0103b22c20bcc2f6864a705e7
Utility2.exe 2024-09-22 16:01:02 4bd25a55bcb6aec078ab1d909cfabe64
service.exe 2024-09-22 16:04:01 4b6b4048c597d60f54030b1d4fb3f376
Utility3.exe 2024-09-22 16:08:02 0b86a1aad0c4a168bfffbe1da6cdd45e
Monitor.exe 2024-09-22 16:09:02 20cfd4b4f12dc4aae8971d7b95b870e2
update.exe 2024-09-28 15:22:02 dc66a0481a259a5c8820880822ff0b3a
system.exe 2024-10-06 04:17:03 24a4b0bab13585fcd3dbb00e8de9e78f
Session-https.exe 2024-10-13 01:42:02 f05982b55c7a85b9e71a941fe2295848
a.exe 2024-10-15 07:39:02 a3eb49b7dce841199a2882b7d1c27a57