Trojan

Trojan-Banker.Win32.Qbot.wlh (file analysis)

Malware Removal

The Trojan-Banker.Win32.Qbot.wlh is considered dangerous by lots of security experts. When this infection is active, you may notice unwanted processes in Task Manager list. In this case, it is adviced to scan your computer with GridinSoft Anti-Malware.

GridinSoft Anti-Malware

Gridinsoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. Allows to complete scan and cure your PC during the trial period.
DOWNLOAD NOW
6-day free trial available.

What Trojan-Banker.Win32.Qbot.wlh virus can do?

  • Executable code extraction
  • Injection (inter-process)
  • Injection (Process Hollowing)
  • Attempts to connect to a dead IP:Port (1 unique times)
  • Presents an Authenticode digital signature
  • Creates RWX memory
  • Mimics the system’s user agent string for its own requests
  • Possible date expiration check, exits too soon after checking local time
  • A process attempted to delay the analysis task.
  • A named pipe was used for inter-process communication
  • Expresses interest in specific running processes
  • Repeatedly searches for a not-found process, may want to run with startbrowser=1 option
  • A process created a hidden window
  • Performs some HTTP requests
  • Uses Windows utilities for basic functionality
  • Executed a process and injected code into it, probably while unpacking
  • A system process is generating network traffic likely as a result of process injection
  • Installs itself for autorun at Windows startup
  • Checks the version of Bios, possibly for anti-virtualization
  • Checks the CPU name from registry, possibly for anti-virtualization
  • Collects information to fingerprint the system
  • Anomalous binary characteristics

Related domains:

www.ip-adress.com

How to determine Trojan-Banker.Win32.Qbot.wlh?



File Info:

crc32: D31873B3
md5: 95f9539fe0469a59516eaadd94775cc9
name: tmphoa66gpe
sha1: 8a4e3a5b3f39ad5c4b1a42bca9da4a563c293768
sha256: 20280c7dcbd18c06904909eacd69ddfabc8df9bab3f5d2e4292fd8d97c17d8d3
sha512: a4703c7d04272e3083c68a040cc098593c7ae9ea6f4b5f7424f47f3f830690eefb5206f6a4bf30c4b53d4d4e7c6c714c8c25520ceba495a3662e0af9106aa596
ssdeep: 6144:ayYoQTHwJ9vNDc+lZaoQgIw6bE3nSW0yLnvI2XzPygGzk23MOaXFKn6U:ie6X03nSezvXXzF23MOqIH
type: PE32 executable (GUI) Intel 80386, for MS Windows


Version Info:

LegalCopyright: xa9 Microsoft Corporation. All rights reserved.
InternalName: dpapimig
FileVersion: 6.1.7600.16385 (win7_rtm.090713-1255)
CompanyName: Microsoft Corporation
ProductName: Microsoftxae Windowsxae Operating System
ProductVersion: 6.1.7600.16385
FileDescription: DPAPI Key Migration Wizard
OriginalFilename: dpapimig.exe
Translation: 0x0409 0x04b0

Trojan-Banker.Win32.Qbot.wlh also known as:

BkavW32.AIDetectVM.malware2
MicroWorld-eScanTrojan.GenericKDZ.68113
FireEyeGeneric.mg.95f9539fe0469a59
McAfeeW32/PinkSbot-GW!95F9539FE046
CylanceUnsafe
K7AntiVirusTrojan ( 005696301 )
BitDefenderTrojan.GenericKDZ.68113
K7GWTrojan ( 005696301 )
Cybereasonmalicious.b3f39a
SymantecML.Attribute.HighConfidence
APEXMalicious
GDataTrojan.GenericKDZ.68113
KasperskyTrojan-Banker.Win32.Qbot.wlh
Endgamemalicious (high confidence)
EmsisoftTrojan.GenericKDZ.68113 (B)
Invinceaheuristic
McAfee-GW-EditionArtemis
Trapminemalicious.high.ml.score
SophosTroj/Qbot-FS
IkarusTrojan.Qakbot
MAXmalware (ai score=80)
Antiy-AVLGrayWare/Win32.Kryptik.ehls
ArcabitTrojan.Generic.D10A11
ZoneAlarmTrojan-Banker.Win32.Qbot.wlh
MicrosoftTrojan:Win32/Qbot.DEE!MTB
Acronissuspicious
VBA32BScope.Trojan.Zenpak
Ad-AwareTrojan.GenericKDZ.68113
MalwarebytesTrojan.Emotet
PandaTrj/GdSda.A
ESET-NOD32a variant of Win32/Kryptik.HEHX
RisingTrojan.Kryptik!1.C745 (RDMK:cmRtazpHz6jLr8YOPFABU1r+xeG/)
SentinelOneDFI – Malicious PE
eGambitPE.Heur.InvalidSig
FortinetW32/GenKryptik.ELJF!tr
BitDefenderThetaGen:NN.ZexaF.34128.NI1@aqJOaVji
CrowdStrikewin/malicious_confidence_100% (D)
Qihoo-360HEUR/QVM19.1.1E5A.Malware.Gen

How to remove Trojan-Banker.Win32.Qbot.wlh?

Trojan-Banker.Win32.Qbot.wlh removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan“.
  • Move to quarantine” all items.
  • Open “Tools” tab – Press “Reset Browser Settings“.
  • Select proper browser and options – Click “Reset”.
  • Restart your computer.

You may also like

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.

View all posts

Leave a Comment