File name:

QHAccount.exe

Full analysis: https://app.any.run/tasks/9238f5ec-9d9e-4db7-b4af-31554b03b010
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: August 11, 2024, 11:34:30
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
ransomware
blacksuit
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

57EBF50902949E13220B379C136DB8A7

SHA1:

75D55564986C8FB2D24C2F467E9C0CD2196A2055

SHA256:

2ADCF43D221DE2F72BA5088DAC3A3193219412882DF711D095F04E3F5B40767C

SSDEEP:

98304:lgHCJZe8xYx1DGklPAI2cKtfKAEIUvoypGmI23Hhwulxnz21Iid8zOlBOLED:W

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • BLACKSUIT has been detected

      • QHAccount.exe (PID: 6512)
    • BLACKSUIT note has been found

      • QHAccount.exe (PID: 6512)
    • Renames files like ransomware

      • QHAccount.exe (PID: 6512)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • QHAccount.exe (PID: 6512)
    • Creates file in the systems drive root

      • QHAccount.exe (PID: 6512)
    • Drops the executable file immediately after the start

      • QHAccount.exe (PID: 6512)
    • Uses pipe srvsvc via SMB (transferring data)

      • QHAccount.exe (PID: 6512)
    • Creates files like ransomware instruction

      • QHAccount.exe (PID: 6512)
  • INFO

    • Checks supported languages

      • QHAccount.exe (PID: 6512)
      • TextInputHost.exe (PID: 6896)
    • Reads the computer name

      • QHAccount.exe (PID: 6512)
      • TextInputHost.exe (PID: 6896)
    • Reads the machine GUID from the registry

      • QHAccount.exe (PID: 6512)
    • Creates files in the program directory

      • QHAccount.exe (PID: 6512)
    • Dropped object may contain TOR URL's

      • QHAccount.exe (PID: 6512)
    • Manual execution by a user

      • regedit.exe (PID: 5540)
      • regedit.exe (PID: 2648)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (16.9)
.exe | Win64 Executable (generic) (15)
.exe | Win32 Executable (generic) (2.4)
.exe | Generic Win/DOS Executable (1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:10:26 14:25:41+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 1550848
InitializedDataSize: 645120
UninitializedDataSize: -
EntryPoint: 0x144306
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 9.0.0.1291
ProductVersionNumber: 9.0.0.1291
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Qihoo 360 Technology Co. Ltd.
FileDescription: Account Application
FileVersion: 9, 0, 0, 1291
InternalName: QHAccount
LegalCopyright: (C) Qihoo 360 Technology Co. Ltd., All rights reserved.
OriginalFileName: QHAccount.exe
ProductName: Account Application
ProductVersion: 9, 0, 0, 1291
No data.
All screenshots are available in the full report
Total processes
132
Monitored processes
6
Malicious processes
1
Suspicious processes
0

Behavior graph

start → qhaccount.exe (#BLACKSUIT) → cmd.exe → conhost.exe; textinputhost.exe; regedit.exe; regedit.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 2648 | CMD: "C:\WINDOWS\regedit.exe" | Path: C:\Windows\regedit.exe | Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Editor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\regedit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\gdi32.dll
PID: 5540 | CMD: "C:\WINDOWS\regedit.exe" | Path: C:\Windows\regedit.exe | Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Editor
Exit code:
3221226540
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\regedit.exe
c:\windows\system32\ntdll.dll
PID: 6512 | CMD: "C:\Users\admin\Desktop\QHAccount.exe" -id 00000000000000000000000000000000 | Path: C:\Users\admin\Desktop\QHAccount.exe | Parent process: explorer.exe
User:
admin
Company:
Qihoo 360 Technology Co. Ltd.
Integrity Level:
MEDIUM
Description:
Account Application
Exit code:
0
Version:
9, 0, 0, 1291
Modules
Images
c:\users\admin\desktop\qhaccount.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
PID: 6544 | CMD: cmd.exe /c vssadmin delete shadows /all /quiet | Path: C:\Windows\SysWOW64\cmd.exe | Parent process: QHAccount.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 6576 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6896 | CMD: "C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca | Path: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe | Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Version:
123.26505.0.0
Modules
Images
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\textinputhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\vcruntime140_app.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
Total events
8 100
Read events
7 813
Write events
143
Delete events
144

Modification events

(PID) Process: (6512) QHAccount.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: Owner
Value:
70190000557CEC71E2EBDA01

(PID) Process: (6512) QHAccount.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: SessionHash
Value:
A01022EAF75553ED11085C55E931432C23BF84A2EA61914AF0C4F196284AB47F

(PID) Process: (6512) QHAccount.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: Sequence
Value:
1

(PID) Process: (6512) QHAccount.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: RegFiles0000
Value:
\\?\C:\DumpStack.log.tmp

(PID) Process: (6512) QHAccount.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: RegFilesHash
Value:
518E545B96BED24B9E6799CD200A38279C287C5BF7144A67BEA26918E02D02C7

(PID) Process: (6512) QHAccount.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: delete value
Name: RegFilesHash
Value:
蹑孔뺖䯒枞춙ਠ✸⢜孼ᓷ杊ꊾᡩⷠ윂

(PID) Process: (6512) QHAccount.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: delete value
Name: RegFiles0000
Value:
\\?\C:\DumpStack.log.tmp

(PID) Process: (6512) QHAccount.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: delete value
Name: Sequence
Value:

(PID) Process: (6512) QHAccount.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: delete value
Name: SessionHash
Value:
Ⴀ嗷ࠑ啜㇩ⱃ뼣ꊄ懪䪑쓰雱䨨羴

(PID) Process: (6512) QHAccount.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: delete value
Name: Owner
Value:
Executable files
0
Suspicious files
325
Text files
78
Unknown types
1

Dropped files

PID
Process
Filename
Type
PID: 6512 | Process: QHAccount.exe | Filename: C:\ProgramData\Adobe\readme.blacksuit.txt | Type: text
MD5: B998D433168B18428F7F7713D1851F23
SHA256: 06453319ED3BD3FA04DA6B9D1C2ADA5EB445E1E0A878C0EB3AF54F751DACE513
PID: 6512 | Process: QHAccount.exe | Filename: C:\ProgramData\Microsoft OneDrive\readme.blacksuit.txt | Type: text
MD5: B998D433168B18428F7F7713D1851F23
SHA256: 06453319ED3BD3FA04DA6B9D1C2ADA5EB445E1E0A878C0EB3AF54F751DACE513
PID: 6512 | Process: QHAccount.exe | Filename: C:\ProgramData\readme.blacksuit.txt | Type: text
MD5: B998D433168B18428F7F7713D1851F23
SHA256: 06453319ED3BD3FA04DA6B9D1C2ADA5EB445E1E0A878C0EB3AF54F751DACE513
PID: 6512 | Process: QHAccount.exe | Filename: C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\readme.blacksuit.txt | Type: text
MD5: B998D433168B18428F7F7713D1851F23
SHA256: 06453319ED3BD3FA04DA6B9D1C2ADA5EB445E1E0A878C0EB3AF54F751DACE513
PID: 6512 | Process: QHAccount.exe | Filename: C:\bootTel.dat | Type: binary
MD5: 2D7D95519FA17E8DE41CBD185B0B2F53
SHA256: 225F285CDB66B0B88E14E82830B55FF29E2383171D1F874A29C56F7822BF8587
PID: 6512 | Process: QHAccount.exe | Filename: C:\ProgramData\PLUG\readme.blacksuit.txt | Type: text
MD5: B998D433168B18428F7F7713D1851F23
SHA256: 06453319ED3BD3FA04DA6B9D1C2ADA5EB445E1E0A878C0EB3AF54F751DACE513
PID: 6512 | Process: QHAccount.exe | Filename: C:\ProgramData\Oracle\readme.blacksuit.txt | Type: text
MD5: B998D433168B18428F7F7713D1851F23
SHA256: 06453319ED3BD3FA04DA6B9D1C2ADA5EB445E1E0A878C0EB3AF54F751DACE513
PID: 6512 | Process: QHAccount.exe | Filename: C:\ProgramData\Microsoft\DeviceSync\readme.blacksuit.txt | Type: text
MD5: B998D433168B18428F7F7713D1851F23
SHA256: 06453319ED3BD3FA04DA6B9D1C2ADA5EB445E1E0A878C0EB3AF54F751DACE513
PID: 6512 | Process: QHAccount.exe | Filename: C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\profile_count_308046B0AF4A39CB.json.blacksuit | Type: binary
MD5: 230B8EF39777A9227EC20D17AF69C697
SHA256: 45E9C1A29F505E58BEAAE02B7F54F4C03042C3D2A4A240A537EA0AE058FCBDEC
PID: 6512 | Process: QHAccount.exe | Filename: C:\Users\admin\readme.blacksuit.txt | Type: text
MD5: B998D433168B18428F7F7713D1851F23
SHA256: 06453319ED3BD3FA04DA6B9D1C2ADA5EB445E1E0A878C0EB3AF54F751DACE513
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
47
DNS requests
11
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5336
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
5336
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3888
svchost.exe
239.255.255.250:1900
whitelisted
4056
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4
System
192.168.100.255:138
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
2088
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
6512
QHAccount.exe
192.168.100.2:445
whitelisted
6512
QHAccount.exe
192.168.100.1:445
unknown
4
System
192.168.100.2:445
whitelisted
4
System
192.168.100.255:137
whitelisted
5336
SearchApp.exe
88.221.221.129:443
www.bing.com
Akamai International B.V.
DE
unknown

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.206.78
whitelisted
www.bing.com
  • 88.221.221.129
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
th.bing.com
  • 88.221.221.120
whitelisted
r.bing.com
  • 88.221.221.115
whitelisted
browser.pipe.aria.microsoft.com
  • 52.182.143.211
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
slscr.update.microsoft.com
  • 40.68.123.157
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.166.126.56
whitelisted

Threats

No threats detected
No debug info