qebubk.exe

Sensei

The executable qebubk.exe has been detected as malware by 33 anti-virus scanners. It is set to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name ‘Qebubk’. According to Microsoft Security Essentials, this Dorkbot IRC-based worm is designed to capture user names and passwords by intercepting your network traffic, and it can block websites related to security updates. It can also be used to launch denial of service (DoS) attacks.
Publisher:
Sensei

Description:
Master

Version:
5.7.2.2

MD5:
5b9c3ffa457d829d0aa2781180540cfb

SHA-1:
ec2780dc6cf517579ea66ae56117d12bf466d83a

SHA-256:
115e44e0af69b60235806a9ae455753b1a7250bed8b0385c1965777ceaa3907e

Scanner detections:
33 / 68

Status:
Malware

Analysis date:
5/7/2024 7:51:22 PM UTC

Scan engine                    Detection                      Engine version
Lavasoft Ad-Aware              Trojan.GenericKDZ.20547        1137
Agnitum Outpost                Backdoor.Ruskill               7.1.1
AhnLab V3 Security             Trojan/Win32.Inject            2013.12.04
Avira AntiVirus                TR/Dorkbot.192512.63           7.11.117.156
avast!                         Win32:Malware-gen              2014.9-131225
AVG                            Dropper.Generic8               2014.0.3615
Baidu Antivirus                Backdoor.Win32.Ruskill         4.0.3.131225
Bitdefender                    Trojan.GenericKDZ.20547        1.0.20.1795
Bkav FE                        W32.ArtemitDorkbotC.Trojan     1.3.0.4562
Comodo Security                UnclassifiedMalware            17379
Dr.Web                         BackDoor.IRC.NgrBot.418        9.0.1.0359
Emsisoft Anti-Malware          Trojan.GenericKDZ.20547        8.13.12.25.10
ESET NOD32                     Win32/Dorkbot                  7.9126
Fortinet FortiGate             W32/Ruskill.VBF!tr.bdr         12/25/2013
F-Secure                       Trojan.GenericKDZ.20547        11.2013-25-12_4
G Data                         Trojan.GenericKDZ.20547        13.12.22
IKARUS anti.virus              Virus.Win32.DelfInject         t3scan.2.2.29
K7 AntiVirus                   Trojan                         13.174.10396
Kaspersky                      Backdoor.Win32.Ruskill         14.0.0.4568
Malwarebytes                   Backdoor.IRCBot                v2013.12.25.10
McAfee                         RDN/Generic BackDoor!pm        5600.7271
Microsoft Security Essentials  Worm:Win32/Dorkbot.A           1.163.1557.0
MicroWorld eScan               Trojan.GenericKDZ.20547        14.0.0.1077
NANO AntiVirus                 Trojan.Win32.Ruskill.btowyc    0.28.0.56582
Norman                         Suspicious_Gen4.ECONE          11.20131225
nProtect                       Backdoor/W32.Ruskill.190976.B  13.12.03.01
Panda Antivirus                Trj/Dtcontx.E                  13.12.25.10
Quick Heal                     Backdoor.Ruskill.vbf           12.13.12.00
Sophos                         W32/Dorkbot-GZ                 4.95
Trend Micro House Call         WORM_DORKBOT.AO                7.2.359
Trend Micro                    WORM_DORKBOT.AO                10.465.25
Vba32 AntiVirus                Worm.Luder                     3.12.24.3
VIPRE Antivirus                Trojan.Win32.Generic           23978

File size:
186.5 KB (190,976 bytes)

Product version:
5.7.2.2

Trademarks:
Sensei

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\qebubk.exe

File PE Metadata
Compilation timestamp:
6/19/1992 3:22:17 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
3072:+7Ho41k+15MAW31Tj49T7TLXglYeGTpvbhasnDt9NW6ZF3VOgHn0WyU+fhRZVMS+:+rt6FF453zgl4pNasjlFOgH0mKRz7jtM

Entry address:
0x7CF0

Entry point:
55, 8B, EC, 83, C4, F0, B8, A0, 7C, 40, 00, E8, 4C, B9, FF, FF, B8, 3C, 7D, 40, 00, E8, EA, C2, FF, FF, 8B, 15, AC, 81, 40, 00, 89, 02, 8B, 15, AC, 81, 40, 00, 8B, 12, A1, B0, 81, 40, 00, E8, 14, FC, FF, FF, A1, AC, 81, 40, 00, E8, D2, DF, FF, FF, E8, 79, B1, FF, FF, 00, FF, FF, FF, FF, 06, 00, 00, 00, 53, 68, 61, 61, 61, 61, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
7.6211

Code size:
27.5 KB (28,160 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Qebubk

Command:
C:\users\{user}\appdata\roaming\qebubk.exe


Remove qebubk.exe - Powered by Reason Core Security