General

  • Target

    f0e9e44c5e6baee47e3f6d946155c305c3175c8150d948120b7ca2d393df2a33

  • Size

    2.7MB

  • Sample

    210518-4arfgah6sa

  • MD5

    4db32a31b88adc5bc8148cb870341e22

  • SHA1

    3c2ed928dce81f21baa9461eed865ae8d5235517

  • SHA256

    f0e9e44c5e6baee47e3f6d946155c305c3175c8150d948120b7ca2d393df2a33

  • SHA512

    5eb34d89d94b28789a60f1e57cded29c447d65e197c3c53cbf84362a9fd688441e45023a158844ef98eaf39d2c9fdf0e64f0f8992dcbb164a2284400d7082e83

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-security-ngc-ctnrsvc\1\Information.txt

Family

qulab

Ransom Note

# /===============================\
# |=== QULAB CLIPPER + STEALER ===|
# |===============================|
# |==== BUY CLIPPER + STEALER ====|
# |=== http://teleg.run/QulabZ ===|
# \===============================/
Date: 19.05.2021, 00:57:27
Main Information:
- OS: Windows 7 X64 / Build: 7601
- UserName: Admin
- ComputerName: QWOCTUPM
- Processor: Persocon Processor 2.5+
- VideoCard: Standard VGA Graphics Adapter
- Memory: 0.50 Gb
- KeyBoard Layout ID: 00020409
- Resolution: 1280x720x32, 1 GHz
Other Information: <error>
Soft / Windows Components / Windows Updates:
- Adobe AIR
- Google Chrome
- Microsoft Office Professional Plus 2010
- Adobe AIR
- Microsoft Office Professional Plus 2010
- Microsoft Office Access MUI (English) 2010
- Microsoft Office Excel MUI (English) 2010
- Microsoft Office PowerPoint MUI (English) 2010
- Microsoft Office Publisher MUI (English) 2010
- Microsoft Office Outlook MUI (English) 2010
- Microsoft Office Word MUI (English) 2010
- Microsoft Office Proof (English) 2010
- Microsoft Office Proof (French) 2010
- Microsoft Office Proof (Spanish) 2010
- Microsoft Office Proofing (English) 2010
- Microsoft Office InfoPath MUI (English) 2010
- Microsoft Office Shared MUI (English) 2010
- Microsoft Office OneNote MUI (English) 2010
- Microsoft Office Groove MUI (English) 2010
- Microsoft Office Shared Setup Metadata MUI (English) 2010
- Microsoft Office Access Setup Metadata MUI (English) 2010
- Update for Microsoft .NET Framework 4.7.2 (KB4087364)
- Adobe Reader 9
- Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030
- Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40660
- Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.21.27702
Process List:
- [System Process] / PID: 0
- System / PID: 4
- smss.exe / PID: 260
- csrss.exe / PID: 332
- wininit.exe / PID: 372
- csrss.exe / PID: 384
- winlogon.exe / PID: 420
- services.exe / PID: 464
- lsass.exe / PID: 480
- lsm.exe / PID: 488
- svchost.exe / PID: 580
- svchost.exe / PID: 664
- svchost.exe / PID: 728
- svchost.exe / PID: 804
- svchost.exe / PID: 844
- svchost.exe / PID: 872
- svchost.exe / PID: 292
- spoolsv.exe / PID: 108
- svchost.exe / PID: 1092
- taskhost.exe / PID: 1104
- dwm.exe / PID: 1180
- explorer.exe / PID: 1212
- WMIADAP.exe / PID: 2024
- svchost.exe / PID: 2028
- sppsvc.exe / PID: 1172
- WmiPrvSE.exe / PID: 688
- / PID: 1780

URLs

http://teleg.run/QulabZ

Extracted

Path

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-security-ngc-ctnrsvc\1\Information.txt

Family

qulab

Ransom Note

# /===============================\
# |=== QULAB CLIPPER + STEALER ===|
# |===============================|
# |==== BUY CLIPPER + STEALER ====|
# |=== http://teleg.run/QulabZ ===|
# \===============================/
Date: 18.05.2021, 22:49:30
Main Information:
- OS: Windows 10 X64 / Build: 15063
- UserName: Admin
- ComputerName: RJMQBVDN
- Processor: Persocon Processor 2.5+
- VideoCard: Microsoft Basic Display Adapter
- Memory: 1.00 Gb
- KeyBoard Layout ID: 00000409
- Resolution: 1280x720x32, 64 GHz
Other Information: <error>
Soft / Windows Components / Windows Updates:
- Google Chrome
- Java Auto Updater
- Adobe Acrobat Reader DC
- Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030
- Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40660
- Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.21.27702
Process List:
- [System Process] / PID: 0
- System / PID: 4
- smss.exe / PID: 316
- csrss.exe / PID: 400
- wininit.exe / PID: 472
- csrss.exe / PID: 480
- winlogon.exe / PID: 544
- services.exe / PID: 612
- lsass.exe / PID: 620
- fontdrvhost.exe / PID: 700
- fontdrvhost.exe / PID: 704
- svchost.exe / PID: 720
- svchost.exe / PID: 792
- svchost.exe / PID: 840
- svchost.exe / PID: 880
- dwm.exe / PID: 976
- svchost.exe / PID: 284
- svchost.exe / PID: 388
- svchost.exe / PID: 608
- svchost.exe / PID: 936
- svchost.exe / PID: 808
- svchost.exe / PID: 1100
- svchost.exe / PID: 1156
- svchost.exe / PID: 1216
- svchost.exe / PID: 1256
- svchost.exe / PID: 1264
- svchost.exe / PID: 1328
- svchost.exe / PID: 1408
- svchost.exe / PID: 1424
- svchost.exe / PID: 1464
- svchost.exe / PID: 1476
- svchost.exe / PID: 1532
- svchost.exe / PID: 1612
- svchost.exe / PID: 1628
- svchost.exe / PID: 1712
- svchost.exe / PID: 1736
- svchost.exe / PID: 1760
- svchost.exe / PID: 1784
- svchost.exe / PID: 1944
- spoolsv.exe / PID: 2020
- svchost.exe / PID: 2056
- svchost.exe / PID: 2064
- svchost.exe / PID: 2132
- audiodg.exe / PID: 2204
- svchost.exe / PID: 2336
- svchost.exe / PID: 2348
- svchost.exe / PID: 2376
- sihost.exe / PID: 2404
- svchost.exe / PID: 2416
- svchost.exe / PID: 2556
- OfficeClickToRun.exe / PID: 2576
- svchost.exe / PID: 2588
- svchost.exe / PID: 2612
- svchost.exe / PID: 2636
- svchost.exe / PID: 2660
- taskhostw.exe / PID: 2708
- explorer.exe / PID: 3008
- ShellExperienceHost.exe / PID: 3212
- SearchUI.exe / PID: 3228
- RuntimeBroker.exe / PID: 3528
- dllhost.exe / PID: 3784
- dllhost.exe / PID: 1732
- svchost.exe / PID: 3864
- WmiPrvSE.exe / PID: 3620
- sppsvc.exe / PID: 4092
- WMIADAP.exe / PID: 3452
- svchost.exe / PID: 1796
- WmiPrvSE.exe / PID: 636
- svchost.exe / PID: 1132
- svchost.exe / PID: 1820
- dllhost.exe / PID: 2088
- kbd101a.exe / PID: 2752

URLs

http://teleg.run/QulabZ

Targets

    • Target

      f0e9e44c5e6baee47e3f6d946155c305c3175c8150d948120b7ca2d393df2a33

    • Size

      2.7MB

    • MD5

      4db32a31b88adc5bc8148cb870341e22

    • SHA1

      3c2ed928dce81f21baa9461eed865ae8d5235517

    • SHA256

      f0e9e44c5e6baee47e3f6d946155c305c3175c8150d948120b7ca2d393df2a33

    • SHA512

      5eb34d89d94b28789a60f1e57cded29c447d65e197c3c53cbf84362a9fd688441e45023a158844ef98eaf39d2c9fdf0e64f0f8992dcbb164a2284400d7082e83

    • Qulab Stealer & Clipper

      Infostealer and clipper created with AutoIt.

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Executes dropped EXE

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks