General
Static task
static1
URLScan task
urlscan1
Sample
https://yadi.sk/d/LLgD0R6wU1SSLg
Malware Config
Extracted
Path
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..l-keyboard-00000445\1\Information.txt
Family
qulab
Ransom Note
# /===============================\
# |=== QULAB CLIPPER + STEALER ===|
# |===============================|
# |==== BUY CLIPPER + STEALER ====|
# |=== http://teleg.run/QulabZ ===|
# \===============================/
Date: 10.12.2021, 12:03:25
OS: Windows 10 X64 / Build: 15063
UserName: Admin
ComputerName: EZNBLWLT
Processor: Intel Core Processor (Broadwell)
VideoCard: Microsoft Basic Display Adapter
Memory: 4.00 Gb
KeyBoard Layout ID: 00000409
Resolution: 1280x720x32, 64 GHz
Other Information:
<error>
Soft / Windows Components / Windows Updates:
- Google Chrome
- Java Auto Updater
- Adobe Acrobat Reader DC
- Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030
- Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40660
- Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.21.27702
Process List:
- [System Process] / PID: 0
- System / PID: 4
- smss.exe / PID: 344
- csrss.exe / PID: 424
- wininit.exe / PID: 496
- csrss.exe / PID: 504
- winlogon.exe / PID: 560
- services.exe / PID: 636
- lsass.exe / PID: 644
- svchost.exe / PID: 728
- fontdrvhost.exe / PID: 752
- fontdrvhost.exe / PID: 748
- svchost.exe / PID: 768
- svchost.exe / PID: 860
- svchost.exe / PID: 908
- dwm.exe / PID: 996
- svchost.exe / PID: 304
- svchost.exe / PID: 412
- svchost.exe / PID: 696
- svchost.exe / PID: 932
- svchost.exe / PID: 1052
- svchost.exe / PID: 1112
- svchost.exe / PID: 1144
- svchost.exe / PID: 1184
- svchost.exe / PID: 1192
- svchost.exe / PID: 1280
- svchost.exe / PID: 1376
- svchost.exe / PID: 1392
- svchost.exe / PID: 1400
- svchost.exe / PID: 1456
- svchost.exe / PID: 1464
- svchost.exe / PID: 1544
- svchost.exe / PID: 1600
- svchost.exe / PID: 1652
- svchost.exe / PID: 1672
- svchost.exe / PID: 1680
- svchost.exe / PID: 1788
- svchost.exe / PID: 1804
- svchost.exe / PID: 1820
- spoolsv.exe / PID: 1980
- svchost.exe / PID: 1248
- svchost.exe / PID: 2072
- audiodg.exe / PID: 2204
- svchost.exe / PID: 2244
- svchost.exe / PID: 2300
- svchost.exe / PID: 2316
- svchost.exe / PID: 2348
- OfficeClickToRun.exe / PID: 2356
- svchost.exe / PID: 2420
- svchost.exe / PID: 2428
- svchost.exe / PID: 2472
- svchost.exe / PID: 2508
- svchost.exe / PID: 2692
- sihost.exe / PID: 2852
- svchost.exe / PID: 2872
- taskhostw.exe / PID: 2984
- explorer.exe / PID: 2760
- ShellExperienceHost.exe / PID: 3288
- SearchUI.exe / PID: 3300
- RuntimeBroker.exe / PID: 3512
- dllhost.exe / PID: 3784
- dllhost.exe / PID: 368
- svchost.exe / PID: 2028
- svchost.exe / PID: 508
- svchost.exe / PID: 1204
- sppsvc.exe / PID: 2568
- svchost.exe / PID: 3496
- chrome.exe / PID: 3264
- WmiPrvSE.exe / PID: 3280
- WmiPrvSE.exe / PID: 1884
- svchost.exe / PID: 2228
- dpnet.exe / PID: 3960
- dllhost.exe / PID: 2080
URLs
http://teleg.run/QulabZ
Targets
Target
https://yadi.sk/d/LLgD0R6wU1SSLg
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
Executes dropped EXE
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
autoit_exe
AutoIT scripts compiled to PE executables.