Analysis

  • max time kernel
    124s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    01-02-2022 04:12

General

  • Target

    bc87f6ec38d359fdd4ddf35c345e4e82dc1235c3fc3e9fbb38df5ff778448375.exe

  • Size

    2.3MB

  • MD5

    a915fc346ed7e984e794aa9e0d497137

  • SHA1

    1590cc249c30218031844e22bfba50a135a9734d

  • SHA256

    bc87f6ec38d359fdd4ddf35c345e4e82dc1235c3fc3e9fbb38df5ff778448375

  • SHA512

    7b95af591e6a54f197a41a34cf3964eb6df85f57dbb658994b29fe3c531f957487cc5c9f6ae126f8f14e05a2ac857c15b528bbc62057b9ee0c53b486a2ba1a9a

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\1\Information.txt

Family

qulab

Ransom Note

(The "Ransom Note" label is the sandbox's generic field name. The extracted text is not a ransom demand; it is the stealer's system-information report, the Information.txt at the Path above, which the sample stages in the `1\` folder and then compresses with the dropped 7z module (see the process tree). The "Process List" at the end is the sandbox VM's own, and it includes the stealer process advpack.exe with PID 1212, the same PID that appears in the process tree, so the log was written after that process started.)

# /===============================\
# |=== QULAB CLIPPER + STEALER ===|
# |===============================|
# |==== BUY CLIPPER + STEALER ====|
# |=== http://teleg.run/QulabZ ===|
# \===============================/

Date: 01.02.2022, 04:12:36
OS: Windows 7 X64 / Build: 7601
UserName: Admin
ComputerName: VQVVOAJK
Processor: Intel Core Processor (Broadwell)
VideoCard: Standard VGA Graphics Adapter
Memory: 2.00 Gb
KeyBoard Layout ID: 00000409
Resolution: 1280x720x32, 1 GHz
Other Information: <error>

Soft / Windows Components / Windows Updates:
- Adobe AIR
- Google Chrome
- Microsoft Office Professional Plus 2010
- Adobe AIR
- Microsoft Office Professional Plus 2010
- Microsoft Office Access MUI (English) 2010
- Microsoft Office Excel MUI (English) 2010
- Microsoft Office PowerPoint MUI (English) 2010
- Microsoft Office Publisher MUI (English) 2010
- Microsoft Office Outlook MUI (English) 2010
- Microsoft Office Word MUI (English) 2010
- Microsoft Office Proof (English) 2010
- Microsoft Office Proof (French) 2010
- Microsoft Office Proof (Spanish) 2010
- Microsoft Office Proofing (English) 2010
- Microsoft Office InfoPath MUI (English) 2010
- Microsoft Office Shared MUI (English) 2010
- Microsoft Office OneNote MUI (English) 2010
- Microsoft Office Groove MUI (English) 2010
- Microsoft Office Shared Setup Metadata MUI (English) 2010
- Microsoft Office Access Setup Metadata MUI (English) 2010
- Update for Microsoft .NET Framework 4.7.2 (KB4087364)
- Adobe Reader 9
- Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030
- Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40660
- Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.21.27702

Process List:
- [System Process] / PID: 0
- System / PID: 4
- smss.exe / PID: 260
- csrss.exe / PID: 332
- wininit.exe / PID: 368
- csrss.exe / PID: 384
- winlogon.exe / PID: 420
- services.exe / PID: 464
- lsass.exe / PID: 480
- lsm.exe / PID: 488
- svchost.exe / PID: 580
- svchost.exe / PID: 660
- svchost.exe / PID: 748
- svchost.exe / PID: 796
- svchost.exe / PID: 832
- svchost.exe / PID: 868
- audiodg.exe / PID: 940
- svchost.exe / PID: 296
- spoolsv.exe / PID: 388
- svchost.exe / PID: 1056
- taskhost.exe / PID: 1116
- dwm.exe / PID: 1184
- explorer.exe / PID: 1248
- svchost.exe / PID: 2020
- sppsvc.exe / PID: 2036
- advpack.exe / PID: 1212
URLs

http://teleg.run/QulabZ

Signatures

  • Qulab Stealer & Clipper

    Infostealer and clipper created with AutoIt.

  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 1 IoCs
  • Sets file to hidden 1 TTPs

    Modifies file attributes to stop it showing in Explorer etc.

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this "likely ransomware behaviour", but nothing in this run shows file encryption or a ransom demand; for a stealer, drive enumeration is consistent with collecting files into the staging folder that is later archived (see the process tree).

  • NTFS ADS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bc87f6ec38d359fdd4ddf35c345e4e82dc1235c3fc3e9fbb38df5ff778448375.exe
    "C:\Users\Admin\AppData\Local\Temp\bc87f6ec38d359fdd4ddf35c345e4e82dc1235c3fc3e9fbb38df5ff778448375.exe"
    1⤵
    • NTFS ADS
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:1696
    • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe
      C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe
      2⤵
      • Loads dropped DLL
      • NTFS ADS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1212
      • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.module.exe
        C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\41646D696E565156564F414A4B57494E5F375836.7z" "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\1\*"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1240
      • C:\Windows\SysWOW64\attrib.exe
        attrib +s +h "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll"
        3⤵
        • Views/modifies file attributes
        PID:1548
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {61FEE486-0C0A-4344-90E8-36F540E580F6} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1828
    • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe
      C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe
      2⤵
      • Drops file in System32 directory
      PID:1712
    • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe
      C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe
      2⤵
      • Drops file in System32 directory
      PID:1640
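
Added triage example (not part of the sandbox report and not Qulab's own code). The process tree above shows advpack.module.exe run as `a -y -mx9 -ssw <archive> <dir>\*`, which is 7-Zip console syntax (`a` add to archive, `-y` answer yes to all prompts, `-mx9` ultra compression, `-ssw` compress files that are open for writing), so the dropped module is most plausibly a renamed 7-Zip binary; attrib.exe then marks the staging directory system and hidden. The archive name is a hex string. The script below decodes it, parses the field lines and process list of the extracted Information.txt, and checks two things against the report: that the decoded archive name starts with the victim's UserName and ComputerName, and that the stealer's own process (advpack.exe, PID 1212 in the tree) appears in the process list it wrote. The command lines are copied from the tree; the Information.txt excerpt is reconstructed from the Extracted section; all function names are the example's own.

```python
"""Triage helpers for the Qulab process tree and Information.txt shown in the report.
Added example: command lines are copied from the sandbox process tree, and the
Information.txt excerpt is reconstructed from the report's Extracted section."""
import ntpath
import re
import shlex

# Command lines from the process tree (PID 1240 and PID 1548).
CMDLINES = [
    r'C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.module.exe '
    r'a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\41646D696E565156564F414A4B57494E5F375836.7z" '
    r'"C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\1\*"',
    r'attrib +s +h "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll"',
]

# Excerpt of the extracted Information.txt (reconstructed from the report, not a full copy).
INFO_TXT = """\
Date: 01.02.2022, 04:12:36
OS: Windows 7 X64 / Build: 7601
UserName: Admin
ComputerName: VQVVOAJK
Memory: 2.00 Gb
Process List:
- [System Process] / PID: 0
- System / PID: 4
- explorer.exe / PID: 1248
- advpack.exe / PID: 1212
"""

SEVENZIP_SWITCHES = {"-y", "-mx9", "-ssw"}   # 7-Zip: yes to all, ultra compression, open-for-write files
PROC_RE = re.compile(r"-\s*(.+?)\s*/\s*PID:\s*(\d+)$")


def parse_info(text):
    """Split Information.txt into 'Key: value' fields plus a (name, pid) process list."""
    fields, procs, in_procs = {}, [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Process List:"):
            in_procs = True
        elif in_procs:
            m = PROC_RE.match(line)
            if m:
                procs.append((m.group(1), int(m.group(2))))
        elif ": " in line:
            key, value = line.split(": ", 1)
            fields[key.strip()] = value.strip()
    fields["processes"] = procs
    return fields


def decode_hex_name(stem):
    """The archive name is the hex encoding of an ASCII string; None if it is not hex/ASCII."""
    try:
        return bytes.fromhex(stem).decode("ascii")
    except ValueError:
        return None


def triage_cmdline(cmd):
    """Return (kind, path, decoded) findings for one command line from the process tree."""
    # posix=False keeps Windows backslashes intact; tokens keep their quotes, so strip them.
    toks = [t.strip('"') for t in shlex.split(cmd, posix=False)]
    exe = ntpath.basename(toks[0]).lower()
    findings = []
    # 7-Zip 'a' (add) verb with its switches: data being staged into an archive.
    if len(toks) > 1 and toks[1] == "a" and SEVENZIP_SWITCHES & set(toks):
        for arc in (t for t in toks if t.lower().endswith(".7z")):
            stem = ntpath.basename(arc)[:-3]
            findings.append(("7z-archive", arc, decode_hex_name(stem)))
    # attrib +s +h: hides the staging directory from Explorer and plain dir listings.
    if exe in ("attrib", "attrib.exe") and {"+s", "+h"} <= set(toks[1:-1]):
        findings.append(("hidden-system-dir", toks[-1], None))
    return findings


def triage(cmdlines=CMDLINES, info_text=INFO_TXT):
    """Correlate the process-tree findings with the stealer's own log."""
    info = parse_info(info_text)
    victim_prefix = info["UserName"] + info["ComputerName"]
    findings = [f for cmd in cmdlines for f in triage_cmdline(cmd)]
    return {
        # (archive path, decoded name, whether it starts with UserName + ComputerName)
        "archives": [(p, d, bool(d) and d.startswith(victim_prefix))
                     for k, p, d in findings if k == "7z-archive"],
        "hidden_dirs": [p for k, p, _ in findings if k == "hidden-system-dir"],
        # the stealer listed itself: advpack.exe with the same PID as in the process tree
        "self_in_process_list": [(n, pid) for n, pid in info["processes"] if n == "advpack.exe"],
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

The check relies only on the UserName and ComputerName prefix of the decoded name; the trailing OS tag is whatever the sample appended, and the script does not assume its format. On a real host the same two signals to hunt for are a `.7z` with an all-hex name under `%APPDATA%` and a directory there carrying both the system and hidden attributes.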

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\1\Information.txt

    MD5

    232462866c5390687e8a1782600d9aeb

    SHA1

    d70ea492e8902bc743977e7e0a7adac5c3538b56

    SHA256

    6bb158dc9b63f4df774008e58ef42c1c2f3a27a18bb1c0bc7cdbcc93a7e15114

    SHA512

    3cfcf4296ddd2867b1b9e0032bd9b31fdb5861e9e6a84b6fbd1ffd2f7bd4ebf54bf7d41235d7fb9c53f1fb8fff39ca551e1e80f84c4547d858623b9058c583cd

  • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\1\Screen.jpg

    MD5

    bf873cec1cb93c6a31153a44f2bd7386

    SHA1

    dccaa097d5cde6749f7f2ca662e2507e23eb87ff

    SHA256

    0e171cd72e69623177561d067a75ee3494e541a89e86ee58b578aa8d3ed549a3

    SHA512

    a4eca46253c31bb920e198bc927280c4823d0222c045719dbf9bc3d0dda19d923cb1f06f0f118020cdf79a3262b07c234ee5989587251b9286a260c7e2015ad6

  • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.module.exe

    MD5

    965119091c292c96af5011f40dae87a5

    SHA1

    85708f7bab07528f1b6e9dfbf64648189a513043

    SHA256

    1ad53eed4d91c6835551aa997399b6054cdf53bca33f103aec24afe46547186b

    SHA512

    244ef9a88308f9a1d738bb1fbf9f6125a4f25ef5665df85adff1985068f92a1d9714785eb63183fede6f1fd9c1420eecfa185a971c99ab835a8f9ea770d94629

  • \Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.module.exe

    MD5

    965119091c292c96af5011f40dae87a5

    SHA1

    85708f7bab07528f1b6e9dfbf64648189a513043

    SHA256

    1ad53eed4d91c6835551aa997399b6054cdf53bca33f103aec24afe46547186b

    SHA512

    244ef9a88308f9a1d738bb1fbf9f6125a4f25ef5665df85adff1985068f92a1d9714785eb63183fede6f1fd9c1420eecfa185a971c99ab835a8f9ea770d94629

  • \Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.sqlite3.module.dll

    MD5

    71000fc34d27d2016846743d1dcce548

    SHA1

    f75456389b8c0dd0398bb3d58f0b4745d862e1b5

    SHA256

    bbc7ca2b74fc5dd4118a11b633ab2ff6e2498f3734f24221d4cb09582f9d4e03

    SHA512

    d382d2c33c3c20f1dbed4874329b0d750be0fe36fe5fde53ceb6d6a173a5f8525a32e45e68befabe7a853ee9cab6e31028016f265d54bf3439ec92a7f76f9d0c

  • memory/1212-62-0x0000000002B90000-0x0000000002C30000-memory.dmp

    Filesize

    640KB

  • memory/1696-54-0x0000000076001000-0x0000000076003000-memory.dmp

    Filesize

    8KB