qulab | a2b6b39830f2f48c9d4fd744160cf1a13a50b72a7ed4bf68f539dd0315418ac8

Analysis

max time kernel
143s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
01-05-2022 23:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2b6b39830f2f48c9d4fd744160cf1a13a50b72a7ed4bf68f539dd0315418ac8.exe
Size

3.4MB
MD5

792c7a9c3321bf6921c7e8b7ac042487
SHA1

65d77e31774552577375822302cc2c002f58100d
SHA256

a2b6b39830f2f48c9d4fd744160cf1a13a50b72a7ed4bf68f539dd0315418ac8
SHA512

ed165e4b54e4678de04eaef2e8ae1fa9e0fd711ccfe3c65523c02b7127c7d210a64736052915408f0292638fbc07ed62636023b3bd87a9029b5aa8520815dca1

Score

10^/10

qulab discovery evasion spyware stealer upx

Malware Config

Signatures

Qulab Stealer & Clipper
Infostealer and clipper created with AutoIt.
stealer qulab

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0008000000022e43-145.dat	acprotect
behavioral2/files/0x0008000000022e43-146.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
5040	Storprop.module.exe

Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000022e43-145.dat	upx
behavioral2/files/0x0008000000022e43-146.dat	upx
behavioral2/files/0x0007000000022e52-148.dat	upx
behavioral2/files/0x0007000000022e52-149.dat	upx

Loads dropped DLL 2 IoCs

pid	Process
4404	Storprop.exe
4404	Storprop.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
71	ipapi.co
72	ipapi.co

AutoIT Executable 7 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/4848-135-0x0000000000400000-0x000000000077E000-memory.dmp	autoit_exe
behavioral2/memory/4848-136-0x0000000000400000-0x000000000077E000-memory.dmp	autoit_exe
behavioral2/memory/4848-137-0x0000000000400000-0x000000000077E000-memory.dmp	autoit_exe
behavioral2/memory/4848-138-0x0000000000400000-0x000000000077E000-memory.dmp	autoit_exe
behavioral2/memory/4404-142-0x0000000000400000-0x000000000077E000-memory.dmp	autoit_exe
behavioral2/memory/4404-143-0x0000000000400000-0x000000000077E000-memory.dmp	autoit_exe
behavioral2/memory/4404-144-0x0000000000400000-0x000000000077E000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2288 set thread context of 4848	2288	a2b6b39830f2f48c9d4fd744160cf1a13a50b72a7ed4bf68f539dd0315418ac8.exe	99
PID 2216 set thread context of 4404	2216	Storprop.exe	102

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\winmgmts:\localhost\	Storprop.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\	a2b6b39830f2f48c9d4fd744160cf1a13a50b72a7ed4bf68f539dd0315418ac8.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4404	Storprop.exe
4404	Storprop.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4848	a2b6b39830f2f48c9d4fd744160cf1a13a50b72a7ed4bf68f539dd0315418ac8.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2288	a2b6b39830f2f48c9d4fd744160cf1a13a50b72a7ed4bf68f539dd0315418ac8.exe
Token: SeDebugPrivilege	2216	Storprop.exe
Token: SeRestorePrivilege	5040	Storprop.module.exe
Token: 35	5040	Storprop.module.exe
Token: SeSecurityPrivilege	5040	Storprop.module.exe
Token: SeSecurityPrivilege	5040	Storprop.module.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 4848	2288	a2b6b39830f2f48c9d4fd744160cf1a13a50b72a7ed4bf68f539dd0315418ac8.exe	99
PID 2288 wrote to memory of 4848	2288	a2b6b39830f2f48c9d4fd744160cf1a13a50b72a7ed4bf68f539dd0315418ac8.exe	99
PID 2288 wrote to memory of 4848	2288	a2b6b39830f2f48c9d4fd744160cf1a13a50b72a7ed4bf68f539dd0315418ac8.exe	99
PID 2288 wrote to memory of 4848	2288	a2b6b39830f2f48c9d4fd744160cf1a13a50b72a7ed4bf68f539dd0315418ac8.exe	99
PID 2288 wrote to memory of 4848	2288	a2b6b39830f2f48c9d4fd744160cf1a13a50b72a7ed4bf68f539dd0315418ac8.exe	99
PID 2288 wrote to memory of 4848	2288	a2b6b39830f2f48c9d4fd744160cf1a13a50b72a7ed4bf68f539dd0315418ac8.exe	99
PID 2288 wrote to memory of 4848	2288	a2b6b39830f2f48c9d4fd744160cf1a13a50b72a7ed4bf68f539dd0315418ac8.exe	99
PID 2288 wrote to memory of 4848	2288	a2b6b39830f2f48c9d4fd744160cf1a13a50b72a7ed4bf68f539dd0315418ac8.exe	99
PID 2288 wrote to memory of 4848	2288	a2b6b39830f2f48c9d4fd744160cf1a13a50b72a7ed4bf68f539dd0315418ac8.exe	99
PID 2288 wrote to memory of 4848	2288	a2b6b39830f2f48c9d4fd744160cf1a13a50b72a7ed4bf68f539dd0315418ac8.exe	99
PID 4848 wrote to memory of 2216	4848	a2b6b39830f2f48c9d4fd744160cf1a13a50b72a7ed4bf68f539dd0315418ac8.exe	101
PID 4848 wrote to memory of 2216	4848	a2b6b39830f2f48c9d4fd744160cf1a13a50b72a7ed4bf68f539dd0315418ac8.exe	101
PID 4848 wrote to memory of 2216	4848	a2b6b39830f2f48c9d4fd744160cf1a13a50b72a7ed4bf68f539dd0315418ac8.exe	101
PID 2216 wrote to memory of 4404	2216	Storprop.exe	102
PID 2216 wrote to memory of 4404	2216	Storprop.exe	102
PID 2216 wrote to memory of 4404	2216	Storprop.exe	102
PID 2216 wrote to memory of 4404	2216	Storprop.exe	102
PID 2216 wrote to memory of 4404	2216	Storprop.exe	102
PID 2216 wrote to memory of 4404	2216	Storprop.exe	102
PID 2216 wrote to memory of 4404	2216	Storprop.exe	102
PID 2216 wrote to memory of 4404	2216	Storprop.exe	102
PID 2216 wrote to memory of 4404	2216	Storprop.exe	102
PID 2216 wrote to memory of 4404	2216	Storprop.exe	102
PID 4404 wrote to memory of 5040	4404	Storprop.exe	104
PID 4404 wrote to memory of 5040	4404	Storprop.exe	104
PID 4404 wrote to memory of 5040	4404	Storprop.exe	104
PID 4404 wrote to memory of 2704	4404	Storprop.exe	106
PID 4404 wrote to memory of 2704	4404	Storprop.exe	106
PID 4404 wrote to memory of 2704	4404	Storprop.exe	106
PID 4404 wrote to memory of 3456	4404	Storprop.exe	107
PID 4404 wrote to memory of 3456	4404	Storprop.exe	107
PID 4404 wrote to memory of 3456	4404	Storprop.exe	107
PID 4404 wrote to memory of 2676	4404	Storprop.exe	109
PID 4404 wrote to memory of 2676	4404	Storprop.exe	109
PID 4404 wrote to memory of 2676	4404	Storprop.exe	109

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
2676	attrib.exe
3456	attrib.exe

C:\Users\Admin\AppData\Local\Temp\a2b6b39830f2f48c9d4fd744160cf1a13a50b72a7ed4bf68f539dd0315418ac8.exe
"C:\Users\Admin\AppData\Local\Temp\a2b6b39830f2f48c9d4fd744160cf1a13a50b72a7ed4bf68f539dd0315418ac8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Users\Admin\AppData\Local\Temp\a2b6b39830f2f48c9d4fd744160cf1a13a50b72a7ed4bf68f539dd0315418ac8.exe
  "C:\Users\Admin\AppData\Local\Temp\a2b6b39830f2f48c9d4fd744160cf1a13a50b72a7ed4bf68f539dd0315418ac8.exe"
  2⤵
  - NTFS ADS
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\Storprop.exe
    C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\Storprop.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2216
  - - C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\Storprop.exe
      "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\Storprop.exe"
      4⤵
      Loads dropped DLL
      NTFS ADS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4404
    - - C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\Storprop.module.exe
        
        C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\Storprop.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\ENU_688FE972402C836E9D41.7z" "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\ABC\*"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5040
    - - C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\Storprop.exe
        
        C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\Storprop.exe
        5⤵
        
        PID:2704
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith"
        5⤵
        Views/modifies file attributes
        
        PID:3456
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith"
        5⤵
        Views/modifies file attributes
        
        PID:2676

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\Storprop.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\Storprop.exe
1⤵
PID:2872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Storprop.exe.log

Filesize
1KB

MD5
7ebe314bf617dc3e48b995a6c352740c

SHA1
538f643b7b30f9231a3035c448607f767527a870

SHA256
48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

SHA512
0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\ABC\Desktop TXT Files\ts\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\ABC\Desktop TXT Files\ts\CompareBackup.txt

Filesize
676KB

MD5
8bdc403789c438d253a619f4ec81d7dd

SHA1
c512788f3561612d2b34315f93766154dedcda4b

SHA256
c651ca47756f82cca0b1fdeaf452d753a710eb090ab565782c65aa101051476d

SHA512
de4b5019001489692c6fe70ca3c16310c8c726873aa569bac966dbea541feeb129db393da5c25c590c90b2ad29a97dfec08d5dff9bb8f1c8355767e49aa54993

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\ABC\Desktop TXT Files\ts\Files.docx

Filesize
11KB

MD5
4a8fbd593a733fc669169d614021185b

SHA1
166e66575715d4c52bcb471c09bdbc5a9bb2f615

SHA256
714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42

SHA512
6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\ABC\Desktop TXT Files\ts\Opened.docx

Filesize
11KB

MD5
bfbc1a403197ac8cfc95638c2da2cf0e

SHA1
634658f4dd9747e87fa540f5ba47e218acfc8af2

SHA256
272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6

SHA512
b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\ABC\Desktop TXT Files\ts\Recently.docx

Filesize
11KB

MD5
3b068f508d40eb8258ff0b0592ca1f9c

SHA1
59ac025c3256e9c6c86165082974fe791ff9833a

SHA256
07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7

SHA512
e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\ABC\Desktop TXT Files\ts\RemoveInstall.xlsx

Filesize
1.2MB

MD5
0a4303651e5c5aeca49cb008f5521ce4

SHA1
527fe0ef0537c811de8d8ba083084d2d353fdfcf

SHA256
990af4bc05a06d00ff27c302dcdd2aaeede6877fe6834915bd7110b0b73739e2

SHA512
449db15aea490e463ba07bfcaa0c02492d7b583826c3d973bdfada6158052f295e9c49ed8f86456e974a0da70ac33288b81d3e94a5db59efe18a3f5a67a65808

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\ABC\Desktop TXT Files\ts\SaveShow.txt

Filesize
780KB

MD5
2c4ce54530dd33491de30966f61b84e5

SHA1
42e5ee535074b10f32a1d3ad9d545398c9daa244

SHA256
c185c71b02c65d8da7a4fb152929ae0901dbbc2ecd20bbaed562c0d584b66153

SHA512
1855e469169b0802f10e32a4d366719536c5133326f906f9cc2624a78229cede9c5e3b43e74ebf818a3ed4e7cb58307b4c3959db8c01527bc45930106f5527e3

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\ABC\Desktop TXT Files\ts\These.docx

Filesize
11KB

MD5
87cbab2a743fb7e0625cc332c9aac537

SHA1
50f858caa7f4ac3a93cf141a5d15b4edeb447ee7

SHA256
57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023

SHA512
6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\ABC\Information.txt

Filesize
3KB

MD5
49ccf820e498960cde41bf9e4d85cd5e

SHA1
12599f26e57a26d5807e564bfd3598b232cedd64

SHA256
87ca65510cab4eb3e874587b96532b866c5b78ebffa09ebfb268a10b061c3bb3

SHA512
612ae76943143c75262b21cfbcd7671b043c155e431504b72c2ef8e23273f5ef4ea2bcfc65bbc594bcb151f49955a4dd441a533a3c2385177192b932af4be35a

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\ABC\Screen.jpg

Filesize
49KB

MD5
ec5222e0aeb03ed81a2674aa19b9200b

SHA1
d85673c0dd441d69d0dee9d5e490504e4467ab42

SHA256
4dba8122686d8d3ba883b50ae991917abd5a285f4976dc19c26ad3a57e96c5fc

SHA512
3df4ced82400a66a6d8dfe49a99d545de37e4f672770499750e1b081ee314a7c7b4f99092f3f4f662a8c9e8c018abcf958c4fe5bc4427bb5397ae93bcae348f7

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\Storprop.module.exe

Filesize
197KB

MD5
946285055913d457fda78a4484266e96

SHA1
668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285

SHA256
23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb

SHA512
30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\Storprop.module.exe

Filesize
197KB

MD5
946285055913d457fda78a4484266e96

SHA1
668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285

SHA256
23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb

SHA512
30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\Storprop.sqlite3.module.dll

Filesize
360KB

MD5
8c127ce55bfbb55eb9a843c693c9f240

SHA1
75c462c935a7ff2c90030c684440d61d48bb1858

SHA256
4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028

SHA512
d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-openwith\Storprop.sqlite3.module.dll

Filesize
360KB

MD5
8c127ce55bfbb55eb9a843c693c9f240

SHA1
75c462c935a7ff2c90030c684440d61d48bb1858

SHA256
4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028

SHA512
d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02

Download Submit
memory/2288-131-0x0000000005320000-0x00000000058C4000-memory.dmp

Filesize
5.6MB

Download
memory/2288-132-0x0000000004E10000-0x0000000004EA2000-memory.dmp

Filesize
584KB

Download
memory/2288-133-0x0000000004DB0000-0x0000000004DBA000-memory.dmp

Filesize
40KB

Download
memory/2288-130-0x0000000000080000-0x00000000003E4000-memory.dmp

Filesize
3.4MB

Download
memory/4404-144-0x0000000000400000-0x000000000077E000-memory.dmp

Filesize
3.5MB

Download
memory/4404-142-0x0000000000400000-0x000000000077E000-memory.dmp

Filesize
3.5MB

Download
memory/4404-143-0x0000000000400000-0x000000000077E000-memory.dmp

Filesize
3.5MB

Download
memory/4848-138-0x0000000000400000-0x000000000077E000-memory.dmp

Filesize
3.5MB

Download
memory/4848-137-0x0000000000400000-0x000000000077E000-memory.dmp

Filesize
3.5MB

Download
memory/4848-136-0x0000000000400000-0x000000000077E000-memory.dmp

Filesize
3.5MB

Download
memory/4848-135-0x0000000000400000-0x000000000077E000-memory.dmp

Filesize
3.5MB

Download