qulab | c7e5191b16640294ab397ba2287168307c8e727480ba9586565c9114536785fb

General

Target

c7e5191b16640294ab397ba2287168307c8e727480ba9586565c9114536785fb.exe
Size

1.8MB
MD5

8f0fd7568d9b36ec7b32b89a7e54a256
SHA1

2a682a60381d366bcbabadd58661d6525864752a
SHA256

c7e5191b16640294ab397ba2287168307c8e727480ba9586565c9114536785fb
SHA512

799187150e329f5815d72cf4dcc4bdd49e122ede1e8f480255b7ff0d722bb894b919f54a374d3e24019f22fd6f71108cc430fcfe8e664fb583d6be70f354fc89

Score

10^/10

qulab discovery evasion ransomware spyware stealer upx

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-wow64-legacy.resources\1\Information.txt

Family

qulab

Ransom Note

# /===============================\ # |=== QULAB CLIPPER + STEALER ===| # |===============================| # |==== BUY CLIPPER + STEALER ====| # |=== http://teleg.run/QulabZ ===| # \===============================/ Date: 07.05.2022, 23:35:35 Main Information: - OS: Windows 7 X64 / Build: 7601 - UserName: Admin - ComputerName: WYZSGDWS - Processor: Intel Core Processor (Broadwell) - VideoCard: Standard VGA Graphics Adapter - Memory: 2.00 Gb - KeyBoard Layout ID: 00000409 - Resolution: 1280x720x32, 1 GHz Other Information: <error> Soft / Windows Components / Windows Updates: - Adobe AIR - Google Chrome - Microsoft Office Professional Plus 2010 - Adobe AIR - Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 - Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.30.30704 - Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.30.30704 - Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.40660 - Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.40660 - Microsoft Office Professional Plus 2010 - Microsoft Office Access MUI (English) 2010 - Microsoft Office Excel MUI (English) 2010 - Microsoft Office PowerPoint MUI (English) 2010 - Microsoft Office Publisher MUI (English) 2010 - Microsoft Office Outlook MUI (English) 2010 - Microsoft Office Word MUI (English) 2010 - Microsoft Office Proof (English) 2010 - Microsoft Office Proof (French) 2010 - Microsoft Office Proof (Spanish) 2010 - Microsoft Office Proofing (English) 2010 - Microsoft Office InfoPath MUI (English) 2010 - Microsoft Office Shared MUI (English) 2010 - Microsoft Office OneNote MUI (English) 2010 - Microsoft Office Groove MUI (English) 2010 - Microsoft Office Shared Setup Metadata MUI (English) 2010 - Microsoft Office Access Setup Metadata MUI (English) 2010 - Update for Microsoft .NET Framework 4.7.2 (KB4087364) - Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 - Adobe Reader 9 - Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030 - Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030 - Microsoft Visual C++ 2022 X86 Additional Runtime - 14.30.30704 - Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 - Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.40660 - Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40660 - Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 - Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.30.30704 Process List: - [System Process] / PID: 0 - System / PID: 4 - smss.exe / PID: 260 - csrss.exe / PID: 332 - wininit.exe / PID: 368 - csrss.exe / PID: 380 - winlogon.exe / PID: 416 - services.exe / PID: 464 - lsass.exe / PID: 472 - lsm.exe / PID: 480 - svchost.exe / PID: 580 - svchost.exe / PID: 656 - svchost.exe / PID: 728 - svchost.exe / PID: 796 - svchost.exe / PID: 836 - svchost.exe / PID: 860 - svchost.exe / PID: 280 - spoolsv.exe / PID: 340 - svchost.exe / PID: 1052 - taskhost.exe / PID: 1112 - dwm.exe / PID: 1152 - explorer.exe / PID: 1188 - svchost.exe / PID: 2016 - sppsvc.exe / PID: 2040 - WMIADAP.exe / PID: 1536 - WmiPrvSE.exe / PID: 1960 - taskeng.exe / PID: 1496 - mciseq.exe / PID: 1232

URLs

http://teleg.run/QulabZ

Signatures

Qulab Stealer & Clipper
Infostealer and clipper created with AutoIt.
stealer qulab

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\wow64_microsoft-windows-wow64-legacy.resources\mciseq.sqlite3.module.dll	acprotect
\Users\Admin\AppData\Roaming\wow64_microsoft-windows-wow64-legacy.resources\mciseq.sqlite3.module.dll	acprotect

Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\wow64_microsoft-windows-wow64-legacy.resources\mciseq.sqlite3.module.dll	upx
\Users\Admin\AppData\Roaming\wow64_microsoft-windows-wow64-legacy.resources\mciseq.sqlite3.module.dll	upx
\Users\Admin\AppData\Roaming\wow64_microsoft-windows-wow64-legacy.resources\mciseq.module.exe	upx
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-wow64-legacy.resources\mciseq.module.exe	upx
\Users\Admin\AppData\Roaming\wow64_microsoft-windows-wow64-legacy.resources\mciseq.module.exe	upx

Loads dropped DLL 2 IoCs

Processes:

mciseq.exe

pid process

1232 mciseq.exe
1232 mciseq.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 ipapi.co
4 ipapi.co
Drops file in System32 directory 1 IoCs

Processes:

mciseq.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ mciseq.exe

pid	process
1232	mciseq.exe
1232	mciseq.exe

flow	ioc
7	ipapi.co
4	ipapi.co

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\winmgmts:\localhost\	mciseq.exe

NTFS ADS 2 IoCs

Processes:

mciseq.exec7e5191b16640294ab397ba2287168307c8e727480ba9586565c9114536785fb.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-wow64-legacy.resources\winmgmts:\localhost\	mciseq.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\	c7e5191b16640294ab397ba2287168307c8e727480ba9586565c9114536785fb.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

mciseq.exe

pid process

1232 mciseq.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

c7e5191b16640294ab397ba2287168307c8e727480ba9586565c9114536785fb.exe

pid process

324 c7e5191b16640294ab397ba2287168307c8e727480ba9586565c9114536785fb.exe

pid	process
1232	mciseq.exe

pid	process
324	c7e5191b16640294ab397ba2287168307c8e727480ba9586565c9114536785fb.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

c7e5191b16640294ab397ba2287168307c8e727480ba9586565c9114536785fb.exetaskeng.exe

description	pid	process	target process
PID 324 wrote to memory of 1004	324	c7e5191b16640294ab397ba2287168307c8e727480ba9586565c9114536785fb.exe	mciseq.exe
PID 324 wrote to memory of 1004	324	c7e5191b16640294ab397ba2287168307c8e727480ba9586565c9114536785fb.exe	mciseq.exe
PID 324 wrote to memory of 1004	324	c7e5191b16640294ab397ba2287168307c8e727480ba9586565c9114536785fb.exe	mciseq.exe
PID 324 wrote to memory of 1004	324	c7e5191b16640294ab397ba2287168307c8e727480ba9586565c9114536785fb.exe	mciseq.exe
PID 1496 wrote to memory of 1232	1496	taskeng.exe	mciseq.exe
PID 1496 wrote to memory of 1232	1496	taskeng.exe	mciseq.exe
PID 1496 wrote to memory of 1232	1496	taskeng.exe	mciseq.exe
PID 1496 wrote to memory of 1232	1496	taskeng.exe	mciseq.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

548 attrib.exe

pid	process
548	attrib.exe

C:\Users\Admin\AppData\Local\Temp\c7e5191b16640294ab397ba2287168307c8e727480ba9586565c9114536785fb.exe
"C:\Users\Admin\AppData\Local\Temp\c7e5191b16640294ab397ba2287168307c8e727480ba9586565c9114536785fb.exe"
1⤵
- NTFS ADS
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:324
- C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-wow64-legacy.resources\mciseq.exe
  C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-wow64-legacy.resources\mciseq.exe
  2⤵
  - NTFS ADS
  PID:1004

C:\Windows\system32\taskeng.exe
taskeng.exe {836912E7-120C-4017-89FD-86F98A84F0CA} S-1-5-21-1083475884-596052423-1669053738-1000:WYZSGDWS\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-wow64-legacy.resources\mciseq.exe
  C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-wow64-legacy.resources\mciseq.exe
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1232
- - C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-wow64-legacy.resources\mciseq.module.exe
    C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-wow64-legacy.resources\mciseq.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-wow64-legacy.resources\ENU_687FE9737473A97E9D41.7z" "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-wow64-legacy.resources\1\*"
    3⤵
    PID:960
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-wow64-legacy.resources"
    3⤵
    - Views/modifies file attributes
    PID:548
- C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-wow64-legacy.resources\mciseq.exe
  C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-wow64-legacy.resources\mciseq.exe
  2⤵
  PID:2032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

2

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

2

T1158

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-wow64-legacy.resources\1\Information.txt

Filesize
3KB

MD5
11de323911568453ef3a77bcecbaf59a

SHA1
c9d11c292678e0582038577434530cb8f282a462

SHA256
a125f8c890adc530bf51ee9aaa925eccbac6b8f4c562b1c4661835ece855af98

SHA512
155aa3de732ac0456136dbaaa2dd79e463c75e7dc9894212c69f0c80f04e34825c5d803fe3d12af9abb8cf77ba5cf05b6545a9449b2ecf59d4cd097e52d6b358

Download Submit
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-wow64-legacy.resources\1\Screen.jpg

Filesize
46KB

MD5
ac56417b8d12be0f31458a3df92cf1d6

SHA1
8799efaba7cfb12a3002a471bbfebe81ba68ee17

SHA256
d789d806b69686f9dbf6122fc77176c24b0ecb5230b4eec6109dfcbb86157d7d

SHA512
82706288866806ab3bfb5342d7cb4fa6e6f96328b46c0e2a74cb0370f2a97dc530565241ee1b46d3dc8ad8c242d1d96d46e686b82b2ae12223e6b7c08f8fb096

Download Submit
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-wow64-legacy.resources\mciseq.module.exe

Filesize
197KB

MD5
946285055913d457fda78a4484266e96

SHA1
668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285

SHA256
23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb

SHA512
30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

Download Submit
\Users\Admin\AppData\Roaming\wow64_microsoft-windows-wow64-legacy.resources\mciseq.module.exe

Filesize
197KB

MD5
946285055913d457fda78a4484266e96

SHA1
668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285

SHA256
23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb

SHA512
30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

Download Submit
\Users\Admin\AppData\Roaming\wow64_microsoft-windows-wow64-legacy.resources\mciseq.module.exe

Filesize
197KB

MD5
946285055913d457fda78a4484266e96

SHA1
668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285

SHA256
23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb

SHA512
30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

Download Submit
\Users\Admin\AppData\Roaming\wow64_microsoft-windows-wow64-legacy.resources\mciseq.sqlite3.module.dll

Filesize
360KB

MD5
8c127ce55bfbb55eb9a843c693c9f240

SHA1
75c462c935a7ff2c90030c684440d61d48bb1858

SHA256
4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028

SHA512
d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02

Download Submit
\Users\Admin\AppData\Roaming\wow64_microsoft-windows-wow64-legacy.resources\mciseq.sqlite3.module.dll

Filesize
360KB

MD5
8c127ce55bfbb55eb9a843c693c9f240

SHA1
75c462c935a7ff2c90030c684440d61d48bb1858

SHA256
4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028

SHA512
d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02

Download Submit
memory/324-54-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

Filesize
8KB

Download
memory/548-69-0x0000000000000000-mapping.dmp

Download
memory/960-63-0x0000000000000000-mapping.dmp

Download
memory/1004-55-0x0000000000000000-mapping.dmp

Download
memory/1232-57-0x0000000000000000-mapping.dmp

Download
memory/2032-67-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads