qulab | 79da42bac6738149bfe9decb17aa555806536fbc9ddefd2a700aa559f44b1718

General

Target

79da42bac6738149bfe9decb17aa555806536fbc9ddefd2a700aa559f44b1718.exe
Size

1.5MB
MD5

9718430597e4c4129c5a76346a5e0da7
SHA1

1dcb1d6af722ac2dfe64b02e5c95ea756af53732
SHA256

79da42bac6738149bfe9decb17aa555806536fbc9ddefd2a700aa559f44b1718
SHA512

84c1cd9761c11af95b31d5cf1f52ccf5eeb837ae585fb63d2f2be3f69a8bb7aece4f1d37c00325bd8bf66e3881cf8f72e2fc42f047f66a6641ff86e0f87ae3b5

Score

10^/10

qulab discovery ransomware spyware stealer upx

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-ehome-devices-ehreplay\1\Information.txt

Family

qulab

Ransom Note

# /===============================\ # |=== QULAB CLIPPER + STEALER ===| # |===============================| # |==== BUY CLIPPER + STEALER ====| # |=== http://teleg.run/QulabZ ===| # \===============================/ Date: 21.05.2022, 14:31:12 Main Information: - OS: Windows 10 x64 / Build: 19041 - UserName: Admin - ComputerName: TWJYXOUL - VideoCard: Microsoft Basic Display Adapter - Processor: Intel Core Processor (Broadwell) - Memory: 4.00 Gb - KeyBoard Layout ID: 00000409 - Resolution: 1280x720x32, 64 GHz Other Information: <error> Soft / Windows Components / Windows Updates: - Google Chrome - Microsoft Edge - Microsoft Edge Update - Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 - Java Auto Updater - Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.30.30704 - Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.30.30704 - Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.40660 - Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.40660 - Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 - Adobe Acrobat Reader DC - Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030 - Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030 - Microsoft Visual C++ 2022 X86 Additional Runtime - 14.30.30704 - Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 - Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.40660 - Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40660 - Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 - Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.30.30704 Process List: - [System Process] / PID: 0 - System / PID: 4 - Registry / PID: 92 - smss.exe / PID: 352 - csrss.exe / PID: 440 - wininit.exe / PID: 516 - csrss.exe / PID: 532 - winlogon.exe / PID: 612 - services.exe / PID: 656 - lsass.exe / PID: 672 - fontdrvhost.exe / PID: 776 - fontdrvhost.exe / PID: 784 - svchost.exe / PID: 792 - svchost.exe / PID: 900 - svchost.exe / PID: 952 - dwm.exe / PID: 332 - svchost.exe / PID: 388 - svchost.exe / PID: 424 - svchost.exe / PID: 916 - svchost.exe / PID: 1032 - svchost.exe / PID: 1084 - svchost.exe / PID: 1108 - svchost.exe / PID: 1152 - svchost.exe / PID: 1216 - svchost.exe / PID: 1276 - svchost.exe / PID: 1308 - svchost.exe / PID: 1328 - svchost.exe / PID: 1444 - svchost.exe / PID: 1484 - svchost.exe / PID: 1492 - svchost.exe / PID: 1500 - svchost.exe / PID: 1628 - svchost.exe / PID: 1688 - svchost.exe / PID: 1700 - svchost.exe / PID: 1716 - svchost.exe / PID: 1828 - svchost.exe / PID: 1868 - svchost.exe / PID: 1892 - svchost.exe / PID: 1904 - svchost.exe / PID: 1972 - svchost.exe / PID: 2012 - spoolsv.exe / PID: 1772 - svchost.exe / PID: 2080 - svchost.exe / PID: 2088 - svchost.exe / PID: 2192 - svchost.exe / PID: 2448 - svchost.exe / PID: 2464 - svchost.exe / PID: 2480 - svchost.exe / PID: 2488 - sihost.exe / PID: 2536 - OfficeClickToRun.exe / PID: 2552 - svchost.exe / PID: 2572 - svchost.exe / PID: 2588 - svchost.exe / PID: 2680 - svchost.exe / PID: 2724 - svchost.exe / PID: 2740 - taskhostw.exe / PID: 2908 - explorer.exe / PID: 3120 - svchost.exe / PID: 3232 - dllhost.exe / PID: 3432 - StartMenuExperienceHost.exe / PID: 3544 - RuntimeBroker.exe / PID: 3608 - SearchApp.exe / PID: 3700 - RuntimeBroker.exe / PID: 3860 - dllhost.exe / PID: 2276 - svchost.exe / PID: 4572 - sppsvc.exe / PID: 4608 - SppExtComObj.Exe / PID: 4656 - svchost.exe / PID: 4740 - svchost.exe / PID: 4336 - svchost.exe / PID: 3132 - svchost.exe / PID: 1400 - WmiPrvSE.exe / PID: 2144 - upfc.exe / PID: 2920 - svchost.exe / PID: 4056 - NlsData081a.exe / PID: 4152 - svchost.exe / PID: 4160

URLs

http://teleg.run/QulabZ

Signatures

Qulab Stealer & Clipper
Infostealer and clipper created with AutoIt.
stealer qulab

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-ehome-devices-ehreplay\NlsData081a.sqlite3.module.dll	acprotect
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-ehome-devices-ehreplay\NlsData081a.sqlite3.module.dll	acprotect

Executes dropped EXE 1 IoCs

Processes:

NlsData081a.module.exe

pid process

1476 NlsData081a.module.exe

pid	process
1476	NlsData081a.module.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-ehome-devices-ehreplay\NlsData081a.sqlite3.module.dll	upx
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-ehome-devices-ehreplay\NlsData081a.sqlite3.module.dll	upx
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-ehome-devices-ehreplay\NlsData081a.module.exe	upx

Loads dropped DLL 2 IoCs

Processes:

NlsData081a.exe

pid process

4152 NlsData081a.exe
4152 NlsData081a.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 ipapi.co
8 ipapi.co
24 ipapi.co

pid	process
4152	NlsData081a.exe
4152	NlsData081a.exe

flow	ioc
7	ipapi.co
8	ipapi.co
24	ipapi.co

Drops file in System32 directory 2 IoCs

Processes:

NlsData081a.exeNlsData081a.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\winmgmts:\localhost\	NlsData081a.exe
File opened for modification	C:\Windows\SysWOW64\winmgmts:\localhost\	NlsData081a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NTFS ADS 2 IoCs

Processes:

79da42bac6738149bfe9decb17aa555806536fbc9ddefd2a700aa559f44b1718.exeNlsData081a.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\	79da42bac6738149bfe9decb17aa555806536fbc9ddefd2a700aa559f44b1718.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-ehome-devices-ehreplay\winmgmts:\localhost\	NlsData081a.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

NlsData081a.exe

pid process

4152 NlsData081a.exe
4152 NlsData081a.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

79da42bac6738149bfe9decb17aa555806536fbc9ddefd2a700aa559f44b1718.exe

pid process

2620 79da42bac6738149bfe9decb17aa555806536fbc9ddefd2a700aa559f44b1718.exe

pid	process
4152	NlsData081a.exe
4152	NlsData081a.exe

pid	process
2620	79da42bac6738149bfe9decb17aa555806536fbc9ddefd2a700aa559f44b1718.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

NlsData081a.module.exe

description	pid	process
Token: SeRestorePrivilege	1476	NlsData081a.module.exe
Token: 35	1476	NlsData081a.module.exe
Token: SeSecurityPrivilege	1476	NlsData081a.module.exe
Token: SeSecurityPrivilege	1476	NlsData081a.module.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

79da42bac6738149bfe9decb17aa555806536fbc9ddefd2a700aa559f44b1718.exeNlsData081a.exe

description	pid	process	target process
PID 2620 wrote to memory of 4152	2620	79da42bac6738149bfe9decb17aa555806536fbc9ddefd2a700aa559f44b1718.exe	NlsData081a.exe
PID 2620 wrote to memory of 4152	2620	79da42bac6738149bfe9decb17aa555806536fbc9ddefd2a700aa559f44b1718.exe	NlsData081a.exe
PID 2620 wrote to memory of 4152	2620	79da42bac6738149bfe9decb17aa555806536fbc9ddefd2a700aa559f44b1718.exe	NlsData081a.exe
PID 4152 wrote to memory of 1476	4152	NlsData081a.exe	NlsData081a.module.exe
PID 4152 wrote to memory of 1476	4152	NlsData081a.exe	NlsData081a.module.exe
PID 4152 wrote to memory of 1476	4152	NlsData081a.exe	NlsData081a.module.exe

C:\Users\Admin\AppData\Local\Temp\79da42bac6738149bfe9decb17aa555806536fbc9ddefd2a700aa559f44b1718.exe
"C:\Users\Admin\AppData\Local\Temp\79da42bac6738149bfe9decb17aa555806536fbc9ddefd2a700aa559f44b1718.exe"
1⤵
- NTFS ADS
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-ehome-devices-ehreplay\NlsData081a.exe
  C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-ehome-devices-ehreplay\NlsData081a.exe
  2⤵
  - Loads dropped DLL
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4152
- - C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-ehome-devices-ehreplay\NlsData081a.module.exe
    C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-ehome-devices-ehreplay\NlsData081a.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-ehome-devices-ehreplay\ENU_801FE97C5F89A74E9D41.7z" "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-ehome-devices-ehreplay\1\*"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1476

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-ehome-devices-ehreplay\NlsData081a.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-ehome-devices-ehreplay\NlsData081a.exe
1⤵
- Drops file in System32 directory
PID:4116

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-ehome-devices-ehreplay\NlsData081a.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-ehome-devices-ehreplay\NlsData081a.exe
1⤵
- Drops file in System32 directory
PID:5092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-ehome-devices-ehreplay\1\Information.txt

Filesize
3KB

MD5
19b0b33906652950667eea8f1f32c43a

SHA1
bd61571683aaad94b580874450034dc382e80840

SHA256
c2ea3fb30ce8c97691678699bd969089b425349f68c67bc369d743ea39283adb

SHA512
6229081847b8641e11c961b76ef8b6663b13b0e8bb603bce98eafed2889bca139a1fbf0e5ab6cffc221ae97f081a1129eb8ab131a7244c0bee356fd71eec81b2

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-ehome-devices-ehreplay\1\Screen.jpg

Filesize
52KB

MD5
024bbf2ee92a5f0407a3436c48a8f10e

SHA1
c51e6bf9beb6e180d6d1666f4cdd7ca5ef8e7945

SHA256
8b830bb6b69d4d498609bcb90888bb0332c547c11a90e6e148a3e76b3d468952

SHA512
52886c35e733727ce4bb893a3dc427b64980cfbe49c80c219e53d63971426c69a8506d6f4b934bc75a3207efa9c89ffa94e99aa163c0a1809119aa3282e6b612

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-ehome-devices-ehreplay\NlsData081a.module.exe

Filesize
218KB

MD5
9c5b4e4fcae7eb410f09c9e46ffb4a6d

SHA1
9d233bbe69676b1064f1deafba8e70a9acc00773

SHA256
0376139308f3e83a73b76d3938d9c100779a83b98eeb3b3ebacfcbd1cc027fe9

SHA512
59c35d730dc17e790aa4c89f82fd2f64b4d67405c2bdf21d4a9757fa8bfb64461f1247c9da482b310b117f1a24144bf6c612c9f7587577b7a286e2e3de724ee5

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-ehome-devices-ehreplay\NlsData081a.sqlite3.module.dll

Filesize
359KB

MD5
a6e1b13b0b624094e6fb3a7bedb70930

SHA1
84b58920afd8e88181c4286fa2438af81f097781

SHA256
3b266088e1eb148534a8f95610e07749f7254f29d19f6f6686a1f0c85c9241bd

SHA512
26c2dffb44b7b0c2eb6e8fde7d5c6dce118af14971552bedeb131436f53edd28da98af8cf219bb7814cf4563624638cf73c7017fc3936b5112ff9f8c43f11591

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-ehome-devices-ehreplay\NlsData081a.sqlite3.module.dll

Filesize
359KB

MD5
a6e1b13b0b624094e6fb3a7bedb70930

SHA1
84b58920afd8e88181c4286fa2438af81f097781

SHA256
3b266088e1eb148534a8f95610e07749f7254f29d19f6f6686a1f0c85c9241bd

SHA512
26c2dffb44b7b0c2eb6e8fde7d5c6dce118af14971552bedeb131436f53edd28da98af8cf219bb7814cf4563624638cf73c7017fc3936b5112ff9f8c43f11591

Download Submit
memory/1476-133-0x0000000000000000-mapping.dmp

Download
memory/4152-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads