Malware Analysis Report

2024-09-23 04:52

Sample ID: 220608-wpnxwaehc9
Target: 1839619cf00da397e395b9555b6d0c9e30ac389ef48dfbbd0ddba4a083a7eb46
SHA256: 1839619cf00da397e395b9555b6d0c9e30ac389ef48dfbbd0ddba4a083a7eb46
Tags: qulab discovery evasion ransomware spyware stealer upx
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 1839619cf00da397e395b9555b6d0c9e30ac389ef48dfbbd0ddba4a083a7eb46

Threat Level: Known bad. The file 1839619cf00da397e395b9555b6d0c9e30ac389ef48dfbbd0ddba4a083a7eb46 was found to be known bad.

Malicious Activity Summary

Tags: qulab discovery evasion ransomware spyware stealer upx

Note: the "ransomware" tag is not backed by any signature in this report; neither detonation records file encryption, a ransom note or shadow-copy deletion. The recorded behaviour is that of a stealer and clipper. Signatures that fired:

Qulab Stealer & Clipper

ACProtect 1.3x - 1.4x DLL software

UPX packed file

Executes dropped EXE

Sets file to hidden

Loads dropped DLL

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Checks installed software on the system

Drops file in System32 directory

AutoIT Executable

Program crash

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: RenamesItself

NTFS ADS

Suspicious use of WriteProcessMemory

Views/modifies file attributes

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2022-06-08 18:06

Signatures

AutoIT Executable

1 match (static); no per-row description, indicator, process or target recorded.

Analysis: behavioral2

Detonation Overview

Submitted: 2022-06-08 18:05
Reported: 2022-06-08 20:31
Platform: win10v2004-20220414-en
Max time kernel: 90s
Max time network: 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1839619cf00da397e395b9555b6d0c9e30ac389ef48dfbbd0ddba4a083a7eb46.exe"

Signatures

NTFS ADS

Description: File opened for modification
Indicator: C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\
Process: C:\Users\Admin\AppData\Local\Temp\1839619cf00da397e395b9555b6d0c9e30ac389ef48dfbbd0ddba4a083a7eb46.exe
Target: N/A

Note: the indicator is the WMI moniker winmgmts:\localhost\ (the string an AutoIt script passes to ObjGet for WMI access) resolved as a relative path under the sample's working directory. The colon in that token is what trips the ADS heuristic; the row is not evidence of an actual alternate data stream being written.

Suspicious behavior: RenamesItself

Process: C:\Users\Admin\AppData\Local\Temp\1839619cf00da397e395b9555b6d0c9e30ac389ef48dfbbd0ddba4a083a7eb46.exe (no description, indicator or target recorded)

Processes

C:\Users\Admin\AppData\Local\Temp\1839619cf00da397e395b9555b6d0c9e30ac389ef48dfbbd0ddba4a083a7eb46.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\1839619cf00da397e395b9555b6d0c9e30ac389ef48dfbbd0ddba4a083a7eb46.exe"

C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5100 -ip 5100

C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 1092

Note: WerFault.exe is invoked for PID 5100 from SysWOW64, i.e. the 32-bit sample crashed on Win10 before dropping anything (no files, no child processes). This is the "Program crash" entry in the summary and is why the stealer behaviour is only recorded in the Win7 run (behavioral1).

Network

Country  Destination          Domain                      Proto
US       93.184.220.29:80     -                           tcp
NL       104.110.191.140:80   -                           tcp
US       52.168.117.170:443   -                           tcp
US       209.197.3.8:80       -                           tcp (3 connections)
US       8.8.8.8:53           14.110.152.52.in-addr.arpa  udp (reverse lookup of 52.152.110.14)
FR       2.18.109.224:443     -                           tcp
US       104.18.25.243:80     -                           tcp

Note: no domain was resolved for any of the TCP destinations, and none of the endpoints seen in the Win7 run (ipapi.co, api.telegram.org, 217.147.169.126) appear; given the crash above, this capture does not show the stealer's own traffic.

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-06-08 18:05
Reported: 2022-06-08 20:30
Platform: win7-20220414-en
Max time kernel: 124s
Max time network: 146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1839619cf00da397e395b9555b6d0c9e30ac389ef48dfbbd0ddba4a083a7eb46.exe"

Signatures

Qulab Stealer & Clipper

Tags: stealer qulab

ACProtect 1.3x - 1.4x DLL software

2 matches; no per-row description, indicator, process or target recorded.

Executes dropped EXE

Process: C:\Users\Admin\AppData\Roaming\amd64_cpu.inf.resources\odbccp32.module.exe

Sets file to hidden

Tags: evasion
Process: C:\Windows\SysWOW64\attrib.exe

UPX packed file

Tags: upx
6 matches; no per-row description, indicator, process or target recorded.

Reads user/profile data of web browsers

Tags: spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

Tags: spyware

Checks installed software on the system

Tags: discovery

Looks up external IP address via web service

Indicator: ipapi.co (2 matches; no description, process or target recorded)

Drops file in System32 directory

Description: File opened for modification
Indicator: C:\Windows\SysWOW64\winmgmts:\localhost\
Process: C:\Users\Admin\AppData\Roaming\amd64_cpu.inf.resources\odbccp32.exe
Target: N/A
(2 identical matches)

Enumerates physical storage devices

NTFS ADS

Description: File opened for modification
Indicator: C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\
Process: C:\Users\Admin\AppData\Local\Temp\1839619cf00da397e395b9555b6d0c9e30ac389ef48dfbbd0ddba4a083a7eb46.exe
Target: N/A

Description: File opened for modification
Indicator: C:\Users\Admin\AppData\Roaming\amd64_cpu.inf.resources\winmgmts:\localhost\
Process: C:\Users\Admin\AppData\Roaming\amd64_cpu.inf.resources\odbccp32.exe
Target: N/A

Note: the indicators of both signatures are the same WMI moniker, winmgmts:\localhost\, resolved as a relative path against each process's working directory (Temp, the Roaming drop folder, or SysWOW64). The colon in the token trips the ADS heuristic and the SysWOW64 prefix trips the System32-drop heuristic; neither row shows a real stream or file being written. The ADS heuristic's real hits would be paths of the form file.ext:streamname, where nothing after the colon is a path separator.
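The caveat above is easy to build into triage tooling. The following is an added example (not part of this report or of any vendor's sandbox): it separates a genuine alternate-data-stream path from a colon that belongs to a WMI moniker, using the rule that a stream name can never contain a path separator. The two indicator paths are taken from this report; the labels, the `\\?\` handling and the benign control paths are my own.

```python
"""Classify colon-bearing Windows paths: real NTFS alternate data stream,
or a colon that belongs to a WMI moniker such as winmgmts:\\localhost\\.

Added example; not part of the sandbox report or of any vendor tooling.
The first two sample paths are the report's indicators; the labels and the
control paths are my own.
"""
import re
from typing import Optional

DRIVE = re.compile(r"^[A-Za-z]:(?=[\\/]|$)")        # C:\ or C:/ or bare C:
DEVICE_PREFIX = re.compile(r"^\\\\[?.]\\")           # \\?\ and \\.\ prefixes


def _strip_drive(path: str) -> str:
    """Remove a device prefix and the drive letter so its colon is not counted."""
    rest = DEVICE_PREFIX.sub("", path)
    return rest[2:] if DRIVE.match(rest) else rest


def classify_colon_path(path: str) -> str:
    """Return 'plain', 'ads', 'wmi-moniker' or 'not-ads'.

    An ADS is <file>:<stream>[:$DATA]. A stream name can never contain a path
    separator, so a colon followed by another separator is not a stream but a
    directory-like token, which is exactly what the sandbox sees when a
    process resolves "winmgmts:\\localhost\\" as a relative path.
    """
    rest = _strip_drive(path)
    if ":" not in rest:
        return "plain"
    head, _, tail = rest.partition(":")
    if "\\" in tail or "/" in tail:
        token = head.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        return "wmi-moniker" if token == "winmgmts" else "not-ads"
    return "ads"


def stream_name(path: str) -> Optional[str]:
    """Stream name of an ADS path, without an explicit :$DATA type suffix."""
    if classify_colon_path(path) != "ads":
        return None
    tail = _strip_drive(path).split(":", 1)[1]
    return tail.split(":", 1)[0]


# Constructed inputs: the report's two indicators plus real-ADS and plain controls.
SAMPLES = [
    "C:\\Users\\Admin\\AppData\\Local\\Temp\\winmgmts:\\localhost\\",
    "C:\\Windows\\SysWOW64\\winmgmts:\\localhost\\",
    "C:\\Users\\Admin\\Downloads\\setup.exe:Zone.Identifier",
    "\\\\?\\C:\\Users\\Admin\\notes.txt:hidden:$DATA",
    "C:\\Windows\\System32\\cmd.exe",
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{classify_colon_path(p):12} {stream_name(p) or '-':16} {p}")
```

Run stand-alone it prints one line per sample path; the two report indicators come out as wmi-moniker, the Zone.Identifier and :$DATA cases as ads with their stream names, and cmd.exe as plain.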

Suspicious behavior: EnumeratesProcesses

Process: C:\Users\Admin\AppData\Roaming\amd64_cpu.inf.resources\odbccp32.exe

Suspicious behavior: RenamesItself

Process: C:\Users\Admin\AppData\Local\Temp\1839619cf00da397e395b9555b6d0c9e30ac389ef48dfbbd0ddba4a083a7eb46.exe

Suspicious use of WriteProcessMemory

PID 1064 wrote to memory of 1976 (4 writes)
  Process: C:\Users\Admin\AppData\Local\Temp\1839619cf00da397e395b9555b6d0c9e30ac389ef48dfbbd0ddba4a083a7eb46.exe
  Target:  C:\Users\Admin\AppData\Roaming\amd64_cpu.inf.resources\odbccp32.exe

PID 1976 wrote to memory of 2004 (4 writes)
  Process: C:\Users\Admin\AppData\Roaming\amd64_cpu.inf.resources\odbccp32.exe
  Target:  C:\Users\Admin\AppData\Roaming\amd64_cpu.inf.resources\odbccp32.module.exe

PID 1976 wrote to memory of 1692 (4 writes)
  Process: C:\Users\Admin\AppData\Roaming\amd64_cpu.inf.resources\odbccp32.exe
  Target:  C:\Windows\SysWOW64\attrib.exe

PID 324 wrote to memory of 804 (4 writes)
  Process: C:\Windows\system32\taskeng.exe
  Target:  C:\Users\Admin\AppData\Roaming\amd64_cpu.inf.resources\odbccp32.exe

PID 324 wrote to memory of 700 (4 writes)
  Process: C:\Windows\system32\taskeng.exe
  Target:  C:\Users\Admin\AppData\Roaming\amd64_cpu.inf.resources\odbccp32.exe

Note: every write here is from a parent into a child it has just created (process creation writes the startup parameters into the new process), not an injection into an unrelated process. Read that way the table gives the process tree: 1064 -> 1976 -> {2004, 1692}, and taskeng.exe (324) -> {804, 700}, so the dropped odbccp32.exe is relaunched by the Task Scheduler after the initial run.

Views/modifies file attributes

Tags: evasion
Process: C:\Windows\SysWOW64\attrib.exe

Processes

Process tree (PIDs and parentage taken from the WriteProcessMemory table above, where each parent writes into the child it creates):

PID 1064  C:\Users\Admin\AppData\Local\Temp\1839619cf00da397e395b9555b6d0c9e30ac389ef48dfbbd0ddba4a083a7eb46.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\1839619cf00da397e395b9555b6d0c9e30ac389ef48dfbbd0ddba4a083a7eb46.exe"

  PID 1976  C:\Users\Admin\AppData\Roaming\amd64_cpu.inf.resources\odbccp32.exe
            cmd: C:\Users\Admin\AppData\Roaming\amd64_cpu.inf.resources\odbccp32.exe

    PID 2004  C:\Users\Admin\AppData\Roaming\amd64_cpu.inf.resources\odbccp32.module.exe
              cmd: C:\Users\Admin\AppData\Roaming\amd64_cpu.inf.resources\odbccp32.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_cpu.inf.resources\ENU_687FE9737473A97E9D41.7z" "C:\Users\Admin\AppData\Roaming\amd64_cpu.inf.resources\1\*"
              (7-Zip command-line syntax: a = add, -y = assume yes on prompts, -mx9 = ultra compression, -ssw = include files that are open for writing; the dropped "module" packs the staging folder 1\ into a .7z)

    PID 1692  C:\Windows\SysWOW64\attrib.exe
              cmd: attrib +s +h "C:\Users\Admin\AppData\Roaming\amd64_cpu.inf.resources"
              (marks the drop folder system + hidden so it is not shown by Explorer with default settings)

PID 324   C:\Windows\system32\taskeng.exe
          cmd: taskeng.exe {7F9DDA98-503A-4C01-AF9A-CF2CC18F6324} S-1-5-21-1083475884-596052423-1669053738-1000:WYZSGDWS\Admin:Interactive:[1]

  PID 804   C:\Users\Admin\AppData\Roaming\amd64_cpu.inf.resources\odbccp32.exe
            cmd: C:\Users\Admin\AppData\Roaming\amd64_cpu.inf.resources\odbccp32.exe

  PID 700   C:\Users\Admin\AppData\Roaming\amd64_cpu.inf.resources\odbccp32.exe
            cmd: C:\Users\Admin\AppData\Roaming\amd64_cpu.inf.resources\odbccp32.exe

taskeng.exe is the Win7 Task Scheduler engine, so the two later odbccp32.exe instances are relaunches of the dropped binary by a scheduled task in the Admin user's interactive session; the task definition itself is not listed in this report.
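The three behaviours in the tree above (a user-profile drop folder hidden with attrib, a renamed binary driven with 7-Zip syntax, and a scheduled-task relaunch from AppData) are each detectable from process-creation telemetry alone. The block below is an added example written for this page, not code from the report or from any vendor; it runs the three checks over constructed events modelled on the report's process list (the report's PIDs and paths are reused, while the root parent PIDs 900 and 600, the Sysmon-like field names and the two benign control events are assumptions).

```python
"""Process-tree triage for the drop-hide-pack-persist pattern seen in the Win7 run.

Added example, not part of the sandbox report or of any vendor tooling. The
events are constructed to mirror the report's process list; parent PIDs 900
and 600 and the benign control events are assumptions for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the created process
    cmdline: str   # its command line


# 7-Zip "add" syntax: <exe> a [switches ...] <archive> <inputs ...>
# (-y assume yes, -mx9 ultra compression, -ssw compress files open for writing)
SEVENZIP_ADD = re.compile(
    r'^\s*(?:"[^"]+"|\S+)\s+a\s+(?:-\S+\s+)*"?[^"\s]+\.(?:7z|zip)"?', re.IGNORECASE)
ATTRIB_HIDE = re.compile(r"\+[hs]\b", re.IGNORECASE)            # +h hidden, +s system
APPDATA = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
# Task Scheduler hosts: taskeng.exe on Win7; on Win10 the Schedule service lives in
# svchost.exe, so that parent is included too (broader, expect more review work).
TASK_HOSTS = {"taskeng.exe", "svchost.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return (pid, rule) pairs for events matching any of the three checks."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)
        # 1. attrib hiding a directory inside the user's own profile
        if name == "attrib.exe" and ATTRIB_HIDE.search(e.cmdline) and APPDATA.search(e.cmdline):
            findings.append((e.pid, "hides-profile-dir"))
        # 2. 7-Zip command syntax from a binary that is not named like 7-Zip
        if SEVENZIP_ADD.match(e.cmdline) and not name.startswith("7z"):
            findings.append((e.pid, "renamed-archiver"))
        # 3. a binary under AppData started by the Task Scheduler
        parent = by_pid.get(e.ppid)
        if parent and basename(parent.image) in TASK_HOSTS and APPDATA.search(e.image):
            findings.append((e.pid, "task-launched-from-profile"))
    return findings


def ancestry(events, pid):
    """Basenames from the given process up to the oldest parent present in the events."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


DROP = r"C:\Users\Admin\AppData\Roaming\amd64_cpu.inf.resources"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1839619cf00da397e395b9555b6d0c9e30ac389ef48dfbbd0ddba4a083a7eb46.exe"

# Constructed events modelled on the report (PIDs 1064/1976/2004/1692/324/804/700).
EVENTS = [
    ProcEvent(1064, 900, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1976, 1064, DROP + r"\odbccp32.exe", DROP + r"\odbccp32.exe"),
    ProcEvent(2004, 1976, DROP + r"\odbccp32.module.exe",
              DROP + r'\odbccp32.module.exe a -y -mx9 -ssw "' + DROP
              + r'\ENU_687FE9737473A97E9D41.7z" "' + DROP + r'\1\*"'),
    ProcEvent(1692, 1976, r"C:\Windows\SysWOW64\attrib.exe", f'attrib +s +h "{DROP}"'),
    ProcEvent(324, 600, r"C:\Windows\system32\taskeng.exe",
              r"taskeng.exe {7F9DDA98-503A-4C01-AF9A-CF2CC18F6324} "
              r"S-1-5-21-1083475884-596052423-1669053738-1000:WYZSGDWS\Admin:Interactive:[1]"),
    ProcEvent(804, 324, DROP + r"\odbccp32.exe", DROP + r"\odbccp32.exe"),
    ProcEvent(700, 324, DROP + r"\odbccp32.exe", DROP + r"\odbccp32.exe"),
    # benign controls (assumed): real 7-Zip archiving Documents, attrib setting read-only
    ProcEvent(4000, 3000, r"C:\Program Files\7-Zip\7z.exe",
              r'"C:\Program Files\7-Zip\7z.exe" a -mx9 "C:\Users\Admin\Documents\backup.7z" '
              r'"C:\Users\Admin\Documents\*"'),
    ProcEvent(4001, 3000, r"C:\Windows\System32\attrib.exe",
              r'attrib +r "C:\Users\Admin\Documents\notes.txt"'),
]

if __name__ == "__main__":
    for pid, rule in triage(EVENTS):
        print(f"{rule:28} pid={pid:<5} chain={' <- '.join(ancestry(EVENTS, pid))}")
```

The renamed-archiver check keys on command syntax rather than on the file name precisely because the page shows the archiver dropped as odbccp32.module.exe; the attrib check requires both a hide flag and a profile path so that ordinary `attrib +r` on documents does not fire; and the scheduler check uses parentage, which is why the two benign controls produce no findings while the four report-derived processes do.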

Network

Country  Destination           Domain            Proto
US       8.8.8.8:53            ipapi.co          udp
US       8.8.8.8:53            api.telegram.org  udp
NL       149.154.167.220:443   api.telegram.org  tcp
US       172.67.69.226:443     ipapi.co          tcp
UA       217.147.169.126:80    -                 tcp (2 connections, no preceding DNS query in the capture)

ipapi.co is the external-IP lookup flagged in the signatures. The TLS connection to api.telegram.org is consistent with the Telegram Bot API being used as the channel for the packed archive, although the encrypted payload is not visible in this capture. The host 217.147.169.126:80 was contacted by IP address directly.

Files

Note: the two files under amd64_cpu.inf.resources\1\ (Information.txt, Screen.jpg) are the staged collection that the odbccp32.module.exe command above archives into ENU_687FE9737473A97E9D41.7z; the .7z itself is not among the files listed here.

memory/1064-54-0x00000000769D1000-0x00000000769D3000-memory.dmp

memory/1976-55-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Roaming\amd64_cpu.inf.resources\odbccp32.sqlite3.module.dll

MD5 8c127ce55bfbb55eb9a843c693c9f240
SHA1 75c462c935a7ff2c90030c684440d61d48bb1858
SHA256 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028
SHA512 d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02

memory/1976-59-0x0000000061E00000-0x0000000061ED2000-memory.dmp

\Users\Admin\AppData\Roaming\amd64_cpu.inf.resources\odbccp32.module.exe

MD5 946285055913d457fda78a4484266e96
SHA1 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285
SHA256 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb
SHA512 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

memory/2004-62-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\amd64_cpu.inf.resources\odbccp32.module.exe

MD5 946285055913d457fda78a4484266e96
SHA1 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285
SHA256 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb
SHA512 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

C:\Users\Admin\AppData\Roaming\amd64_cpu.inf.resources\1\Information.txt

MD5 02e129a8364d221c89609b3baacd049f
SHA1 0444a9640abbb7dad2866c70703d8daa43544912
SHA256 95a6558d9a3489cf654cb3e8e994960330d04dd4d91cbbc6d5a290bb0b4dd425
SHA512 6f1e43c3ea0d748306c6628b44a76b6fc1ccd179cd752b36e87a5a26aea4a79cccf04fec3e26a0ed5d26c887b7a0a44f8d62058007033454d3b2474a356361fb

C:\Users\Admin\AppData\Roaming\amd64_cpu.inf.resources\1\Screen.jpg

MD5 5640032d4119d4264f50fa69fb5201fa
SHA1 69bbf3d3b5d6d8313bdae9d21848ed3449d991ce
SHA256 8ab97ad7639d8c4b4372df6a2f7bdbf49715e822c6f57f020a37a8a42d8d6c2b
SHA512 f369cd2c7bd5b80bfd71acaa26386b0840daa8151192eab8de2d7b7a4ddc893d48930cf5088d95001a0a3145a3b2c6df4dc75d8ed2e12105ab9a4e04a4e0f39b

memory/2004-66-0x0000000000400000-0x000000000047D000-memory.dmp

memory/1976-67-0x0000000004310000-0x000000000438D000-memory.dmp

memory/1976-68-0x0000000004310000-0x000000000438D000-memory.dmp

memory/1692-69-0x0000000000000000-mapping.dmp

memory/804-70-0x0000000000000000-mapping.dmp

memory/700-72-0x0000000000000000-mapping.dmp