Malware Analysis Report

2024-09-23 04:54

Sample ID 220621-3kgrbseggr
Target 2f29ff04628295bb49533a23bbc4b55e6ec1eaada8f792d5e67b5d555936fb30
SHA256 2f29ff04628295bb49533a23bbc4b55e6ec1eaada8f792d5e67b5d555936fb30
Tags
qulab discovery ransomware spyware stealer upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2f29ff04628295bb49533a23bbc4b55e6ec1eaada8f792d5e67b5d555936fb30

Threat Level: Known bad

The file 2f29ff04628295bb49533a23bbc4b55e6ec1eaada8f792d5e67b5d555936fb30 was found to be: Known bad.

Malicious Activity Summary

qulab discovery ransomware spyware stealer upx

Qulab Stealer & Clipper

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

UPX packed file

Loads dropped DLL

Reads user/profile data of web browsers

Looks up external IP address via web service

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Drops file in System32 directory

AutoIT Executable

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Script User-Agent

Suspicious behavior: RenamesItself

NTFS ADS

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2022-06-21 23:34

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-06-21 23:34

Reported

2022-06-21 23:37

Platform

win10v2004-20220414-en

Max time kernel

162s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2f29ff04628295bb49533a23bbc4b55e6ec1eaada8f792d5e67b5d555936fb30.exe"

Signatures

Qulab Stealer & Clipper

stealer qulab

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\tsmf.module.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipapi.co N/A N/A
N/A ipapi.co N/A N/A
N/A ipapi.co N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\tsmf.exe N/A
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\tsmf.exe N/A
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\tsmf.exe N/A

Enumerates physical storage devices

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\tsmf.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ C:\Users\Admin\AppData\Local\Temp\2f29ff04628295bb49533a23bbc4b55e6ec1eaada8f792d5e67b5d555936fb30.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f29ff04628295bb49533a23bbc4b55e6ec1eaada8f792d5e67b5d555936fb30.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2f29ff04628295bb49533a23bbc4b55e6ec1eaada8f792d5e67b5d555936fb30.exe

"C:\Users\Admin\AppData\Local\Temp\2f29ff04628295bb49533a23bbc4b55e6ec1eaada8f792d5e67b5d555936fb30.exe"

C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\tsmf.exe

C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\tsmf.exe

C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\tsmf.module.exe

C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\tsmf.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\ENU_801FE97C5F89A74E9D41.7z" "C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\1\*"

C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\tsmf.exe

C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\tsmf.exe

C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\tsmf.exe

C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\tsmf.exe

C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\tsmf.exe

C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\tsmf.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 ipapi.co udp
US 104.26.9.44:443 ipapi.co tcp
US 104.26.9.44:443 ipapi.co tcp
US 104.26.8.44:443 ipapi.co tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
RU 89.191.233.38:65233 tcp

Files

memory/2552-130-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\tsmf.sqlite3.module.dll

MD5 a6e1b13b0b624094e6fb3a7bedb70930
SHA1 84b58920afd8e88181c4286fa2438af81f097781
SHA256 3b266088e1eb148534a8f95610e07749f7254f29d19f6f6686a1f0c85c9241bd
SHA512 26c2dffb44b7b0c2eb6e8fde7d5c6dce118af14971552bedeb131436f53edd28da98af8cf219bb7814cf4563624638cf73c7017fc3936b5112ff9f8c43f11591

C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\tsmf.sqlite3.module.dll

MD5 a6e1b13b0b624094e6fb3a7bedb70930
SHA1 84b58920afd8e88181c4286fa2438af81f097781
SHA256 3b266088e1eb148534a8f95610e07749f7254f29d19f6f6686a1f0c85c9241bd
SHA512 26c2dffb44b7b0c2eb6e8fde7d5c6dce118af14971552bedeb131436f53edd28da98af8cf219bb7814cf4563624638cf73c7017fc3936b5112ff9f8c43f11591

memory/2552-133-0x0000000061E00000-0x0000000061ED1000-memory.dmp

memory/2552-134-0x0000000061E00000-0x0000000061ED1000-memory.dmp

memory/2552-135-0x0000000061E00000-0x0000000061ED1000-memory.dmp

memory/2552-136-0x0000000061E00000-0x0000000061ED1000-memory.dmp

memory/1192-137-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\tsmf.module.exe

MD5 9c5b4e4fcae7eb410f09c9e46ffb4a6d
SHA1 9d233bbe69676b1064f1deafba8e70a9acc00773
SHA256 0376139308f3e83a73b76d3938d9c100779a83b98eeb3b3ebacfcbd1cc027fe9
SHA512 59c35d730dc17e790aa4c89f82fd2f64b4d67405c2bdf21d4a9757fa8bfb64461f1247c9da482b310b117f1a24144bf6c612c9f7587577b7a286e2e3de724ee5

memory/1192-139-0x0000000000400000-0x000000000048E000-memory.dmp

C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\1\Information.txt

MD5 6db01f44febdb758d91b1a69cac23114
SHA1 2b0aa18eb4cc0445d5e6bb51e4fc2de71def770f
SHA256 191cd40110af40421e796cff2d6e1876f811a5e0b49849b40b98aa7d66279136
SHA512 604eb605142937b5d7638bbd949380eee20d0aac7d26b468552da0b023b51dc5d59cf14cc9dbb8d9bc7404d058961ca4c19ee6ce3744426a397931d5a51c3d43

C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\1\Screen.jpg

MD5 5aa624ded5ec21c9c1a558ef4c732673
SHA1 178a3122878404c5d1a5ad4dd48586ef540d80fe
SHA256 aa0dfea7582d30fb0d6bf1fc1f7c7a72d39d3cdccafbbaebbbf4ec8ea19835ae
SHA512 c919c894b260151068f8cebb7ff5a85103ef5e896049292f9ba62c1e10bb9ccafbf37192768c3e8447c234a8b8e8dd630513850ade15e1f502bce0a64d219ce6

memory/1192-142-0x0000000000400000-0x000000000048E000-memory.dmp

C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\ENU_801FE97C5F89A74E9D41.7z

MD5 fc3e605571dde7c793fe8b3299bd31b3
SHA1 e8c420f6de92af7107b5db213e2d7dc7ef74cea6
SHA256 d9856b7b0bfd78c718f4171606010aa38e71cb7d531fc2b19c52e35141326109
SHA512 249926d96188f399bf35867d43dc2b0b73ef06a9647b221ef37dc4b6296f7be22f9c7b0dd674dff50c53f6679157077162d205b92d38ac8b0ac595990c4e9e57

C:\Users\Admin\AppData\Roaming\amd64_wcf-system.identitymodel.selectors\ENU_801FE97C5F89A74E9D41

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-21 23:34

Reported

2022-06-21 23:37

Platform

win7-20220414-en

Max time kernel

34s

Max time network

46s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2f29ff04628295bb49533a23bbc4b55e6ec1eaada8f792d5e67b5d555936fb30.exe"

Signatures

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ C:\Users\Admin\AppData\Local\Temp\2f29ff04628295bb49533a23bbc4b55e6ec1eaada8f792d5e67b5d555936fb30.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2f29ff04628295bb49533a23bbc4b55e6ec1eaada8f792d5e67b5d555936fb30.exe

"C:\Users\Admin\AppData\Local\Temp\2f29ff04628295bb49533a23bbc4b55e6ec1eaada8f792d5e67b5d555936fb30.exe"

Network

N/A

Files

memory/1216-54-0x00000000759F1000-0x00000000759F3000-memory.dmp