qulab | 358928e393e91937f17a754c2fca43d8eedc2d797e960610d9a35c4190197020

General

Target

358928e393e91937f17a754c2fca43d8eedc2d797e960610d9a35c4190197020.exe
Size

1.6MB
MD5

cfe244a13a7c4c4b6d4490efa712f32f
SHA1

ab66780f1ed25f841142ba142f973ae4924af479
SHA256

358928e393e91937f17a754c2fca43d8eedc2d797e960610d9a35c4190197020
SHA512

57d4561ff936bce62afeb480bc40cfe04ddbc1b40ad0495a5d29786b6c1695384dbf11057347f31ad797736965d2cc5d33059966410ec31e218839e55ce7e371

Score

10^/10

qulab discovery ransomware spyware stealer upx

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\1\Information.txt

Family

qulab

Ransom Note

# /===============================\ # |=== QULAB CLIPPER + STEALER ===| # |===============================| # |==== BUY CLIPPER + STEALER ====| # |=== http://teleg.run/QulabZ ===| # \===============================/ Date: 27.06.2022 Time: 02:06:35 OS: Windows 7 X64 / Build: 7601 UserName: Admin ComputerName: TVHJCWMH Processor: Intel Core Processor (Broadwell) VideoCard: Standard VGA Graphics Adapter Memory: 2.00 Gb KeyBoard Layout ID: 00000409 Resolution: 1280x720x32, 1 GHz Other Information: <error> Soft / Windows Components / Windows Updates: - Google Chrome - Adobe AIR - Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 - Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.30.30704 - Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.30.30704 - Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.40660 - Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.40660 - Microsoft Office Professional Plus 2010 - Microsoft Office Access MUI (English) 2010 - Microsoft Office Excel MUI (English) 2010 - Microsoft Office PowerPoint MUI (English) 2010 - Microsoft Office Publisher MUI (English) 2010 - Microsoft Office Outlook MUI (English) 2010 - Microsoft Office Word MUI (English) 2010 - Microsoft Office Proof (English) 2010 - Microsoft Office Proof (French) 2010 - Microsoft Office Proof (Spanish) 2010 - Microsoft Office Proofing (English) 2010 - Microsoft Office InfoPath MUI (English) 2010 - Microsoft Office Shared MUI (English) 2010 - Microsoft Office OneNote MUI (English) 2010 - Microsoft Office Groove MUI (English) 2010 - Microsoft Office Shared Setup Metadata MUI (English) 2010 - Microsoft Office Access Setup Metadata MUI (English) 2010 - Update for Microsoft .NET Framework 4.7.2 (KB4087364) - Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 - Adobe Reader 9 - Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030 - Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030 - Microsoft Visual C++ 2022 X86 Additional Runtime - 14.30.30704 - Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 - Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.40660 - Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40660 - Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 - Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.30.30704 Process List: - [System Process] / PID: 0 - System / PID: 4 - smss.exe / PID: 260 - csrss.exe / PID: 332 - wininit.exe / PID: 368 - csrss.exe / PID: 380 - winlogon.exe / PID: 420 - services.exe / PID: 464 - lsass.exe / PID: 480 - lsm.exe / PID: 488 - svchost.exe / PID: 584 - svchost.exe / PID: 660 - svchost.exe / PID: 736 - svchost.exe / PID: 808 - svchost.exe / PID: 844 - svchost.exe / PID: 876 - svchost.exe / PID: 300 - spoolsv.exe / PID: 276 - svchost.exe / PID: 1040 - taskhost.exe / PID: 1128 - dwm.exe / PID: 1200 - explorer.exe / PID: 1256 - svchost.exe / PID: 968 - sppsvc.exe / PID: 956 - CortanaMapiHelper.ProxyStub.exe / PID: 1512

URLs

http://teleg.run/QulabZ

Signatures

Qulab Stealer & Clipper
Infostealer and clipper created with AutoIt.
stealer qulab

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.sqlite3.module.dll	acprotect
\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.sqlite3.module.dll	acprotect

Executes dropped EXE 1 IoCs

Processes:

CortanaMapiHelper.ProxyStub.module.exe

pid process

1932 CortanaMapiHelper.ProxyStub.module.exe

pid	process
1932	CortanaMapiHelper.ProxyStub.module.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.sqlite3.module.dll	upx
\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.sqlite3.module.dll	upx
behavioral1/memory/1512-59-0x0000000061E00000-0x0000000061ED2000-memory.dmp	upx

Loads dropped DLL 4 IoCs

Processes:

CortanaMapiHelper.ProxyStub.exe

pid	process
1512	CortanaMapiHelper.ProxyStub.exe
1512	CortanaMapiHelper.ProxyStub.exe
1512	CortanaMapiHelper.ProxyStub.exe
1512	CortanaMapiHelper.ProxyStub.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ipapi.co
5 ipapi.co

flow	ioc
4	ipapi.co
5	ipapi.co

Drops file in System32 directory 2 IoCs

Processes:

CortanaMapiHelper.ProxyStub.exeCortanaMapiHelper.ProxyStub.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\winmgmts:\localhost\	CortanaMapiHelper.ProxyStub.exe
File opened for modification	C:\Windows\SysWOW64\winmgmts:\localhost\	CortanaMapiHelper.ProxyStub.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NTFS ADS 2 IoCs

Processes:

358928e393e91937f17a754c2fca43d8eedc2d797e960610d9a35c4190197020.exeCortanaMapiHelper.ProxyStub.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\	358928e393e91937f17a754c2fca43d8eedc2d797e960610d9a35c4190197020.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\winmgmts:\localhost\	CortanaMapiHelper.ProxyStub.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

CortanaMapiHelper.ProxyStub.exe

pid process

1512 CortanaMapiHelper.ProxyStub.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

358928e393e91937f17a754c2fca43d8eedc2d797e960610d9a35c4190197020.exe

pid process

1880 358928e393e91937f17a754c2fca43d8eedc2d797e960610d9a35c4190197020.exe

pid	process
1880	358928e393e91937f17a754c2fca43d8eedc2d797e960610d9a35c4190197020.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

358928e393e91937f17a754c2fca43d8eedc2d797e960610d9a35c4190197020.exetaskeng.exeCortanaMapiHelper.ProxyStub.exe

description	pid	process	target process
PID 1880 wrote to memory of 1512	1880	358928e393e91937f17a754c2fca43d8eedc2d797e960610d9a35c4190197020.exe	CortanaMapiHelper.ProxyStub.exe
PID 1880 wrote to memory of 1512	1880	358928e393e91937f17a754c2fca43d8eedc2d797e960610d9a35c4190197020.exe	CortanaMapiHelper.ProxyStub.exe
PID 1880 wrote to memory of 1512	1880	358928e393e91937f17a754c2fca43d8eedc2d797e960610d9a35c4190197020.exe	CortanaMapiHelper.ProxyStub.exe
PID 1880 wrote to memory of 1512	1880	358928e393e91937f17a754c2fca43d8eedc2d797e960610d9a35c4190197020.exe	CortanaMapiHelper.ProxyStub.exe
PID 1192 wrote to memory of 1724	1192	taskeng.exe	CortanaMapiHelper.ProxyStub.exe
PID 1192 wrote to memory of 1724	1192	taskeng.exe	CortanaMapiHelper.ProxyStub.exe
PID 1192 wrote to memory of 1724	1192	taskeng.exe	CortanaMapiHelper.ProxyStub.exe
PID 1192 wrote to memory of 1724	1192	taskeng.exe	CortanaMapiHelper.ProxyStub.exe
PID 1512 wrote to memory of 1932	1512	CortanaMapiHelper.ProxyStub.exe	CortanaMapiHelper.ProxyStub.module.exe
PID 1512 wrote to memory of 1932	1512	CortanaMapiHelper.ProxyStub.exe	CortanaMapiHelper.ProxyStub.module.exe
PID 1512 wrote to memory of 1932	1512	CortanaMapiHelper.ProxyStub.exe	CortanaMapiHelper.ProxyStub.module.exe
PID 1512 wrote to memory of 1932	1512	CortanaMapiHelper.ProxyStub.exe	CortanaMapiHelper.ProxyStub.module.exe
PID 1192 wrote to memory of 784	1192	taskeng.exe	CortanaMapiHelper.ProxyStub.exe
PID 1192 wrote to memory of 784	1192	taskeng.exe	CortanaMapiHelper.ProxyStub.exe
PID 1192 wrote to memory of 784	1192	taskeng.exe	CortanaMapiHelper.ProxyStub.exe
PID 1192 wrote to memory of 784	1192	taskeng.exe	CortanaMapiHelper.ProxyStub.exe

C:\Users\Admin\AppData\Local\Temp\358928e393e91937f17a754c2fca43d8eedc2d797e960610d9a35c4190197020.exe
"C:\Users\Admin\AppData\Local\Temp\358928e393e91937f17a754c2fca43d8eedc2d797e960610d9a35c4190197020.exe"
1⤵
- NTFS ADS
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.exe
  C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.exe
  2⤵
  - Loads dropped DLL
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.module.exe
    C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.module.exe a -y "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\41646D696E5456484A43574D4857494E5F375836.7z" "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\1\*"
    3⤵
    - Executes dropped EXE
    PID:1932

C:\Windows\system32\taskeng.exe
taskeng.exe {217071D1-02C7-4FBD-8DB4-76D13AE7067B} S-1-5-21-790309383-526510583-3802439154-1000:TVHJCWMH\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.exe
  C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.exe
  2⤵
  - Drops file in System32 directory
  PID:1724
- C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.exe
  C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.exe
  2⤵
  - Drops file in System32 directory
  PID:784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\1\Information.txt

Filesize
3KB

MD5
514ab51be212d8fd4466278bf6b783b5

SHA1
0468b6c465fa846cefbcb28f8c5af4b643291b27

SHA256
c50c8535dc69bb051b0ece5a2623c5a8efc925dc39509067a4f84bf7c597130f

SHA512
d323e389563fc096880f91bdbc82b138c373081783b2a2f3cfaac408197cfb643aec0f2fce2717283a4c5f7851e965f1b06fe1f956a7e2348c28cf2a2dbe9daf

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\1\Screen.jpg

Filesize
49KB

MD5
d19934e02a4b7e07459b8aee8e65b746

SHA1
d7d15c75a67c94a6cb03496154b7be0646b42e9b

SHA256
7f5a4476bec35426150883920e8a8cfac9e7183b1dfed052d25b7cc653940c85

SHA512
b1dcce64eefed2a449d009ae9bfc13d91322035bd6c2b5f78899ea01e5c77e7bb201bcfdff2181add6518ed8d52c61a8616f4069e18981b6e75ad086a974fc5f

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.module.exe

Filesize
325KB

MD5
0668ef8068965996eb556fe0022c3459

SHA1
2bf527ce2db7e7a68e53467be9b0d71c06de4d6f

SHA256
ee7b61ff0adf48cc99ff45ae651f3793996fd85428984545ede59ba778f2d620

SHA512
b544b4d77741224bf919c67a7aea16475accd5e3858fb0b113619c8e18586ca7ee2a54ae5650d36c3a6342d9a19fe18a3842b1ea72ec436ec0898870cec1fb7d

Download Submit
\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.module.exe

Filesize
325KB

MD5
0668ef8068965996eb556fe0022c3459

SHA1
2bf527ce2db7e7a68e53467be9b0d71c06de4d6f

SHA256
ee7b61ff0adf48cc99ff45ae651f3793996fd85428984545ede59ba778f2d620

SHA512
b544b4d77741224bf919c67a7aea16475accd5e3858fb0b113619c8e18586ca7ee2a54ae5650d36c3a6342d9a19fe18a3842b1ea72ec436ec0898870cec1fb7d

Download Submit
\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.module.exe

Filesize
325KB

MD5
0668ef8068965996eb556fe0022c3459

SHA1
2bf527ce2db7e7a68e53467be9b0d71c06de4d6f

SHA256
ee7b61ff0adf48cc99ff45ae651f3793996fd85428984545ede59ba778f2d620

SHA512
b544b4d77741224bf919c67a7aea16475accd5e3858fb0b113619c8e18586ca7ee2a54ae5650d36c3a6342d9a19fe18a3842b1ea72ec436ec0898870cec1fb7d

Download Submit
\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.sqlite3.module.dll

Filesize
359KB

MD5
81a0ebd8d7c725a249d14c403a67a2c0

SHA1
843658a33936628bcb18f4bb8c08b2e0a4643696

SHA256
da375641c5ad4e752983e0fbcfeb4c6d20e240507331a6fac5f3b32ffe97e6c8

SHA512
d5e775ab3d29f5f81a4333b89d44dc0657cfabb382d4567628f11784e4aa85b52dac65e93fb77cba25f1c05cc1e17d3d9a091a72e58a48e63992de9a469fa6d3

Download Submit
\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.sqlite3.module.dll

Filesize
359KB

MD5
81a0ebd8d7c725a249d14c403a67a2c0

SHA1
843658a33936628bcb18f4bb8c08b2e0a4643696

SHA256
da375641c5ad4e752983e0fbcfeb4c6d20e240507331a6fac5f3b32ffe97e6c8

SHA512
d5e775ab3d29f5f81a4333b89d44dc0657cfabb382d4567628f11784e4aa85b52dac65e93fb77cba25f1c05cc1e17d3d9a091a72e58a48e63992de9a469fa6d3

Download Submit
memory/784-68-0x0000000000000000-mapping.dmp

Download
memory/1512-59-0x0000000061E00000-0x0000000061ED2000-memory.dmp

Filesize
840KB

Download
memory/1512-55-0x0000000000000000-mapping.dmp

Download
memory/1724-60-0x0000000000000000-mapping.dmp

Download
memory/1880-54-0x0000000075311000-0x0000000075313000-memory.dmp

Filesize
8KB

Download
memory/1932-64-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads