Analysis
-
max time kernel
137s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
26-06-2022 23:52
General
-
Target
358928e393e91937f17a754c2fca43d8eedc2d797e960610d9a35c4190197020.exe
-
Size
1.6MB
-
MD5
cfe244a13a7c4c4b6d4490efa712f32f
-
SHA1
ab66780f1ed25f841142ba142f973ae4924af479
-
SHA256
358928e393e91937f17a754c2fca43d8eedc2d797e960610d9a35c4190197020
-
SHA512
57d4561ff936bce62afeb480bc40cfe04ddbc1b40ad0495a5d29786b6c1695384dbf11057347f31ad797736965d2cc5d33059966410ec31e218839e55ce7e371
Malware Config
Extracted
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\1\Information.txt
qulab
http://teleg.run/QulabZ
Signatures
-
Qulab Stealer & Clipper
Infostealer and clipper created with AutoIt.
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
-
Executes dropped EXE 1 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NTFS ADS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\358928e393e91937f17a754c2fca43d8eedc2d797e960610d9a35c4190197020.exe"C:\Users\Admin\AppData\Local\Temp\358928e393e91937f17a754c2fca43d8eedc2d797e960610d9a35c4190197020.exe"1⤵
- NTFS ADS
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.exeC:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.exe2⤵
- Loads dropped DLL
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.module.exeC:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.module.exe a -y "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\41646D696E4653484C5250544257494E5F313058.7z" "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\1\*"3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.exeC:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.exe1⤵
- Drops file in System32 directory
-
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.exeC:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.exe1⤵
- Drops file in System32 directory
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD537f4aa89a0725a215a2fb993bd6dfbdc
SHA12706bbdbccf6a7eebb7e83ef94d9d6ac476f9451
SHA256773dc0ab88e38b6ab1a8f5f82985c34e16a817a7f88c9565d41f7a40d21823e9
SHA512723960d444b74f2bba7492f73bcb4c0f7795e32bb10ecb237b86485fa8b832c57193fdb6c7060e5b48df011cefd3cabc2b395b63ff242cb33757144bf3f91811
-
Filesize
47KB
MD5e1d90981393ea298b1fef240bdeabbbc
SHA16d09ffb4ffa85168b8c561ad8ae018d467b3a5ea
SHA256699f190151df9a0a261322a430465f07fc7e73556c0008a1634d4324a707bdc8
SHA512f82a6d8379a478241ede75ca682bc957a7228bcb68282d0f4b6f145d09622950af90f7fb8031c22a1903608e9c517d0a29ee371aa7e8178cb8a64f6d392d2603
-
Filesize
325KB
MD50668ef8068965996eb556fe0022c3459
SHA12bf527ce2db7e7a68e53467be9b0d71c06de4d6f
SHA256ee7b61ff0adf48cc99ff45ae651f3793996fd85428984545ede59ba778f2d620
SHA512b544b4d77741224bf919c67a7aea16475accd5e3858fb0b113619c8e18586ca7ee2a54ae5650d36c3a6342d9a19fe18a3842b1ea72ec436ec0898870cec1fb7d
-
Filesize
325KB
MD50668ef8068965996eb556fe0022c3459
SHA12bf527ce2db7e7a68e53467be9b0d71c06de4d6f
SHA256ee7b61ff0adf48cc99ff45ae651f3793996fd85428984545ede59ba778f2d620
SHA512b544b4d77741224bf919c67a7aea16475accd5e3858fb0b113619c8e18586ca7ee2a54ae5650d36c3a6342d9a19fe18a3842b1ea72ec436ec0898870cec1fb7d
-
Filesize
359KB
MD581a0ebd8d7c725a249d14c403a67a2c0
SHA1843658a33936628bcb18f4bb8c08b2e0a4643696
SHA256da375641c5ad4e752983e0fbcfeb4c6d20e240507331a6fac5f3b32ffe97e6c8
SHA512d5e775ab3d29f5f81a4333b89d44dc0657cfabb382d4567628f11784e4aa85b52dac65e93fb77cba25f1c05cc1e17d3d9a091a72e58a48e63992de9a469fa6d3
-
Filesize
359KB
MD581a0ebd8d7c725a249d14c403a67a2c0
SHA1843658a33936628bcb18f4bb8c08b2e0a4643696
SHA256da375641c5ad4e752983e0fbcfeb4c6d20e240507331a6fac5f3b32ffe97e6c8
SHA512d5e775ab3d29f5f81a4333b89d44dc0657cfabb382d4567628f11784e4aa85b52dac65e93fb77cba25f1c05cc1e17d3d9a091a72e58a48e63992de9a469fa6d3
-
-
-
Filesize
840KB
-
Filesize
840KB
