qulab | a2a50f6b94aa1197a1b67de009d282ebde0e9c2d5d04939cafad95d846e23526

General

Target

a2a50f6b94aa1197a1b67de009d282ebde0e9c2d5d04939cafad95d846e23526.exe
Size

1.8MB
MD5

df854228c8bdb6b7fc5fb60d53a6f452
SHA1

f3ba2eddaa4c66ae6689293b2c0fb03ec6672f54
SHA256

a2a50f6b94aa1197a1b67de009d282ebde0e9c2d5d04939cafad95d846e23526
SHA512

efc63e532073c7da51a5ddc73bd0cb78df3b5868cc5a24fac710ae0dbb255bbdc9658acd3051a6256f8683e90355d5af992d4e39587b2444eefad8b495832567

Score

10^/10

qulab discovery evasion spyware stealer upx

Malware Config

Signatures

Qulab Stealer & Clipper
Infostealer and clipper created with AutoIt.
stealer qulab

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00070000000231c3-131.dat	acprotect
behavioral2/files/0x00070000000231c3-132.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
996	wmsgapi.module.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
4540	attrib.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00070000000231c3-131.dat	upx
behavioral2/files/0x00070000000231c3-132.dat	upx
behavioral2/files/0x00070000000231c9-136.dat	upx
behavioral2/files/0x00070000000231c9-137.dat	upx
behavioral2/memory/996-140-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral2/memory/996-141-0x0000000000400000-0x000000000047D000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1408	wmsgapi.exe
1408	wmsgapi.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	ipapi.co
17	ipapi.co

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\winmgmts:\localhost\	wmsgapi.exe
File opened for modification	C:\Windows\SysWOW64\winmgmts:\localhost\	wmsgapi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\	a2a50f6b94aa1197a1b67de009d282ebde0e9c2d5d04939cafad95d846e23526.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\winmgmts:\localhost\	wmsgapi.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	61	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1408	wmsgapi.exe
1408	wmsgapi.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2508	a2a50f6b94aa1197a1b67de009d282ebde0e9c2d5d04939cafad95d846e23526.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	996	wmsgapi.module.exe
Token: 35	996	wmsgapi.module.exe
Token: SeSecurityPrivilege	996	wmsgapi.module.exe
Token: SeSecurityPrivilege	996	wmsgapi.module.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 1408	2508	a2a50f6b94aa1197a1b67de009d282ebde0e9c2d5d04939cafad95d846e23526.exe	82
PID 2508 wrote to memory of 1408	2508	a2a50f6b94aa1197a1b67de009d282ebde0e9c2d5d04939cafad95d846e23526.exe	82
PID 2508 wrote to memory of 1408	2508	a2a50f6b94aa1197a1b67de009d282ebde0e9c2d5d04939cafad95d846e23526.exe	82
PID 1408 wrote to memory of 996	1408	wmsgapi.exe	84
PID 1408 wrote to memory of 996	1408	wmsgapi.exe	84
PID 1408 wrote to memory of 996	1408	wmsgapi.exe	84
PID 1408 wrote to memory of 4540	1408	wmsgapi.exe	92
PID 1408 wrote to memory of 4540	1408	wmsgapi.exe	92
PID 1408 wrote to memory of 4540	1408	wmsgapi.exe	92

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
4540	attrib.exe

C:\Users\Admin\AppData\Local\Temp\a2a50f6b94aa1197a1b67de009d282ebde0e9c2d5d04939cafad95d846e23526.exe
"C:\Users\Admin\AppData\Local\Temp\a2a50f6b94aa1197a1b67de009d282ebde0e9c2d5d04939cafad95d846e23526.exe"
1⤵
- NTFS ADS
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.exe
  C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.exe
  2⤵
  - Loads dropped DLL
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1408
- - C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.module.exe
    C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\[] .7z" "C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\1\*"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:996
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:4540

C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.exe
C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.exe
1⤵
- Drops file in System32 directory
PID:100

C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.exe
C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.exe
1⤵
- Drops file in System32 directory
PID:1992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

2

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

2

T1158

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\1\Information.txt

Filesize
3KB

MD5
65a52ccf7f59daea41675a675e51e855

SHA1
ebe09ccb3838320d6c601e30dbe3110a57514d3b

SHA256
cfa76882cd8b301dff77d22e682f183c80f3d69c1ee9af79cd1eeee41101cd91

SHA512
a51252739fddd3d4f06fa559a3fcedd1d6dd8c3126b9cb2f4a3da010799d2be3f163c6ea51ad2ef22baaa9cdc752ac6f6cf78ccdd7212eb7410392d1ee4426a3

Download Submit
C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\1\Screen.jpg

Filesize
50KB

MD5
5da5cb4d4342f1e9df83fc6a7dd17b59

SHA1
7b6734767b70ad8d42a576795b7a3f7ec6977f78

SHA256
d6117fe18db3f533000ed570ee2cbae9c54c70ed98cba917bb1e03da024e03b9

SHA512
961f69d3de07aa3667d41ad40a9f7e4b7cd45f3003aff21d25739fa2a81477280a6a2e327d59b6c5f5e5cd5c8788c6f25ec4b1e93d55d9d1aa7acc80655c881e

Download Submit
C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\[] .7z

Filesize
44KB

MD5
6731a182fc7298fbfa8bfb680a792092

SHA1
2a1c21b95d2e522e00fa1490cc8275d136e3ae08

SHA256
ccf103efdd6ff6b2e4c8eb46362539e729738e2a10ee79d1257d07d2fd82e325

SHA512
53a82c32fee9729469f6fccf9359ccfca6bb8f3ea78fb41118ea0c176b979d0441764117de4b3a909a1975cda47cc3d071ad78f5b6c59f674076e6fa1dbff292

Download Submit
C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.module.exe

Filesize
197KB

MD5
946285055913d457fda78a4484266e96

SHA1
668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285

SHA256
23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb

SHA512
30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

Download Submit
C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.module.exe

Filesize
197KB

MD5
946285055913d457fda78a4484266e96

SHA1
668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285

SHA256
23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb

SHA512
30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

Download Submit
C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.sqlite3.module.dll

Filesize
360KB

MD5
8c127ce55bfbb55eb9a843c693c9f240

SHA1
75c462c935a7ff2c90030c684440d61d48bb1858

SHA256
4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028

SHA512
d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02

Download Submit
C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.sqlite3.module.dll

Filesize
360KB

MD5
8c127ce55bfbb55eb9a843c693c9f240

SHA1
75c462c935a7ff2c90030c684440d61d48bb1858

SHA256
4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028

SHA512
d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02

Download Submit
memory/996-140-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/996-141-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1408-134-0x0000000061E00000-0x0000000061ED2000-memory.dmp

Filesize
840KB

Download
memory/1408-142-0x0000000061E00000-0x0000000061ED2000-memory.dmp

Filesize
840KB

Download
memory/1408-143-0x0000000061E00000-0x0000000061ED2000-memory.dmp

Filesize
840KB

Download
memory/1408-133-0x0000000061E00000-0x0000000061ED2000-memory.dmp

Filesize
840KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads