Analysis Overview
SHA256
a2a50f6b94aa1197a1b67de009d282ebde0e9c2d5d04939cafad95d846e23526
Threat Level: Known bad
The file a2a50f6b94aa1197a1b67de009d282ebde0e9c2d5d04939cafad95d846e23526 was found to be: Known bad.
Malicious Activity Summary
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
UPX packed file
Sets file to hidden
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
Drops file in System32 directory
AutoIT Executable
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Suspicious use of AdjustPrivilegeToken
Script User-Agent
NTFS ADS
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-07-01 14:19
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Reported
0001-01-01 00:00
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-07-01 14:19
Reported
2022-07-01 14:50
Platform
win10v2004-20220414-en
Max time kernel
170s
Max time network
183s
Command Line
Signatures
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.module.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.exe | N/A |
Enumerates physical storage devices
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ | C:\Users\Admin\AppData\Local\Temp\a2a50f6b94aa1197a1b67de009d282ebde0e9c2d5d04939cafad95d846e23526.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a2a50f6b94aa1197a1b67de009d282ebde0e9c2d5d04939cafad95d846e23526.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.module.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.module.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\a2a50f6b94aa1197a1b67de009d282ebde0e9c2d5d04939cafad95d846e23526.exe
"C:\Users\Admin\AppData\Local\Temp\a2a50f6b94aa1197a1b67de009d282ebde0e9c2d5d04939cafad95d846e23526.exe"
C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.exe
C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.exe
C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.module.exe
C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\[] .7z" "C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\1\*"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch"
C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.exe
C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.exe
C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.exe
C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 20.42.73.26:443 | | tcp |
| US | 8.8.8.8:53 | ipapi.co | udp |
| US | 104.26.8.44:443 | ipapi.co | tcp |
| IE | 20.54.110.249:443 | | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 87.248.202.1:80 | | tcp |
| NL | 87.248.202.1:80 | | tcp |
| US | 8.8.8.8:53 | crl.godaddy.com | udp |
| US | 192.124.249.36:80 | crl.godaddy.com | tcp |
| US | 192.124.249.31:80 | crl.godaddy.com | tcp |
| US | 8.8.8.8:53 | crl.godaddy.com | udp |
| US | 192.124.249.41:80 | crl.godaddy.com | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 192.124.249.41:80 | crl.godaddy.com | tcp |
| US | 192.124.249.41:80 | crl.godaddy.com | tcp |
| US | 192.124.249.36:80 | crl.godaddy.com | tcp |
Files
memory/1408-130-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.sqlite3.module.dll
| MD5 | 8c127ce55bfbb55eb9a843c693c9f240 |
| SHA1 | 75c462c935a7ff2c90030c684440d61d48bb1858 |
| SHA256 | 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028 |
| SHA512 | d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02 |
memory/1408-133-0x0000000061E00000-0x0000000061ED2000-memory.dmp
memory/1408-134-0x0000000061E00000-0x0000000061ED2000-memory.dmp
memory/996-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\1\Information.txt
| MD5 | 65a52ccf7f59daea41675a675e51e855 |
| SHA1 | ebe09ccb3838320d6c601e30dbe3110a57514d3b |
| SHA256 | cfa76882cd8b301dff77d22e682f183c80f3d69c1ee9af79cd1eeee41101cd91 |
| SHA512 | a51252739fddd3d4f06fa559a3fcedd1d6dd8c3126b9cb2f4a3da010799d2be3f163c6ea51ad2ef22baaa9cdc752ac6f6cf78ccdd7212eb7410392d1ee4426a3 |
C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\1\Screen.jpg
| MD5 | 5da5cb4d4342f1e9df83fc6a7dd17b59 |
| SHA1 | 7b6734767b70ad8d42a576795b7a3f7ec6977f78 |
| SHA256 | d6117fe18db3f533000ed570ee2cbae9c54c70ed98cba917bb1e03da024e03b9 |
| SHA512 | 961f69d3de07aa3667d41ad40a9f7e4b7cd45f3003aff21d25739fa2a81477280a6a2e327d59b6c5f5e5cd5c8788c6f25ec4b1e93d55d9d1aa7acc80655c881e |
memory/996-140-0x0000000000400000-0x000000000047D000-memory.dmp
memory/996-141-0x0000000000400000-0x000000000047D000-memory.dmp
memory/1408-142-0x0000000061E00000-0x0000000061ED2000-memory.dmp
memory/1408-143-0x0000000061E00000-0x0000000061ED2000-memory.dmp
C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\[] .7z
| MD5 | 6731a182fc7298fbfa8bfb680a792092 |
| SHA1 | 2a1c21b95d2e522e00fa1490cc8275d136e3ae08 |
| SHA256 | ccf103efdd6ff6b2e4c8eb46362539e729738e2a10ee79d1257d07d2fd82e325 |
| SHA512 | 53a82c32fee9729469f6fccf9359ccfca6bb8f3ea78fb41118ea0c176b979d0441764117de4b3a909a1975cda47cc3d071ad78f5b6c59f674076e6fa1dbff292 |
memory/4540-145-0x0000000000000000-mapping.dmp