Malware Analysis Report

2024-09-23 04:57

Sample ID 220701-rm4hbsfggr
Target a2a50f6b94aa1197a1b67de009d282ebde0e9c2d5d04939cafad95d846e23526
SHA256 a2a50f6b94aa1197a1b67de009d282ebde0e9c2d5d04939cafad95d846e23526
Tags qulab discovery evasion spyware stealer upx
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 a2a50f6b94aa1197a1b67de009d282ebde0e9c2d5d04939cafad95d846e23526

Threat Level: Known bad

The file a2a50f6b94aa1197a1b67de009d282ebde0e9c2d5d04939cafad95d846e23526 was found to be: Known bad.

Malicious Activity Summary

qulab discovery evasion spyware stealer upx

Qulab Stealer & Clipper

ACProtect 1.3x - 1.4x DLL software

UPX packed file

Sets file to hidden

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Looks up external IP address via web service

Drops file in System32 directory

AutoIT Executable

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

Views/modifies file attributes

Suspicious use of AdjustPrivilegeToken

Script User-Agent

NTFS ADS

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2022-07-01 14:19

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Reported

0001-01-01 00:00

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-07-01 14:19

Reported

2022-07-01 14:50

Platform

win10v2004-20220414-en

Max time kernel

170s

Max time network

183s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a2a50f6b94aa1197a1b67de009d282ebde0e9c2d5d04939cafad95d846e23526.exe"

Signatures

Qulab Stealer & Clipper

stealer qulab

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.module.exe N/A

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipapi.co N/A N/A
N/A ipapi.co N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.exe N/A
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.exe N/A

Enumerates physical storage devices

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ C:\Users\Admin\AppData\Local\Temp\a2a50f6b94aa1197a1b67de009d282ebde0e9c2d5d04939cafad95d846e23526.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2a50f6b94aa1197a1b67de009d282ebde0e9c2d5d04939cafad95d846e23526.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.module.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.module.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.module.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.module.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2508 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\a2a50f6b94aa1197a1b67de009d282ebde0e9c2d5d04939cafad95d846e23526.exe C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.exe
PID 2508 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\a2a50f6b94aa1197a1b67de009d282ebde0e9c2d5d04939cafad95d846e23526.exe C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.exe
PID 2508 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\a2a50f6b94aa1197a1b67de009d282ebde0e9c2d5d04939cafad95d846e23526.exe C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.exe
PID 1408 wrote to memory of 996 N/A C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.exe C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.module.exe
PID 1408 wrote to memory of 996 N/A C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.exe C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.module.exe
PID 1408 wrote to memory of 996 N/A C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.exe C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.module.exe
PID 1408 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.exe C:\Windows\SysWOW64\attrib.exe
PID 1408 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.exe C:\Windows\SysWOW64\attrib.exe
PID 1408 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.exe C:\Windows\SysWOW64\attrib.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a2a50f6b94aa1197a1b67de009d282ebde0e9c2d5d04939cafad95d846e23526.exe

"C:\Users\Admin\AppData\Local\Temp\a2a50f6b94aa1197a1b67de009d282ebde0e9c2d5d04939cafad95d846e23526.exe"

C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.exe

C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.exe

C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.module.exe

C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\[] .7z" "C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\1\*"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch"

C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.exe

C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.exe

C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.exe

C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 20.42.73.26:443 tcp
US 8.8.8.8:53 ipapi.co udp
US 104.26.8.44:443 ipapi.co tcp
IE 20.54.110.249:443 tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 87.248.202.1:80 tcp
NL 87.248.202.1:80 tcp
US 8.8.8.8:53 crl.godaddy.com udp
US 192.124.249.36:80 crl.godaddy.com tcp
US 192.124.249.31:80 crl.godaddy.com tcp
US 8.8.8.8:53 crl.godaddy.com udp
US 192.124.249.41:80 crl.godaddy.com tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 192.124.249.41:80 crl.godaddy.com tcp
US 192.124.249.41:80 crl.godaddy.com tcp
US 192.124.249.36:80 crl.godaddy.com tcp

Files

memory/1408-130-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.sqlite3.module.dll

MD5 8c127ce55bfbb55eb9a843c693c9f240
SHA1 75c462c935a7ff2c90030c684440d61d48bb1858
SHA256 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028
SHA512 d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02

memory/1408-133-0x0000000061E00000-0x0000000061ED2000-memory.dmp

memory/1408-134-0x0000000061E00000-0x0000000061ED2000-memory.dmp

memory/996-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\wmsgapi.module.exe

MD5 946285055913d457fda78a4484266e96
SHA1 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285
SHA256 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb
SHA512 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\1\Information.txt

MD5 65a52ccf7f59daea41675a675e51e855
SHA1 ebe09ccb3838320d6c601e30dbe3110a57514d3b
SHA256 cfa76882cd8b301dff77d22e682f183c80f3d69c1ee9af79cd1eeee41101cd91
SHA512 a51252739fddd3d4f06fa559a3fcedd1d6dd8c3126b9cb2f4a3da010799d2be3f163c6ea51ad2ef22baaa9cdc752ac6f6cf78ccdd7212eb7410392d1ee4426a3

C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\1\Screen.jpg

MD5 5da5cb4d4342f1e9df83fc6a7dd17b59
SHA1 7b6734767b70ad8d42a576795b7a3f7ec6977f78
SHA256 d6117fe18db3f533000ed570ee2cbae9c54c70ed98cba917bb1e03da024e03b9
SHA512 961f69d3de07aa3667d41ad40a9f7e4b7cd45f3003aff21d25739fa2a81477280a6a2e327d59b6c5f5e5cd5c8788c6f25ec4b1e93d55d9d1aa7acc80655c881e

memory/996-140-0x0000000000400000-0x000000000047D000-memory.dmp

memory/996-141-0x0000000000400000-0x000000000047D000-memory.dmp

memory/1408-142-0x0000000061E00000-0x0000000061ED2000-memory.dmp

memory/1408-143-0x0000000061E00000-0x0000000061ED2000-memory.dmp

C:\Users\Admin\AppData\Roaming\x86_netfx-applaunch\[] .7z

MD5 6731a182fc7298fbfa8bfb680a792092
SHA1 2a1c21b95d2e522e00fa1490cc8275d136e3ae08
SHA256 ccf103efdd6ff6b2e4c8eb46362539e729738e2a10ee79d1257d07d2fd82e325
SHA512 53a82c32fee9729469f6fccf9359ccfca6bb8f3ea78fb41118ea0c176b979d0441764117de4b3a909a1975cda47cc3d071ad78f5b6c59f674076e6fa1dbff292

memory/4540-145-0x0000000000000000-mapping.dmp