Analysis

  • max time kernel
    171s
  • max time network
    179s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    12-07-2022 15:49

General

  • Target

    49b8fccdb9059ec9d100159ecd7b0a9d1e03928d6c40340d99c94757001c9184.exe

  • Size

    3.7MB

  • MD5

    e6d939a4cbc17992753b158c1173451c

  • SHA1

    90d8898167449cd08ba3a1728432e681a8754db5

  • SHA256

    49b8fccdb9059ec9d100159ecd7b0a9d1e03928d6c40340d99c94757001c9184

  • SHA512

    b14222727e86440fe3173f2c6ce5a7b41b1da3151c78e406fdce525bb692fccc71a2df17a1a064dfc9199ce35b8459256a707b698ef06819df354d7df48098c6

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\1\Information.txt

Family

qulab

Ransom Note
# /===============================\
# |=== QULAB CLIPPER + STEALER ===|
# |===============================|
# |==== BUY CLIPPER + STEALER ====|
# |=== http://teleg.run/QulabZ ===|
# \===============================/

Date: 13.07.2022, 06:15:10

Main Information:
- OS: Windows 10 X64 / Build: 19041
- UserName: Admin
- ComputerName: TWJYXOUL
- Processor: Intel Core Processor (Broadwell)
- VideoCard: Microsoft Basic Display Adapter
- Memory: 4.00 Gb
- KeyBoard Layout ID: 00000409
- Resolution: 1280x720x32, 64 GHz

Other Information:
<error>

Soft / Windows Components / Windows Updates:
- Google Chrome
- Microsoft Edge
- Microsoft Edge Update
- Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030
- Java Auto Updater
- Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.30.30704
- Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.30.30704
- Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.40660
- Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.40660
- Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
- Adobe Acrobat Reader DC
- Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030
- Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030
- Microsoft Visual C++ 2022 X86 Additional Runtime - 14.30.30704
- Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030
- Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.40660
- Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40660
- Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
- Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.30.30704

Process List:
- [System Process] / PID: 0
- System / PID: 4
- Registry / PID: 92
- smss.exe / PID: 352
- csrss.exe / PID: 436
- wininit.exe / PID: 528
- csrss.exe / PID: 536
- winlogon.exe / PID: 612
- services.exe / PID: 668
- lsass.exe / PID: 680
- svchost.exe / PID: 784
- fontdrvhost.exe / PID: 796
- fontdrvhost.exe / PID: 804
- svchost.exe / PID: 900
- svchost.exe / PID: 960
- dwm.exe / PID: 376
- svchost.exe / PID: 524
- svchost.exe / PID: 388
- svchost.exe / PID: 920
- svchost.exe / PID: 1052
- svchost.exe / PID: 1084
- svchost.exe / PID: 1116
- svchost.exe / PID: 1128
- svchost.exe / PID: 1136
- svchost.exe / PID: 1268
- svchost.exe / PID: 1284
- svchost.exe / PID: 1340
- svchost.exe / PID: 1392
- svchost.exe / PID: 1400
- svchost.exe / PID: 1532
- svchost.exe / PID: 1548
- svchost.exe / PID: 1620
- svchost.exe / PID: 1696
- svchost.exe / PID: 1736
- svchost.exe / PID: 1744
- svchost.exe / PID: 1768
- svchost.exe / PID: 1860
- svchost.exe / PID: 2008
- svchost.exe / PID: 2024
- svchost.exe / PID: 1660
- svchost.exe / PID: 1644
- svchost.exe / PID: 1812
- spoolsv.exe / PID: 2124
- svchost.exe / PID: 2164
- svchost.exe / PID: 2212
- svchost.exe / PID: 2300
- svchost.exe / PID: 2500
- svchost.exe / PID: 2508
- sihost.exe / PID: 2656
- svchost.exe / PID: 2724
- svchost.exe / PID: 2784
- OfficeClickToRun.exe / PID: 2792
- svchost.exe / PID: 2832
- svchost.exe / PID: 2852
- svchost.exe / PID: 2864
- taskhostw.exe / PID: 2872
- svchost.exe / PID: 676
- explorer.exe / PID: 3136
- svchost.exe / PID: 3252
- dllhost.exe / PID: 3448
- StartMenuExperienceHost.exe / PID: 3556
- RuntimeBroker.exe / PID: 3620
- SearchApp.exe / PID: 3700
- RuntimeBroker.exe / PID: 3880
- dllhost.exe / PID: 4124
- RuntimeBroker.exe / PID: 4324
- sppsvc.exe / PID: 4204
- svchost.exe / PID: 4288
- svchost.exe / PID: 2284
- svchost.exe / PID: 2236
- svchost.exe / PID: 1020
- WmiPrvSE.exe / PID: 2272
- WmiPrvSE.exe / PID: 4336
- SppExtComObj.Exe / PID: 3548
- svchost.exe / PID: 3860
- svchost.exe / PID: 3080
- backgroundTaskHost.exe / PID: 3188
- svchost.exe / PID: 3300
- svchost.exe / PID: 3836
- upfc.exe / PID: 3376
- svchost.exe / PID: 400
- sbeio.exe / PID: 4056

URLs

http://teleg.run/QulabZ

Signatures

  • Qulab Stealer & Clipper

    Infostealer and clipper created with AutoIt.

  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 1 IoCs
  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • VMProtect packed file 12 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 12 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NTFS ADS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\49b8fccdb9059ec9d100159ecd7b0a9d1e03928d6c40340d99c94757001c9184.exe
    "C:\Users\Admin\AppData\Local\Temp\49b8fccdb9059ec9d100159ecd7b0a9d1e03928d6c40340d99c94757001c9184.exe"
    1⤵
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2696
    • C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe
      C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe
      2⤵
      • Loads dropped DLL
      • NTFS ADS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4056
      • C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.module.exe
        C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\ENU_801FE97C5F89A74E9D41.7z" "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\1\*"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4496
      • C:\Windows\SysWOW64\attrib.exe
        attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db"
        3⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:2580
  • C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe
    C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    PID:3372
  • C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe
    C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.exe
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    PID:4812

Network

  • flag-us
    DNS
    api.telegram.org
    sbeio.exe
    Remote address:
    8.8.8.8:53
    Request
    api.telegram.org
    IN A
    Response
    api.telegram.org
    IN A
    149.154.167.220
  • flag-nl
    GET
    https://api.telegram.org/bot610711208:AAH_KYdito6nI-oMEXxgOOlOmAm7uhCpPrw/getMe
    sbeio.exe
    Remote address:
    149.154.167.220:443
    Request
    GET /bot610711208:AAH_KYdito6nI-oMEXxgOOlOmAm7uhCpPrw/getMe HTTP/1.1
    User-Agent: AutoIt
    Host: api.telegram.org
    Cache-Control: no-cache
    Response
    HTTP/1.1 401 Unauthorized
    Server: nginx/1.18.0
    Date: Wed, 13 Jul 2022 04:14:30 GMT
    Content-Type: application/json
    Content-Length: 58
    Connection: keep-alive
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
  • flag-us
    DNS
    ipapi.co
    sbeio.exe
    Remote address:
    8.8.8.8:53
    Request
    ipapi.co
    IN A
    Response
    ipapi.co
    IN A
    104.26.9.44
    ipapi.co
    IN A
    172.67.69.226
    ipapi.co
    IN A
    104.26.8.44
  • flag-us
    GET
    https://ipapi.co/json
    sbeio.exe
    Remote address:
    172.67.69.226:443
    Request
    GET /json HTTP/1.1
    User-Agent: AutoIt
    Host: ipapi.co
    Cache-Control: no-cache
    Response
    HTTP/1.1 429 Too Many Requests
    Date: Wed, 13 Jul 2022 04:15:13 GMT
    Content-Type: application/json
    Content-Length: 91
    Connection: keep-alive
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, HEAD, OPTIONS
    CF-Cache-Status: DYNAMIC
    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=yhS4A%2BHrnbnlv0JCGHhgjG8iQYilXfBhNpriGjVwr8FyoN7p%2FJoGBPOSMy36%2Bb3JRJB3J5ZKuc6X%2BZMSF2I3Pmnt0dOqOMEu8z4%2BghlRoriHvFhavv%2F%2BP40G"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 729f323cbc5db89a-AMS
  • 149.154.167.220:443
    https://api.telegram.org/bot610711208:AAH_KYdito6nI-oMEXxgOOlOmAm7uhCpPrw/getMe
    tls, http
    sbeio.exe
    1.1kB
    6.7kB
    15
    12

    HTTP Request

    GET https://api.telegram.org/bot610711208:AAH_KYdito6nI-oMEXxgOOlOmAm7uhCpPrw/getMe

    HTTP Response

    401
  • 104.26.9.44:443
    ipapi.co
    tls
    sbeio.exe
    630 B
    3.1kB
    8
    7
  • 13.69.239.74:443
    322 B
    7
  • 20.54.110.249:443
    46 B
    1
  • 13.107.4.50:80
    322 B
    7
  • 13.107.4.50:80
    322 B
    7
  • 104.26.9.44:443
    ipapi.co
    sbeio.exe
    260 B
    5
  • 172.67.69.226:443
    https://ipapi.co/json
    tls, http
    sbeio.exe
    879 B
    5.3kB
    12
    10

    HTTP Request

    GET https://ipapi.co/json

    HTTP Response

    429
  • 193.233.30.150:65233
    sbeio.exe
    260 B
    200 B
    5
    5
  • 8.8.8.8:53
    api.telegram.org
    dns
    sbeio.exe
    62 B
    78 B
    1
    1

    DNS Request

    api.telegram.org

    DNS Response

    149.154.167.220

  • 8.8.8.8:53
    ipapi.co
    dns
    sbeio.exe
    54 B
    102 B
    1
    1

    DNS Request

    ipapi.co

    DNS Response

    104.26.9.44
    172.67.69.226
    104.26.8.44

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\1\Information.txt

    Filesize

    3KB

    MD5

    93ef7f7acea6b6c7c820f564a119e4d2

    SHA1

    def465acae236ae027a7b1c839957ae8bac30917

    SHA256

    bc2207ed62bf358feea6776e9f07b969eecf8589020b0e81d476a1490a579727

    SHA512

    cde64da388496dbd0f7ce1c4d679ece5d17f01f59e42dda1754c09640536971d61c94aeda661abe6a63c97df2c16a36d0f50c5575c45b2b6044362f9fb3c7705

  • C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\1\Screen.jpg

    Filesize

    49KB

    MD5

    7d8789a6db9dd1e923efc3776efc5634

    SHA1

    4834cca776f0bef2913d27fe0900c32fdc13ec3e

    SHA256

    872f632526aa8ba4515d062994cd79066ae9d8e116bafff0a87e93a1262bf4b7

    SHA512

    6b37365f533bda00fe8f413985c86b009eb98044c05633dc73a55b20038fef6899480248a67b1c09e29d6c2180b76fa05418ee81477b184210daa206c0be8159

  • C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.module.exe

    Filesize

    197KB

    MD5

    946285055913d457fda78a4484266e96

    SHA1

    668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285

    SHA256

    23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb

    SHA512

    30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

  • C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-a..bility-assistant-db\sbeio.sqlite3.module.dll

    Filesize

    360KB

    MD5

    8c127ce55bfbb55eb9a843c693c9f240

    SHA1

    75c462c935a7ff2c90030c684440d61d48bb1858

    SHA256

    4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028

    SHA512

    d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02

  • memory/2696-134-0x0000000000270000-0x0000000000A37000-memory.dmp

    Filesize

    7.8MB

  • memory/2696-136-0x0000000000270000-0x0000000000A37000-memory.dmp

    Filesize

    7.8MB

  • memory/2696-131-0x0000000000270000-0x0000000000A37000-memory.dmp

    Filesize

    7.8MB

  • memory/3372-160-0x0000000000270000-0x0000000000A37000-memory.dmp

    Filesize

    7.8MB

  • memory/3372-157-0x0000000000270000-0x0000000000A37000-memory.dmp

    Filesize

    7.8MB

  • memory/4056-141-0x0000000000270000-0x0000000000A37000-memory.dmp

    Filesize

    7.8MB

  • memory/4056-147-0x0000000061E00000-0x0000000061ED2000-memory.dmp

    Filesize

    840KB

  • memory/4056-148-0x0000000061E00000-0x0000000061ED2000-memory.dmp

    Filesize

    840KB

  • memory/4056-146-0x0000000000270000-0x0000000000A37000-memory.dmp

    Filesize

    7.8MB

  • memory/4056-144-0x0000000061E00000-0x0000000061ED2000-memory.dmp

    Filesize

    840KB

  • memory/4056-145-0x0000000061E00000-0x0000000061ED2000-memory.dmp

    Filesize

    840KB

  • memory/4056-137-0x0000000000270000-0x0000000000A37000-memory.dmp

    Filesize

    7.8MB

  • memory/4056-140-0x0000000000270000-0x0000000000A37000-memory.dmp

    Filesize

    7.8MB

  • memory/4496-154-0x0000000000400000-0x000000000047D000-memory.dmp

    Filesize

    500KB

  • memory/4812-161-0x0000000000270000-0x0000000000A37000-memory.dmp

    Filesize

    7.8MB

  • memory/4812-164-0x0000000000270000-0x0000000000A37000-memory.dmp

    Filesize

    7.8MB

  • memory/4812-165-0x0000000000270000-0x0000000000A37000-memory.dmp

    Filesize

    7.8MB
