Malware Analysis Report

2024-09-23 04:57

Sample ID 220714-f56jvsahb5
Target 47cc654925b72dc0dfefc34616c1760a680cb30f8973422c7bbc2a550ee1e1b8
SHA256 47cc654925b72dc0dfefc34616c1760a680cb30f8973422c7bbc2a550ee1e1b8
Tags
qulab discovery evasion ransomware spyware stealer upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

47cc654925b72dc0dfefc34616c1760a680cb30f8973422c7bbc2a550ee1e1b8

Threat Level: Known bad

The file 47cc654925b72dc0dfefc34616c1760a680cb30f8973422c7bbc2a550ee1e1b8 was found to be: Known bad.

Malicious Activity Summary

qulab discovery evasion ransomware spyware stealer upx

Qulab Stealer & Clipper

ACProtect 1.3x - 1.4x DLL software

UPX packed file

Executes dropped EXE

Sets file to hidden

Loads dropped DLL

Reads user/profile data of web browsers

Checks installed software on the system

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

AutoIT Executable

Drops file in System32 directory

Program crash

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: RenamesItself

NTFS ADS

Suspicious use of WriteProcessMemory

Views/modifies file attributes

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2022-07-14 05:28

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
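The static1 verdict rests on two file-level indicators: the UPX packer's section layout and, under it, AutoIt's compiled-script marker. The example below is added here for this report and is not the sandbox's or the sample's code. It parses the PE section table with the standard library only and reports both indicators; the headers-only PE built by build_minimal_pe is a constructed fixture so the code runs offline. The section names UPX0/UPX1 and the marker string "AU3!EA06" are real-world values; the heuristic that also flags a section with zero raw size, a non-zero virtual size and write+execute flags (the region the UPX stub decompresses into) is my generalisation for renamed sections. Note that the AutoIt marker sits inside the compressed payload, so on this sample it only becomes visible after unpacking (for a plain UPX layer, upx -d).

```python
import struct

# Section names UPX writes into the PE it produces; a renamed UPX build usually
# still shows the "no raw data, large virtual size, RWX" layout checked below.
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Marker of the compiled-script blob AutoIt appends to its interpreter stub.
# Only visible once any outer packer (here: UPX) has been removed.
AUTOIT_SCRIPT_MARKER = b"AU3!EA06"


def pe_sections(data):
    """Parse the COFF section table of a PE (PE32 or PE32+) without third-party libraries."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _flags = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(nsections):
        off = table + 40 * i  # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, _vaddr, rawsize, _rawptr = struct.unpack_from("<IIII", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name, "vsize": vsize, "rawsize": rawsize, "chars": chars})
    return sections


def assess_packing(data):
    """Static indicators behind the 'UPX packed file' / 'AutoIT Executable' signatures."""
    secs = pe_sections(data)
    names = [s["name"] for s in secs]
    # UPX0 is the classic case: nothing on disk, a large in-memory range, writable and
    # executable, because the stub decompresses the original image into it at run time.
    unpack_regions = [s["name"] for s in secs
                      if s["rawsize"] == 0 and s["vsize"] > 0
                      and s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE]
    return {
        "sections": names,
        "upx_section_names": any(n in UPX_SECTION_NAMES for n in names),
        "unpack_regions": unpack_regions,
        "autoit_marker": AUTOIT_SCRIPT_MARKER in data,
    }


def build_minimal_pe(sections):
    """Constructed test fixture: a headers-only PE32 image with the given
    (name, virtual_size, raw_size, characteristics) sections. Not loadable; it
    exists so the parser can be exercised offline."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ").ljust(e_lfanew, b"\0")
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    optional = bytes(224)  # PE32 optional header, all fields zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(optional), 0x0102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    vsize, 0x1000, rawsize, 0x400, 0, 0, 0, 0, chars)
        for name, vsize, rawsize, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + optional + table


if __name__ == "__main__":
    # Section layout modelled on a typical UPX output (constructed values).
    packed = build_minimal_pe([("UPX0", 0x20000, 0, 0xE0000080),
                               ("UPX1", 0xD000, 0xC800, 0xE0000040),
                               (".rsrc", 0x2000, 0x1200, 0xC0000040)])
    print(assess_packing(packed))
```

On a real sample replace the fixture with open(path, "rb").read(); the function raises on anything that is not a PE, which is itself a useful triage result for a file that claims to be one.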

Analysis: behavioral1

Detonation Overview

Submitted

2022-07-14 05:28

Reported

2022-07-14 09:06

Platform

win7-20220414-en

Max time kernel

121s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\47cc654925b72dc0dfefc34616c1760a680cb30f8973422c7bbc2a550ee1e1b8.exe"

Signatures

Qulab Stealer & Clipper

stealer qulab

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.module.exe | N/A

Sets file to hidden

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ipapi.co | N/A | N/A
N/A | ipapi.co | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.exe | N/A
File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.exe | N/A

Enumerates physical storage devices

NTFS ADS

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ | C:\Users\Admin\AppData\Local\Temp\47cc654925b72dc0dfefc34616c1760a680cb30f8973422c7bbc2a550ee1e1b8.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.exe | N/A

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\47cc654925b72dc0dfefc34616c1760a680cb30f8973422c7bbc2a550ee1e1b8.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1964 wrote to memory of 112 | N/A | C:\Users\Admin\AppData\Local\Temp\47cc654925b72dc0dfefc34616c1760a680cb30f8973422c7bbc2a550ee1e1b8.exe | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.exe
PID 1964 wrote to memory of 112 | N/A | C:\Users\Admin\AppData\Local\Temp\47cc654925b72dc0dfefc34616c1760a680cb30f8973422c7bbc2a550ee1e1b8.exe | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.exe
PID 1964 wrote to memory of 112 | N/A | C:\Users\Admin\AppData\Local\Temp\47cc654925b72dc0dfefc34616c1760a680cb30f8973422c7bbc2a550ee1e1b8.exe | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.exe
PID 1964 wrote to memory of 112 | N/A | C:\Users\Admin\AppData\Local\Temp\47cc654925b72dc0dfefc34616c1760a680cb30f8973422c7bbc2a550ee1e1b8.exe | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.exe
PID 112 wrote to memory of 1204 | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.exe | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.module.exe
PID 112 wrote to memory of 1204 | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.exe | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.module.exe
PID 112 wrote to memory of 1204 | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.exe | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.module.exe
PID 112 wrote to memory of 1204 | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.exe | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.module.exe
PID 112 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.exe | C:\Windows\SysWOW64\attrib.exe
PID 112 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.exe | C:\Windows\SysWOW64\attrib.exe
PID 112 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.exe | C:\Windows\SysWOW64\attrib.exe
PID 112 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.exe | C:\Windows\SysWOW64\attrib.exe
PID 360 wrote to memory of 1504 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.exe
PID 360 wrote to memory of 1504 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.exe
PID 360 wrote to memory of 1504 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.exe
PID 360 wrote to memory of 1504 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.exe
PID 360 wrote to memory of 1080 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.exe
PID 360 wrote to memory of 1080 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.exe
PID 360 wrote to memory of 1080 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.exe
PID 360 wrote to memory of 1080 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.exe

Views/modifies file attributes

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\47cc654925b72dc0dfefc34616c1760a680cb30f8973422c7bbc2a550ee1e1b8.exe

"C:\Users\Admin\AppData\Local\Temp\47cc654925b72dc0dfefc34616c1760a680cb30f8973422c7bbc2a550ee1e1b8.exe"

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.module.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\ENU_687FE975325E824E9D41.7z" "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\1\*"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows"

C:\Windows\system32\taskeng.exe

taskeng.exe {07CCD7BE-3923-4A04-9250-FF97CBBCF141} S-1-5-21-1819626980-2277161760-1023733287-1000:TBHNEBSE\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.telegram.org | udp
US | 8.8.8.8:53 | ipapi.co | udp
NL | 149.154.167.220:443 | api.telegram.org | tcp
US | 104.26.9.44:443 | ipapi.co | tcp
NL | 149.154.167.220:443 | api.telegram.org | tcp
NL | 149.154.167.220:443 | api.telegram.org | tcp
NL | 149.154.167.220:443 | api.telegram.org | tcp
NL | 149.154.167.220:443 | api.telegram.org | tcp
NL | 149.154.167.220:443 | api.telegram.org | tcp
NL | 149.154.167.220:443 | api.telegram.org | tcp
NL | 149.154.167.220:443 | api.telegram.org | tcp
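Read together, the behavioral1 records give the chain the summary signatures point at: the sample drops imapi2.exe into a WinSxS-style directory under AppData\Roaming, that copy runs imapi2.module.exe with what I read as 7-Zip command-line syntax (a -y -mx9 -ssw) to pack the staged 1\ directory (Information.txt, Screen.jpg) into a .7z, hides the directory with attrib +s +h, and is later re-launched twice by taskeng.exe, the Windows 7 Task Scheduler engine, so a scheduled task was registered; the only resolved destinations are ipapi.co and api.telegram.org. Two caveats a reviewer should carry into detection content: the "NTFS ADS" and "Drops file in System32 directory" hits are the string winmgmts:\localhost\ (the WMI moniker prefix) resolved as a path, not stream or System32 writes, which is my reading of the indicator column; and the behavioral2 run (Windows 10) crashed under WerFault before any of this happened, so its unresolved destinations should not be read as C2. The following example is added here and is not code from the sandbox or from the malware: it encodes these observations as checks over a constructed copy of the report's process, network and file records. The record layout, rule names and severities are my own.

```python
import re
import ntpath

# Constructed input: the behavioral1 process list above (parent PIDs taken from the
# WriteProcessMemory table), the two resolved destinations and the three "winmgmts:"
# file events. Sample data for the checks, not an export format of the sandbox.
STAGE = r"C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\47cc654925b72dc0dfefc34616c1760a680cb30f8973422c7bbc2a550ee1e1b8.exe"
PROCESSES = [
    {"pid": 1964, "ppid": 0,    "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 112,  "ppid": 1964, "image": STAGE + r"\imapi2.exe", "cmdline": STAGE + r"\imapi2.exe"},
    {"pid": 1204, "ppid": 112,  "image": STAGE + r"\imapi2.module.exe",
     "cmdline": STAGE + r'\imapi2.module.exe a -y -mx9 -ssw "' + STAGE
                + r'\ENU_687FE975325E824E9D41.7z" "' + STAGE + r'\1\*"'},
    {"pid": 1884, "ppid": 112,  "image": r"C:\Windows\SysWOW64\attrib.exe",
     "cmdline": 'attrib +s +h "' + STAGE + '"'},
    {"pid": 360,  "ppid": 0,    "image": r"C:\Windows\system32\taskeng.exe",
     "cmdline": r"taskeng.exe {07CCD7BE-3923-4A04-9250-FF97CBBCF141} S-1-5-21-1819626980-2277161760-1023733287-1000:TBHNEBSE\Admin:Interactive:[1]"},
    {"pid": 1504, "ppid": 360,  "image": STAGE + r"\imapi2.exe", "cmdline": STAGE + r"\imapi2.exe"},
    {"pid": 1080, "ppid": 360,  "image": STAGE + r"\imapi2.exe", "cmdline": STAGE + r"\imapi2.exe"},
]
NETWORK = [("api.telegram.org", "149.154.167.220:443"), ("ipapi.co", "104.26.9.44:443")]
FILE_EVENTS = ["C:\\Windows\\SysWOW64\\winmgmts:\\localhost\\",
               STAGE + "\\winmgmts:\\localhost\\",
               "C:\\Users\\Admin\\AppData\\Local\\Temp\\winmgmts:\\localhost\\"]

PROFILE_DIR = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\", re.I)
# WinSxS component-store naming (amd64_microsoft-windows-...) has no place under a user profile.
WINSXS_STYLE = re.compile(r"\\(amd64|x86|wow64)_microsoft-windows-", re.I)
# 7-Zip CLI shape "<exe> a ... -mx<N> ... <archive>.7z ...", whatever the executable is named.
ARCHIVE_CMD = re.compile(r'^\S+\s+a\s+(?=.*\s-mx\d)(?=.*"[^"]+\.7z")')
SUSPECT_DOMAINS = {
    "api.telegram.org": ("high", "Telegram Bot API from a non-browser process (common commodity-stealer exfil/C2 channel)"),
    "ipapi.co": ("medium", "external IP / geolocation lookup, a typical stealer step before exfil"),
}


def basename(path):
    return ntpath.basename(path).lower()


def check_process(p, by_pid):
    """Findings (severity, rule, detail) for one process record."""
    out, img, cmd = [], p["image"], p["cmdline"]
    parent = by_pid.get(p["ppid"])
    if basename(img) == "attrib.exe" and re.search(r"\+[sh]\b", cmd):
        targets = re.findall(r'"([^"]+)"', cmd)
        if targets and PROFILE_DIR.match(targets[0]):
            out.append(("high", "hides-profile-dir", f"pid {p['pid']}: {cmd}"))
    if ARCHIVE_CMD.match(cmd):
        archive = re.search(r'"([^"]+\.7z)"', cmd).group(1)
        out.append(("high", "archives-staged-data", f"pid {p['pid']}: {basename(img)} -> {archive}"))
    if PROFILE_DIR.match(img) and WINSXS_STYLE.search(img):
        out.append(("medium", "winsxs-style-dir-in-profile", f"pid {p['pid']}: {img}"))
    # taskeng.exe as parent means the Task Scheduler started this process: persistence.
    if parent and basename(parent["image"]) == "taskeng.exe" and PROFILE_DIR.match(img):
        out.append(("high", "scheduled-task-runs-profile-exe", f"pid {p['pid']}: {img}"))
    return out


def classify_file_event(path):
    """'winmgmts:' is the WMI moniker prefix, not a file name. The sandbox saw the colon and
    scored an NTFS ADS / System32 write; downgrade it rather than treat it as a stream."""
    if re.search(r"\\winmgmts:", path, re.I):
        return ("info", "wmi-moniker-not-ads", path)
    if ":" in path[2:]:  # a colon after the drive letter is a real stream name
        return ("medium", "possible-ads", path)
    return None


def analyze(processes, network, file_events):
    by_pid = {p["pid"]: p for p in processes}
    findings = []
    for p in processes:
        findings.extend(check_process(p, by_pid))
    for domain, dest in network:
        if domain in SUSPECT_DOMAINS:
            sev, why = SUSPECT_DOMAINS[domain]
            findings.append((sev, "suspect-domain", f"{domain} ({dest}): {why}"))
    for path in file_events:
        f = classify_file_event(path)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for sev, rule, detail in analyze(PROCESSES, NETWORK, FILE_EVENTS):
        print(f"[{sev:<6}] {rule:<32} {detail}")
```

The archive rule keys on the 7-Zip argument shape rather than the file name precisely because the dropper renamed the binary to imapi2.module.exe; the same applies to the attrib and taskeng rules, which look at parent and arguments instead of trusting a Windows-sounding image name.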

Files

memory/1964-54-0x0000000075401000-0x0000000075403000-memory.dmp

memory/112-55-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.sqlite3.module.dll

MD5 8c127ce55bfbb55eb9a843c693c9f240
SHA1 75c462c935a7ff2c90030c684440d61d48bb1858
SHA256 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028
SHA512 d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02

\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.sqlite3.module.dll

MD5 8c127ce55bfbb55eb9a843c693c9f240
SHA1 75c462c935a7ff2c90030c684440d61d48bb1858
SHA256 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028
SHA512 d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02

memory/112-58-0x0000000061E00000-0x0000000061ED2000-memory.dmp

\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.module.exe

MD5 946285055913d457fda78a4484266e96
SHA1 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285
SHA256 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb
SHA512 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.module.exe

MD5 946285055913d457fda78a4484266e96
SHA1 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285
SHA256 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb
SHA512 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

memory/1204-62-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\imapi2.module.exe

MD5 946285055913d457fda78a4484266e96
SHA1 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285
SHA256 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb
SHA512 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\1\Information.txt

MD5 7131dcddc7333aaa6133e4e16235618f
SHA1 4fb04484cab5a8a3c4bda929f80656428c70a8d6
SHA256 f88e8e926294915d1ec205f75463ce5476ff385ea30d1fae04eeb021f5875240
SHA512 6abb5f471bcad92cbd46347eef0a393e1534bbf93fc0365f24f4d32b8a49e7dd26efcd93be099b5894e3c40fb03ef57501676cbadd3b8c35a652c7bfba8758f9

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-b..environment-windows\1\Screen.jpg

MD5 6a56d84c443886e6cc1bf5950f3011a6
SHA1 744ac937ff6ead74099e166f1448bea2421da022
SHA256 6d0cb97a82debda0dcae5de4e08c7e85454b40a68b0fce6e8e883c7ef1700e68
SHA512 8006b0e5498718912ec25804c1ff9d212952066fd8729744a3d3ea09db0adc1c24be3e185cce89607471f9f98fa06914dd5680614bf89a08c754e3f39db2154e

memory/1204-66-0x0000000000400000-0x000000000047D000-memory.dmp

memory/1884-67-0x0000000000000000-mapping.dmp

memory/112-68-0x0000000002A80000-0x0000000002AFD000-memory.dmp

memory/112-69-0x0000000002A80000-0x0000000002AFD000-memory.dmp

memory/112-70-0x0000000061E00000-0x0000000061ED2000-memory.dmp

memory/112-71-0x0000000061E00000-0x0000000061ED2000-memory.dmp

memory/1504-72-0x0000000000000000-mapping.dmp

memory/1080-74-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-07-14 05:28

Reported

2022-07-14 09:06

Platform

win10v2004-20220414-en

Max time kernel

93s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\47cc654925b72dc0dfefc34616c1760a680cb30f8973422c7bbc2a550ee1e1b8.exe"

Signatures

NTFS ADS

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ | C:\Users\Admin\AppData\Local\Temp\47cc654925b72dc0dfefc34616c1760a680cb30f8973422c7bbc2a550ee1e1b8.exe | N/A

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\47cc654925b72dc0dfefc34616c1760a680cb30f8973422c7bbc2a550ee1e1b8.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\47cc654925b72dc0dfefc34616c1760a680cb30f8973422c7bbc2a550ee1e1b8.exe

"C:\Users\Admin\AppData\Local\Temp\47cc654925b72dc0dfefc34616c1760a680cb30f8973422c7bbc2a550ee1e1b8.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4352 -ip 4352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 988

Network

Country | Destination | Domain | Proto
GB | 51.104.15.253:443 | (none resolved) | tcp
NL | 104.110.191.140:80 | (none resolved) | tcp
NL | 104.110.191.133:80 | (none resolved) | tcp
NL | 104.110.191.140:80 | (none resolved) | tcp
FR | 2.16.119.157:443 | (none resolved) | tcp
FR | 2.16.119.157:443 | (none resolved) | tcp

Files

N/A