Analysis
-
max time kernel
125s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20220721-en -
resource tags
-
submitted
24-07-2022 05:52
General
-
Target
58fdef0ce9400990141d80e87e636dc61c8d0d320a6b5996274f774a0cb19ee3.exe
-
Size
1.8MB
-
MD5
073b241eb2c930735b7018c70d19d989
-
SHA1
4010568d660b07da6b3405d137181423ee23d956
-
SHA256
58fdef0ce9400990141d80e87e636dc61c8d0d320a6b5996274f774a0cb19ee3
-
SHA512
ed118dfd74356dbcec198d9f6acc64803c0923a9895929225cbcaf5b966a3c6ae40dc6d97f4ae8e6b2a55237470bfe8577dfd6a275898ed37d5b9fadb7985efc
Malware Config
Extracted
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\1\Information.txt
qulab
http://teleg.run/QulabZ
Signatures
-
Qulab Stealer & Clipper
Infostealer and clipper created with AutoIt.
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
-
Executes dropped EXE 1 IoCs
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NTFS ADS 2 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\58fdef0ce9400990141d80e87e636dc61c8d0d320a6b5996274f774a0cb19ee3.exe"C:\Users\Admin\AppData\Local\Temp\58fdef0ce9400990141d80e87e636dc61c8d0d320a6b5996274f774a0cb19ee3.exe"1⤵
- NTFS ADS
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\mfc40.exeC:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\mfc40.exe2⤵
- Loads dropped DLL
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\mfc40.module.exeC:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\mfc40.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\ENU_801FE97985769ECE9D41.7z" "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\1\*"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\mfc40.exeC:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\mfc40.exe1⤵
- Drops file in System32 directory
-
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\mfc40.exeC:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\mfc40.exe1⤵
- Drops file in System32 directory
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5a5a2fd479390bf6c208d59f1c50a121d
SHA1ba47051b1c44c331d474ad3f69308ef7e1c4d7ce
SHA2565f4b16ba18c63c8481f22bc72f83ead5639af08b630ba3fd4ef65c6dcad8418e
SHA512f7a2dea05a31f81174cdc065f2720693346c31c70afdac7cc08112814cd2ab68ecc6278ccb84e269486e6b8a53754a305727cc9e675b7dd5f391d410289867f5
-
Filesize
52KB
MD5044e384671dd074137cc21f4b32e873a
SHA125bec3d31e68bac891d653cdec073c47a1a402cc
SHA256000c8b295df49ab637a6baac62f2cc51634874ecbd451fee14f29e60c3295253
SHA5127ee5eac3e6f086d2e295613ead296507a5a5f5ad00a34794ffbf47711febff29550a4891d041c4c658023975863f674f8743810cb45d428d84c9e6114fdbcde0
-
Filesize
46KB
MD5bc246af96e1a4bbc51aa7d26466cfc34
SHA15c1fd3518dfd33ef0c7312c084d64b6fab2cd00d
SHA256d09f72ba3db3f6dee3ead4c7d6a13aa0f34db6b74b78a24b820fa91c2ec3aba8
SHA512e3fd98972179f95985e5a7c9ff06373142ba452f8fd5a3c6b801e57ac37df0f46f2c0d21d40551565e3622526140b0c89dcba333f606e0a94a65cba2396e381e
-
Filesize
218KB
MD59c5b4e4fcae7eb410f09c9e46ffb4a6d
SHA19d233bbe69676b1064f1deafba8e70a9acc00773
SHA2560376139308f3e83a73b76d3938d9c100779a83b98eeb3b3ebacfcbd1cc027fe9
SHA51259c35d730dc17e790aa4c89f82fd2f64b4d67405c2bdf21d4a9757fa8bfb64461f1247c9da482b310b117f1a24144bf6c612c9f7587577b7a286e2e3de724ee5
-
Filesize
218KB
MD59c5b4e4fcae7eb410f09c9e46ffb4a6d
SHA19d233bbe69676b1064f1deafba8e70a9acc00773
SHA2560376139308f3e83a73b76d3938d9c100779a83b98eeb3b3ebacfcbd1cc027fe9
SHA51259c35d730dc17e790aa4c89f82fd2f64b4d67405c2bdf21d4a9757fa8bfb64461f1247c9da482b310b117f1a24144bf6c612c9f7587577b7a286e2e3de724ee5
-
Filesize
359KB
MD5a6e1b13b0b624094e6fb3a7bedb70930
SHA184b58920afd8e88181c4286fa2438af81f097781
SHA2563b266088e1eb148534a8f95610e07749f7254f29d19f6f6686a1f0c85c9241bd
SHA51226c2dffb44b7b0c2eb6e8fde7d5c6dce118af14971552bedeb131436f53edd28da98af8cf219bb7814cf4563624638cf73c7017fc3936b5112ff9f8c43f11591
-
Filesize
359KB
MD5a6e1b13b0b624094e6fb3a7bedb70930
SHA184b58920afd8e88181c4286fa2438af81f097781
SHA2563b266088e1eb148534a8f95610e07749f7254f29d19f6f6686a1f0c85c9241bd
SHA51226c2dffb44b7b0c2eb6e8fde7d5c6dce118af14971552bedeb131436f53edd28da98af8cf219bb7814cf4563624638cf73c7017fc3936b5112ff9f8c43f11591
-
Filesize
836KB
-
Filesize
836KB
-
Filesize
836KB
-
Filesize
836KB
-
Filesize
568KB
-
Filesize
568KB
