Analysis Overview
SHA256
58fdef0ce9400990141d80e87e636dc61c8d0d320a6b5996274f774a0cb19ee3
Threat Level: Known bad
The file 58fdef0ce9400990141d80e87e636dc61c8d0d320a6b5996274f774a0cb19ee3 was found to be: Known bad.
Malicious Activity Summary
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
UPX packed file
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Drops file in System32 directory
AutoIT Executable
Enumerates physical storage devices
Script User-Agent
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
NTFS ADS
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-07-24 05:52
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-07-24 05:52
Reported
2022-07-25 15:35
Platform
win7-20220715-en
Max time kernel
33s
Max time network
38s
Command Line
Signatures
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ | C:\Users\Admin\AppData\Local\Temp\58fdef0ce9400990141d80e87e636dc61c8d0d320a6b5996274f774a0cb19ee3.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\58fdef0ce9400990141d80e87e636dc61c8d0d320a6b5996274f774a0cb19ee3.exe
"C:\Users\Admin\AppData\Local\Temp\58fdef0ce9400990141d80e87e636dc61c8d0d320a6b5996274f774a0cb19ee3.exe"
Network
Files
memory/1800-54-0x0000000075D41000-0x0000000075D43000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-07-24 05:52
Reported
2022-07-25 15:36
Platform
win10v2004-20220721-en
Max time kernel
125s
Max time network
119s
Command Line
Signatures
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\mfc40.module.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\mfc40.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\mfc40.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\mfc40.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\mfc40.exe | N/A |
Enumerates physical storage devices
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ | C:\Users\Admin\AppData\Local\Temp\58fdef0ce9400990141d80e87e636dc61c8d0d320a6b5996274f774a0cb19ee3.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\mfc40.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\mfc40.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\mfc40.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\58fdef0ce9400990141d80e87e636dc61c8d0d320a6b5996274f774a0cb19ee3.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\mfc40.module.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\mfc40.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\mfc40.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\mfc40.module.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\58fdef0ce9400990141d80e87e636dc61c8d0d320a6b5996274f774a0cb19ee3.exe
"C:\Users\Admin\AppData\Local\Temp\58fdef0ce9400990141d80e87e636dc61c8d0d320a6b5996274f774a0cb19ee3.exe"
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\mfc40.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\mfc40.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\mfc40.module.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\mfc40.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\ENU_801FE97985769ECE9D41.7z" "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\1\*"
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\mfc40.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\mfc40.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\mfc40.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\mfc40.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | ipapi.co | udp |
| US | 104.26.8.44:443 | ipapi.co | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| RU | 89.191.233.38:65233 | tcp | |
| US | 20.189.173.12:443 | tcp | |
| US | 209.197.3.8:80 | tcp |
Files
memory/2972-130-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\mfc40.sqlite3.module.dll
| MD5 | a6e1b13b0b624094e6fb3a7bedb70930 |
| SHA1 | 84b58920afd8e88181c4286fa2438af81f097781 |
| SHA256 | 3b266088e1eb148534a8f95610e07749f7254f29d19f6f6686a1f0c85c9241bd |
| SHA512 | 26c2dffb44b7b0c2eb6e8fde7d5c6dce118af14971552bedeb131436f53edd28da98af8cf219bb7814cf4563624638cf73c7017fc3936b5112ff9f8c43f11591 |
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\mfc40.sqlite3.module.dll
| MD5 | a6e1b13b0b624094e6fb3a7bedb70930 |
| SHA1 | 84b58920afd8e88181c4286fa2438af81f097781 |
| SHA256 | 3b266088e1eb148534a8f95610e07749f7254f29d19f6f6686a1f0c85c9241bd |
| SHA512 | 26c2dffb44b7b0c2eb6e8fde7d5c6dce118af14971552bedeb131436f53edd28da98af8cf219bb7814cf4563624638cf73c7017fc3936b5112ff9f8c43f11591 |
memory/2972-133-0x0000000061E00000-0x0000000061ED1000-memory.dmp
memory/2972-134-0x0000000061E00000-0x0000000061ED1000-memory.dmp
memory/3404-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\mfc40.module.exe
| MD5 | 9c5b4e4fcae7eb410f09c9e46ffb4a6d |
| SHA1 | 9d233bbe69676b1064f1deafba8e70a9acc00773 |
| SHA256 | 0376139308f3e83a73b76d3938d9c100779a83b98eeb3b3ebacfcbd1cc027fe9 |
| SHA512 | 59c35d730dc17e790aa4c89f82fd2f64b4d67405c2bdf21d4a9757fa8bfb64461f1247c9da482b310b117f1a24144bf6c612c9f7587577b7a286e2e3de724ee5 |
memory/3404-137-0x0000000000400000-0x000000000048E000-memory.dmp
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\mfc40.module.exe
| MD5 | 9c5b4e4fcae7eb410f09c9e46ffb4a6d |
| SHA1 | 9d233bbe69676b1064f1deafba8e70a9acc00773 |
| SHA256 | 0376139308f3e83a73b76d3938d9c100779a83b98eeb3b3ebacfcbd1cc027fe9 |
| SHA512 | 59c35d730dc17e790aa4c89f82fd2f64b4d67405c2bdf21d4a9757fa8bfb64461f1247c9da482b310b117f1a24144bf6c612c9f7587577b7a286e2e3de724ee5 |
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\1\Information.txt
| MD5 | a5a2fd479390bf6c208d59f1c50a121d |
| SHA1 | ba47051b1c44c331d474ad3f69308ef7e1c4d7ce |
| SHA256 | 5f4b16ba18c63c8481f22bc72f83ead5639af08b630ba3fd4ef65c6dcad8418e |
| SHA512 | f7a2dea05a31f81174cdc065f2720693346c31c70afdac7cc08112814cd2ab68ecc6278ccb84e269486e6b8a53754a305727cc9e675b7dd5f391d410289867f5 |
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\1\Screen.jpg
| MD5 | 044e384671dd074137cc21f4b32e873a |
| SHA1 | 25bec3d31e68bac891d653cdec073c47a1a402cc |
| SHA256 | 000c8b295df49ab637a6baac62f2cc51634874ecbd451fee14f29e60c3295253 |
| SHA512 | 7ee5eac3e6f086d2e295613ead296507a5a5f5ad00a34794ffbf47711febff29550a4891d041c4c658023975863f674f8743810cb45d428d84c9e6114fdbcde0 |
memory/3404-141-0x0000000000400000-0x000000000048E000-memory.dmp
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\ENU_801FE97985769ECE9D41.7z
| MD5 | bc246af96e1a4bbc51aa7d26466cfc34 |
| SHA1 | 5c1fd3518dfd33ef0c7312c084d64b6fab2cd00d |
| SHA256 | d09f72ba3db3f6dee3ead4c7d6a13aa0f34db6b74b78a24b820fa91c2ec3aba8 |
| SHA512 | e3fd98972179f95985e5a7c9ff06373142ba452f8fd5a3c6b801e57ac37df0f46f2c0d21d40551565e3622526140b0c89dcba333f606e0a94a65cba2396e381e |
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\ENU_801FE97985769ECE9D41
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2972-144-0x0000000061E00000-0x0000000061ED1000-memory.dmp
memory/2972-145-0x0000000061E00000-0x0000000061ED1000-memory.dmp