Malware Analysis Report

2024-09-23 04:57

Sample ID 220724-gksb6shfa5
Target 58fdef0ce9400990141d80e87e636dc61c8d0d320a6b5996274f774a0cb19ee3
SHA256 58fdef0ce9400990141d80e87e636dc61c8d0d320a6b5996274f774a0cb19ee3
Tags
qulab discovery ransomware spyware stealer upx
score
10/10

Analysis Overview

score
10/10

SHA256

58fdef0ce9400990141d80e87e636dc61c8d0d320a6b5996274f774a0cb19ee3

Threat Level: Known bad

The file 58fdef0ce9400990141d80e87e636dc61c8d0d320a6b5996274f774a0cb19ee3 was found to be: Known bad.

Malicious Activity Summary

qulab discovery ransomware spyware stealer upx

Qulab Stealer & Clipper

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

UPX packed file

Loads dropped DLL

Reads user/profile data of web browsers

Checks installed software on the system

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Drops file in System32 directory

AutoIT Executable

Enumerates physical storage devices

Script User-Agent

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

NTFS ADS

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2022-07-24 05:52

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-07-24 05:52

Reported

2022-07-25 15:35

Platform

win7-20220715-en

Max time kernel

33s

Max time network

38s

Command Line

"C:\Users\Admin\AppData\Local\Temp\58fdef0ce9400990141d80e87e636dc61c8d0d320a6b5996274f774a0cb19ee3.exe"

Signatures

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ C:\Users\Admin\AppData\Local\Temp\58fdef0ce9400990141d80e87e636dc61c8d0d320a6b5996274f774a0cb19ee3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\58fdef0ce9400990141d80e87e636dc61c8d0d320a6b5996274f774a0cb19ee3.exe

"C:\Users\Admin\AppData\Local\Temp\58fdef0ce9400990141d80e87e636dc61c8d0d320a6b5996274f774a0cb19ee3.exe"

Network

N/A

Files

memory/1800-54-0x0000000075D41000-0x0000000075D43000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-07-24 05:52

Reported

2022-07-25 15:36

Platform

win10v2004-20220721-en

Max time kernel

125s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\58fdef0ce9400990141d80e87e636dc61c8d0d320a6b5996274f774a0cb19ee3.exe"

Signatures

Qulab Stealer & Clipper

stealer qulab

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\mfc40.module.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipapi.co N/A N/A
N/A ipapi.co N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\mfc40.exe N/A
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\mfc40.exe N/A

Enumerates physical storage devices

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ C:\Users\Admin\AppData\Local\Temp\58fdef0ce9400990141d80e87e636dc61c8d0d320a6b5996274f774a0cb19ee3.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\mfc40.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\58fdef0ce9400990141d80e87e636dc61c8d0d320a6b5996274f774a0cb19ee3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\58fdef0ce9400990141d80e87e636dc61c8d0d320a6b5996274f774a0cb19ee3.exe

"C:\Users\Admin\AppData\Local\Temp\58fdef0ce9400990141d80e87e636dc61c8d0d320a6b5996274f774a0cb19ee3.exe"

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\mfc40.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\mfc40.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\mfc40.module.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\mfc40.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\ENU_801FE97985769ECE9D41.7z" "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\1\*"

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\mfc40.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\mfc40.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\mfc40.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\mfc40.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 ipapi.co udp
US 104.26.8.44:443 ipapi.co tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
RU 89.191.233.38:65233 tcp
US 20.189.173.12:443 tcp
US 209.197.3.8:80 tcp

Files

memory/2972-130-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\mfc40.sqlite3.module.dll

MD5 a6e1b13b0b624094e6fb3a7bedb70930
SHA1 84b58920afd8e88181c4286fa2438af81f097781
SHA256 3b266088e1eb148534a8f95610e07749f7254f29d19f6f6686a1f0c85c9241bd
SHA512 26c2dffb44b7b0c2eb6e8fde7d5c6dce118af14971552bedeb131436f53edd28da98af8cf219bb7814cf4563624638cf73c7017fc3936b5112ff9f8c43f11591

memory/2972-133-0x0000000061E00000-0x0000000061ED1000-memory.dmp

memory/2972-134-0x0000000061E00000-0x0000000061ED1000-memory.dmp

memory/3404-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\mfc40.module.exe

MD5 9c5b4e4fcae7eb410f09c9e46ffb4a6d
SHA1 9d233bbe69676b1064f1deafba8e70a9acc00773
SHA256 0376139308f3e83a73b76d3938d9c100779a83b98eeb3b3ebacfcbd1cc027fe9
SHA512 59c35d730dc17e790aa4c89f82fd2f64b4d67405c2bdf21d4a9757fa8bfb64461f1247c9da482b310b117f1a24144bf6c612c9f7587577b7a286e2e3de724ee5

memory/3404-137-0x0000000000400000-0x000000000048E000-memory.dmp

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\1\Information.txt

MD5 a5a2fd479390bf6c208d59f1c50a121d
SHA1 ba47051b1c44c331d474ad3f69308ef7e1c4d7ce
SHA256 5f4b16ba18c63c8481f22bc72f83ead5639af08b630ba3fd4ef65c6dcad8418e
SHA512 f7a2dea05a31f81174cdc065f2720693346c31c70afdac7cc08112814cd2ab68ecc6278ccb84e269486e6b8a53754a305727cc9e675b7dd5f391d410289867f5

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\1\Screen.jpg

MD5 044e384671dd074137cc21f4b32e873a
SHA1 25bec3d31e68bac891d653cdec073c47a1a402cc
SHA256 000c8b295df49ab637a6baac62f2cc51634874ecbd451fee14f29e60c3295253
SHA512 7ee5eac3e6f086d2e295613ead296507a5a5f5ad00a34794ffbf47711febff29550a4891d041c4c658023975863f674f8743810cb45d428d84c9e6114fdbcde0

memory/3404-141-0x0000000000400000-0x000000000048E000-memory.dmp

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\ENU_801FE97985769ECE9D41.7z

MD5 bc246af96e1a4bbc51aa7d26466cfc34
SHA1 5c1fd3518dfd33ef0c7312c084d64b6fab2cd00d
SHA256 d09f72ba3db3f6dee3ead4c7d6a13aa0f34db6b74b78a24b820fa91c2ec3aba8
SHA512 e3fd98972179f95985e5a7c9ff06373142ba452f8fd5a3c6b801e57ac37df0f46f2c0d21d40551565e3622526140b0c89dcba333f606e0a94a65cba2396e381e

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-d..iagnostic.resources\ENU_801FE97985769ECE9D41

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2972-144-0x0000000061E00000-0x0000000061ED1000-memory.dmp

memory/2972-145-0x0000000061E00000-0x0000000061ED1000-memory.dmp