Analysis

  • max time kernel
    121s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-01-2023 16:28

General

  • Target

    c67cb51af4f82de8abd1ccae0594aaadbc5a0cf0200064f66ce6e2579c6a1ad6.exe

  • Size

    1.8MB

  • MD5

    f91f2ecf8588064b9e29be6260ab34ba

  • SHA1

    4d4b13685aae0765951466263dcc77df401cecc7

  • SHA256

    c67cb51af4f82de8abd1ccae0594aaadbc5a0cf0200064f66ce6e2579c6a1ad6

  • SHA512

    012773b7ad4ade2cbc0f67cc63f94e7aeb59ae3e4849c0a7f7a0330b05e72e2d61f29428c4ff08c1fe01c2a1189a8a8b7f8f0b89d6746bee89dfe0662bead541

  • SSDEEP

    49152:6h+ZkldoPK8YaybKfbYGrBhMTXfnFbDSZ:T2cPK8gbm4PFbDS

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\1\Information.txt

Family

qulab

Ransom Note

# /===============================\
# |=== QULAB CLIPPER + STEALER ===|
# |===============================|
# |==== BUY CLIPPER + STEALER ====|
# |=== http://teleg.run/QulabZ ===|
# \===============================/

Date: 29.01.2023, 16:29:00

Main Information:
- OS: Windows 7 X64 / Build: 7601
- UserName: Admin
- ComputerName: RYNKSFQE
- Processor: Intel Core Processor (Broadwell)
- VideoCard: Standard VGA Graphics Adapter
- Memory: 2.00 Gb
- KeyBoard Layout ID: 00000409
- Resolution: 1280x720x32, 1 GHz

Other Information:
<error>

Soft / Windows Components / Windows Updates:
- Adobe AIR
- Google Chrome
- Microsoft Office Professional Plus 2010
- Adobe AIR
- Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030
- Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.30.30704
- Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.30.30704
- Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.40660
- Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.40660
- Microsoft Office Professional Plus 2010
- Microsoft Office Access MUI (English) 2010
- Microsoft Office Excel MUI (English) 2010
- Microsoft Office PowerPoint MUI (English) 2010
- Microsoft Office Publisher MUI (English) 2010
- Microsoft Office Outlook MUI (English) 2010
- Microsoft Office Word MUI (English) 2010
- Microsoft Office Proof (English) 2010
- Microsoft Office Proof (French) 2010
- Microsoft Office Proof (Spanish) 2010
- Microsoft Office Proofing (English) 2010
- Microsoft Office InfoPath MUI (English) 2010
- Microsoft Office Shared MUI (English) 2010
- Microsoft Office OneNote MUI (English) 2010
- Microsoft Office Groove MUI (English) 2010
- Microsoft Office Shared Setup Metadata MUI (English) 2010
- Microsoft Office Access Setup Metadata MUI (English) 2010
- Update for Microsoft .NET Framework 4.7.2 (KB4087364)
- Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
- Adobe Reader 9
- Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030
- Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030
- Microsoft Visual C++ 2022 X86 Additional Runtime - 14.30.30704
- Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030
- Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.40660
- Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40660
- Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
- Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.30.30704

Process List:
- [System Process] / PID: 0
- System / PID: 4
- smss.exe / PID: 260
- csrss.exe / PID: 332
- wininit.exe / PID: 368
- csrss.exe / PID: 384
- winlogon.exe / PID: 420
- services.exe / PID: 464
- lsass.exe / PID: 480
- lsm.exe / PID: 488
- svchost.exe / PID: 588
- svchost.exe / PID: 664
- svchost.exe / PID: 748
- svchost.exe / PID: 804
- svchost.exe / PID: 844
- svchost.exe / PID: 868
- svchost.exe / PID: 340
- spoolsv.exe / PID: 288
- svchost.exe / PID: 1056
- taskhost.exe / PID: 1112
- dwm.exe / PID: 1176
- explorer.exe / PID: 1200
- svchost.exe / PID: 1724
- sppsvc.exe / PID: 792
- WMIADAP.exe / PID: 1876
- odexl32.exe / PID: 2036

URLs

http://teleg.run/QulabZ

Signatures

  • Qulab Stealer & Clipper

    Infostealer and clipper created with AutoIt.

  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NTFS ADS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c67cb51af4f82de8abd1ccae0594aaadbc5a0cf0200064f66ce6e2579c6a1ad6.exe
    "C:\Users\Admin\AppData\Local\Temp\c67cb51af4f82de8abd1ccae0594aaadbc5a0cf0200064f66ce6e2579c6a1ad6.exe"
    1⤵
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:1304
    • C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\odexl32.exe
      C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\odexl32.exe
      2⤵
      • Loads dropped DLL
      • NTFS ADS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2036
      • C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\odexl32.module.exe
        C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\odexl32.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\ENU_687FE975163BE92E9D41.7z" "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\1\*"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1656
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {578F13C7-B993-417F-9356-F9BA17FDEB75} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1988
    • C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\odexl32.exe
      C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\odexl32.exe
      2⤵
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      PID:1956
    • C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\odexl32.exe
      C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\odexl32.exe
      2⤵
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      PID:900

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\1\Information.txt

    Filesize

    3KB

    MD5

    a28a8b512fa4aed87debc6de13ebeaa5

    SHA1

    f12be137cd54940bc514d36734cfbe2d036d3286

    SHA256

    022402fd7129201d04b5bdb0cba3cdb1c4a6db318e132348a562903bb9cd2790

    SHA512

    96b44cdc765f0e43d93c8af5e0bce8d659296e21510588b26ef3d578885280733543054dd3c123d10a034f67fc5a63f72a1f4dbac7bb412a8d396c258e175001

  • C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\1\Screen.jpg

    Filesize

    46KB

    MD5

    06e9e79e83f75903a732e4bf8194512d

    SHA1

    121f72b924b8157d38ac2893e9fd41ff0729f49f

    SHA256

    c7e0bf15dd3b768880646f1fceb2d20ca50b6891bc495230af965ea48f003d42

    SHA512

    f5b094823236ee7084f23af66bbe85bc80e38d02e58fdde47b3a8c520ac3829e5cf31ab3e8193684770134a094193df99366b182c9201bcf36f42b93f3dd6bc6

  • C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\odexl32.module.exe

    Filesize

    218KB

    MD5

    9c5b4e4fcae7eb410f09c9e46ffb4a6d

    SHA1

    9d233bbe69676b1064f1deafba8e70a9acc00773

    SHA256

    0376139308f3e83a73b76d3938d9c100779a83b98eeb3b3ebacfcbd1cc027fe9

    SHA512

    59c35d730dc17e790aa4c89f82fd2f64b4d67405c2bdf21d4a9757fa8bfb64461f1247c9da482b310b117f1a24144bf6c612c9f7587577b7a286e2e3de724ee5

  • \Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\odexl32.module.exe

    Filesize

    218KB

    MD5

    9c5b4e4fcae7eb410f09c9e46ffb4a6d

    SHA1

    9d233bbe69676b1064f1deafba8e70a9acc00773

    SHA256

    0376139308f3e83a73b76d3938d9c100779a83b98eeb3b3ebacfcbd1cc027fe9

    SHA512

    59c35d730dc17e790aa4c89f82fd2f64b4d67405c2bdf21d4a9757fa8bfb64461f1247c9da482b310b117f1a24144bf6c612c9f7587577b7a286e2e3de724ee5

  • \Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\odexl32.sqlite3.module.dll

    Filesize

    359KB

    MD5

    a6e1b13b0b624094e6fb3a7bedb70930

    SHA1

    84b58920afd8e88181c4286fa2438af81f097781

    SHA256

    3b266088e1eb148534a8f95610e07749f7254f29d19f6f6686a1f0c85c9241bd

    SHA512

    26c2dffb44b7b0c2eb6e8fde7d5c6dce118af14971552bedeb131436f53edd28da98af8cf219bb7814cf4563624638cf73c7017fc3936b5112ff9f8c43f11591

  • memory/900-71-0x0000000000000000-mapping.dmp

  • memory/1304-54-0x00000000762E1000-0x00000000762E3000-memory.dmp

    Filesize

    8KB

  • memory/1656-62-0x0000000000000000-mapping.dmp

  • memory/1656-66-0x0000000000400000-0x000000000048E000-memory.dmp

    Filesize

    568KB

  • memory/1956-69-0x0000000000000000-mapping.dmp

  • memory/2036-60-0x0000000061E00000-0x0000000061ED1000-memory.dmp

    Filesize

    836KB

  • memory/2036-67-0x0000000061E00000-0x0000000061ED1000-memory.dmp

    Filesize

    836KB

  • memory/2036-68-0x0000000061E00000-0x0000000061ED1000-memory.dmp

    Filesize

    836KB

  • memory/2036-59-0x0000000061E00000-0x0000000061ED1000-memory.dmp

    Filesize

    836KB

  • memory/2036-55-0x0000000000000000-mapping.dmp