Analysis

  • max time kernel
    158s
  • max time network
    179s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64 · arch:x86 · image:win10v2004-20221111-en · locale:en-us · os:windows10-2004-x64 · system
  • submitted
    29-01-2023 16:28

General

  • Target

    c67cb51af4f82de8abd1ccae0594aaadbc5a0cf0200064f66ce6e2579c6a1ad6.exe

  • Size

    1.8MB

  • MD5

    f91f2ecf8588064b9e29be6260ab34ba

  • SHA1

    4d4b13685aae0765951466263dcc77df401cecc7

  • SHA256

    c67cb51af4f82de8abd1ccae0594aaadbc5a0cf0200064f66ce6e2579c6a1ad6

  • SHA512

    012773b7ad4ade2cbc0f67cc63f94e7aeb59ae3e4849c0a7f7a0330b05e72e2d61f29428c4ff08c1fe01c2a1189a8a8b7f8f0b89d6746bee89dfe0662bead541

  • SSDEEP

    49152:6h+ZkldoPK8YaybKfbYGrBhMTXfnFbDSZ:T2cPK8gbm4PFbDS

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\1\Information.txt

Family

qulab

Ransom Note (sandbox field label; the extracted text is the stealer's Information.txt host profile, not a ransom demand)

# /===============================\
# |=== QULAB CLIPPER + STEALER ===|
# |===============================|
# |==== BUY CLIPPER + STEALER ====|
# |=== http://teleg.run/QulabZ ===|
# \===============================/

Date: 29.01.2023, 17:30:33

Main Information:
- OS: Windows 10 X64 / Build: 19041
- UserName: Admin
- ComputerName: SOCAAGDT
- Processor: Intel Core Processor (Broadwell)
- VideoCard: Microsoft Basic Display Adapter
- Memory: 4.00 Gb
- KeyBoard Layout ID: 00000409
- Resolution: 1280x720x32, 64 GHz

Other Information:
<error>

Soft / Windows Components / Windows Updates:
- Google Chrome
- Microsoft Edge
- Microsoft Edge Update
- Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030
- Java Auto Updater
- Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.30.30704
- Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.30.30704
- Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.40660
- Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.40660
- Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
- Adobe Acrobat Reader DC
- Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030
- Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030
- Microsoft Visual C++ 2022 X86 Additional Runtime - 14.30.30704
- Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030
- Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.40660
- Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40660
- Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
- Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.30.30704

Process List:
- [System Process] / PID: 0
- System / PID: 4
- Registry / PID: 92
- smss.exe / PID: 352
- csrss.exe / PID: 436
- csrss.exe / PID: 512
- wininit.exe / PID: 524
- winlogon.exe / PID: 580
- services.exe / PID: 648
- lsass.exe / PID: 656
- svchost.exe / PID: 776
- fontdrvhost.exe / PID: 792
- fontdrvhost.exe / PID: 800
- svchost.exe / PID: 892
- svchost.exe / PID: 940
- dwm.exe / PID: 1016
- svchost.exe / PID: 372
- svchost.exe / PID: 428
- svchost.exe / PID: 936
- svchost.exe / PID: 1048
- svchost.exe / PID: 1100
- svchost.exe / PID: 1144
- svchost.exe / PID: 1188
- svchost.exe / PID: 1260
- svchost.exe / PID: 1304
- svchost.exe / PID: 1336
- svchost.exe / PID: 1356
- svchost.exe / PID: 1368
- svchost.exe / PID: 1472
- svchost.exe / PID: 1488
- svchost.exe / PID: 1520
- svchost.exe / PID: 1616
- svchost.exe / PID: 1652
- svchost.exe / PID: 1676
- svchost.exe / PID: 1764
- svchost.exe / PID: 1836
- svchost.exe / PID: 1848
- svchost.exe / PID: 1920
- svchost.exe / PID: 1932
- svchost.exe / PID: 1960
- spoolsv.exe / PID: 1584
- svchost.exe / PID: 1756
- svchost.exe / PID: 2096
- svchost.exe / PID: 2196
- svchost.exe / PID: 2308
- svchost.exe / PID: 2316
- OfficeClickToRun.exe / PID: 2392
- svchost.exe / PID: 2416
- svchost.exe / PID: 2476
- svchost.exe / PID: 2516
- svchost.exe / PID: 2524
- svchost.exe / PID: 2544
- sihost.exe / PID: 2708
- svchost.exe / PID: 2816
- taskhostw.exe / PID: 2864
- svchost.exe / PID: 2924
- explorer.exe / PID: 764
- svchost.exe / PID: 2892
- dllhost.exe / PID: 3256
- StartMenuExperienceHost.exe / PID: 3344
- RuntimeBroker.exe / PID: 3412
- SearchApp.exe / PID: 3488
- RuntimeBroker.exe / PID: 3652
- dllhost.exe / PID: 4400
- RuntimeBroker.exe / PID: 4628
- sppsvc.exe / PID: 2056
- svchost.exe / PID: 2432
- svchost.exe / PID: 2764
- svchost.exe / PID: 4532
- svchost.exe / PID: 2184
- WmiPrvSE.exe / PID: 4316
- SppExtComObj.Exe / PID: 2556
- svchost.exe / PID: 2404
- svchost.exe / PID: 1124
- backgroundTaskHost.exe / PID: 5044
- svchost.exe / PID: 1976
- svchost.exe / PID: 1068
- svchost.exe / PID: 3804
- svchost.exe / PID: 1692
- SIHClient.exe / PID: 4552
- odexl32.exe / PID: 4344
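
The Information.txt text above is the stealer's host-profile log, written in a simple line-oriented format: a `#` banner, a `Date:` line, section headers ending in `:` and `- ` items (key/value pairs under Main Information, bare names under the software list, `name / PID: n` under Process List). The parser below is an added example, not code from the report, the sandbox or the malware; it turns such a log into structured data so recovered loot can be triaged, for instance to cross-check the stealer's own process (the log records `odexl32.exe / PID: 4344`, the same PID the sandbox tree shows for the dropped odexl32.exe). The sample text embedded in the script is an abridged, constructed copy of the log shown above.

```python
"""Parse a Qulab Information.txt host profile into structured data.

Added example, not part of the sandbox report or the malware.  SAMPLE_LOG is
an abridged, constructed copy of the Information.txt text in the report.
"""
import re

SAMPLE_LOG = """\
# /===============================\\
# |=== QULAB CLIPPER + STEALER ===|
# |===============================|
Date: 29.01.2023, 17:30:33
Main Information:
- OS: Windows 10 X64 / Build: 19041
- UserName: Admin
- ComputerName: SOCAAGDT
- Memory: 4.00 Gb
- KeyBoard Layout ID: 00000409
Other Information:
<error>
Soft / Windows Components / Windows Updates:
- Google Chrome
- Microsoft Edge
- Adobe Acrobat Reader DC
Process List:
- [System Process] / PID: 0
- System / PID: 4
- explorer.exe / PID: 764
- odexl32.exe / PID: 4344
"""

# Process List items look like "name / PID: 1234"
PROC_RE = re.compile(r"^(?P<name>.+?) / PID: (?P<pid>\d+)$")


def parse_information_txt(text):
    """Return {"date", "main", "software", "processes", "other"} from the log text."""
    profile = {"date": None, "main": {}, "software": [], "processes": [], "other": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):        # blank or banner art
            continue
        if line.startswith("Date:"):
            profile["date"] = line.split(":", 1)[1].strip()
            continue
        if line.endswith(":") and not line.startswith("- "):
            section = line[:-1]                       # section header
            continue
        if line.startswith("- "):
            item = line[2:]
            if section == "Main Information":
                key, _, value = item.partition(": ")  # first ": " only; values may contain ':'
                profile["main"][key] = value
            elif section == "Process List":
                m = PROC_RE.match(item)
                if m:
                    profile["processes"].append((m["name"], int(m["pid"])))
                else:
                    profile["other"].append(item)
            elif section and section.startswith("Soft"):
                profile["software"].append(item)
            else:
                profile["other"].append(item)
            continue
        profile["other"].append(line)                 # e.g. the "<error>" placeholder
    return profile


def find_process(profile, name):
    """PIDs of processes whose image name matches (Windows names are case-insensitive)."""
    return [pid for proc, pid in profile["processes"] if proc.lower() == name.lower()]


if __name__ == "__main__":
    p = parse_information_txt(SAMPLE_LOG)
    print(p["date"], p["main"]["ComputerName"], find_process(p, "odexl32.exe"))
```

Because the stealer logs its own PID, `find_process(profile, "odexl32.exe")` on a log recovered from the ENU_*.7z archive ties that archive to a specific execution in the endpoint telemetry.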
URLs

http://teleg.run/QulabZ

Signatures

  • Qulab Stealer & Clipper

    Infostealer and clipper created with AutoIt.

  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this likely ransomware behaviour; nothing else on this page reports encryption activity, and for a stealer, drive enumeration is consistent with locating files to collect.

  • NTFS ADS 2 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c67cb51af4f82de8abd1ccae0594aaadbc5a0cf0200064f66ce6e2579c6a1ad6.exe
    "C:\Users\Admin\AppData\Local\Temp\c67cb51af4f82de8abd1ccae0594aaadbc5a0cf0200064f66ce6e2579c6a1ad6.exe"
    1⤵
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:5108
    • C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\odexl32.exe
      C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\odexl32.exe
      2⤵
      • Loads dropped DLL
      • NTFS ADS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4344
      • C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\odexl32.module.exe
        C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\odexl32.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\ENU_801FE97447113F3E9D41.7z" "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\1\*"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2896
  • C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\odexl32.exe
    C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\odexl32.exe
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    PID:4768
  • C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\odexl32.exe
    C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\odexl32.exe
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    PID:3608
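
The archiving step at depth 3 above uses 7-Zip's command-line syntax (`a` = add, `-y` = assume yes, `-mx9` = maximum compression, `-ssw` = also compress files that are open for writing) from a renamed binary, odexl32.module.exe, living under AppData\Roaming, with the archive written back into the same directory. The script below is an added example, not part of the report or of any vendor tooling: it scores process-creation events (Sysmon event 1 style, constructed here to mirror the report's PIDs 5108 → 4344 → 2896, plus a benign 7z.exe run for contrast) and alerts only when at least two independent signals coincide. The explorer.exe parent and the parent PIDs of the top-level processes are assumptions; the report does not show them.

```python
"""Flag 7-Zip-style loot staging in process-creation events.

Added example, not from the sandbox report or any vendor tool.  The events
below are constructed to mirror the report's process tree; the explorer.exe
parent and the top-level parent PIDs are assumptions.
"""
from __future__ import annotations

import re
import shlex
from dataclasses import dataclass

# 7-Zip switches seen in the report's command line (-y -mx9 -ssw) plus a few
# companions (-r, -t<type>, -p<password>). Anything else is not treated as 7-Zip.
SEVEN_ZIP_SWITCH = re.compile(r"^-(?:y|r|mx=?\d|ssw|t\w+|p\S*)$", re.IGNORECASE)
ROAMING = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)
LOCAL_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the executable
    cmdline: str   # raw command line as logged (Sysmon event 1 style)


def split_windows_cmdline(cmdline: str) -> list[str]:
    """Tokenise a Windows command line: keep backslashes, drop surrounding quotes."""
    try:
        return [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]
    except ValueError:          # unbalanced quotes: treat the line as opaque
        return []


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def staging_reasons(ev: ProcEvent, by_pid: dict[int, ProcEvent]) -> list[str]:
    """Signals that make this event look like loot staging (empty list if none)."""
    argv = split_windows_cmdline(ev.cmdline)
    if len(argv) < 3 or argv[1].lower() != "a":          # 7-Zip 'a' (add) verb
        return []
    switches = [a for a in argv[2:] if a.startswith("-")]
    positional = [a for a in argv[2:] if not a.startswith("-")]
    if not switches or not positional or not all(SEVEN_ZIP_SWITCH.match(s) for s in switches):
        return []
    archive = positional[0]
    reasons = []
    if not basename(ev.image).lower().startswith("7z"):
        reasons.append("7-Zip syntax from a binary not named 7z*.exe")
    if ROAMING.search(ev.image):
        reasons.append("archiver runs from AppData\\Roaming")
    if ROAMING.search(archive) or LOCAL_TEMP.search(archive):
        reasons.append("archive written under AppData")
    if any(s.lower() == "-ssw" for s in switches):
        reasons.append("-ssw: also compresses files another process holds open for writing")
    parent = by_pid.get(ev.ppid)
    if parent is not None and ROAMING.search(parent.image):
        reasons.append("parent process also runs from AppData\\Roaming")
    # One signal alone (a user zipping a folder under Roaming with 7z.exe, say)
    # is noise; require two independent signals before alerting.
    return reasons if len(reasons) >= 2 else []


def find_staging(events: list[ProcEvent]) -> dict[int, list[str]]:
    by_pid = {e.pid: e for e in events}
    hits = {}
    for ev in events:
        reasons = staging_reasons(ev, by_pid)
        if reasons:
            hits[ev.pid] = reasons
    return hits


# Constructed events mirroring the report's tree (paths and PIDs from the report).
RES = r"C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\c67cb51af4f82de8abd1ccae0594aaadbc5a0cf0200064f66ce6e2579c6a1ad6.exe"
SAMPLE_EVENTS = [
    ProcEvent(764, 0, r"C:\Windows\explorer.exe", "explorer.exe"),           # parent assumed
    ProcEvent(5108, 764, DROPPER, f'"{DROPPER}"'),
    ProcEvent(4344, 5108, RES + r"\odexl32.exe", RES + r"\odexl32.exe"),
    ProcEvent(2896, 4344, RES + r"\odexl32.module.exe",
              RES + r'\odexl32.module.exe a -y -mx9 -ssw "' + RES
              + r'\ENU_801FE97447113F3E9D41.7z" "' + RES + r'\1\*"'),
    # Benign contrast: a user archiving Documents with the real 7-Zip binary.
    ProcEvent(6000, 764, r"C:\Program Files\7-Zip\7z.exe",
              r'"C:\Program Files\7-Zip\7z.exe" a -mx9 "C:\Users\Admin\Desktop\docs.7z" "C:\Users\Admin\Documents\*"'),
]

if __name__ == "__main__":
    for pid, reasons in find_staging(SAMPLE_EVENTS).items():
        print(pid, *reasons, sep="\n  ")
```

The renamed-binary check is the strongest single signal here: a legitimate 7-Zip install is invoked as 7z.exe, 7za.exe or 7zG.exe, whereas the sample carries its own copy under a decoy name. The `-ssw` signal matters for stealers specifically because browser credential and cookie databases are usually held open by the browser, which plain archiving would skip.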

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\1\Information.txt

    Filesize

    3KB

    MD5

    fcebb94a0a39c563103f05b9e434039f

    SHA1

    17e9bfa4d4d8eb3a9e50f0a1ad491102198b95c3

    SHA256

    3b3b3ae91ea27bba864c8a89f8884774ed28b98d6b7534ab3660c6c0944c102e

    SHA512

    33932c53f79a5f9ba086dcd2e02c7a813aabf58371996455c28e9ad8d63ce69c3d73dc71eabab7b16d37d4f78dbe7f42ad2f990f37093317ecb26544fe7344a5

  • C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\1\Screen.jpg

    Filesize

    53KB

    MD5

    c9dfc0c4a264f1fdfb751010b9fd7642

    SHA1

    83e74b4daad04f00f70a02196a23bcafd322c5c3

    SHA256

    abc994678a9a54f23d6c31678705602123576f7445b190ee41cff2469bafb88a

    SHA512

    bcec2d37536aed04639436aee0cc93931464eaf76f5546543feb54c3359956f073b13d230a6a3d43ee82a690c034cea5c38b85168036a181176f8d90d978fc68

  • C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\ENU_801FE97447113F3E9D41.7z

    Filesize

    47KB

    MD5

    8a63c04bc6bdd651aefbdb85c179515a

    SHA1

    bf3db85373d324e5a0bbc0b0a57cf68e879145b0

    SHA256

    5d23e53d896a33d8e32c2eba0dc4822450a4ba11cf79f7914adee4e619cd32ce

    SHA512

    97a8c4545943726e7f9522a682cd7628057260f9106f81532d5ad3293480584f9fd059c5a1e32e50f94474cdf28d613c26b7c83ee5bce85c3c11e61fea88ba9b

  • C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\odexl32.module.exe

    Filesize

    218KB

    MD5

    9c5b4e4fcae7eb410f09c9e46ffb4a6d

    SHA1

    9d233bbe69676b1064f1deafba8e70a9acc00773

    SHA256

    0376139308f3e83a73b76d3938d9c100779a83b98eeb3b3ebacfcbd1cc027fe9

    SHA512

    59c35d730dc17e790aa4c89f82fd2f64b4d67405c2bdf21d4a9757fa8bfb64461f1247c9da482b310b117f1a24144bf6c612c9f7587577b7a286e2e3de724ee5

  • C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\odexl32.sqlite3.module.dll

    Filesize

    359KB

    MD5

    a6e1b13b0b624094e6fb3a7bedb70930

    SHA1

    84b58920afd8e88181c4286fa2438af81f097781

    SHA256

    3b266088e1eb148534a8f95610e07749f7254f29d19f6f6686a1f0c85c9241bd

    SHA512

    26c2dffb44b7b0c2eb6e8fde7d5c6dce118af14971552bedeb131436f53edd28da98af8cf219bb7814cf4563624638cf73c7017fc3936b5112ff9f8c43f11591

  • memory/2896-143-0x0000000000400000-0x000000000048E000-memory.dmp

    Filesize

    568KB

  • memory/2896-139-0x0000000000000000-mapping.dmp

  • memory/4344-135-0x0000000061E00000-0x0000000061ED1000-memory.dmp

    Filesize

    836KB

  • memory/4344-138-0x0000000061E00000-0x0000000061ED1000-memory.dmp

    Filesize

    836KB

  • memory/4344-137-0x0000000061E00000-0x0000000061ED1000-memory.dmp

    Filesize

    836KB

  • memory/4344-136-0x0000000061E00000-0x0000000061ED1000-memory.dmp

    Filesize

    836KB

  • memory/4344-132-0x0000000000000000-mapping.dmp