qulab | 829874ef38082046c3a0f119c51cd1cd236efd73b52860f438b694baf9bba55e

General

Target

829874ef38082046c3a0f119c51cd1cd236efd73b52860f438b694baf9bba55e.exe
Size

2.0MB
MD5

3d9eb095d2972bde3181d98d31dabbb2
SHA1

8983da6d2e8ed54bf039d0d4be70619945a87635
SHA256

829874ef38082046c3a0f119c51cd1cd236efd73b52860f438b694baf9bba55e
SHA512

20d6a862cdafd6cbf8d790d7640106b1d4ac70a46adbe95ff176f0fbde823ee93693c6f881085a727f1120e9ea5c552652f78b02007debf8623c6a84a7abcc12
SSDEEP

49152:uh+ZkldoPK8Ya7W/JN6MHUXobM38O5tj+fm4na/tJExr4oQtI3:n2cPK8VXb8UUfPoJE9

Score

10^/10

qulab discovery evasion ransomware spyware stealer upx

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..nalservices-runtime\1\Information.txt

Family

qulab

Ransom Note

# /===============================\ # |=== QULAB CLIPPER + STEALER ===| # |===============================| # |==== BUY CLIPPER + STEALER ====| # |=== http://teleg.run/QulabZ ===| # \===============================/ Date: 29.01.2023, 17:29:36 OS: Windows 10 X64 / Build: 19041 UserName: Admin ComputerName: GBQHURCC Processor: Intel Core Processor (Broadwell) VideoCard: Microsoft Basic Display Adapter Memory: 4.00 Gb KeyBoard Layout ID: 00000409 Resolution: 1280x720x32, 64 GHz Other Information: <error> Soft / Windows Components / Windows Updates: - Google Chrome - Microsoft Edge - Microsoft Edge Update - Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 - Java Auto Updater - Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.30.30704 - Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.30.30704 - Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.40660 - Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.40660 - Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 - Adobe Acrobat Reader DC - Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030 - Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030 - Microsoft Visual C++ 2022 X86 Additional Runtime - 14.30.30704 - Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 - Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.40660 - Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40660 - Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 - Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.30.30704 Process List: - [System Process] / PID: 0 - System / PID: 4 - Registry / PID: 92 - smss.exe / PID: 352 - csrss.exe / PID: 436 - wininit.exe / PID: 524 - csrss.exe / PID: 532 - winlogon.exe / PID: 588 - services.exe / PID: 660 - lsass.exe / PID: 668 - svchost.exe / PID: 784 - fontdrvhost.exe / PID: 792 - fontdrvhost.exe / PID: 800 - svchost.exe / PID: 908 - svchost.exe / PID: 960 - dwm.exe / PID: 64 - svchost.exe / PID: 536 - svchost.exe / PID: 756 - svchost.exe / PID: 956 - svchost.exe / PID: 1028 - svchost.exe / PID: 1084 - svchost.exe / PID: 1108 - svchost.exe / PID: 1188 - svchost.exe / PID: 1276 - svchost.exe / PID: 1296 - svchost.exe / PID: 1304 - svchost.exe / PID: 1444 - svchost.exe / PID: 1456 - svchost.exe / PID: 1472 - svchost.exe / PID: 1544 - svchost.exe / PID: 1624 - svchost.exe / PID: 1668 - svchost.exe / PID: 1716 - svchost.exe / PID: 1724 - svchost.exe / PID: 1808 - svchost.exe / PID: 1820 - svchost.exe / PID: 1932 - svchost.exe / PID: 1964 - svchost.exe / PID: 1976 - svchost.exe / PID: 2040 - spoolsv.exe / PID: 1836 - svchost.exe / PID: 2096 - svchost.exe / PID: 2148 - svchost.exe / PID: 2168 - svchost.exe / PID: 2336 - svchost.exe / PID: 2344 - svchost.exe / PID: 2468 - sihost.exe / PID: 2484 - svchost.exe / PID: 2504 - OfficeClickToRun.exe / PID: 2516 - svchost.exe / PID: 2528 - svchost.exe / PID: 2584 - svchost.exe / PID: 2640 - svchost.exe / PID: 2648 - svchost.exe / PID: 2656 - taskhostw.exe / PID: 2708 - explorer.exe / PID: 2592 - svchost.exe / PID: 3148 - dllhost.exe / PID: 3344 - StartMenuExperienceHost.exe / PID: 3448 - RuntimeBroker.exe / PID: 3516 - SearchApp.exe / PID: 3600 - RuntimeBroker.exe / PID: 3788 - dllhost.exe / PID: 4068 - RuntimeBroker.exe / PID: 4664 - svchost.exe / PID: 4512 - svchost.exe / PID: 4792 - svchost.exe / PID: 4612 - sppsvc.exe / PID: 544 - svchost.exe / PID: 880 - svchost.exe / PID: 4480 - svchost.exe / PID: 3436 - WmiPrvSE.exe / PID: 1732 - SppExtComObj.Exe / PID: 3228 - svchost.exe / PID: 3548 - svchost.exe / PID: 4172 - upfc.exe / PID: 4464 - svchost.exe / PID: 4908 - MMDevAPI.exe / PID: 2220

URLs

http://teleg.run/QulabZ

Signatures

Qulab Stealer & Clipper
Infostealer and clipper created with AutoIt.
stealer qulab

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..nalservices-runtime\MMDevAPI.sqlite3.module.dll	acprotect
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..nalservices-runtime\MMDevAPI.sqlite3.module.dll	acprotect

Executes dropped EXE 1 IoCs

Processes:

MMDevAPI.module.exe

pid process

5112 MMDevAPI.module.exe
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

4628 attrib.exe

pid	process
5112	MMDevAPI.module.exe

pid	process
4628	attrib.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..nalservices-runtime\MMDevAPI.sqlite3.module.dll	upx
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..nalservices-runtime\MMDevAPI.sqlite3.module.dll	upx
behavioral2/memory/2220-135-0x0000000061E00000-0x0000000061ED2000-memory.dmp	upx
behavioral2/memory/2220-136-0x0000000061E00000-0x0000000061ED2000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..nalservices-runtime\MMDevAPI.module.exe	upx
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..nalservices-runtime\MMDevAPI.module.exe	upx
behavioral2/memory/5112-142-0x0000000000400000-0x000000000047D000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

MMDevAPI.exe

pid process

2220 MMDevAPI.exe
2220 MMDevAPI.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 ipapi.co
6 ipapi.co
21 ipapi.co

pid	process
2220	MMDevAPI.exe
2220	MMDevAPI.exe

flow	ioc
5	ipapi.co
6	ipapi.co
21	ipapi.co

Drops file in System32 directory 2 IoCs

Processes:

MMDevAPI.exeMMDevAPI.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\winmgmts:\localhost\	MMDevAPI.exe
File opened for modification	C:\Windows\SysWOW64\winmgmts:\localhost\	MMDevAPI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NTFS ADS 2 IoCs

Processes:

829874ef38082046c3a0f119c51cd1cd236efd73b52860f438b694baf9bba55e.exeMMDevAPI.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\	829874ef38082046c3a0f119c51cd1cd236efd73b52860f438b694baf9bba55e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..nalservices-runtime\winmgmts:\localhost\	MMDevAPI.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

MMDevAPI.exe

pid process

2220 MMDevAPI.exe
2220 MMDevAPI.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

829874ef38082046c3a0f119c51cd1cd236efd73b52860f438b694baf9bba55e.exe

pid process

1036 829874ef38082046c3a0f119c51cd1cd236efd73b52860f438b694baf9bba55e.exe

pid	process
2220	MMDevAPI.exe
2220	MMDevAPI.exe

pid	process
1036	829874ef38082046c3a0f119c51cd1cd236efd73b52860f438b694baf9bba55e.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

MMDevAPI.module.exe

description	pid	process
Token: SeRestorePrivilege	5112	MMDevAPI.module.exe
Token: 35	5112	MMDevAPI.module.exe
Token: SeSecurityPrivilege	5112	MMDevAPI.module.exe
Token: SeSecurityPrivilege	5112	MMDevAPI.module.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

829874ef38082046c3a0f119c51cd1cd236efd73b52860f438b694baf9bba55e.exeMMDevAPI.exe

description	pid	process	target process
PID 1036 wrote to memory of 2220	1036	829874ef38082046c3a0f119c51cd1cd236efd73b52860f438b694baf9bba55e.exe	MMDevAPI.exe
PID 1036 wrote to memory of 2220	1036	829874ef38082046c3a0f119c51cd1cd236efd73b52860f438b694baf9bba55e.exe	MMDevAPI.exe
PID 1036 wrote to memory of 2220	1036	829874ef38082046c3a0f119c51cd1cd236efd73b52860f438b694baf9bba55e.exe	MMDevAPI.exe
PID 2220 wrote to memory of 5112	2220	MMDevAPI.exe	MMDevAPI.module.exe
PID 2220 wrote to memory of 5112	2220	MMDevAPI.exe	MMDevAPI.module.exe
PID 2220 wrote to memory of 5112	2220	MMDevAPI.exe	MMDevAPI.module.exe
PID 2220 wrote to memory of 4628	2220	MMDevAPI.exe	attrib.exe
PID 2220 wrote to memory of 4628	2220	MMDevAPI.exe	attrib.exe
PID 2220 wrote to memory of 4628	2220	MMDevAPI.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

4628 attrib.exe

pid	process
4628	attrib.exe

C:\Users\Admin\AppData\Local\Temp\829874ef38082046c3a0f119c51cd1cd236efd73b52860f438b694baf9bba55e.exe
"C:\Users\Admin\AppData\Local\Temp\829874ef38082046c3a0f119c51cd1cd236efd73b52860f438b694baf9bba55e.exe"
1⤵
- NTFS ADS
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..nalservices-runtime\MMDevAPI.exe
  C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..nalservices-runtime\MMDevAPI.exe
  2⤵
  - Loads dropped DLL
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..nalservices-runtime\MMDevAPI.module.exe
    C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..nalservices-runtime\MMDevAPI.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..nalservices-runtime\ENU_801FE9733258127E9D41.7z" "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..nalservices-runtime\1\*"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5112
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..nalservices-runtime"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:4628

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..nalservices-runtime\MMDevAPI.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..nalservices-runtime\MMDevAPI.exe
1⤵
- Drops file in System32 directory
PID:4672

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..nalservices-runtime\MMDevAPI.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..nalservices-runtime\MMDevAPI.exe
1⤵
- Drops file in System32 directory
PID:2180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

2

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

2

T1158

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..nalservices-runtime\1\Information.txt

Filesize
3KB

MD5
16f3e74d9c9f685b0cef9d2c5dfd31b8

SHA1
e11ac514954433983292e25e95a329d9f6fddc0f

SHA256
969a2819513f80e003596990aec2653eb113a8e3431886397380ef28e13c7447

SHA512
032b906d2b3d3f62680f78db89246f0f8aa38d4558514a17b7ca8c9be61eb16e6978f45eb7fc57b042ca272498ea674e548081f84b652f17a7fe5a630125953f

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..nalservices-runtime\1\Screen.jpg

Filesize
53KB

MD5
3210acb071870f916c4f2ff54910a97c

SHA1
73caee0d266771afd095c578628be59c159dc268

SHA256
734c71189f3606f796d3f1e80ce81d3e66c09caaceb71a66af2646a551f05833

SHA512
06a478c0a5f7da955b492d2433e38de2f065d9cefab4223dcefdacfe3df7f88d6a08111aa0d5b166238b945c7d032c1d002a3d83df6797101b2644f7afb225ce

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..nalservices-runtime\MMDevAPI.module.exe

Filesize
197KB

MD5
51942faf8ad170cbffbf73c3ee0d2487

SHA1
7acc325f4b6fe6a14350636f08d2ac88ff478814

SHA256
2c2bf05d3dcb37856d36a2fc13cf56363a3ad962c265a46ecd29c289125f421e

SHA512
0e2b6455e5108c08dfd714443bfb347627dd8479033c3ae4aac2aa06fab22148439c58c04c8d6085a36a1372d5e76f322ce3c1aaca1da5cac0c5c9f630c1882e

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..nalservices-runtime\MMDevAPI.module.exe

Filesize
197KB

MD5
51942faf8ad170cbffbf73c3ee0d2487

SHA1
7acc325f4b6fe6a14350636f08d2ac88ff478814

SHA256
2c2bf05d3dcb37856d36a2fc13cf56363a3ad962c265a46ecd29c289125f421e

SHA512
0e2b6455e5108c08dfd714443bfb347627dd8479033c3ae4aac2aa06fab22148439c58c04c8d6085a36a1372d5e76f322ce3c1aaca1da5cac0c5c9f630c1882e

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..nalservices-runtime\MMDevAPI.sqlite3.module.dll

Filesize
360KB

MD5
42923a2f6d29a7b23207f0691b2f6c94

SHA1
ce0cdffe4266464aeed9c912b80d186bf8b71871

SHA256
f0a4c7a420b415e1e17fee1905aa3e99721ff5c48594a0f62fdf33469acf7bd6

SHA512
7f344b2b0fa11070333fcd1eec39c7f68df3cab91e874e2d23b3956cc5918fe962be07cddaeb4afffb4c1978cd2a920d99b425a1a922dbb0c723ab148789c8d2

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..nalservices-runtime\MMDevAPI.sqlite3.module.dll

Filesize
360KB

MD5
42923a2f6d29a7b23207f0691b2f6c94

SHA1
ce0cdffe4266464aeed9c912b80d186bf8b71871

SHA256
f0a4c7a420b415e1e17fee1905aa3e99721ff5c48594a0f62fdf33469acf7bd6

SHA512
7f344b2b0fa11070333fcd1eec39c7f68df3cab91e874e2d23b3956cc5918fe962be07cddaeb4afffb4c1978cd2a920d99b425a1a922dbb0c723ab148789c8d2

Download Submit
memory/2220-132-0x0000000000000000-mapping.dmp

Download
memory/2220-135-0x0000000061E00000-0x0000000061ED2000-memory.dmp

Filesize
840KB

Download
memory/2220-136-0x0000000061E00000-0x0000000061ED2000-memory.dmp

Filesize
840KB

Download
memory/4628-143-0x0000000000000000-mapping.dmp

Download
memory/5112-137-0x0000000000000000-mapping.dmp

Download
memory/5112-142-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads