Analysis

  • max time kernel
    135s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-05-2024 20:14

General

  • Target

    1e2fab3a423ffc11c1bc916a500c9085_JaffaCakes118.exe

  • Size

    1.5MB

  • MD5

    1e2fab3a423ffc11c1bc916a500c9085

  • SHA1

    46a473fb927d91424c14dddfc2f425e5a3915d39

  • SHA256

    a8378d35eb92c8427a1f9505e9b12de0059a3e0463a7a465ae1665301dbf0c7c

  • SHA512

    de0067448d6cc9f5faa9073d48c0373e4c67bd08c521f223057cf7fb7ead0aada7a6a273ff92c81c804d2d051c22d29f7ee5ac440e0e5a9c9d75086f66e2bfc5

  • SSDEEP

    24576:lAHnh+eWsN3skA4RV1Hom2KXMmHaiz91j7Arls9Z1q8nwh0oRdXDEpF2R88C5:Uh+ZkldoPK8Yaiz9ire/1zxGgpFs8h

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-ntshrui\1\Information.txt

Family

qulab

Ransom Note
# /===============================\
# |=== QULAB CLIPPER + STEALER ===|
# |===============================|
# |==== BUY CLIPPER + STEALER ====|
# |=== http://teleg.run/QulabZ ===|
# \===============================/

Date: 06.05.2024, 20:15:01

Main Information:
- OS: Windows 10 x64 / Build: 19041
- UserName: Admin
- ComputerName: LFKTDJGL
- VideoCard: Microsoft Basic Display Adapter
- Processor: 12th Gen Intel(R) Core(TM) i5-12400
- Memory: 8.00 Gb
- KeyBoard Layout ID: 00000409
- Resolution: 1280x720x32, 64 GHz

Other Information:
<error>

Soft / Windows Components / Windows Updates:
- Google Chrome
- Microsoft Edge
- Microsoft Edge Update
- Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030
- Java Auto Updater
- Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.30.30704
- Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.30.30704
- Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.40660
- Microsoft Windows Desktop Runtime - 8.0.2 (x64)
- Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.40660
- Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
- Adobe Acrobat Reader DC
- Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030
- Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030
- Microsoft Visual C++ 2022 X86 Additional Runtime - 14.30.30704
- Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030
- Microsoft Windows Desktop Runtime - 6.0.27 (x64)
- Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.40660
- Microsoft Windows Desktop Runtime - 7.0.16 (x64)
- Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40660
- Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
- Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.30.30704

Process List:
- [System Process] / PID: 0
- System / PID: 4
- Registry / PID: 92
- smss.exe / PID: 356
- csrss.exe / PID: 444
- wininit.exe / PID: 520
- csrss.exe / PID: 528
- winlogon.exe / PID: 616
- services.exe / PID: 656
- lsass.exe / PID: 672
- svchost.exe / PID: 788
- fontdrvhost.exe / PID: 796
- fontdrvhost.exe / PID: 804
- svchost.exe / PID: 904
- svchost.exe / PID: 964
- dwm.exe / PID: 384
- svchost.exe / PID: 428
- svchost.exe / PID: 1004
- svchost.exe / PID: 1040
- svchost.exe / PID: 1136
- svchost.exe / PID: 1152
- svchost.exe / PID: 1160
- svchost.exe / PID: 1168
- svchost.exe / PID: 1240
- svchost.exe / PID: 1296
- svchost.exe / PID: 1356
- svchost.exe / PID: 1448
- svchost.exe / PID: 1456
- svchost.exe / PID: 1564
- svchost.exe / PID: 1580
- svchost.exe / PID: 1680
- svchost.exe / PID: 1732
- svchost.exe / PID: 1764
- svchost.exe / PID: 1772
- svchost.exe / PID: 1868
- svchost.exe / PID: 1980
- svchost.exe / PID: 1992
- svchost.exe / PID: 2040
- svchost.exe / PID: 1080
- svchost.exe / PID: 2068
- spoolsv.exe / PID: 2076
- svchost.exe / PID: 2148
- svchost.exe / PID: 2212
- svchost.exe / PID: 2340
- svchost.exe / PID: 2348
- svchost.exe / PID: 2452
- svchost.exe / PID: 2576
- svchost.exe / PID: 2632
- sysmon.exe / PID: 2644
- svchost.exe / PID: 2680
- svchost.exe / PID: 2696
- unsecapp.exe / PID: 2956
- sihost.exe / PID: 2788
- svchost.exe / PID: 920
- taskhostw.exe / PID: 3140
- svchost.exe / PID: 3160
- svchost.exe / PID: 3216
- svchost.exe / PID: 3336
- explorer.exe / PID: 3424
- svchost.exe / PID: 3540
- dllhost.exe / PID: 3724
- StartMenuExperienceHost.exe / PID: 3816
- RuntimeBroker.exe / PID: 3884
- SearchApp.exe / PID: 3972
- RuntimeBroker.exe / PID: 1796
- svchost.exe / PID: 5100
- sppsvc.exe / PID: 3864
- svchost.exe / PID: 4384
- svchost.exe / PID: 2236
- svchost.exe / PID: 1616
- svchost.exe / PID: 4824
- OfficeClickToRun.exe / PID: 640
- SppExtComObj.Exe / PID: 4468
- svchost.exe / PID: 4528
- dllhost.exe / PID: 2224
- svchost.exe / PID: 736
- TextInputHost.exe / PID: 4724
- RuntimeBroker.exe / PID: 4808
- upfc.exe / PID: 2376
- svchost.exe / PID: 1084
- backgroundTaskHost.exe / PID: 4832
- backgroundTaskHost.exe / PID: 1848
- spwmp.exe / PID: 1612
- backgroundTaskHost.exe / PID: 348
- RuntimeBroker.exe / PID: 5104

URLs

http://teleg.run/QulabZ

Signatures

  • Qulab Stealer & Clipper

    Infostealer and clipper created with AutoIt.

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NTFS ADS 2 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1e2fab3a423ffc11c1bc916a500c9085_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1e2fab3a423ffc11c1bc916a500c9085_JaffaCakes118.exe"
    1⤵
    • NTFS ADS
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:1960
    • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-ntshrui\spwmp.exe
      C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-ntshrui\spwmp.exe
      2⤵
      • Loads dropped DLL
      • NTFS ADS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1612
      • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-ntshrui\spwmp.module.exe
        C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-ntshrui\spwmp.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-ntshrui\ENU_801FE97C7A44B6CE9D41.7z" "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-ntshrui\1\*"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4828
  • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-ntshrui\spwmp.exe
    C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-ntshrui\spwmp.exe
    1⤵
    • Drops file in System32 directory
    PID:2544
  • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-ntshrui\spwmp.exe
    C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-ntshrui\spwmp.exe
    1⤵
    • Drops file in System32 directory
    PID:4800

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-ntshrui\1\Information.txt

    Filesize

    4KB

    MD5

    48811e1e5a90fd07733952b37137ace4

    SHA1

    ddcf8cb3e85f5efaa1982208474575730f292627

    SHA256

    fc36ed536818bd2b39672f2e97b4784dad20b60218e5c64f74edfbe8a137a8d8

    SHA512

    99dbcc32fb5051b9da6d890312a7ebe984aeb668e9cc831d8106e9d602bd0d0ee54386ae86928e7b5d51de90c3467da5d615bc78fff345cf5fcfd3e1217ae4dc

  • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-ntshrui\1\Screen.jpg

    Filesize

    46KB

    MD5

    b1aaad58f6f48d4d9673086076d5fe80

    SHA1

    0cba632f7e39271244adfe7cc5a112254a5cc4cb

    SHA256

    e69a88c17d4317305d680a1300d9f4e19eb7fa7f26aa95ccff5e3239cf48a950

    SHA512

    ecc7508f6b01ba6aa096ae4c3bff68d62e7c59ff588df1a3265e36da3db4019bfc481aed9b7e65f89d3b5926ccd6363df9012ac85fc81faee6e51fda9605e17a

  • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-ntshrui\ENU_801FE97C7A44B6CE9D41.7z

    Filesize

    40KB

    MD5

    8ab5293379197fe4a42f30d6743747a2

    SHA1

    eba893889431b6f0310ed4ae1b7a20a6b6d1d1f9

    SHA256

    b41a4fa964d513d8c5dc359ec35aad384368034aede073ccc849e92ea2149b5f

    SHA512

    b75086ff91a0310caffe247e4b6a6327c9a94a4a374c7bd57011947c5ef228946a1714fd6eae263241d87f0721e8250f20a9bebd0dcee6f83a03591059143d12

  • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-ntshrui\spwmp.module.exe

    Filesize

    218KB

    MD5

    9c5b4e4fcae7eb410f09c9e46ffb4a6d

    SHA1

    9d233bbe69676b1064f1deafba8e70a9acc00773

    SHA256

    0376139308f3e83a73b76d3938d9c100779a83b98eeb3b3ebacfcbd1cc027fe9

    SHA512

    59c35d730dc17e790aa4c89f82fd2f64b4d67405c2bdf21d4a9757fa8bfb64461f1247c9da482b310b117f1a24144bf6c612c9f7587577b7a286e2e3de724ee5

  • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-ntshrui\spwmp.module.exe.7

    Filesize

    218KB

    MD5

    68d956f791dd8d41bb0c35a79490b267

    SHA1

    f3f8458ff5db32b82b51fca5980bc2c3ccbf6bc8

    SHA256

    8f1df770b761d2cbde142e2d6e772cca469c1447f2e43a8962b26adf46dd44e7

    SHA512

    5f6197a832f1a539115dac00f8b5a2b8bc1f3829ead90e72960ccc96afd5e9a035a40175c265475242f1fcd58a98c539ff3531dc9ceeb9ac286e0defa1fab60b

  • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-ntshrui\spwmp.sqlite3.module.dll

    Filesize

    359KB

    MD5

    a6e1b13b0b624094e6fb3a7bedb70930

    SHA1

    84b58920afd8e88181c4286fa2438af81f097781

    SHA256

    3b266088e1eb148534a8f95610e07749f7254f29d19f6f6686a1f0c85c9241bd

    SHA512

    26c2dffb44b7b0c2eb6e8fde7d5c6dce118af14971552bedeb131436f53edd28da98af8cf219bb7814cf4563624638cf73c7017fc3936b5112ff9f8c43f11591

  • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-ntshrui\spwmp.sqlite3.module.dll.7

    Filesize

    359KB

    MD5

    0d6b0c604f84af78305a6a77a96957fe

    SHA1

    73348cbd776fb032f4045b7c6e33f6996ad655d2

    SHA256

    039ab05913f1e60694ea48c101341a212a169c2eb24f42348459a963473c341a

    SHA512

    2957b4fffbb0719da90df5e58065b416cae83210e0ccf3853d34f64ec071e6ecec4f913348e20a252934c3ded187d95240726d71557b6f529cf3f61b07ed5327

  • memory/1612-17-0x0000000061E00000-0x0000000061ED1000-memory.dmp

    Filesize

    836KB

  • memory/1612-55-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

    Filesize

    4KB

  • memory/1612-56-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

    Filesize

    4KB

  • memory/1612-58-0x0000000004C00000-0x0000000004C01000-memory.dmp

    Filesize

    4KB

  • memory/1612-57-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

    Filesize

    4KB

  • memory/1612-14-0x0000000061E00000-0x0000000061ED1000-memory.dmp

    Filesize

    836KB

  • memory/1960-1-0x0000000000640000-0x00000000007CD000-memory.dmp

    Filesize

    1.6MB

  • memory/4828-48-0x0000000000400000-0x000000000048E000-memory.dmp

    Filesize

    568KB

  • memory/4828-53-0x0000000000400000-0x000000000048E000-memory.dmp

    Filesize

    568KB