General
-
Target
06c8f98340f8db546d006d28f323fd4ab4164f2427ac026978d10e988e1d22ea.exe
-
Size
2.4MB
-
Sample
240723-bgcvesyhlm
-
MD5
ea1227cd8e872accf26b2fa1c1596b38
-
SHA1
d4198173a75fd8cc36e16635badd0905c43d4bc6
-
SHA256
06c8f98340f8db546d006d28f323fd4ab4164f2427ac026978d10e988e1d22ea
-
SHA512
236e6ab36184af1eb85e6c8bb2357e0a3d9e2674eff3d5208c9dbaffae0541f73c066cda90131c2d08c967bdf07749812cd8fe89661f143e7be7d8434274994c
-
SSDEEP
49152:bh+ZkldoPK8YaGMOtjR/uuO3qn1C5Qs2fA3FJ8nfy7iShZji7/M:E2cPK84hjR/ci1C51MAVJ8WUr
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-g..icy-policymaker-mof\1\Information.txt
Family
qulab
Ransom Note
# /===============================\
# |=== QULAB CLIPPER + STEALER ===|
# |===============================|
# |==== BUY CLIPPER + STEALER ====|
# |=== http://teleg.run/QulabZ ===|
# \===============================/
Date: 23.07.2024, 01:06:52
Main Information:
- OS: Windows 7 X64 / Build: 7601
- UserName: Admin
- ComputerName: WHMFPZKA
- Processor: Intel(R) Xeon(R) CPU E5-2689 0 @ 2.60GHz
- VideoCard: Standard VGA Graphics Adapter
- Memory: 0.50 Gb
- KeyBoard Layout ID: 00000409
- Resolution: 1280x720x32, 1 GHz
Other Information:
<error>
Soft / Windows Components / Windows Updates:
- Adobe AIR
- Google Chrome
- Microsoft Office Professional Plus 2010
- Adobe AIR
- Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030
- Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.30.30704
- Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.30.30704
- Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.40660
- Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.40660
- Microsoft Office Professional Plus 2010
- Microsoft Office Access MUI (English) 2010
- Microsoft Office Excel MUI (English) 2010
- Microsoft Office PowerPoint MUI (English) 2010
- Microsoft Office Publisher MUI (English) 2010
- Microsoft Office Outlook MUI (English) 2010
- Microsoft Office Word MUI (English) 2010
- Microsoft Office Proof (English) 2010
- Microsoft Office Proof (French) 2010
- Microsoft Office Proof (Spanish) 2010
- Microsoft Office Proofing (English) 2010
- Microsoft Office InfoPath MUI (English) 2010
- Microsoft Office Shared MUI (English) 2010
- Microsoft Office OneNote MUI (English) 2010
- Microsoft Office Groove MUI (English) 2010
- Microsoft Office Shared Setup Metadata MUI (English) 2010
- Microsoft Office Access Setup Metadata MUI (English) 2010
- Update for Microsoft .NET Framework 4.7.2 (KB4087364)
- Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
- Adobe Reader 9
- Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030
- Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030
- Microsoft Visual C++ 2022 X86 Additional Runtime - 14.30.30704
- Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030
- Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.40660
- Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40660
- Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
- Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.30.30704
Process List:
- [System Process] / PID: 0
- System / PID: 4
- smss.exe / PID: 256
- csrss.exe / PID: 336
- wininit.exe / PID: 384
- csrss.exe / PID: 392
- winlogon.exe / PID: 432
- services.exe / PID: 476
- lsass.exe / PID: 492
- lsm.exe / PID: 500
- svchost.exe / PID: 604
- svchost.exe / PID: 680
- svchost.exe / PID: 760
- svchost.exe / PID: 812
- svchost.exe / PID: 844
- audiodg.exe / PID: 924
- svchost.exe / PID: 968
- svchost.exe / PID: 280
- spoolsv.exe / PID: 948
- taskhost.exe / PID: 1072
- svchost.exe / PID: 1100
- dwm.exe / PID: 1148
- explorer.exe / PID: 1172
- dllhost.exe / PID: 1320
- OSPPSVC.EXE / PID: 1564
- WmiPrvSE.exe / PID: 808
- svchost.exe / PID: 2428
- sppsvc.exe / PID: 2064
- notepad.exe / PID: 2792
- SRCOM.exe / PID: 2876
URLs
http://teleg.run/QulabZ
Extracted
Path
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-g..icy-policymaker-mof\1\Information.txt
Family
qulab
Ransom Note
# /===============================\
# |=== QULAB CLIPPER + STEALER ===|
# |===============================|
# |==== BUY CLIPPER + STEALER ====|
# |=== http://teleg.run/QulabZ ===|
# \===============================/
Date: 23.07.2024, 01:06:48
Main Information:
- OS: Windows 10 X64 / Build: 19041
- UserName: Admin
- ComputerName: XZBQXJLF
- Processor: 12th Gen Intel(R) Core(TM) i5-12400
- VideoCard: Microsoft Basic Display Adapter
- Memory: 2.00 Gb
- KeyBoard Layout ID: 00000409
- Resolution: 1280x720x32, 64 GHz
Other Information:
<error>
Soft / Windows Components / Windows Updates:
- Google Chrome
- Microsoft Edge
- Microsoft Edge Update
- Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030
- Java Auto Updater
- Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.30.30704
- Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.30.30704
- Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.40660
- Microsoft Windows Desktop Runtime - 8.0.2 (x64)
- Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.40660
- Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
- Adobe Acrobat Reader DC
- Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030
- Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030
- Microsoft Visual C++ 2022 X86 Additional Runtime - 14.30.30704
- Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030
- Microsoft Windows Desktop Runtime - 6.0.27 (x64)
- Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.40660
- Microsoft Windows Desktop Runtime - 7.0.16 (x64)
- Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40660
- Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
- Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.30.30704
Process List:
- [System Process] / PID: 0
- System / PID: 4
- Registry / PID: 92
- smss.exe / PID: 352
- csrss.exe / PID: 440
- wininit.exe / PID: 512
- csrss.exe / PID: 520
- winlogon.exe / PID: 608
- services.exe / PID: 652
- lsass.exe / PID: 672
- fontdrvhost.exe / PID: 776
- fontdrvhost.exe / PID: 784
- svchost.exe / PID: 800
- svchost.exe / PID: 908
- svchost.exe / PID: 952
- dwm.exe / PID: 60
- svchost.exe / PID: 388
- svchost.exe / PID: 1000
- svchost.exe / PID: 704
- svchost.exe / PID: 1104
- svchost.exe / PID: 1112
- svchost.exe / PID: 1176
- svchost.exe / PID: 1188
- svchost.exe / PID: 1288
- svchost.exe / PID: 1336
- svchost.exe / PID: 1352
- svchost.exe / PID: 1380
- svchost.exe / PID: 1504
- svchost.exe / PID: 1528
- svchost.exe / PID: 1552
- svchost.exe / PID: 1672
- svchost.exe / PID: 1680
- svchost.exe / PID: 1756
- svchost.exe / PID: 1792
- svchost.exe / PID: 1836
- svchost.exe / PID: 1892
- svchost.exe / PID: 1904
- svchost.exe / PID: 1992
- svchost.exe / PID: 2016
- spoolsv.exe / PID: 1664
- svchost.exe / PID: 2064
- svchost.exe / PID: 2104
- svchost.exe / PID: 2208
- svchost.exe / PID: 2316
- svchost.exe / PID: 2424
- svchost.exe / PID: 2432
- sihost.exe / PID: 2596
- svchost.exe / PID: 2612
- svchost.exe / PID: 2620
- svchost.exe / PID: 2700
- sysmon.exe / PID: 2720
- svchost.exe / PID: 2756
- svchost.exe / PID: 2768
- taskhostw.exe / PID: 2936
- svchost.exe / PID: 3008
- unsecapp.exe / PID: 3060
- svchost.exe / PID: 3104
- svchost.exe / PID: 3332
- explorer.exe / PID: 3396
- svchost.exe / PID: 3560
- dllhost.exe / PID: 3736
- StartMenuExperienceHost.exe / PID: 3824
- RuntimeBroker.exe / PID: 3892
- SearchApp.exe / PID: 3984
- RuntimeBroker.exe / PID: 3676
- sppsvc.exe / PID: 4440
- svchost.exe / PID: 460
- svchost.exe / PID: 4292
- svchost.exe / PID: 4760
- svchost.exe / PID: 2152
- svchost.exe / PID: 2656
- OfficeClickToRun.exe / PID: 2140
- SppExtComObj.Exe / PID: 4036
- svchost.exe / PID: 2184
- dllhost.exe / PID: 2080
- svchost.exe / PID: 1052
- TextInputHost.exe / PID: 5016
- RuntimeBroker.exe / PID: 1044
- upfc.exe / PID: 3448
- svchost.exe / PID: 1064
- backgroundTaskHost.exe / PID: 1656
- backgroundTaskHost.exe / PID: 3596
- RuntimeBroker.exe / PID: 2452
- svchost.exe / PID: 2780
- notepad.exe / PID: 312
- RuntimeBroker.exe / PID: 3428
- SRCOM.exe / PID: 2712
URLs
http://teleg.run/QulabZ
Targets
-
-
Target
06c8f98340f8db546d006d28f323fd4ab4164f2427ac026978d10e988e1d22ea.exe
-
Size
2.4MB
-
MD5
ea1227cd8e872accf26b2fa1c1596b38
-
SHA1
d4198173a75fd8cc36e16635badd0905c43d4bc6
-
SHA256
06c8f98340f8db546d006d28f323fd4ab4164f2427ac026978d10e988e1d22ea
-
SHA512
236e6ab36184af1eb85e6c8bb2357e0a3d9e2674eff3d5208c9dbaffae0541f73c066cda90131c2d08c967bdf07749812cd8fe89661f143e7be7d8434274994c
-
SSDEEP
49152:bh+ZkldoPK8YaGMOtjR/uuO3qn1C5Qs2fA3FJ8nfy7iShZji7/M:E2cPK84hjR/ci1C51MAVJ8WUr
Score10/10-
Qulab Stealer & Clipper
Infostealer and clipper created with AutoIt.
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory
-