General
-
Target
06c8f98340f8db546d006d28f323fd4ab4164f2427ac026978d10e988e1d22ea.exe
-
Size
2.4MB
-
Sample
240723-r29b5aybke
-
MD5
ea1227cd8e872accf26b2fa1c1596b38
-
SHA1
d4198173a75fd8cc36e16635badd0905c43d4bc6
-
SHA256
06c8f98340f8db546d006d28f323fd4ab4164f2427ac026978d10e988e1d22ea
-
SHA512
236e6ab36184af1eb85e6c8bb2357e0a3d9e2674eff3d5208c9dbaffae0541f73c066cda90131c2d08c967bdf07749812cd8fe89661f143e7be7d8434274994c
-
SSDEEP
49152:bh+ZkldoPK8YaGMOtjR/uuO3qn1C5Qs2fA3FJ8nfy7iShZji7/M:E2cPK84hjR/ci1C51MAVJ8WUr
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-g..icy-policymaker-mof\1\Information.txt
Family
qulab
Ransom Note
# /===============================\
# |=== QULAB CLIPPER + STEALER ===|
# |===============================|
# |==== BUY CLIPPER + STEALER ====|
# |=== http://teleg.run/QulabZ ===|
# \===============================/
Date: 23.07.2024, 14:42:58
Main Information:
- OS: Windows 7 X64 / Build: 7601
- UserName: Admin
- ComputerName: PSBQWFYT
- Processor: Intel(R) Xeon(R) CPU E5-2689 0 @ 2.60GHz
- VideoCard: Standard VGA Graphics Adapter
- Memory: 0.50 Gb
- KeyBoard Layout ID: 00000409
- Resolution: 1280x720x32, 1 GHz
Other Information:
<error>
Soft / Windows Components / Windows Updates:
- Adobe AIR
- Google Chrome
- Microsoft Office Professional Plus 2010
- Adobe AIR
- Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030
- Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.30.30704
- Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.30.30704
- Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.40660
- Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.40660
- Microsoft Office Professional Plus 2010
- Microsoft Office Access MUI (English) 2010
- Microsoft Office Excel MUI (English) 2010
- Microsoft Office PowerPoint MUI (English) 2010
- Microsoft Office Publisher MUI (English) 2010
- Microsoft Office Outlook MUI (English) 2010
- Microsoft Office Word MUI (English) 2010
- Microsoft Office Proof (English) 2010
- Microsoft Office Proof (French) 2010
- Microsoft Office Proof (Spanish) 2010
- Microsoft Office Proofing (English) 2010
- Microsoft Office InfoPath MUI (English) 2010
- Microsoft Office Shared MUI (English) 2010
- Microsoft Office OneNote MUI (English) 2010
- Microsoft Office Groove MUI (English) 2010
- Microsoft Office Shared Setup Metadata MUI (English) 2010
- Microsoft Office Access Setup Metadata MUI (English) 2010
- Update for Microsoft .NET Framework 4.7.2 (KB4087364)
- Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
- Adobe Reader 9
- Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030
- Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030
- Microsoft Visual C++ 2022 X86 Additional Runtime - 14.30.30704
- Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030
- Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.40660
- Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40660
- Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
- Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.30.30704
Process List:
- [System Process] / PID: 0
- System / PID: 4
- smss.exe / PID: 256
- csrss.exe / PID: 332
- wininit.exe / PID: 380
- csrss.exe / PID: 392
- winlogon.exe / PID: 432
- services.exe / PID: 476
- lsass.exe / PID: 492
- lsm.exe / PID: 500
- svchost.exe / PID: 596
- svchost.exe / PID: 676
- svchost.exe / PID: 748
- svchost.exe / PID: 804
- svchost.exe / PID: 852
- audiodg.exe / PID: 916
- svchost.exe / PID: 960
- svchost.exe / PID: 108
- spoolsv.exe / PID: 1008
- svchost.exe / PID: 1040
- taskhost.exe / PID: 1112
- dwm.exe / PID: 1168
- explorer.exe / PID: 1200
- dllhost.exe / PID: 1300
- OSPPSVC.EXE / PID: 1536
- WmiPrvSE.exe / PID: 1688
- svchost.exe / PID: 2520
- sppsvc.exe / PID: 2552
- notepad.exe / PID: 2932
- SRCOM.exe / PID: 2820
URLs
http://teleg.run/QulabZ
Extracted
Path
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-g..icy-policymaker-mof\1\Information.txt
Family
qulab
Ransom Note
# /===============================\
# |=== QULAB CLIPPER + STEALER ===|
# |===============================|
# |==== BUY CLIPPER + STEALER ====|
# |=== http://teleg.run/QulabZ ===|
# \===============================/
Date: 23.07.2024, 14:42:57
Main Information:
- OS: Windows 10 X64 / Build: 19041
- UserName: Admin
- ComputerName: QIVBHIQT
- Processor: 12th Gen Intel(R) Core(TM) i5-12400
- VideoCard: Microsoft Basic Display Adapter
- Memory: 2.00 Gb
- KeyBoard Layout ID: 00000409
- Resolution: 1280x720x32, 64 GHz
Other Information:
<error>
Soft / Windows Components / Windows Updates:
- Google Chrome
- Microsoft Edge
- Microsoft Edge Update
- Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030
- Java Auto Updater
- Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.30.30704
- Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.30.30704
- Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.40660
- Microsoft Windows Desktop Runtime - 8.0.2 (x64)
- Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.40660
- Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
- Adobe Acrobat Reader DC
- Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030
- Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030
- Microsoft Visual C++ 2022 X86 Additional Runtime - 14.30.30704
- Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030
- Microsoft Windows Desktop Runtime - 6.0.27 (x64)
- Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.40660
- Microsoft Windows Desktop Runtime - 7.0.16 (x64)
- Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40660
- Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
- Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.30.30704
Process List:
- [System Process] / PID: 0
- System / PID: 4
- Registry / PID: 92
- smss.exe / PID: 356
- csrss.exe / PID: 444
- wininit.exe / PID: 520
- csrss.exe / PID: 536
- winlogon.exe / PID: 616
- services.exe / PID: 652
- lsass.exe / PID: 664
- fontdrvhost.exe / PID: 780
- fontdrvhost.exe / PID: 788
- svchost.exe / PID: 796
- svchost.exe / PID: 892
- svchost.exe / PID: 952
- dwm.exe / PID: 1016
- svchost.exe / PID: 408
- svchost.exe / PID: 1032
- svchost.exe / PID: 1040
- svchost.exe / PID: 1048
- svchost.exe / PID: 1056
- svchost.exe / PID: 1192
- svchost.exe / PID: 1244
- svchost.exe / PID: 1336
- svchost.exe / PID: 1368
- svchost.exe / PID: 1388
- svchost.exe / PID: 1396
- svchost.exe / PID: 1416
- svchost.exe / PID: 1460
- svchost.exe / PID: 1596
- svchost.exe / PID: 1624
- svchost.exe / PID: 1680
- svchost.exe / PID: 1736
- svchost.exe / PID: 1772
- svchost.exe / PID: 1872
- svchost.exe / PID: 1964
- svchost.exe / PID: 1972
- svchost.exe / PID: 1332
- svchost.exe / PID: 1800
- svchost.exe / PID: 2080
- spoolsv.exe / PID: 2144
- svchost.exe / PID: 2220
- svchost.exe / PID: 2268
- svchost.exe / PID: 2284
- sihost.exe / PID: 2548
- svchost.exe / PID: 2556
- svchost.exe / PID: 2564
- svchost.exe / PID: 2592
- svchost.exe / PID: 2748
- svchost.exe / PID: 2780
- taskhostw.exe / PID: 2792
- sysmon.exe / PID: 2840
- svchost.exe / PID: 2852
- svchost.exe / PID: 2864
- svchost.exe / PID: 2924
- unsecapp.exe / PID: 3108
- svchost.exe / PID: 3216
- svchost.exe / PID: 3488
- explorer.exe / PID: 3588
- svchost.exe / PID: 3724
- dllhost.exe / PID: 3912
- StartMenuExperienceHost.exe / PID: 4056
- RuntimeBroker.exe / PID: 740
- SearchApp.exe / PID: 3716
- RuntimeBroker.exe / PID: 4132
- sppsvc.exe / PID: 4780
- svchost.exe / PID: 1084
- svchost.exe / PID: 4524
- svchost.exe / PID: 4944
- svchost.exe / PID: 4684
- svchost.exe / PID: 4160
- SppExtComObj.Exe / PID: 848
- svchost.exe / PID: 1892
- OfficeClickToRun.exe / PID: 2204
- dllhost.exe / PID: 3640
- svchost.exe / PID: 2500
- TextInputHost.exe / PID: 3564
- RuntimeBroker.exe / PID: 1940
- RuntimeBroker.exe / PID: 3548
- RuntimeBroker.exe / PID: 2768
- upfc.exe / PID: 4088
- svchost.exe / PID: 3644
- backgroundTaskHost.exe / PID: 1108
- backgroundTaskHost.exe / PID: 4924
- svchost.exe / PID: 3320
- notepad.exe / PID: 4864
- SRCOM.exe / PID: 1164
URLs
http://teleg.run/QulabZ
Targets
-
-
Target
06c8f98340f8db546d006d28f323fd4ab4164f2427ac026978d10e988e1d22ea.exe
-
Size
2.4MB
-
MD5
ea1227cd8e872accf26b2fa1c1596b38
-
SHA1
d4198173a75fd8cc36e16635badd0905c43d4bc6
-
SHA256
06c8f98340f8db546d006d28f323fd4ab4164f2427ac026978d10e988e1d22ea
-
SHA512
236e6ab36184af1eb85e6c8bb2357e0a3d9e2674eff3d5208c9dbaffae0541f73c066cda90131c2d08c967bdf07749812cd8fe89661f143e7be7d8434274994c
-
SSDEEP
49152:bh+ZkldoPK8YaGMOtjR/uuO3qn1C5Qs2fA3FJ8nfy7iShZji7/M:E2cPK84hjR/ci1C51MAVJ8WUr
Score10/10-
Qulab Stealer & Clipper
Infostealer and clipper created with AutoIt.
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory
-