qulab | 7921c12179578321423314c5458842e5f057609027c7b0a7fb4c072295ad8d6b

Resubmissions

25/02/2025, 02:57

250225-dfwbgszjs4 10

25/02/2025, 02:35

250225-c3cl8axpw8 10

Analysis

max time kernel
45s
max time network
56s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/02/2025, 02:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Private_Cheat by pc_Ret v8.exe
Size

2.8MB
MD5

9f031ba9a4e474e8a87e16e49bf61bc4
SHA1

37f4299fb8888fd7bc477e659e50adac41c3f4f1
SHA256

7921c12179578321423314c5458842e5f057609027c7b0a7fb4c072295ad8d6b
SHA512

95218bbf2f905d791e7aca7d659eaca073f132e6380a2b0a4c152785653618cb919b5e3d0455c57094e99f414283b459c2280703785ace3a929a6c03235d1e5a
SSDEEP

49152:ah+ZkldoPK8YaMWS1/D+MRMOtjR/zTqny/f5ft1xSKHYS:z2cPK821/iMRhjR/zXR1jT

Score

10^/10

qulab agilenet discovery ransomware spyware stealer upx

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-winre-recoveryagent\1\Information.txt

Family

qulab

Ransom Note

# /===============================\ # |=== QULAB CLIPPER + STEALER ===| # |===============================| # |==== BUY CLIPPER + STEALER ====| # |=== http://teleg.run/QulabZ ===| # \===============================/ Date: 25.02.2025, 02:35:53 Main Information: - OS: Windows 7 X64 / Build: 7601 - UserName: Admin - ComputerName: CCJBVTGQ - Processor: Intel(R) Xeon(R) CPU E5-2689 0 @ 2.60GHz - VideoCard: Standard VGA Graphics Adapter - Memory: 2.00 Gb - KeyBoard Layout ID: 00000409 - Resolution: 1280x720x32, 1 GHz Other Information: <error> Soft / Windows Components / Windows Updates: - Adobe AIR - Google Chrome - Microsoft Office Professional Plus 2010 - Adobe AIR - Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 - Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.30.30704 - Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.30.30704 - Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.40660 - Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.40660 - Microsoft Office Professional Plus 2010 - Microsoft Office Access MUI (English) 2010 - Microsoft Office Excel MUI (English) 2010 - Microsoft Office PowerPoint MUI (English) 2010 - Microsoft Office Publisher MUI (English) 2010 - Microsoft Office Outlook MUI (English) 2010 - Microsoft Office Word MUI (English) 2010 - Microsoft Office Proof (English) 2010 - Microsoft Office Proof (French) 2010 - Microsoft Office Proof (Spanish) 2010 - Microsoft Office Proofing (English) 2010 - Microsoft Office InfoPath MUI (English) 2010 - Microsoft Office Shared MUI (English) 2010 - Microsoft Office OneNote MUI (English) 2010 - Microsoft Office Groove MUI (English) 2010 - Microsoft Office Shared Setup Metadata MUI (English) 2010 - Microsoft Office Access Setup Metadata MUI (English) 2010 - Update for Microsoft .NET Framework 4.7.2 (KB4087364) - Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 - Adobe Reader 9 - Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030 - Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030 - Microsoft Visual C++ 2022 X86 Additional Runtime - 14.30.30704 - Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 - Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.40660 - Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40660 - Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 - Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.30.30704 Process List: - [System Process] / PID: 0 - System / PID: 4 - smss.exe / PID: 256 - csrss.exe / PID: 336 - wininit.exe / PID: 384 - csrss.exe / PID: 392 - winlogon.exe / PID: 432 - services.exe / PID: 480 - lsass.exe / PID: 488 - lsm.exe / PID: 496 - svchost.exe / PID: 588 - svchost.exe / PID: 672 - svchost.exe / PID: 748 - svchost.exe / PID: 816 - svchost.exe / PID: 856 - audiodg.exe / PID: 924 - svchost.exe / PID: 968 - svchost.exe / PID: 112 - spoolsv.exe / PID: 352 - taskhost.exe / PID: 1052 - svchost.exe / PID: 1088 - dwm.exe / PID: 1140 - explorer.exe / PID: 1164 - dllhost.exe / PID: 2004 - OSPPSVC.EXE / PID: 864 - WmiPrvSE.exe / PID: 1512 - svchost.exe / PID: 1480 - sppsvc.exe / PID: 2160 - Baldr (11).exe / PID: 2748 - WmiPrvSE.exe / PID: 1932 - Wpc.exe / PID: 2536

URLs

http://teleg.run/QulabZ

Signatures

Qulab Stealer & Clipper
Infostealer and clipper created with AutoIt.
stealer qulab
Qulab family
qulab

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0008000000019023-74.dat	acprotect

Executes dropped EXE 4 IoCs

pid	Process
2748	Baldr (11).exe
2660	Build.exe
2536	Wpc.exe
1728	Wpc.module.exe

Loads dropped DLL 11 IoCs

pid	Process
2780	Private_Cheat by pc_Ret v8.exe
2780	Private_Cheat by pc_Ret v8.exe
2780	Private_Cheat by pc_Ret v8.exe
2780	Private_Cheat by pc_Ret v8.exe
2780	Private_Cheat by pc_Ret v8.exe
2780	Private_Cheat by pc_Ret v8.exe
2780	Private_Cheat by pc_Ret v8.exe
2780	Private_Cheat by pc_Ret v8.exe
2536	Wpc.exe
2536	Wpc.exe
2536	Wpc.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/memory/2748-28-0x00000000002D0000-0x0000000000316000-memory.dmp	agile_net

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ipapi.co
9	ipapi.co

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000700000001873d-39.dat	autoit_exe
behavioral1/memory/2660-61-0x0000000000BC0000-0x0000000000D97000-memory.dmp	autoit_exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2536-76-0x0000000061E00000-0x0000000061ED1000-memory.dmp	upx
behavioral1/files/0x0008000000019023-74.dat	upx
behavioral1/memory/2536-73-0x0000000061E00000-0x0000000061ED1000-memory.dmp	upx
behavioral1/files/0x0007000000019613-105.dat	upx
behavioral1/memory/1728-107-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/1728-111-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral1/memory/2536-115-0x0000000061E00000-0x0000000061ED1000-memory.dmp	upx
behavioral1/memory/2536-116-0x0000000061E00000-0x0000000061ED1000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Private_Cheat by pc_Ret v8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baldr (11).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	Build.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	Build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	Wpc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	Wpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wpc.module.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\	Build.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-winre-recoveryagent\winmgmts:\localhost\	Wpc.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2748	Baldr (11).exe
2748	Baldr (11).exe
2536	Wpc.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2748	Baldr (11).exe
Token: SeRestorePrivilege	1728	Wpc.module.exe
Token: 35	1728	Wpc.module.exe
Token: SeSecurityPrivilege	1728	Wpc.module.exe
Token: SeSecurityPrivilege	1728	Wpc.module.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 2748	2780	Private_Cheat by pc_Ret v8.exe	30
PID 2780 wrote to memory of 2748	2780	Private_Cheat by pc_Ret v8.exe	30
PID 2780 wrote to memory of 2748	2780	Private_Cheat by pc_Ret v8.exe	30
PID 2780 wrote to memory of 2748	2780	Private_Cheat by pc_Ret v8.exe	30
PID 2780 wrote to memory of 2660	2780	Private_Cheat by pc_Ret v8.exe	31
PID 2780 wrote to memory of 2660	2780	Private_Cheat by pc_Ret v8.exe	31
PID 2780 wrote to memory of 2660	2780	Private_Cheat by pc_Ret v8.exe	31
PID 2780 wrote to memory of 2660	2780	Private_Cheat by pc_Ret v8.exe	31
PID 2660 wrote to memory of 2536	2660	Build.exe	33
PID 2660 wrote to memory of 2536	2660	Build.exe	33
PID 2660 wrote to memory of 2536	2660	Build.exe	33
PID 2660 wrote to memory of 2536	2660	Build.exe	33
PID 2536 wrote to memory of 1728	2536	Wpc.exe	34
PID 2536 wrote to memory of 1728	2536	Wpc.exe	34
PID 2536 wrote to memory of 1728	2536	Wpc.exe	34
PID 2536 wrote to memory of 1728	2536	Wpc.exe	34

C:\Users\Admin\AppData\Local\Temp\Private_Cheat by pc_Ret v8.exe
"C:\Users\Admin\AppData\Local\Temp\Private_Cheat by pc_Ret v8.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Users\Admin\AppData\Roaming\Z1004308289\Baldr (11).exe
  "C:\Users\Admin\AppData\Roaming\Z1004308289\Baldr (11).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2748
- C:\Users\Admin\AppData\Roaming\Z1004308289\Build.exe
  "C:\Users\Admin\AppData\Roaming\Z1004308289\Build.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-winre-recoveryagent\Wpc.exe
    C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-winre-recoveryagent\Wpc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-winre-recoveryagent\Wpc.module.exe
      C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-winre-recoveryagent\Wpc.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-winre-recoveryagent\ENU_687FE9717462A33E9D41.7z" "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-winre-recoveryagent\1\*"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Z1004308289\Build.exe

Filesize
1.8MB

MD5
e30988e3026df37370cac7ce85faec85

SHA1
7e2f2cecb759372b6e381afbcda9dffc3e475ad9

SHA256
37bc62e63d2cccc8c326ba42dfbc24d0ed2a2ec967eb4b24c1dce9dedbda5d08

SHA512
ae21cee091a3bb2109552508a2f03c46c9c6ea63a2b33c794fce9b6ee3ceae185e9a06ccf6d11894696b231935c5c3c5dfea9aec370b1b4282a5bce58fde1c7b

Download Submit
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-winre-recoveryagent\1\Information.txt

Filesize
3KB

MD5
a77292fabfcb1340f50397ce278e399c

SHA1
021ab33ec4fca4046fd9b00751d29da83dd98628

SHA256
f249efc16962e9beb4ef18849c130b4ac5d79c066fffdfe60c02afb610771685

SHA512
1c9808de82c210a20fa6c123fd09603af746942615fda81d39d7800f18edfe2572eb0dc8863b4ed49d501570dfb055e696c6df6cb9a0491411c90c7b7de60ed2

Download Submit
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-winre-recoveryagent\1\Screen.jpg

Filesize
47KB

MD5
2a160aa5e0870cc49a72e83a51b89358

SHA1
4a8a042b8b0b3499d49c0160d768564d4fda7eeb

SHA256
31b550e86123cd76f38479e416b2709388c77ce058397404e9342b460de30542

SHA512
1d9c02737450c15e3d5b2a81fcec56498a14cc20c11d6e0c77f8d15984d8adfc5ad90e684aca3fecac88f64559f31e696356af96932f0ca33ef9878689943c5a

Download Submit
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-winre-recoveryagent\Wpc.module.exe

Filesize
218KB

MD5
9c5b4e4fcae7eb410f09c9e46ffb4a6d

SHA1
9d233bbe69676b1064f1deafba8e70a9acc00773

SHA256
0376139308f3e83a73b76d3938d9c100779a83b98eeb3b3ebacfcbd1cc027fe9

SHA512
59c35d730dc17e790aa4c89f82fd2f64b4d67405c2bdf21d4a9757fa8bfb64461f1247c9da482b310b117f1a24144bf6c612c9f7587577b7a286e2e3de724ee5

Download Submit
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-winre-recoveryagent\Wpc.module.exe.6

Filesize
218KB

MD5
e82f9401a1e258f204020186f9a714ec

SHA1
9493e1ecaf8d24dc41df6811b96b459fe046dbdc

SHA256
76eb583552ef509e5c1c2cac4abc8442c0bbd59ce5c78a46c0f3da18158d542e

SHA512
f3514debb1e1f1a5dea4565e236105adbdbe05cbe509e8335ad4f1558b4beffbfbf0c519bcb4530760f5a3c39743ff1935818949c140bb694803a8ad15beddaf

Download Submit
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-winre-recoveryagent\Wpc.sqlite3.module.dll.6

Filesize
359KB

MD5
434da06978e9724ffa6d90b93ef62c75

SHA1
d469ed20d82e8dec3140aec8d52b4d56d975dedc

SHA256
6350e9044f2ac74d8d51793a8b446b944081e533bf2915faf9bc14aaa0c55795

SHA512
391404b4678f296d74d2bc81ae89bb4c423199adc509e69cd573717313ac3078e0f09a90e1dd4e618001608ae5b5aa0f10ae7855d98866179dc05cebfc50053c

Download Submit
\Users\Admin\AppData\Roaming\Z1004308289\Baldr (11).exe

Filesize
321KB

MD5
d24276ac40d35830f2b62afae1eb92a4

SHA1
eef691098d9635be8aa8739a3830aae5be889ef7

SHA256
3675e60b99fbbf818883e12da047223ef7490f08fd52df40867785e4586186e7

SHA512
ede7e171d73d64c20681362420f1662a8871bc6dffec806ced6800e3147f2f2d452be68ef738eebe71fce34d24f6549174cb930c1c7368266d416fd40d8db5aa

Download Submit
\Users\Admin\AppData\Roaming\x86_microsoft-windows-winre-recoveryagent\Wpc.sqlite3.module.dll

Filesize
359KB

MD5
a6e1b13b0b624094e6fb3a7bedb70930

SHA1
84b58920afd8e88181c4286fa2438af81f097781

SHA256
3b266088e1eb148534a8f95610e07749f7254f29d19f6f6686a1f0c85c9241bd

SHA512
26c2dffb44b7b0c2eb6e8fde7d5c6dce118af14971552bedeb131436f53edd28da98af8cf219bb7814cf4563624638cf73c7017fc3936b5112ff9f8c43f11591

Download Submit
memory/1728-111-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1728-107-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2536-73-0x0000000061E00000-0x0000000061ED1000-memory.dmp

Filesize
836KB

Download
memory/2536-115-0x0000000061E00000-0x0000000061ED1000-memory.dmp

Filesize
836KB

Download
memory/2536-118-0x0000000002880000-0x000000000290E000-memory.dmp

Filesize
568KB

Download
memory/2536-116-0x0000000061E00000-0x0000000061ED1000-memory.dmp

Filesize
836KB

Download
memory/2536-76-0x0000000061E00000-0x0000000061ED1000-memory.dmp

Filesize
836KB

Download
memory/2536-106-0x0000000002880000-0x000000000290E000-memory.dmp

Filesize
568KB

Download
memory/2660-61-0x0000000000BC0000-0x0000000000D97000-memory.dmp

Filesize
1.8MB

Download
memory/2748-41-0x0000000074020000-0x000000007470E000-memory.dmp

Filesize
6.9MB

Download
memory/2748-40-0x0000000000330000-0x0000000000336000-memory.dmp

Filesize
24KB

Download
memory/2748-19-0x000000007402E000-0x000000007402F000-memory.dmp

Filesize
4KB

Download
memory/2748-112-0x000000007402E000-0x000000007402F000-memory.dmp

Filesize
4KB

Download
memory/2748-113-0x0000000074020000-0x000000007470E000-memory.dmp

Filesize
6.9MB

Download
memory/2748-114-0x0000000074020000-0x000000007470E000-memory.dmp

Filesize
6.9MB

Download
memory/2748-28-0x00000000002D0000-0x0000000000316000-memory.dmp

Filesize
280KB

Download
memory/2748-42-0x0000000074020000-0x000000007470E000-memory.dmp

Filesize
6.9MB

Download
memory/2748-117-0x0000000074020000-0x000000007470E000-memory.dmp

Filesize
6.9MB

Download
memory/2748-43-0x0000000074020000-0x000000007470E000-memory.dmp

Filesize
6.9MB

Download