Overview

overview

10

Static

static

YTHK21082400.exe

windows7_x64

10

YTHK21082400.exe

windows10_x64

10

Analysis

  • max time kernel
    135s
  • max time network
    73s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    27-09-2021 14:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    YTHK21082400.exe

  • Size

    6KB

  • MD5

    3ffff737bfe1a900b328599fe9da58b6

  • SHA1

    64a930f90248f8e1702fc29a40860081076a7b38

  • SHA256

    d27b2ee1f364b72f66ea452754cf56477c5028ab5c6ad0041fb97d9c40506639

  • SHA512

    570813e30b91a93f916ec078b3aa2076062e8d2ca22f5b63fdc9708f86ce7444bc2d78f84e4d40ba349feb52133e8581ad3b7fc32cef44ead5c26f9d1e5fe984

Score
10/10
a310loggerblustealercollectionspywarestealer

Malware Config

Extracted

Family

blustealer

Credentials

  • Protocol:     smtp
  • Host:
    mail.enche.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Merchandise08012021

Signatures

  • A310logger

    A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    stealerspywarea310logger
  • BluStealer

    A Modular information stealer written in Visual Basic.

    stealerblustealer
  • A310logger Executable 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\YTHK21082400.exe
    "C:\Users\Admin\AppData\Local\Temp\YTHK21082400.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:664
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2732
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • outlook_office_path
        • outlook_win_path
        PID:4008
      • C:\Program Files (x86)\Windows Mail\WinMail.exe
        "C:\Program Files (x86)\Windows Mail\WinMail" OCInstallUserConfigOE
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3868
        • C:\Program Files\Windows Mail\WinMail.exe
          "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
          4⤵
            PID:3040

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/664-116-0x0000000000EB0000-0x0000000000EB2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/664-117-0x0000000000E40000-0x0000000000E9F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/664-118-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/664-114-0x0000000000850000-0x0000000000851000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2732-119-0x0000000000400000-0x000000000045B000-memory.dmp

      Filesize

      364KB

      Download

    • memory/4008-128-0x000000001B690000-0x000000001B692000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4008-126-0x0000000000890000-0x0000000000891000-memory.dmp

      Filesize

      4KB

      Download