Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
12-10-2021 12:17
Static task
static1
Behavioral task
behavioral1
Sample
T98765434567898.exe
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
T98765434567898.exe
Resource
win10v20210408
General
-
Target
T98765434567898.exe
-
Size
1.2MB
-
MD5
abb26d1600dda55b1004b39d569178a8
-
SHA1
8e6cba40d4ddd9d6ff6b781f79febbb47e58855b
-
SHA256
1d0e997a1e0cca7446644a5082da18ea191862c85a3e222b0296bdb158c2a387
-
SHA512
8d560a240bba2f915ff5a7b05bd061cbc68c8ce2268ee8b6815834f00452232e4f63da89e8d9b565dec45f0e9df232931676caae8ac6242995d14ad1222eb3e4
Malware Config
Extracted
blustealer
https://api.telegram.org/bot1838876767:AAEiDKTcT_A4WBwpMo9nnrtBP7OvsmEUnNU/sendMessage?chat_id=1300181783
Signatures
-
BluStealer
A Modular information stealer written in Visual Basic.
-
Loads dropped DLL 1 IoCs
Processes:
T98765434567898.exepid Process 656 T98765434567898.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
T98765434567898.exedescription pid Process procid_target PID 656 set thread context of 3856 656 T98765434567898.exe 72 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
T98765434567898.exepid Process 3856 T98765434567898.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
T98765434567898.exedescription pid Process procid_target PID 656 wrote to memory of 3856 656 T98765434567898.exe 72 PID 656 wrote to memory of 3856 656 T98765434567898.exe 72 PID 656 wrote to memory of 3856 656 T98765434567898.exe 72 PID 656 wrote to memory of 3856 656 T98765434567898.exe 72 PID 656 wrote to memory of 3856 656 T98765434567898.exe 72 PID 656 wrote to memory of 3856 656 T98765434567898.exe 72 PID 656 wrote to memory of 3856 656 T98765434567898.exe 72 PID 656 wrote to memory of 3856 656 T98765434567898.exe 72
Processes
-
C:\Users\Admin\AppData\Local\Temp\T98765434567898.exe"C:\Users\Admin\AppData\Local\Temp\T98765434567898.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:656 -
C:\Users\Admin\AppData\Local\Temp\T98765434567898.exe"C:\Users\Admin\AppData\Local\Temp\T98765434567898.exe"2⤵
- Suspicious use of SetWindowsHookEx
PID:3856
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
593ae51744a3a1518c88249d88f6e0d8
SHA1799fc91d7871e4387fd487da8c066a5908263088
SHA256f5b07baf233029ae6a86a512fd84161c07d27827ef0222eea9783296249f646b
SHA51291d538a964f803b97b5983ca7bfab265cbfca1d481c9da7038d478bef56cea033cd9fc7acaf18b5a9680fb684cacab950df66fc9b4264ba8b5ed63c56e80cf6a