Analysis
-
max time kernel
119s -
max time network
127s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
20-10-2021 12:00
Static task
static1
Behavioral task
behavioral1
Sample
104bfff4e7a7f04efd06e865cce96c4d.exe
Resource
win7-en-20210920
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
104bfff4e7a7f04efd06e865cce96c4d.exe
Resource
win10-en-20211014
windows10_x64
0 signatures
0 seconds
General
-
Target
104bfff4e7a7f04efd06e865cce96c4d.exe
-
Size
87KB
-
MD5
104bfff4e7a7f04efd06e865cce96c4d
-
SHA1
f05c8e92b0cc671aa27606347026383cfe179309
-
SHA256
6d22dfb53e173bdd14f24a6e08bd334596c89bd18519bfd5d9e1371991934ae9
-
SHA512
9be13b498850a8223119afa3d8e26b1e1cf15a4dc60a3130120944868c1ab531a7d274bd95caf98594fda249364f02cbc971355358bac1cb08c9423c0980cec4
Score
10/10
Malware Config
Extracted
Family
blustealer
Credentials
Protocol: smtp- Host:
reptw.xyz - Port:
587 - Username:
[email protected] - Password:
2HRgrc+HEz}8
Signatures
-
BluStealer
A Modular information stealer written in Visual Basic.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
104bfff4e7a7f04efd06e865cce96c4d.exedescription pid Process procid_target PID 2192 set thread context of 3800 2192 104bfff4e7a7f04efd06e865cce96c4d.exe 70 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
104bfff4e7a7f04efd06e865cce96c4d.exepid Process 2192 104bfff4e7a7f04efd06e865cce96c4d.exe 2192 104bfff4e7a7f04efd06e865cce96c4d.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
104bfff4e7a7f04efd06e865cce96c4d.exedescription pid Process Token: SeDebugPrivilege 2192 104bfff4e7a7f04efd06e865cce96c4d.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
104bfff4e7a7f04efd06e865cce96c4d.exepid Process 3800 104bfff4e7a7f04efd06e865cce96c4d.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
104bfff4e7a7f04efd06e865cce96c4d.exedescription pid Process procid_target PID 2192 wrote to memory of 3800 2192 104bfff4e7a7f04efd06e865cce96c4d.exe 70 PID 2192 wrote to memory of 3800 2192 104bfff4e7a7f04efd06e865cce96c4d.exe 70 PID 2192 wrote to memory of 3800 2192 104bfff4e7a7f04efd06e865cce96c4d.exe 70 PID 2192 wrote to memory of 3800 2192 104bfff4e7a7f04efd06e865cce96c4d.exe 70 PID 2192 wrote to memory of 3800 2192 104bfff4e7a7f04efd06e865cce96c4d.exe 70 PID 2192 wrote to memory of 3800 2192 104bfff4e7a7f04efd06e865cce96c4d.exe 70 PID 2192 wrote to memory of 3800 2192 104bfff4e7a7f04efd06e865cce96c4d.exe 70 PID 2192 wrote to memory of 3800 2192 104bfff4e7a7f04efd06e865cce96c4d.exe 70
Processes
-
C:\Users\Admin\AppData\Local\Temp\104bfff4e7a7f04efd06e865cce96c4d.exe"C:\Users\Admin\AppData\Local\Temp\104bfff4e7a7f04efd06e865cce96c4d.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Users\Admin\AppData\Local\Temp\104bfff4e7a7f04efd06e865cce96c4d.exeC:\Users\Admin\AppData\Local\Temp\104bfff4e7a7f04efd06e865cce96c4d.exe2⤵
- Suspicious use of SetWindowsHookEx
PID:3800
-