Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 23-06-2022 15:00

Static task: static1

Behavioral task: behavioral1
- Sample: RFQ 10050395.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: RFQ 10050395.exe
- Resource: win10v2004-20220414-en
General
- Target: RFQ 10050395.exe
- Size: 733KB
- MD5: 208b8885063f4562e1e181c63f155bd1
- SHA1: b0071008c3ae769433c6c71acd49c80a4b5a853d
- SHA256: a47f1b1a2995865a081e270569e3cb0857d3af3759c2e06b72e3f418e9611a87
- SHA512: 96f48b489308904e883c004514cc0cd33cfeb893f03e4f9d9454b88c95c991cad2b9773040c4a9d08d524d0f79cf7232e4cc81352ea0a0100c4c7dbf99c5e3f7
Malware Config
Extracted: blustealer
- https://api.telegram.org/bot5330579892:AAHDIOXrD-d-pMU_JI4pPczBI962-9fokRs/sendMessage?chat_id=1494890429
Signatures
- BluStealer
  A modular information stealer written in Visual Basic.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes: AppLaunch.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: RFQ 10050395.exe (PID 392), RFQ 10050395.exe (PID 4368)
  description | pid | process | target process
  PID 392 set thread context of 4368 | 392 | RFQ 10050395.exe | RFQ 10050395.exe
  PID 4368 set thread context of 4596 | 4368 | RFQ 10050395.exe | AppLaunch.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Script User-Agent (1 IoCs)
  Uses user-agent string associated with script host/environment.
  description | flow | ioc
  HTTP User-Agent header | 31 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: RFQ 10050395.exe
  pid | process
  4368 | RFQ 10050395.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes: RFQ 10050395.exe (PID 392), RFQ 10050395.exe (PID 4368)
  description | pid | process | target process
  PID 392 wrote to memory of 4368 | 392 | RFQ 10050395.exe | RFQ 10050395.exe (8 identical entries)
  PID 4368 wrote to memory of 4596 | 4368 | RFQ 10050395.exe | AppLaunch.exe (5 identical entries)
- outlook_office_path (1 IoCs)
  Processes: AppLaunch.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
- outlook_win_path (1 IoCs)
  Processes: AppLaunch.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\RFQ 10050395.exe (tree level 1, PID 392)
  Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ 10050395.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\RFQ 10050395.exe (tree level 2, PID 4368)
    Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ 10050395.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (tree level 3, PID 4596)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      - Accesses Microsoft Outlook profiles
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/392-130-0x00000000000E0000-0x000000000019C000-memory.dmp (Filesize 752KB)
- memory/392-131-0x0000000005140000-0x00000000056E4000-memory.dmp (Filesize 5.6MB)
- memory/392-132-0x0000000004B90000-0x0000000004C22000-memory.dmp (Filesize 584KB)
- memory/392-133-0x0000000004B30000-0x0000000004B3A000-memory.dmp (Filesize 40KB)
- memory/392-134-0x0000000008460000-0x00000000084FC000-memory.dmp (Filesize 624KB)
- memory/4368-135-0x0000000000000000-mapping.dmp
- memory/4368-136-0x0000000000400000-0x000000000046D000-memory.dmp (Filesize 436KB)
- memory/4368-138-0x0000000000400000-0x000000000046D000-memory.dmp (Filesize 436KB)
- memory/4368-141-0x0000000000400000-0x000000000046D000-memory.dmp (Filesize 436KB)
- memory/4368-144-0x0000000000400000-0x000000000046D000-memory.dmp (Filesize 436KB)
- memory/4596-142-0x0000000000000000-mapping.dmp
- memory/4596-143-0x0000000000D60000-0x0000000000DC6000-memory.dmp (Filesize 408KB)