Overview

overview

10

Static

static

SecuriteIn...27.exe

windows7-x64

10

SecuriteIn...27.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    49s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
  • submitted
    29-07-2022 06:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.W32.AIDetectNet.01.27727.exe

  • Size

    1.2MB

  • MD5

    e0c7918a16a8e9b865c0380cda868ad3

  • SHA1

    e08b4392b8a4b2ab1fcad4b4d0d2a0cb1379b292

  • SHA256

    143f907099ab94069a33c8b30f9b124c85d8836ff3db9fcefef2e7220f41cdf6

  • SHA512

    33b5cf5ef076c31d21f336c85bc486c8d62fba40e0b553fa58d16573cffe19fb2849b66b6954cf598305f991f8d510e168d03fe71f93cbdd435ed58b02d62730

Score
10/10
blustealerstealer

Malware Config

Extracted

Family

blustealer

Credentials

  • Protocol:     smtp
  • Host:
    satport.shop
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    e.,)09BL8xF7

Signatures

  • BluStealer

    A Modular information stealer written in Visual Basic.

    stealerblustealer
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.27727.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.27727.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2032
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1728
    • C:\Users\Admin\AppData\Local\Temp\Nctgblwyzbsgpink.exe
      "C:\Users\Admin\AppData\Local\Temp\Nctgblwyzbsgpink.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:272
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwAA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1168
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        3⤵
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of AdjustPrivilegeToken
        PID:864
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:1016

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Nctgblwyzbsgpink.exe
    Filesize

    501KB

    MD5

    5d40227761c5b9164c28b698ec4c362f

    SHA1

    d1e174d4011fd9f08d9ad2422428884cf1726566

    SHA256

    664b983035d624e058baf171280a3fb69c8018f1e3da2d98b4b0b9a6a68a4cbd

    SHA512

    8052c8cea656298228decc1dfcf3ced28b93bf5c9323e6401aedeff8cbe5d2e11b33293ccd0ce6232ebe983238342fe450a7191e8789266cda67fb126388d6da

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Nctgblwyzbsgpink.exe
    Filesize

    501KB

    MD5

    5d40227761c5b9164c28b698ec4c362f

    SHA1

    d1e174d4011fd9f08d9ad2422428884cf1726566

    SHA256

    664b983035d624e058baf171280a3fb69c8018f1e3da2d98b4b0b9a6a68a4cbd

    SHA512

    8052c8cea656298228decc1dfcf3ced28b93bf5c9323e6401aedeff8cbe5d2e11b33293ccd0ce6232ebe983238342fe450a7191e8789266cda67fb126388d6da

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    e1c567b41816e8fc82ae6bf73cf02113

    SHA1

    bf55555051fc0cfba4df13e551f0733df04f7726

    SHA256

    c95cd5ed8bf3d83cb9f806006ab09f5b4be70144756fb6a77d0d59060ebd8e39

    SHA512

    40402e529f17ef0ef67ed5ce750e36ab28022234a402e8498d95afd1e6f53b683b46cf71004c1173ccc328083d8fd6856987b587c226756ec24a35b729ef5c68

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\files\docs.exe
    Filesize

    501KB

    MD5

    5d40227761c5b9164c28b698ec4c362f

    SHA1

    d1e174d4011fd9f08d9ad2422428884cf1726566

    SHA256

    664b983035d624e058baf171280a3fb69c8018f1e3da2d98b4b0b9a6a68a4cbd

    SHA512

    8052c8cea656298228decc1dfcf3ced28b93bf5c9323e6401aedeff8cbe5d2e11b33293ccd0ce6232ebe983238342fe450a7191e8789266cda67fb126388d6da

    Download Submit

  • \Users\Admin\AppData\Local\Temp\Nctgblwyzbsgpink.exe
    Filesize

    501KB

    MD5

    5d40227761c5b9164c28b698ec4c362f

    SHA1

    d1e174d4011fd9f08d9ad2422428884cf1726566

    SHA256

    664b983035d624e058baf171280a3fb69c8018f1e3da2d98b4b0b9a6a68a4cbd

    SHA512

    8052c8cea656298228decc1dfcf3ced28b93bf5c9323e6401aedeff8cbe5d2e11b33293ccd0ce6232ebe983238342fe450a7191e8789266cda67fb126388d6da

    Download Submit

  • memory/272-67-0x0000000000550000-0x00000000005C0000-memory.dmp

    Filesize

    448KB

    Download

  • memory/272-66-0x0000000001240000-0x00000000012C2000-memory.dmp

    Filesize

    520KB

    Download

  • memory/864-90-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/864-88-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/864-102-0x0000000004925000-0x0000000004936000-memory.dmp

    Filesize

    68KB

    Download

  • memory/864-100-0x00000000003E0000-0x00000000003E8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/864-99-0x00000000003B0000-0x00000000003E6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/864-96-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/864-98-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/864-87-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/864-93-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/864-92-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1016-83-0x0000000000400000-0x000000000049E000-memory.dmp

    Filesize

    632KB

    Download

  • memory/1016-72-0x0000000000400000-0x000000000049E000-memory.dmp

    Filesize

    632KB

    Download

  • memory/1016-73-0x0000000000400000-0x000000000049E000-memory.dmp

    Filesize

    632KB

    Download

  • memory/1016-80-0x0000000000400000-0x000000000049E000-memory.dmp

    Filesize

    632KB

    Download

  • memory/1016-75-0x0000000000400000-0x000000000049E000-memory.dmp

    Filesize

    632KB

    Download

  • memory/1016-77-0x0000000000400000-0x000000000049E000-memory.dmp

    Filesize

    632KB

    Download

  • memory/1168-85-0x000000006E9B0000-0x000000006EF5B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1168-84-0x000000006E9B0000-0x000000006EF5B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1728-61-0x000000006EDF0000-0x000000006F39B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1728-60-0x000000006EDF0000-0x000000006F39B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2032-54-0x00000000008A0000-0x00000000009DE000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2032-55-0x0000000004AC0000-0x0000000004BEC000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2032-56-0x0000000004210000-0x00000000042A2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2032-57-0x0000000075A81000-0x0000000075A83000-memory.dmp

    Filesize

    8KB

    Download