Overview

overview

10

Static

static

SecuriteIn...27.exe

windows7-x64

10

SecuriteIn...27.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220722-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-07-2022 06:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.W32.AIDetectNet.01.27727.exe

  • Size

    1.2MB

  • MD5

    e0c7918a16a8e9b865c0380cda868ad3

  • SHA1

    e08b4392b8a4b2ab1fcad4b4d0d2a0cb1379b292

  • SHA256

    143f907099ab94069a33c8b30f9b124c85d8836ff3db9fcefef2e7220f41cdf6

  • SHA512

    33b5cf5ef076c31d21f336c85bc486c8d62fba40e0b553fa58d16573cffe19fb2849b66b6954cf598305f991f8d510e168d03fe71f93cbdd435ed58b02d62730

Score
10/10
blustealerstealer

Malware Config

Extracted

Family

blustealer

Credentials

  • Protocol:     smtp
  • Host:
    satport.shop
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    e.,)09BL8xF7

Signatures

  • BluStealer

    A Modular information stealer written in Visual Basic.

    stealerblustealer
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.27727.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.27727.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3184
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1292
    • C:\Users\Admin\AppData\Local\Temp\Nctgblwyzbsgpink.exe
      "C:\Users\Admin\AppData\Local\Temp\Nctgblwyzbsgpink.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3828
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwAA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1408
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        3⤵
          PID:1628
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          3⤵
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          PID:2952
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:3060

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      1KB

      MD5

      4280e36a29fa31c01e4d8b2ba726a0d8

      SHA1

      c485c2c9ce0a99747b18d899b71dfa9a64dabe32

      SHA256

      e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

      SHA512

      494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      16KB

      MD5

      dd4176111ac77b4c576aa376aecaa81b

      SHA1

      bf082f855b142068d123843c525ec2a78dff7979

      SHA256

      8b4d0780972b48c3299f5fe860112a6835c065b69abefd96699c4cc7b42d337e

      SHA512

      891fcdc623f0c6aca6db2b2ff811e3b90c7074c3055a174c9244e4fd9b704e00e2a9a93367f78b564ae70985185daf824cdd2bbdebf500e55679e670beeebd43

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Nctgblwyzbsgpink.exe
      Filesize

      501KB

      MD5

      5d40227761c5b9164c28b698ec4c362f

      SHA1

      d1e174d4011fd9f08d9ad2422428884cf1726566

      SHA256

      664b983035d624e058baf171280a3fb69c8018f1e3da2d98b4b0b9a6a68a4cbd

      SHA512

      8052c8cea656298228decc1dfcf3ced28b93bf5c9323e6401aedeff8cbe5d2e11b33293ccd0ce6232ebe983238342fe450a7191e8789266cda67fb126388d6da

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Nctgblwyzbsgpink.exe
      Filesize

      501KB

      MD5

      5d40227761c5b9164c28b698ec4c362f

      SHA1

      d1e174d4011fd9f08d9ad2422428884cf1726566

      SHA256

      664b983035d624e058baf171280a3fb69c8018f1e3da2d98b4b0b9a6a68a4cbd

      SHA512

      8052c8cea656298228decc1dfcf3ced28b93bf5c9323e6401aedeff8cbe5d2e11b33293ccd0ce6232ebe983238342fe450a7191e8789266cda67fb126388d6da

      Download Submit

    • memory/1292-136-0x00000000053E0000-0x0000000005416000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1292-137-0x0000000005A50000-0x0000000006078000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/1292-139-0x00000000062D0000-0x0000000006336000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1292-140-0x0000000006990000-0x00000000069AE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1292-141-0x0000000007F90000-0x000000000860A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/1292-142-0x0000000006E40000-0x0000000006E5A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1292-138-0x00000000061F0000-0x0000000006256000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2952-161-0x0000000000400000-0x0000000000422000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2952-162-0x00000000054A0000-0x0000000005532000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2952-163-0x0000000005480000-0x000000000548A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3060-156-0x0000000000400000-0x000000000049E000-memory.dmp

      Filesize

      632KB

      Download

    • memory/3060-150-0x0000000000400000-0x000000000049E000-memory.dmp

      Filesize

      632KB

      Download

    • memory/3060-157-0x0000000000400000-0x000000000049E000-memory.dmp

      Filesize

      632KB

      Download

    • memory/3060-148-0x0000000000400000-0x000000000049E000-memory.dmp

      Filesize

      632KB

      Download

    • memory/3184-132-0x0000000000260000-0x000000000039E000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/3184-134-0x0000000005090000-0x00000000050B2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3184-133-0x0000000005430000-0x00000000059D4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3828-146-0x00000000007E0000-0x0000000000862000-memory.dmp

      Filesize

      520KB

      Download