Analysis

  • max time kernel
    143s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/08/2022, 07:45 UTC

General

  • Target

    Quotation - Drawing Data Base .xlsx.exe

  • Size

    73KB

  • MD5

    11e1af92f7cceed0e7b989b40c6be67e

  • SHA1

    31cb4829e6ded8a4633642cecf5c42a4fbadc1b2

  • SHA256

    dceab4eabbcf9787ac9a36c289afaa036782a24edd35523fb3072b030029faf2

  • SHA512

    78e4aa806dcd5086cb3c1e4b2b6c13b03f46df07e46254d40e34c66c606629665e357bb5552b06b7ab53825ce2d29cbd693a5323df5502c23b661395db186132

Score
10/10

Malware Config

Signatures

  • BluStealer

    A modular information stealer written in Visual Basic.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Quotation - Drawing Data Base .xlsx.exe
    "C:\Users\Admin\AppData\Local\Temp\Quotation - Drawing Data Base .xlsx.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1872
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:3296

Network

  • Country: US
    GET
    http://208.67.105.125/vik/B2.txt
    Quotation - Drawing Data Base .xlsx.exe
    Remote address:
    208.67.105.125:80
    Request
    GET /vik/B2.txt HTTP/1.1
    Host: 208.67.105.125
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Wed, 03 Aug 2022 07:45:14 GMT
    Server: Apache/2.4.38 (Win32) OpenSSL/1.1.1a PHP/7.3.2
    Last-Modified: Tue, 02 Aug 2022 06:52:43 GMT
    ETag: "40000-5e53c902f9e07"
    Accept-Ranges: bytes
    Content-Length: 262144
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/plain
  • Country: US
    GET
    http://208.67.105.125/vik/DLLL.txt
    Quotation - Drawing Data Base .xlsx.exe
    Remote address:
    208.67.105.125:80
    Request
    GET /vik/DLLL.txt HTTP/1.1
    Host: 208.67.105.125
    Response
    HTTP/1.1 200 OK
    Date: Wed, 03 Aug 2022 07:45:14 GMT
    Server: Apache/2.4.38 (Win32) OpenSSL/1.1.1a PHP/7.3.2
    Last-Modified: Tue, 02 Aug 2022 21:52:15 GMT
    ETag: "6d58-5e5492125fec7"
    Accept-Ranges: bytes
    Content-Length: 27992
    Content-Type: text/plain
  • 93.184.221.240:80
    322 B
    7
  • 93.184.221.240:80
    322 B
    7
  • 208.67.105.125:80
    http://208.67.105.125/vik/DLLL.txt
    http
    Quotation - Drawing Data Base .xlsx.exe
    5.3kB
    299.3kB
    113
    215

    HTTP Request

    GET http://208.67.105.125/vik/B2.txt

    HTTP Response

    200

    HTTP Request

    GET http://208.67.105.125/vik/DLLL.txt

    HTTP Response

    200
  • 40.79.150.120:443
    322 B
    7
  • 93.184.221.240:80
    322 B
    7
  • 93.184.221.240:80
    260 B
    5
  • 93.184.221.240:80
    208 B
    4

Downloads

  • memory/1872-130-0x0000000000090000-0x00000000000A4000-memory.dmp

    Filesize

    80KB

  • memory/3296-134-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/3296-132-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/3296-137-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/3296-138-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB