Analysis
-
max time kernel
143s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220721-en -
resource tags
arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system -
submitted
03/08/2022, 07:45 UTC
Static task
static1
Behavioral task
behavioral1
Sample
Quotation - Drawing Data Base .xlsx.exe
Resource
win7-20220715-en
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
Quotation - Drawing Data Base .xlsx.exe
Resource
win10v2004-20220721-en
5 signatures
150 seconds
General
-
Target
Quotation - Drawing Data Base .xlsx.exe
-
Size
73KB
-
MD5
11e1af92f7cceed0e7b989b40c6be67e
-
SHA1
31cb4829e6ded8a4633642cecf5c42a4fbadc1b2
-
SHA256
dceab4eabbcf9787ac9a36c289afaa036782a24edd35523fb3072b030029faf2
-
SHA512
78e4aa806dcd5086cb3c1e4b2b6c13b03f46df07e46254d40e34c66c606629665e357bb5552b06b7ab53825ce2d29cbd693a5323df5502c23b661395db186132
Score
10/10
Malware Config
Signatures
-
BluStealer
A Modular information stealer written in Visual Basic.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1872 set thread context of 3296 1872 Quotation - Drawing Data Base .xlsx.exe 83 -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1872 Quotation - Drawing Data Base .xlsx.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3296 aspnet_compiler.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1872 wrote to memory of 3296 1872 Quotation - Drawing Data Base .xlsx.exe 83 PID 1872 wrote to memory of 3296 1872 Quotation - Drawing Data Base .xlsx.exe 83 PID 1872 wrote to memory of 3296 1872 Quotation - Drawing Data Base .xlsx.exe 83 PID 1872 wrote to memory of 3296 1872 Quotation - Drawing Data Base .xlsx.exe 83 PID 1872 wrote to memory of 3296 1872 Quotation - Drawing Data Base .xlsx.exe 83 PID 1872 wrote to memory of 3296 1872 Quotation - Drawing Data Base .xlsx.exe 83 PID 1872 wrote to memory of 3296 1872 Quotation - Drawing Data Base .xlsx.exe 83 PID 1872 wrote to memory of 3296 1872 Quotation - Drawing Data Base .xlsx.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\Quotation - Drawing Data Base .xlsx.exe"C:\Users\Admin\AppData\Local\Temp\Quotation - Drawing Data Base .xlsx.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1872 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"2⤵
- Suspicious use of SetWindowsHookEx
PID:3296
-
Network
-
Remote address:208.67.105.125:80RequestGET /vik/B2.txt HTTP/1.1
Host: 208.67.105.125
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.38 (Win32) OpenSSL/1.1.1a PHP/7.3.2
Last-Modified: Tue, 02 Aug 2022 06:52:43 GMT
ETag: "40000-5e53c902f9e07"
Accept-Ranges: bytes
Content-Length: 262144
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/plain
-
Remote address:208.67.105.125:80RequestGET /vik/DLLL.txt HTTP/1.1
Host: 208.67.105.125
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.38 (Win32) OpenSSL/1.1.1a PHP/7.3.2
Last-Modified: Tue, 02 Aug 2022 21:52:15 GMT
ETag: "6d58-5e5492125fec7"
Accept-Ranges: bytes
Content-Length: 27992
Content-Type: text/plain
-
322 B 7
-
322 B 7
-
5.3kB 299.3kB 113 215
HTTP Request
GET http://208.67.105.125/vik/B2.txtHTTP Response
200HTTP Request
GET http://208.67.105.125/vik/DLLL.txtHTTP Response
200 -
322 B 7
-
322 B 7
-
260 B 5
-
208 B 4
No results found