Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
42s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220718-en -
resource tags
arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system -
submitted
05/08/2022, 06:58
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.W32.AIDetectNet.01.19566.exe
Resource
win7-20220718-en
Behavioral task
behavioral2
Sample
SecuriteInfo.com.W32.AIDetectNet.01.19566.exe
Resource
win10v2004-20220721-en
General
-
Target
SecuriteInfo.com.W32.AIDetectNet.01.19566.exe
-
Size
2.3MB
-
MD5
7278f8490937cab29d3dd5bc75cb52ab
-
SHA1
69a0419c995fc139ea27e731a44205cb1b686f1d
-
SHA256
0fabbda008ee7544a4f2d1bdaf5621f19bc41e82740f293dfe1644fc0af9230b
-
SHA512
71f6b363327b6ef6d5204cbfd31e2cb71d456ef54c24d53cd504bed6eec5b14079605f60cf47bc7ec9fbffe8b89ca37766b418ab236801193838417b4587deb7
Malware Config
Extracted
blustealer
https://api.telegram.org/bot5446953292:AAFkDq-HVam91vjV2SXkAWjbhfkBnxaPoa4/sendMessage?chat_id=1269002131
Signatures
-
BluStealer
A Modular information stealer written in Visual Basic.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1904 set thread context of 276 1904 SecuriteInfo.com.W32.AIDetectNet.01.19566.exe 27 PID 276 set thread context of 1156 276 MSBuild.exe 28 -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1904 SecuriteInfo.com.W32.AIDetectNet.01.19566.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1904 SecuriteInfo.com.W32.AIDetectNet.01.19566.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 276 MSBuild.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 1904 wrote to memory of 276 1904 SecuriteInfo.com.W32.AIDetectNet.01.19566.exe 27 PID 1904 wrote to memory of 276 1904 SecuriteInfo.com.W32.AIDetectNet.01.19566.exe 27 PID 1904 wrote to memory of 276 1904 SecuriteInfo.com.W32.AIDetectNet.01.19566.exe 27 PID 1904 wrote to memory of 276 1904 SecuriteInfo.com.W32.AIDetectNet.01.19566.exe 27 PID 1904 wrote to memory of 276 1904 SecuriteInfo.com.W32.AIDetectNet.01.19566.exe 27 PID 1904 wrote to memory of 276 1904 SecuriteInfo.com.W32.AIDetectNet.01.19566.exe 27 PID 1904 wrote to memory of 276 1904 SecuriteInfo.com.W32.AIDetectNet.01.19566.exe 27 PID 1904 wrote to memory of 276 1904 SecuriteInfo.com.W32.AIDetectNet.01.19566.exe 27 PID 1904 wrote to memory of 276 1904 SecuriteInfo.com.W32.AIDetectNet.01.19566.exe 27 PID 276 wrote to memory of 1156 276 MSBuild.exe 28 PID 276 wrote to memory of 1156 276 MSBuild.exe 28 PID 276 wrote to memory of 1156 276 MSBuild.exe 28 PID 276 wrote to memory of 1156 276 MSBuild.exe 28 PID 276 wrote to memory of 1156 276 MSBuild.exe 28 PID 276 wrote to memory of 1156 276 MSBuild.exe 28 PID 276 wrote to memory of 1156 276 MSBuild.exe 28 PID 276 wrote to memory of 1156 276 MSBuild.exe 28 PID 276 wrote to memory of 1156 276 MSBuild.exe 28 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1904 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:276 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe3⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:1156
-
-