Analysis

  • max time kernel
    42s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
  • submitted
    2022-08-05, 06:58 UTC

General

  • Target

    SecuriteInfo.com.W32.AIDetectNet.01.19566.exe

  • Size

    2.3MB

  • MD5

    7278f8490937cab29d3dd5bc75cb52ab

  • SHA1

    69a0419c995fc139ea27e731a44205cb1b686f1d

  • SHA256

    0fabbda008ee7544a4f2d1bdaf5621f19bc41e82740f293dfe1644fc0af9230b

  • SHA512

    71f6b363327b6ef6d5204cbfd31e2cb71d456ef54c24d53cd504bed6eec5b14079605f60cf47bc7ec9fbffe8b89ca37766b418ab236801193838417b4587deb7

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5446953292:AAFkDq-HVam91vjV2SXkAWjbhfkBnxaPoa4/sendMessage?chat_id=1269002131
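The C2 above is not attacker-owned infrastructure but the Telegram Bot API: the path segment after `bot` is the bot token (numeric bot id, colon, secret) and `chat_id` names the chat the stolen data is posted to. Those two values are the indicators worth extracting, since the host `api.telegram.org` is shared with legitimate clients and blocking it by name is noisy. The parser below is an added example written for this report, not tria.ge's code or the malware's; the function names and the hunting-string format are my own choices.

```python
"""Pull hunting indicators out of a Telegram Bot API C2 URL.

Added example for this report (not tria.ge code). It understands the
URL shape used by Telegram bots: https://api.telegram.org/bot<id>:<secret>/<method>?chat_id=...
"""
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

TELEGRAM_HOST = "api.telegram.org"
# bot token = numeric bot id, ':', secret drawn from [A-Za-z0-9_-]; then the API method
BOT_PATH_RE = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)$")


def parse_telegram_c2(url: str) -> Optional[dict]:
    """Return bot id, full token, API method and chat_id, or None if the URL
    is not a Telegram Bot API call."""
    parts = urlsplit(url)
    if parts.hostname != TELEGRAM_HOST:
        return None
    m = BOT_PATH_RE.match(parts.path)
    if not m:
        return None
    query = parse_qs(parts.query)
    return {
        "bot_id": m["bot_id"],
        "token": f"{m['bot_id']}:{m['secret']}",
        "method": m["method"],
        "chat_id": query.get("chat_id", [None])[0],
    }


def redact_token(token: str) -> str:
    """Safe form for tickets and chat: keep the bot id (useful for reporting
    the bot to Telegram) and only the edges of the secret."""
    bot_id, _, secret = token.partition(":")
    return f"{bot_id}:{secret[:4]}...{secret[-4:]}"


def hunting_indicators(info: dict) -> List[str]:
    """Substrings to search proxy/TLS-inspection/EDR URL telemetry for.
    Keyed on the token path and chat id rather than the host, which is
    legitimate infrastructure."""
    return [f"/bot{info['token']}/", f"chat_id={info['chat_id']}"]


# the C2 URL extracted from this sample (from the report above)
SAMPLE_C2 = ("https://api.telegram.org/bot5446953292:AAFkDq-HVam91vjV2SXkAWjbhfkBnxaPoa4"
             "/sendMessage?chat_id=1269002131")

if __name__ == "__main__":
    info = parse_telegram_c2(SAMPLE_C2)
    print("bot id:", info["bot_id"], "chat:", info["chat_id"], "method:", info["method"])
    print("token (redacted):", redact_token(info["token"]))
    print("hunt for:", hunting_indicators(info))
```

Because the exfiltration channel is HTTPS to a well-known domain, the path-level indicators are only visible where URL paths are logged (an inspecting proxy, or endpoint telemetry that records request URLs); DNS and SNI alone will not separate this sample from a Telegram desktop client.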

Signatures

  • BluStealer

    A modular information stealer written in Visual Basic.

  • Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  • Suspicious use of SetThreadContext (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (18 IoCs)
  • outlook_office_path (1 IoC)
  • outlook_win_path (1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe (PID 1904, depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe"
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (PID 276, depth 2, child of PID 1904)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 1156, depth 3, child of PID 276)
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        • Accesses Microsoft Outlook profiles
        • outlook_office_path
        • outlook_win_path
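The tree above shows two .NET framework hosts, MSBuild.exe and then AppLaunch.exe, each started with a command line that is nothing but the image path and each paired with SetThreadContext and WriteProcessMemory on its parent, which is the pattern of a loader creating a suspended host and replacing its image. That pattern is visible from process-creation telemetry alone, without API hooks. The detector below is an added example written for this report, not tria.ge's code; the records are constructed to mirror the tree on this page (the parent of the dropped executable and the benign Visual Studio launch are assumptions), and the field names are a generic schema rather than any product's log format.

```python
"""Flag hollowing-style launches of .NET hosts from process-creation records.

Added example for this report (not tria.ge code). Sample records are
constructed to mirror the Processes section above; the parent of the
dropper and the benign baseline are assumptions.
"""
import ntpath
from dataclasses import dataclass
from typing import Dict, List

# .NET hosts abused as hollowing targets in this sample; extend as needed
DOTNET_HOSTS = {"msbuild.exe", "applaunch.exe"}

# user-writable directories a dropper typically runs from
DROP_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")


@dataclass
class ProcEvent:
    pid: int
    image: str
    command_line: str
    parent_pid: int
    parent_image: str


def basename(path: str) -> str:
    # ntpath parses backslash paths correctly whatever OS the analysis runs on
    return ntpath.basename(path).lower()


def bare_launch(ev: ProcEvent) -> bool:
    """True when the command line is nothing but the image path.

    A hollowing loader creates its host suspended with no arguments and then
    overwrites its image (the SetThreadContext/WriteProcessMemory pairing in
    the signatures). Legitimate MSBuild runs carry a project file or switches."""
    cmd = ev.command_line.strip().strip('"')
    return cmd.lower() == ev.image.lower()


def from_drop_dir(path: str) -> bool:
    return any(d in path.lower() for d in DROP_DIRS)


def score(ev: ProcEvent) -> List[str]:
    """Reasons this event looks like a hollowed .NET host (empty if benign)."""
    reasons = []
    if basename(ev.image) in DOTNET_HOSTS and bare_launch(ev):
        reasons.append("dotnet host launched without arguments")
        if from_drop_dir(ev.parent_image):
            reasons.append("parent runs from a user-writable drop directory")
        if basename(ev.parent_image) in DOTNET_HOSTS:
            reasons.append("dotnet host spawned by another dotnet host")
    return reasons


def detect(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map PID -> reasons for every event that fires."""
    hits = {}
    for ev in events:
        reasons = score(ev)
        if reasons:
            hits[ev.pid] = reasons
    return hits


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe"
FRAMEWORK = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"

# constructed records mirroring the report's tree, plus one benign MSBuild
# launch from Visual Studio (assumed) as a false-positive check
SAMPLE_EVENTS = [
    ProcEvent(1904, DROPPER, f'"{DROPPER}"', 1234, r"C:\Windows\explorer.exe"),  # parent assumed
    ProcEvent(276, rf"{FRAMEWORK}\MSBuild.exe", rf"{FRAMEWORK}\MSBuild.exe", 1904, DROPPER),
    ProcEvent(1156, rf"{FRAMEWORK}\AppLaunch.exe", rf"{FRAMEWORK}\AppLaunch.exe",
              276, rf"{FRAMEWORK}\MSBuild.exe"),
    ProcEvent(4242, rf"{FRAMEWORK}\MSBuild.exe",
              rf'"{FRAMEWORK}\MSBuild.exe" C:\src\app.csproj /t:Build',
              4000, r"C:\Program Files\Microsoft Visual Studio\devenv.exe"),
]

if __name__ == "__main__":
    for pid, reasons in detect(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

Run against the sample records, only PIDs 276 and 1156 fire; the dropper itself is not a .NET host and the Visual Studio launch carries arguments. The argument-less check is the load-bearing condition: MSBuild.exe and AppLaunch.exe have no useful job to do when started without input, so a bare launch from a non-developer parent is rare on a workstation.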

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/276-67-0x0000000074F01000-0x0000000074F03000-memory.dmp (8KB)
  • memory/276-68-0x0000000000400000-0x000000000046E000-memory.dmp (440KB)
  • memory/276-56-0x0000000000400000-0x000000000046E000-memory.dmp (440KB)
  • memory/276-57-0x0000000000400000-0x000000000046E000-memory.dmp (440KB)
  • memory/276-59-0x0000000000400000-0x000000000046E000-memory.dmp (440KB)
  • memory/276-61-0x0000000000400000-0x000000000046E000-memory.dmp (440KB)
  • memory/276-64-0x0000000000400000-0x000000000046E000-memory.dmp (440KB)
  • memory/276-79-0x0000000000400000-0x000000000046E000-memory.dmp (440KB)
  • memory/1156-69-0x0000000000090000-0x00000000000F6000-memory.dmp (408KB)
  • memory/1156-71-0x0000000000090000-0x00000000000F6000-memory.dmp (408KB)
  • memory/1156-74-0x0000000000090000-0x00000000000F6000-memory.dmp (408KB)
  • memory/1156-76-0x0000000000090000-0x00000000000F6000-memory.dmp (408KB)
  • memory/1156-78-0x0000000002450000-0x000000000250C000-memory.dmp (752KB)
  • memory/1904-54-0x00000000009F0000-0x0000000000C4C000-memory.dmp (2.4MB)
  • memory/1904-55-0x0000000004DB0000-0x0000000004FFC000-memory.dmp (2.3MB)
