Malware Analysis Report

2025-06-16 03:31

Sample ID: 220815-zhpglsfeer
Target: sd.exe_
SHA256: b2f57cb17dbb818945da02b099575625b904c4732f54ffd91560b95f72d95160
Tags: blustealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral4
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: b2f57cb17dbb818945da02b099575625b904c4732f54ffd91560b95f72d95160

Threat Level: Known bad

The file sd.exe_ was found to be: Known bad.

Malicious Activity Summary

blustealer

Blustealer family

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-08-15 20:43

Signatures

Blustealer family

blustealer

Analysis: behavioral1

Detonation Overview

Submitted

2022-08-15 20:43

Reported

2022-08-15 20:48

Platform

win7-20220812-en

Max time kernel

43s

Max time network

46s

Command Line

"C:\Users\Admin\AppData\Local\Temp\sd.exe"

Signatures

Suspicious use of SetWindowsHookEx

Description  Indicator  Process                                   Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\sd.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\sd.exe

"C:\Users\Admin\AppData\Local\Temp\sd.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-08-15 20:43

Reported

2022-08-15 20:48

Platform

win10-20220812-en

Max time kernel

53s

Max time network

184s

Command Line

"C:\Users\Admin\AppData\Local\Temp\sd.exe"

Signatures

Suspicious use of SetWindowsHookEx

Description  Indicator  Process                                   Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\sd.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\sd.exe

"C:\Users\Admin\AppData\Local\Temp\sd.exe"

Network

Country  Destination        Domain  Proto
FR       2.16.119.157:443           tcp
US       20.44.10.123:443           tcp
BE       67.24.35.254:80            tcp

Files

memory/844-117-0x0000000077880000-0x0000000077A0E000-memory.dmp
memory/844-118-0x0000000077880000-0x0000000077A0E000-memory.dmp
memory/844-119-0x0000000077880000-0x0000000077A0E000-memory.dmp
memory/844-120-0x0000000077880000-0x0000000077A0E000-memory.dmp
memory/844-121-0x0000000077880000-0x0000000077A0E000-memory.dmp
memory/844-122-0x0000000077880000-0x0000000077A0E000-memory.dmp
memory/844-123-0x0000000077880000-0x0000000077A0E000-memory.dmp
memory/844-124-0x0000000077880000-0x0000000077A0E000-memory.dmp
memory/844-125-0x0000000077880000-0x0000000077A0E000-memory.dmp
memory/844-126-0x0000000077880000-0x0000000077A0E000-memory.dmp
memory/844-127-0x0000000077880000-0x0000000077A0E000-memory.dmp
memory/844-128-0x0000000077880000-0x0000000077A0E000-memory.dmp
memory/844-129-0x0000000077880000-0x0000000077A0E000-memory.dmp
memory/844-130-0x0000000077880000-0x0000000077A0E000-memory.dmp
memory/844-131-0x0000000077880000-0x0000000077A0E000-memory.dmp
memory/844-132-0x0000000077880000-0x0000000077A0E000-memory.dmp
memory/844-133-0x0000000077880000-0x0000000077A0E000-memory.dmp
memory/844-134-0x0000000077880000-0x0000000077A0E000-memory.dmp
memory/844-136-0x0000000077880000-0x0000000077A0E000-memory.dmp
memory/844-135-0x0000000077880000-0x0000000077A0E000-memory.dmp
memory/844-137-0x0000000077880000-0x0000000077A0E000-memory.dmp
memory/844-138-0x0000000077880000-0x0000000077A0E000-memory.dmp
memory/844-139-0x0000000077880000-0x0000000077A0E000-memory.dmp
memory/844-140-0x0000000077880000-0x0000000077A0E000-memory.dmp
memory/844-141-0x0000000077880000-0x0000000077A0E000-memory.dmp
memory/844-142-0x0000000077880000-0x0000000077A0E000-memory.dmp
memory/844-143-0x0000000077880000-0x0000000077A0E000-memory.dmp
memory/844-144-0x0000000077880000-0x0000000077A0E000-memory.dmp
memory/844-146-0x0000000077880000-0x0000000077A0E000-memory.dmp
memory/844-147-0x0000000077880000-0x0000000077A0E000-memory.dmp
memory/844-149-0x0000000077880000-0x0000000077A0E000-memory.dmp
memory/844-150-0x0000000077880000-0x0000000077A0E000-memory.dmp
memory/844-151-0x0000000077880000-0x0000000077A0E000-memory.dmp
memory/844-152-0x0000000077880000-0x0000000077A0E000-memory.dmp
memory/844-153-0x0000000077880000-0x0000000077A0E000-memory.dmp
memory/844-154-0x0000000077880000-0x0000000077A0E000-memory.dmp
memory/844-155-0x0000000077880000-0x0000000077A0E000-memory.dmp
memory/844-156-0x0000000077880000-0x0000000077A0E000-memory.dmp
memory/844-157-0x0000000077880000-0x0000000077A0E000-memory.dmp
memory/844-158-0x0000000077880000-0x0000000077A0E000-memory.dmp
memory/844-159-0x0000000077880000-0x0000000077A0E000-memory.dmp
memory/844-160-0x0000000077880000-0x0000000077A0E000-memory.dmp
memory/844-161-0x0000000077880000-0x0000000077A0E000-memory.dmp
memory/844-162-0x0000000077880000-0x0000000077A0E000-memory.dmp
memory/844-163-0x0000000077880000-0x0000000077A0E000-memory.dmp
memory/844-164-0x0000000077880000-0x0000000077A0E000-memory.dmp
memory/844-165-0x0000000077880000-0x0000000077A0E000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2022-08-15 20:43

Reported

2022-08-15 20:48

Platform

win10v2004-20220812-en

Max time kernel

61s

Max time network

179s

Command Line

"C:\Users\Admin\AppData\Local\Temp\sd.exe"

Signatures

Suspicious use of SetWindowsHookEx

Description  Indicator  Process                                   Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\sd.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\sd.exe

"C:\Users\Admin\AppData\Local\Temp\sd.exe"

Network

Country  Destination         Domain  Proto
US       52.182.143.210:443          tcp
US       67.24.171.254:80            tcp
US       67.24.171.254:80            tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2022-08-15 20:43

Reported

2022-08-15 20:43

Platform

win11-20220223-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A