Overview

overview

10

Static

static

0987654323...54.exe

windows7-x64

10

0987654323...54.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-08-2022 10:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    098765432345678987654.exe

  • Size

    1.7MB

  • MD5

    ca6a0d1a61d47ca4b6e9ea29bb5a357a

  • SHA1

    890525244230e81fddf090a13b0502132626bcdf

  • SHA256

    d8c010b7d4e2b63ed74a680750f3671ba6674e9c51eb061e610f1ed72ba63f1e

  • SHA512

    380dc32bef3f12bbcb14d14340ebbfb362ce37d1e0e54e198236419a9ab4ddefa5f67ce9efc2061b5711aab91f95327d110f190fdf2f1741905807435746df35

Score
10/10
blustealerstormkittycollectionstealer

Malware Config

Signatures

  • BluStealer

    A Modular information stealer written in Visual Basic.

    stealerblustealer
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\098765432345678987654.exe
    "C:\Users\Admin\AppData\Local\Temp\098765432345678987654.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1012
    • C:\Users\Admin\AppData\Local\Temp\098765432345678987654.exe
      "C:\Users\Admin\AppData\Local\Temp\098765432345678987654.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2192
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        3⤵
        • Accesses Microsoft Outlook profiles
        • Checks processor information in registry
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:3416

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\CompatibleComparer.dll
    Filesize

    42KB

    MD5

    6b0c831b7e0312bca059afb14730242e

    SHA1

    97c13f5d1fdf1a124ba0ae8bf55ea879545c2a1a

    SHA256

    8f2cf1511d3cc1e5f975c7790f282e0004ff805a4bfa4f578443e7ff0546a1bf

    SHA512

    01ef11e6649ff679c4d444f76855aae7358db0350c7cc423354152ced87247a046c6dddf6c3a98365186796868461be38b8822fd6ba595e685f6f03cfa0637bc

    Download Submit

  • C:\Users\Admin\AppData\Roaming\CompatibleComparer.dll
    Filesize

    42KB

    MD5

    6b0c831b7e0312bca059afb14730242e

    SHA1

    97c13f5d1fdf1a124ba0ae8bf55ea879545c2a1a

    SHA256

    8f2cf1511d3cc1e5f975c7790f282e0004ff805a4bfa4f578443e7ff0546a1bf

    SHA512

    01ef11e6649ff679c4d444f76855aae7358db0350c7cc423354152ced87247a046c6dddf6c3a98365186796868461be38b8822fd6ba595e685f6f03cfa0637bc

    Download Submit

  • memory/1012-132-0x0000000000330000-0x00000000004EA000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1012-135-0x0000000005950000-0x0000000005962000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1012-136-0x0000000005A10000-0x0000000005AAC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/2192-138-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/2192-140-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/2192-143-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/2192-147-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/3416-145-0x00000000005D0000-0x00000000005EA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3416-146-0x0000000004C30000-0x0000000004C96000-memory.dmp

    Filesize

    408KB

    Download