Analysis
-
max time kernel
93s -
max time network
90s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
19-09-2022 10:50
General
-
Target
sample.exe
-
Size
1.0MB
-
MD5
82a1be67742da347df519c0c0b75ed87
-
SHA1
163e5d1758c7be66a6a3a35d2f9973d209383567
-
SHA256
02a1835ea805bb1a6ca8d1706fa5a811279ec3fcb1524eb83cfa60f0314cf0dd
-
SHA512
d2051aa0284e0ab9151417d05eafc037695c32d6bf67512b2c8155ecc303774bdc950c24a658fb88787c4f1c3f6ae8bb0bba2017d90129afcbf484f40baaa4a7
-
SSDEEP
12288:I5bIINzS9JAJgapke+yoaYRy6Wrq2vElGv9W:qbNzoJ0gakNy9cjWm2UGv
Malware Config
Extracted
blustealer
https://api.telegram.org/bot5415235188:AAGqakDD6FZcw5LLX6hH5qVayV-1OGURlEo/sendMessage?chat_id=1372472614
Signatures
-
BluStealer
A Modular information stealer written in Visual Basic.
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 4 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 26 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\sample.exe"C:\Users\Admin\AppData\Local\Temp\sample.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fjuIjtcpvLma.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fjuIjtcpvLma" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEF20.tmp"2⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\sample.exe"C:\Users\Admin\AppData\Local\Temp\sample.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe3⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD50d69b519de6730983e7a2ffe468b5aba
SHA18b815a2abc4a0accbc494df71e7c4e7ecafb677c
SHA256cd6ef0c744b9db3ed48251b484b4e211d0f541d5de8529d942c9e44992d98c66
SHA512fc3b3b971f09f66fc43ef55458ca55effc36df94f67f101b0548f4b25f9d006bb8e1134c135eced45e23bed4a9a33cc70fa9bacacbc587c4765be207d54cafc2
-
Filesize
1.1MB
-
Filesize
8KB
-
Filesize
104KB
-
Filesize
48KB
-
Filesize
520KB
-
Filesize
168KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
5.7MB
-
Filesize
5.7MB