Analysis
-
max time kernel
150s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
20-09-2022 11:40
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.21167.21247.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.21167.21247.exe
Resource
win10v2004-20220901-en
General
-
Target
SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.21167.21247.exe
-
Size
777KB
-
MD5
ce4b52b35918a6aaae436aa29b5c9c0f
-
SHA1
fe4a06c24070a66782678c487db865fde69dc391
-
SHA256
3a0d8ce7111fd0d66caa1d06cb554a6e953e0f8d0b9828b53d5cc8318366e111
-
SHA512
4782192f68234e456cddbdb2b64a0300bd1c2ba1064fb222e977c10e3896555895b355b61ec5f1982207d8b23df4c6ceccc2d14d006712433f770a9669d2dbfa
-
SSDEEP
12288:6U4jXCnPKrDSaLvb2tRSCfJgMH5BxAaQSRFqwwgOmA:61jXMPKrDbDoRSCfGOPvlRhwkA
Malware Config
Extracted
blustealer
https://api.telegram.org/bot5374342837:AAHF-c1HAIvNCdF89VuEdNggsL2YBlpgkSE/sendMessage?chat_id=2133303215
Signatures
-
BluStealer
A Modular information stealer written in Visual Basic.
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
resource yara_rule behavioral2/memory/1284-146-0x0000000000FA0000-0x0000000000FBA000-memory.dmp family_stormkitty -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 58 icanhazip.com -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 2436 set thread context of 4916 2436 SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.21167.21247.exe 100 PID 4916 set thread context of 1284 4916 SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.21167.21247.exe 101 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 AppLaunch.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier AppLaunch.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1284 AppLaunch.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4916 SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.21167.21247.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 2436 wrote to memory of 4916 2436 SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.21167.21247.exe 100 PID 2436 wrote to memory of 4916 2436 SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.21167.21247.exe 100 PID 2436 wrote to memory of 4916 2436 SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.21167.21247.exe 100 PID 2436 wrote to memory of 4916 2436 SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.21167.21247.exe 100 PID 2436 wrote to memory of 4916 2436 SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.21167.21247.exe 100 PID 2436 wrote to memory of 4916 2436 SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.21167.21247.exe 100 PID 2436 wrote to memory of 4916 2436 SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.21167.21247.exe 100 PID 2436 wrote to memory of 4916 2436 SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.21167.21247.exe 100 PID 4916 wrote to memory of 1284 4916 SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.21167.21247.exe 101 PID 4916 wrote to memory of 1284 4916 SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.21167.21247.exe 101 PID 4916 wrote to memory of 1284 4916 SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.21167.21247.exe 101 PID 4916 wrote to memory of 1284 4916 SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.21167.21247.exe 101 PID 4916 wrote to memory of 1284 4916 SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.21167.21247.exe 101 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.21167.21247.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.21167.21247.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.21167.21247.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.21167.21247.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4916 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe3⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1284
-
-