blustealer | 01ef2c89715afa5aa532c1a0a88e17d3c64a549ff2edf4ecca852eda40abdc32

Resubmissions

22-09-2022 07:51

220922-jpwlhaaeg8 10

22-09-2022 07:48

220922-jm45vsaeg2 10

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
22-09-2022 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Comprobante+transferencia.xlxs.pdf(_67KB).iso
Size

1.2MB
MD5

79e511e1400420cc78df09173d8e52d1
SHA1

110422750df351e8c5ba4239320254bed4cb5818
SHA256

01ef2c89715afa5aa532c1a0a88e17d3c64a549ff2edf4ecca852eda40abdc32
SHA512

9d8944cb931de1bc3935062d5e1993a029d01e3fc8043be89b58786f8d426c3841f76e097fb2d80e403a5a0f970b8947cfe301b3acaf3b3c62b257a1a1b24dcf
SSDEEP

3072:4KFHC+bcA0wmv5GZopfShP5yEsuTSj6deVoL+Lb4bnrzoyKOH:5Ys0wmv5yotShP5ygej6deGrfd

Score

10^/10

blustealer stormkitty collection persistence spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5627356603:AAG-Mx0TbSHRRW6IwndrpX3VLZdhd6C-Zac/sendMessage?chat_id=5472437377

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/4044-163-0x0000000000350000-0x000000000036A000-memory.dmp	family_stormkitty

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
104	icanhazip.com

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 852 set thread context of 3572	852	Comprobante transferencia.xlxs.pdf.exe	120
PID 3572 set thread context of 4044	3572	aspnet_compiler.exe	121
PID 3412 set thread context of 492	3412	Comprobante transferencia.xlxs.pdf.exe	125
PID 3096 set thread context of 980	3096	Comprobante transferencia.xlxs.pdf.exe	127

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	AppLaunch.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	AppLaunch.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1516	msedge.exe
1516	msedge.exe
480	msedge.exe
480	msedge.exe
852	Comprobante transferencia.xlxs.pdf.exe
852	Comprobante transferencia.xlxs.pdf.exe
3412	Comprobante transferencia.xlxs.pdf.exe
3412	Comprobante transferencia.xlxs.pdf.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
480	msedge.exe
480	msedge.exe
480	msedge.exe
480	msedge.exe
480	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	852	Comprobante transferencia.xlxs.pdf.exe
Token: SeDebugPrivilege	4044	AppLaunch.exe
Token: SeDebugPrivilege	3412	Comprobante transferencia.xlxs.pdf.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
480	msedge.exe
480	msedge.exe
480	msedge.exe
480	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3572	aspnet_compiler.exe
492	aspnet_compiler.exe
980	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 480 wrote to memory of 4496	480	msedge.exe	91
PID 480 wrote to memory of 4496	480	msedge.exe	91
PID 480 wrote to memory of 4608	480	msedge.exe	92
PID 480 wrote to memory of 4608	480	msedge.exe	92
PID 480 wrote to memory of 4608	480	msedge.exe	92
PID 480 wrote to memory of 4608	480	msedge.exe	92
PID 480 wrote to memory of 4608	480	msedge.exe	92
PID 480 wrote to memory of 4608	480	msedge.exe	92
PID 480 wrote to memory of 4608	480	msedge.exe	92
PID 480 wrote to memory of 4608	480	msedge.exe	92
PID 480 wrote to memory of 4608	480	msedge.exe	92
PID 480 wrote to memory of 4608	480	msedge.exe	92
PID 480 wrote to memory of 4608	480	msedge.exe	92
PID 480 wrote to memory of 4608	480	msedge.exe	92
PID 480 wrote to memory of 4608	480	msedge.exe	92
PID 480 wrote to memory of 4608	480	msedge.exe	92
PID 480 wrote to memory of 4608	480	msedge.exe	92
PID 480 wrote to memory of 4608	480	msedge.exe	92
PID 480 wrote to memory of 4608	480	msedge.exe	92
PID 480 wrote to memory of 4608	480	msedge.exe	92
PID 480 wrote to memory of 4608	480	msedge.exe	92
PID 480 wrote to memory of 4608	480	msedge.exe	92
PID 480 wrote to memory of 4608	480	msedge.exe	92
PID 480 wrote to memory of 4608	480	msedge.exe	92
PID 480 wrote to memory of 4608	480	msedge.exe	92
PID 480 wrote to memory of 4608	480	msedge.exe	92
PID 480 wrote to memory of 4608	480	msedge.exe	92
PID 480 wrote to memory of 4608	480	msedge.exe	92
PID 480 wrote to memory of 4608	480	msedge.exe	92
PID 480 wrote to memory of 4608	480	msedge.exe	92
PID 480 wrote to memory of 4608	480	msedge.exe	92
PID 480 wrote to memory of 4608	480	msedge.exe	92
PID 480 wrote to memory of 4608	480	msedge.exe	92
PID 480 wrote to memory of 4608	480	msedge.exe	92
PID 480 wrote to memory of 4608	480	msedge.exe	92
PID 480 wrote to memory of 4608	480	msedge.exe	92
PID 480 wrote to memory of 4608	480	msedge.exe	92
PID 480 wrote to memory of 4608	480	msedge.exe	92
PID 480 wrote to memory of 4608	480	msedge.exe	92
PID 480 wrote to memory of 4608	480	msedge.exe	92
PID 480 wrote to memory of 4608	480	msedge.exe	92
PID 480 wrote to memory of 4608	480	msedge.exe	92
PID 480 wrote to memory of 1516	480	msedge.exe	93
PID 480 wrote to memory of 1516	480	msedge.exe	93
PID 480 wrote to memory of 4780	480	msedge.exe	95
PID 480 wrote to memory of 4780	480	msedge.exe	95
PID 480 wrote to memory of 4780	480	msedge.exe	95
PID 480 wrote to memory of 4780	480	msedge.exe	95
PID 480 wrote to memory of 4780	480	msedge.exe	95
PID 480 wrote to memory of 4780	480	msedge.exe	95
PID 480 wrote to memory of 4780	480	msedge.exe	95
PID 480 wrote to memory of 4780	480	msedge.exe	95
PID 480 wrote to memory of 4780	480	msedge.exe	95
PID 480 wrote to memory of 4780	480	msedge.exe	95
PID 480 wrote to memory of 4780	480	msedge.exe	95
PID 480 wrote to memory of 4780	480	msedge.exe	95
PID 480 wrote to memory of 4780	480	msedge.exe	95
PID 480 wrote to memory of 4780	480	msedge.exe	95
PID 480 wrote to memory of 4780	480	msedge.exe	95
PID 480 wrote to memory of 4780	480	msedge.exe	95
PID 480 wrote to memory of 4780	480	msedge.exe	95
PID 480 wrote to memory of 4780	480	msedge.exe	95
PID 480 wrote to memory of 4780	480	msedge.exe	95
PID 480 wrote to memory of 4780	480	msedge.exe	95

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Comprobante+transferencia.xlxs.pdf(_67KB).iso
1⤵
PID:1936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:?launchContext1=Microsoft.Windows.Cortana_cw5n1h2txyewy&url=https%3A%2F%2Fwww.bing.com%2Fsearch%3Fq%3Dcomproante%26form%3DWNSGPH%26qs%3DSW%26cvid%3Ddb1d1348079e4376ac44f868fc9317dd%26pq%3Dcomproante%26cc%3DUS%26setlang%3Den-US%26nclid%3D9C0DA10A27A69B5F4DC9FC093B60234D%26ts%3D1663840324550%26nclidts%3D1663840324%26tsms%3D550
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffd86de46f8,0x7ffd86de4708,0x7ffd86de4718
  2⤵
  PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,10504790801435944013,13652223766816438986,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
  2⤵
  PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,10504790801435944013,13652223766816438986,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,10504790801435944013,13652223766816438986,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
  2⤵
  PID:4780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10504790801435944013,13652223766816438986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3912 /prefetch:1
  2⤵
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10504790801435944013,13652223766816438986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1
  2⤵
  PID:4116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2152,10504790801435944013,13652223766816438986,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5180 /prefetch:8
  2⤵
  PID:4676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10504790801435944013,13652223766816438986,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
  2⤵
  PID:3476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10504790801435944013,13652223766816438986,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
  2⤵
  PID:1648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10504790801435944013,13652223766816438986,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
  2⤵
  PID:1124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2152,10504790801435944013,13652223766816438986,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5596 /prefetch:8
  2⤵
  PID:1240

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1704

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x314 0x424
1⤵
PID:4676

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4740

\??\E:\Comprobante transferencia.xlxs.pdf.exe
"E:\Comprobante transferencia.xlxs.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
  2⤵
  PID:4284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  PID:3572
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:4044

C:\Users\Admin\Desktop\Comprobante transferencia.xlxs.pdf.exe
"C:\Users\Admin\Desktop\Comprobante transferencia.xlxs.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3412
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
  2⤵
  PID:4472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:492

C:\Users\Admin\Desktop\Comprobante transferencia.xlxs.pdf.exe
"C:\Users\Admin\Desktop\Comprobante transferencia.xlxs.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
PID:3096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Comprobante transferencia.xlxs.pdf.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
memory/492-175-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/852-153-0x0000000000AD0000-0x0000000000AFE000-memory.dmp

Filesize
184KB

Download
memory/980-182-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3572-161-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3572-166-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3572-156-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3572-158-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4044-165-0x0000000005360000-0x00000000053FC000-memory.dmp

Filesize
624KB

Download
memory/4044-163-0x0000000000350000-0x000000000036A000-memory.dmp

Filesize
104KB

Download
memory/4044-164-0x0000000004B00000-0x0000000004B66000-memory.dmp

Filesize
408KB

Download