Overview

overview

10

Static

static

account.exe

windows7-x64

10

account.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    184s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/10/2022, 20:18

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    account.exe

  • Size

    834KB

  • MD5

    ed087331c9c97859d6d30bca5245b42d

  • SHA1

    6f1f422171174486c9de328041a0606273b763aa

  • SHA256

    15af08408332677507425dd21c6e04fa469e1129c21dc9ae2d830cc5c8aa0642

  • SHA512

    336290c2b7b578fd9022b8d2b5708f27be6e56a8ac2cdcc2369a705896ad00a6920c76d295f24715c3063de4e71e7829cccd80a1c63558dc662b7544522daf0a

  • SSDEEP

    12288:nF75eRgPwqoXY+mzoRtbvRT7PJ7Na+6ZmvatTu7Fm8gAxYS6L9ETD:nZ5wXY+mzo3bv/Ra+CmiRusyYD

Score
10/10
blustealerstormkittycollectionstealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5402813712:AAG__8vfwqo_1K9XHIpxzTR9T7UW4raysO4/sendMessage?chat_id=5034680713

Signatures

  • BluStealer

    A Modular information stealer written in Visual Basic.

    stealerblustealer
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\account.exe
    "C:\Users\Admin\AppData\Local\Temp\account.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3584
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QSBpOi.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:992
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QSBpOi" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDE1B.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1044
    • C:\Users\Admin\AppData\Local\Temp\account.exe
      "C:\Users\Admin\AppData\Local\Temp\account.exe"
      2⤵
        PID:712
      • C:\Users\Admin\AppData\Local\Temp\account.exe
        "C:\Users\Admin\AppData\Local\Temp\account.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1860
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          3⤵
          • Accesses Microsoft Outlook profiles
          • Checks processor information in registry
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:3360

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\tmpDE1B.tmp
            Filesize

            1KB

            MD5

            a789704e28ddf2b5d51dd0aafa23cb78

            SHA1

            c003378c122a090f552d4c136f54590882b5e9ee

            SHA256

            0c5bbbe73519851989ea2ddb959c03eaeec07b96863f4839ab64df771c28e0e0

            SHA512

            b9455959501aba7d09c7455da920ba59ef7298c416a9ca785d33f8ff07dc40107c6ef7db8cf65c31545e83f6477b7034055941438fb2d793133d62e32bead17b

            Download Submit

          • memory/992-159-0x00000000705E0000-0x000000007062C000-memory.dmp

            Filesize

            304KB

            Download

          • memory/992-163-0x00000000073D0000-0x00000000073DA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/992-167-0x00000000075F0000-0x00000000075F8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/992-166-0x00000000076A0000-0x00000000076BA000-memory.dmp

            Filesize

            104KB

            Download

          • memory/992-161-0x00000000079D0000-0x000000000804A000-memory.dmp

            Filesize

            6.5MB

            Download

          • memory/992-158-0x0000000007010000-0x0000000007042000-memory.dmp

            Filesize

            200KB

            Download

          • memory/992-143-0x00000000026F0000-0x0000000002726000-memory.dmp

            Filesize

            216KB

            Download

          • memory/992-150-0x0000000005020000-0x0000000005042000-memory.dmp

            Filesize

            136KB

            Download

          • memory/992-146-0x0000000005180000-0x00000000057A8000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/992-165-0x00000000075B0000-0x00000000075BE000-memory.dmp

            Filesize

            56KB

            Download

          • memory/992-160-0x0000000006FF0000-0x000000000700E000-memory.dmp

            Filesize

            120KB

            Download

          • memory/992-162-0x0000000006570000-0x000000000658A000-memory.dmp

            Filesize

            104KB

            Download

          • memory/992-164-0x0000000007600000-0x0000000007696000-memory.dmp

            Filesize

            600KB

            Download

          • memory/992-157-0x00000000058F0000-0x000000000590E000-memory.dmp

            Filesize

            120KB

            Download

          • memory/992-151-0x00000000050C0000-0x0000000005126000-memory.dmp

            Filesize

            408KB

            Download

          • memory/1860-148-0x0000000000400000-0x0000000000422000-memory.dmp

            Filesize

            136KB

            Download

          • memory/1860-152-0x0000000000400000-0x0000000000422000-memory.dmp

            Filesize

            136KB

            Download

          • memory/3360-156-0x0000000000910000-0x000000000092A000-memory.dmp

            Filesize

            104KB

            Download

          • memory/3584-137-0x0000000005A10000-0x0000000005AA2000-memory.dmp

            Filesize

            584KB

            Download

          • memory/3584-135-0x0000000000F10000-0x0000000000FE8000-memory.dmp

            Filesize

            864KB

            Download

          • memory/3584-138-0x00000000059A0000-0x00000000059AA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/3584-136-0x0000000005F20000-0x00000000064C4000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/3584-140-0x0000000009480000-0x00000000094E6000-memory.dmp

            Filesize

            408KB

            Download

          • memory/3584-139-0x0000000009270000-0x000000000930C000-memory.dmp

            Filesize

            624KB

            Download