Analysis
- max time kernel: 65s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 18-10-2022 07:48
Static task: static1
Behavioral task: behavioral1
- Sample: Dekont.PDF.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: Dekont.PDF.exe
- Resource: win10v2004-20220812-en
General
- Target: Dekont.PDF.exe
- Size: 1.3MB
- MD5: 8feabe088c948dc8f387c098e6840ed4
- SHA1: 52522a7e7bae6061fc3b32ec3a25af902f164af8
- SHA256: 8908acf28585acbad787f5b1fc7b53b99ca8fb7d03ef05cdb6cd436102fd82cc
- SHA512: 593af500334afd603b4ab82d315362123000a078772a5f1f5dd5eb29aae39606eb87ef96cb9915bb243365c851de54646ffd81eff666b4277144184c008bef01
- SSDEEP: 24576:br3xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxNussBq5fr+:0qhrk1QmY9OrXS76Fdj
Malware Config
Extracted: blustealer
- https://api.telegram.org/bot5310184325:AAFI3fSQ6VcGu_NSTmv7d-qK2WCVhYY_qfg/sendMessage?chat_id=1293496579
Signatures
- BluStealer
  A modular information stealer written in Visual Basic.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
- Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 1048 set thread context of 1936 | 1048 | Dekont.PDF.exe | 31
  PID 1936 set thread context of 872 | 1936 | Dekont.PDF.exe | 32
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  1344 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid | Process
  1048 | Dekont.PDF.exe
  1048 | Dekont.PDF.exe
  1424 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1048 | Dekont.PDF.exe
  Token: SeDebugPrivilege | 1424 | powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  1936 | Dekont.PDF.exe
- Suspicious use of WriteProcessMemory (26 IoCs, grouped by identical entries)
  description | pid | Process | procid_target | occurrences
  PID 1048 wrote to memory of 1424 | 1048 | Dekont.PDF.exe | 27 | 4
  PID 1048 wrote to memory of 1344 | 1048 | Dekont.PDF.exe | 29 | 4
  PID 1048 wrote to memory of 1936 | 1048 | Dekont.PDF.exe | 31 | 9
  PID 1936 wrote to memory of 872 | 1936 | Dekont.PDF.exe | 32 | 9
- outlook_office_path (1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
- outlook_win_path (1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Dekont.PDF.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Dekont.PDF.exe"
  PID: 1048
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GuYxLKsycrfSBi.exe"
    PID: 1424
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GuYxLKsycrfSBi" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAEB7.tmp"
    PID: 1344
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Dekont.PDF.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Dekont.PDF.exe"
    PID: 1936
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      PID: 872
      - Accesses Microsoft Outlook profiles
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1KB
  MD5: df5b9e5d095db2b0c1e8ab07218dd6ff
  SHA1: d85b421f6d489d7a34faee2b57f6586bff8e77fc
  SHA256: b8189c4e4fa9bf5fcd452382cdc4bdc5046ae22238bab0263f8434a53b04a9e4
  SHA512: 41e355cda46b8630d82c6df5b36e797fbf1612f870c921cdc15ea06669231863b3c1f5359823bdb9887ef53da2206b3121aefa5cb86c298a380eb6867068aa95