Overview

overview

10

Static

static

PROFORMA.EXE.exe

windows7-x64

3

PROFORMA.EXE.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-10-2022 15:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PROFORMA.EXE.exe

  • Size

    1.3MB

  • MD5

    fc5ab0fbd99f07685a8dc7701627f214

  • SHA1

    e80e5a3d1450748736f035a7ee7856a4aacfeed9

  • SHA256

    797ed9f4cabf70bcf98dbc50235bfacd785ca91a747febc965c92465a3d53283

  • SHA512

    9f02188f31952a888f52c498d5ef23b1f35098e37d56cf65c26be5f91d2acf48315c8f5fa378bb5e7045e6a68e63812762beeca5736aba2099fb2a9983704e90

  • SSDEEP

    24576:2xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxNussjTkuAHGe:VAm0THYewFdj

Score
10/10
blustealercollectionstealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5310184325:AAFI3fSQ6VcGu_NSTmv7d-qK2WCVhYY_qfg/sendMessage?chat_id=1293496579

Signatures

  • BluStealer

    A Modular information stealer written in Visual Basic.

    stealerblustealer
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PROFORMA.EXE.exe
    "C:\Users\Admin\AppData\Local\Temp\PROFORMA.EXE.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4632
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\WXtEQNGzoNewfR.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4476
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WXtEQNGzoNewfR" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB6A.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3596
    • C:\Users\Admin\AppData\Local\Temp\PROFORMA.EXE.exe
      "C:\Users\Admin\AppData\Local\Temp\PROFORMA.EXE.exe"
      2⤵
        PID:4800
      • C:\Users\Admin\AppData\Local\Temp\PROFORMA.EXE.exe
        "C:\Users\Admin\AppData\Local\Temp\PROFORMA.EXE.exe"
        2⤵
          PID:1488
        • C:\Users\Admin\AppData\Local\Temp\PROFORMA.EXE.exe
          "C:\Users\Admin\AppData\Local\Temp\PROFORMA.EXE.exe"
          2⤵
            PID:5036
          • C:\Users\Admin\AppData\Local\Temp\PROFORMA.EXE.exe
            "C:\Users\Admin\AppData\Local\Temp\PROFORMA.EXE.exe"
            2⤵
            • Suspicious use of SetThreadContext
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4400
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              3⤵
              • Accesses Microsoft Outlook profiles
              • outlook_office_path
              • outlook_win_path
              PID:3044

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmpB6A.tmp
          Filesize

          1KB

          MD5

          32dc15045f2baa94dac3e06656369d98

          SHA1

          66e627cff8fb4917ec8a8cdf19dff5949ee29c9f

          SHA256

          0aac50863fb4528a7276041978b129edbcbf63f88397319d64593ff26276525f

          SHA512

          18209621ceefcfd42025e8bbcb5105ce83b029efe37ffe1c7d33c228973796d4a8ffd19f220c89340631cd5da05a33ffec251a50a32daf41e8fb541591b64d85

          Download Submit

        • memory/3044-160-0x0000000000D00000-0x0000000000D66000-memory.dmp

          Filesize

          408KB

          Download

        • memory/4400-168-0x0000000000400000-0x000000000046E000-memory.dmp

          Filesize

          440KB

          Download

        • memory/4400-154-0x0000000000400000-0x000000000046E000-memory.dmp

          Filesize

          440KB

          Download

        • memory/4400-151-0x0000000000400000-0x000000000046E000-memory.dmp

          Filesize

          440KB

          Download

        • memory/4400-147-0x0000000000400000-0x000000000046E000-memory.dmp

          Filesize

          440KB

          Download

        • memory/4476-149-0x0000000005A50000-0x0000000005A72000-memory.dmp

          Filesize

          136KB

          Download

        • memory/4476-150-0x0000000006160000-0x00000000061C6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/4476-167-0x0000000007FA0000-0x0000000007FA8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/4476-142-0x0000000005B30000-0x0000000006158000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4476-140-0x0000000005350000-0x0000000005386000-memory.dmp

          Filesize

          216KB

          Download

        • memory/4476-166-0x0000000007FC0000-0x0000000007FDA000-memory.dmp

          Filesize

          104KB

          Download

        • memory/4476-162-0x0000000007C80000-0x0000000007C9A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/4476-165-0x0000000007EB0000-0x0000000007EBE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/4476-164-0x0000000007F00000-0x0000000007F96000-memory.dmp

          Filesize

          600KB

          Download

        • memory/4476-155-0x0000000006980000-0x000000000699E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/4476-156-0x0000000006F40000-0x0000000006F72000-memory.dmp

          Filesize

          200KB

          Download

        • memory/4476-157-0x0000000071A80000-0x0000000071ACC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/4476-158-0x0000000006F20000-0x0000000006F3E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/4476-161-0x00000000082C0000-0x000000000893A000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/4476-163-0x0000000007CF0000-0x0000000007CFA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/4632-132-0x00000000003A0000-0x00000000004FA000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4632-134-0x0000000004E70000-0x0000000004F02000-memory.dmp

          Filesize

          584KB

          Download

        • memory/4632-135-0x0000000004F20000-0x0000000004F2A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/4632-136-0x000000000BB20000-0x000000000BBBC000-memory.dmp

          Filesize

          624KB

          Download

        • memory/4632-137-0x000000000BE00000-0x000000000BE66000-memory.dmp

          Filesize

          408KB

          Download

        • memory/4632-133-0x00000000054F0000-0x0000000005A94000-memory.dmp

          Filesize

          5.6MB

          Download