Analysis
-
max time kernel
148s -
max time network
39s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
19-10-2022 12:01
Static task
static1
Behavioral task
behavioral1
Sample
GFSBHDHDHDHHD.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
GFSBHDHDHDHHD.exe
Resource
win10v2004-20220812-en
General
-
Target
GFSBHDHDHDHHD.exe
-
Size
140KB
-
MD5
35c0717be78278ae5819daea4df7b636
-
SHA1
77162cdbbb1b8ff5c1cfa8b151f65c3dc3bf0ce0
-
SHA256
541dcecae2d6ac17d9af5291b3d05cca35631c72279759b8b44c98d54416454f
-
SHA512
d9826b94d7af1eb792958abb479d55665f3722f298879a104a44a76af0c8531e383f7184d51a1c281b577248800bccd273dc0d50573f39dd78e9fcf03b5dc66c
-
SSDEEP
3072:M6Iq60Sma/wfKbm3+AHrJuVTBychy4M+3CZG5kKPyA:Uma/wib++0rJuVochyxE
Malware Config
Extracted
blustealer
https://api.telegram.org/bot5627356603:AAG-Mx0TbSHRRW6IwndrpX3VLZdhd6C-Zac/sendMessage?chat_id=5472437377
Signatures
-
BluStealer
A Modular information stealer written in Visual Basic.
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 4 IoCs
resource yara_rule behavioral1/memory/1456-72-0x00000000000A4F6E-mapping.dmp family_stormkitty behavioral1/memory/1456-71-0x0000000000090000-0x00000000000AA000-memory.dmp family_stormkitty behavioral1/memory/1456-74-0x0000000000090000-0x00000000000AA000-memory.dmp family_stormkitty behavioral1/memory/1456-76-0x0000000000090000-0x00000000000AA000-memory.dmp family_stormkitty -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 3 icanhazip.com -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 752 set thread context of 2040 752 GFSBHDHDHDHHD.exe 27 PID 2040 set thread context of 1456 2040 Caspol.exe 28 -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier AppLaunch.exe Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 AppLaunch.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1456 AppLaunch.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2040 Caspol.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 752 wrote to memory of 2040 752 GFSBHDHDHDHHD.exe 27 PID 752 wrote to memory of 2040 752 GFSBHDHDHDHHD.exe 27 PID 752 wrote to memory of 2040 752 GFSBHDHDHDHHD.exe 27 PID 752 wrote to memory of 2040 752 GFSBHDHDHDHHD.exe 27 PID 752 wrote to memory of 2040 752 GFSBHDHDHDHHD.exe 27 PID 752 wrote to memory of 2040 752 GFSBHDHDHDHHD.exe 27 PID 752 wrote to memory of 2040 752 GFSBHDHDHDHHD.exe 27 PID 752 wrote to memory of 2040 752 GFSBHDHDHDHHD.exe 27 PID 752 wrote to memory of 2040 752 GFSBHDHDHDHHD.exe 27 PID 2040 wrote to memory of 1456 2040 Caspol.exe 28 PID 2040 wrote to memory of 1456 2040 Caspol.exe 28 PID 2040 wrote to memory of 1456 2040 Caspol.exe 28 PID 2040 wrote to memory of 1456 2040 Caspol.exe 28 PID 2040 wrote to memory of 1456 2040 Caspol.exe 28 PID 2040 wrote to memory of 1456 2040 Caspol.exe 28 PID 2040 wrote to memory of 1456 2040 Caspol.exe 28 PID 2040 wrote to memory of 1456 2040 Caspol.exe 28 PID 2040 wrote to memory of 1456 2040 Caspol.exe 28 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\GFSBHDHDHDHHD.exe"C:\Users\Admin\AppData\Local\Temp\GFSBHDHDHDHHD.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:752 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe3⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1456
-
-