Analysis
-
max time kernel
152s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
19-10-2022 13:01
Static task
static1
Behavioral task
behavioral1
Sample
4b28d8e218f5dfe20541b32fca297074.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
4b28d8e218f5dfe20541b32fca297074.exe
Resource
win10v2004-20220812-en
General
-
Target
4b28d8e218f5dfe20541b32fca297074.exe
-
Size
881KB
-
MD5
4b28d8e218f5dfe20541b32fca297074
-
SHA1
a5b715011f2bd3229e3acf3d88131a61043eba1a
-
SHA256
ecd2c1eb9e0c374746d9148a15db8deb551d46d3c45bd075e7928b1f3210f4bc
-
SHA512
04fac1bf2cb45ea967ddf9e5cf34fc1582b094fd0d0423ba6f56e889fb9e58b6b85f848201855446f540de19b8665fef1bc5d5f07face17955682cbcad4707ac
-
SSDEEP
12288:rMXcyHcfKPLcYdXQawrPI2F2QVokACzkRj8U8oxfEunphMnX:QNcfMLciXQlrR2QukACgRHM
Malware Config
Extracted
blustealer
https://api.telegram.org/bot5576673774:AAF__hFRh9bcJV72HkFb-9eZR9JNNyuOmFM/sendMessage?chat_id=1194722650
Signatures
-
BluStealer
A Modular information stealer written in Visual Basic.
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
resource yara_rule behavioral2/memory/428-145-0x0000000001370000-0x000000000138A000-memory.dmp family_stormkitty -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 41 icanhazip.com -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 4928 set thread context of 4620 4928 4b28d8e218f5dfe20541b32fca297074.exe 93 PID 4620 set thread context of 428 4620 4b28d8e218f5dfe20541b32fca297074.exe 94 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier AppLaunch.exe Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 AppLaunch.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 428 AppLaunch.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4620 4b28d8e218f5dfe20541b32fca297074.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 4928 wrote to memory of 4620 4928 4b28d8e218f5dfe20541b32fca297074.exe 93 PID 4928 wrote to memory of 4620 4928 4b28d8e218f5dfe20541b32fca297074.exe 93 PID 4928 wrote to memory of 4620 4928 4b28d8e218f5dfe20541b32fca297074.exe 93 PID 4928 wrote to memory of 4620 4928 4b28d8e218f5dfe20541b32fca297074.exe 93 PID 4928 wrote to memory of 4620 4928 4b28d8e218f5dfe20541b32fca297074.exe 93 PID 4928 wrote to memory of 4620 4928 4b28d8e218f5dfe20541b32fca297074.exe 93 PID 4928 wrote to memory of 4620 4928 4b28d8e218f5dfe20541b32fca297074.exe 93 PID 4928 wrote to memory of 4620 4928 4b28d8e218f5dfe20541b32fca297074.exe 93 PID 4620 wrote to memory of 428 4620 4b28d8e218f5dfe20541b32fca297074.exe 94 PID 4620 wrote to memory of 428 4620 4b28d8e218f5dfe20541b32fca297074.exe 94 PID 4620 wrote to memory of 428 4620 4b28d8e218f5dfe20541b32fca297074.exe 94 PID 4620 wrote to memory of 428 4620 4b28d8e218f5dfe20541b32fca297074.exe 94 PID 4620 wrote to memory of 428 4620 4b28d8e218f5dfe20541b32fca297074.exe 94 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\4b28d8e218f5dfe20541b32fca297074.exe"C:\Users\Admin\AppData\Local\Temp\4b28d8e218f5dfe20541b32fca297074.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4928 -
C:\Users\Admin\AppData\Local\Temp\4b28d8e218f5dfe20541b32fca297074.exe"C:\Users\Admin\AppData\Local\Temp\4b28d8e218f5dfe20541b32fca297074.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4620 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe3⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:428
-
-