Analysis
-
max time kernel
151s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
20-10-2022 15:44
Static task
static1
Behavioral task
behavioral1
Sample
af0c49cd5e2b41f27d460deb736e47c58009be3fcef52c8720926a0a6bdfc103.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
af0c49cd5e2b41f27d460deb736e47c58009be3fcef52c8720926a0a6bdfc103.exe
Resource
win10v2004-20220901-en
General
-
Target
af0c49cd5e2b41f27d460deb736e47c58009be3fcef52c8720926a0a6bdfc103.exe
-
Size
644KB
-
MD5
2291920ad0a80650cba8a6d8e62fca40
-
SHA1
f2f42f00f1c9337636f9615e0eebd38d86b46f14
-
SHA256
af0c49cd5e2b41f27d460deb736e47c58009be3fcef52c8720926a0a6bdfc103
-
SHA512
2c793123997b31f7ae8b94d4ffbb8d8e2fffbbd35da0f8f0b6f5e1c326a71cd0e4431c276ff2fc470f2f77d57343259f6b07036a2c6a0319958416ae53470245
-
SSDEEP
12288:D+cPxGu+EjNjdUeJ2IZWAtb5xgtk5Atl3vF9uMW9e3fdn:HGzExjOejXxYkKdN9ck1n
Malware Config
Extracted
blustealer
https://api.telegram.org/bot5627356603:AAG-Mx0TbSHRRW6IwndrpX3VLZdhd6C-Zac/sendMessage?chat_id=5472437377
Signatures
-
BluStealer
A Modular information stealer written in Visual Basic.
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
resource yara_rule behavioral2/memory/3148-141-0x0000000000F50000-0x0000000000F6A000-memory.dmp family_stormkitty -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 18 icanhazip.com -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 3404 set thread context of 4336 3404 af0c49cd5e2b41f27d460deb736e47c58009be3fcef52c8720926a0a6bdfc103.exe 88 PID 4336 set thread context of 3148 4336 aspnet_compiler.exe 89 -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier AppLaunch.exe Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 AppLaunch.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3148 AppLaunch.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4336 aspnet_compiler.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 3404 wrote to memory of 4336 3404 af0c49cd5e2b41f27d460deb736e47c58009be3fcef52c8720926a0a6bdfc103.exe 88 PID 3404 wrote to memory of 4336 3404 af0c49cd5e2b41f27d460deb736e47c58009be3fcef52c8720926a0a6bdfc103.exe 88 PID 3404 wrote to memory of 4336 3404 af0c49cd5e2b41f27d460deb736e47c58009be3fcef52c8720926a0a6bdfc103.exe 88 PID 3404 wrote to memory of 4336 3404 af0c49cd5e2b41f27d460deb736e47c58009be3fcef52c8720926a0a6bdfc103.exe 88 PID 3404 wrote to memory of 4336 3404 af0c49cd5e2b41f27d460deb736e47c58009be3fcef52c8720926a0a6bdfc103.exe 88 PID 3404 wrote to memory of 4336 3404 af0c49cd5e2b41f27d460deb736e47c58009be3fcef52c8720926a0a6bdfc103.exe 88 PID 3404 wrote to memory of 4336 3404 af0c49cd5e2b41f27d460deb736e47c58009be3fcef52c8720926a0a6bdfc103.exe 88 PID 3404 wrote to memory of 4336 3404 af0c49cd5e2b41f27d460deb736e47c58009be3fcef52c8720926a0a6bdfc103.exe 88 PID 4336 wrote to memory of 3148 4336 aspnet_compiler.exe 89 PID 4336 wrote to memory of 3148 4336 aspnet_compiler.exe 89 PID 4336 wrote to memory of 3148 4336 aspnet_compiler.exe 89 PID 4336 wrote to memory of 3148 4336 aspnet_compiler.exe 89 PID 4336 wrote to memory of 3148 4336 aspnet_compiler.exe 89 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\af0c49cd5e2b41f27d460deb736e47c58009be3fcef52c8720926a0a6bdfc103.exe"C:\Users\Admin\AppData\Local\Temp\af0c49cd5e2b41f27d460deb736e47c58009be3fcef52c8720926a0a6bdfc103.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3404 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4336 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe3⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3148
-
-