Analysis
-
max time kernel
172s -
max time network
179s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
20-10-2022 20:28
Static task
static1
Behavioral task
behavioral1
Sample
28be1b525319b02993d31a3d45330e8924f40b4ebeb8696a89bcd3333bea26d5.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
28be1b525319b02993d31a3d45330e8924f40b4ebeb8696a89bcd3333bea26d5.exe
Resource
win10v2004-20220812-en
General
-
Target
28be1b525319b02993d31a3d45330e8924f40b4ebeb8696a89bcd3333bea26d5.exe
-
Size
856KB
-
MD5
e3c3961c460143a9ecf527e1821b89cc
-
SHA1
db1b4f8b3383eee78296cc69d3d101a2a23012ca
-
SHA256
28be1b525319b02993d31a3d45330e8924f40b4ebeb8696a89bcd3333bea26d5
-
SHA512
a439568155ebf0e85eee3104fe98e9001141f8a8e5178b7e011c5c24554b8eb8f2a734c60b68bea05bf9170fa3001a081a93233de2d2f5414e1b1f4e607c59c9
-
SSDEEP
12288:yPLQR/4veFNM4rKd3zIEEqBSP3JJxP7xINKJhJf3wZh:g+4vevrXH7P3vxP7xINOP
Malware Config
Extracted
blustealer
https://api.telegram.org/bot5374342837:AAHF-c1HAIvNCdF89VuEdNggsL2YBlpgkSE/sendMessage?chat_id=2133303215
Signatures
-
BluStealer
A Modular information stealer written in Visual Basic.
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
resource yara_rule behavioral2/memory/2428-145-0x0000000000BE0000-0x0000000000BFA000-memory.dmp family_stormkitty -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 42 icanhazip.com -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 4740 set thread context of 1224 4740 28be1b525319b02993d31a3d45330e8924f40b4ebeb8696a89bcd3333bea26d5.exe 91 PID 1224 set thread context of 2428 1224 28be1b525319b02993d31a3d45330e8924f40b4ebeb8696a89bcd3333bea26d5.exe 92 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 AppLaunch.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier AppLaunch.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2428 AppLaunch.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1224 28be1b525319b02993d31a3d45330e8924f40b4ebeb8696a89bcd3333bea26d5.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 4740 wrote to memory of 1224 4740 28be1b525319b02993d31a3d45330e8924f40b4ebeb8696a89bcd3333bea26d5.exe 91 PID 4740 wrote to memory of 1224 4740 28be1b525319b02993d31a3d45330e8924f40b4ebeb8696a89bcd3333bea26d5.exe 91 PID 4740 wrote to memory of 1224 4740 28be1b525319b02993d31a3d45330e8924f40b4ebeb8696a89bcd3333bea26d5.exe 91 PID 4740 wrote to memory of 1224 4740 28be1b525319b02993d31a3d45330e8924f40b4ebeb8696a89bcd3333bea26d5.exe 91 PID 4740 wrote to memory of 1224 4740 28be1b525319b02993d31a3d45330e8924f40b4ebeb8696a89bcd3333bea26d5.exe 91 PID 4740 wrote to memory of 1224 4740 28be1b525319b02993d31a3d45330e8924f40b4ebeb8696a89bcd3333bea26d5.exe 91 PID 4740 wrote to memory of 1224 4740 28be1b525319b02993d31a3d45330e8924f40b4ebeb8696a89bcd3333bea26d5.exe 91 PID 4740 wrote to memory of 1224 4740 28be1b525319b02993d31a3d45330e8924f40b4ebeb8696a89bcd3333bea26d5.exe 91 PID 1224 wrote to memory of 2428 1224 28be1b525319b02993d31a3d45330e8924f40b4ebeb8696a89bcd3333bea26d5.exe 92 PID 1224 wrote to memory of 2428 1224 28be1b525319b02993d31a3d45330e8924f40b4ebeb8696a89bcd3333bea26d5.exe 92 PID 1224 wrote to memory of 2428 1224 28be1b525319b02993d31a3d45330e8924f40b4ebeb8696a89bcd3333bea26d5.exe 92 PID 1224 wrote to memory of 2428 1224 28be1b525319b02993d31a3d45330e8924f40b4ebeb8696a89bcd3333bea26d5.exe 92 PID 1224 wrote to memory of 2428 1224 28be1b525319b02993d31a3d45330e8924f40b4ebeb8696a89bcd3333bea26d5.exe 92 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\28be1b525319b02993d31a3d45330e8924f40b4ebeb8696a89bcd3333bea26d5.exe"C:\Users\Admin\AppData\Local\Temp\28be1b525319b02993d31a3d45330e8924f40b4ebeb8696a89bcd3333bea26d5.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4740 -
C:\Users\Admin\AppData\Local\Temp\28be1b525319b02993d31a3d45330e8924f40b4ebeb8696a89bcd3333bea26d5.exe"C:\Users\Admin\AppData\Local\Temp\28be1b525319b02993d31a3d45330e8924f40b4ebeb8696a89bcd3333bea26d5.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1224 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe3⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2428
-
-