Analysis

max time kernel: 129s
max time network: 65s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 21-10-2022 08:44
Static task: static1

Behavioral task: behavioral1
  Sample: e2419d65e2d88ed19b494daaccc05712.exe
  Resource: win7-20220901-en

Behavioral task: behavioral2
  Sample: e2419d65e2d88ed19b494daaccc05712.exe
  Resource: win10v2004-20220812-en

The memory-dump IoCs below are prefixed behavioral1/ and reference the PIDs in the process tree, so the detail sections correspond to the Windows 7 x64 run.
General

Target: e2419d65e2d88ed19b494daaccc05712.exe (the file name is the sample's MD5)
Size: 105KB
MD5: e2419d65e2d88ed19b494daaccc05712
SHA1: 3e3db7a4f0beafa3c41827020b76b20d27cb6767
SHA256: 8d07cd7ceb888ec77c8f28fc6f3e61791605c4c2cdaad7ff31450cb9c94358fd
SHA512: eade4b4d24b17a95cb0f6163ee2c3df5442f3581ca11a68ee831e436c3f2f95e2fadf833d128b03ac40f6bb6d637ed53792c04ee43eedf397301a0ce9d010109
SSDEEP: 3072:9Cc53RIZ2BtFUQd7JrnQjm7szl7sC7wwn:lIZ25UUQj9zl7I
Malware Config

Extracted: blustealer
Exfiltration endpoint (Telegram Bot API): https://api.telegram.org/bot5576673774:AAF__hFRh9bcJV72HkFb-9eZR9JNNyuOmFM/sendMessage?chat_id=1194722650

The bot token sits in the URL path (bot<id>:<secret>) and chat_id names the attacker's receiving chat; stolen data is posted with sendMessage, so on the wire this is only HTTPS to api.telegram.org and blends into legitimate Telegram traffic. Alert on the token and chat_id in decrypted or sandbox traffic rather than on the host name alone.
Signatures

BluStealer
A modular information stealer written in Visual Basic.

StormKitty
StormKitty is an open source info stealer written in C#.

Both family signatures fire on this run: the BluStealer config above was extracted from the sample, while the StormKitty YARA rule matches the .NET code found in the memory of AppLaunch.exe (PID 1912) at the end of the process chain below.

StormKitty payload (4 IoCs)
resource | yara_rule
behavioral1/memory/1912-77-0x0000000000090000-0x00000000000AA000-memory.dmp | family_stormkitty
behavioral1/memory/1912-78-0x00000000000A4F6E-mapping.dmp | family_stormkitty
behavioral1/memory/1912-80-0x0000000000090000-0x00000000000AA000-memory.dmp | family_stormkitty
behavioral1/memory/1912-82-0x0000000000090000-0x00000000000AA000-memory.dmp | family_stormkitty
All four hits are memory dumps of PID 1912 (AppLaunch.exe); the payload exists only in that process's memory, so scanning AppLaunch.exe on disk shows a clean Microsoft .NET Framework binary.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
The 9375CFF0413111d3B88A00104B2A6676 subkey holds Outlook account settings, including stored mail server credentials, which is why the stealer probes it under every profile location: Office 15.0 (Outlook 2013), Office 16.0 (Outlook 2016 and later) and the older Windows Messaging Subsystem path.

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\chrome = "\"C:\\Users\\Admin\\AppData\\Roaming\\google\\chrome.exe\"" | e2419d65e2d88ed19b494daaccc05712.exe
The value is named chrome and points at %APPDATA%\google\chrome.exe, a user-writable location where Chrome is never installed (the real binary lives under Program Files or %LOCALAPPDATA%\Google\Chrome\Application), so the name is a masquerade. The Run value shows intent; on a host, confirm the copy at that path and treat both the value and the path as indicators.
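As an added example (not part of the sandbox report), a small triage routine over Run values like the one above: it expands %VAR% references, pulls the program path out of the value, and flags executables in user-writable directories or well-known browser names outside their install directory. The environment values, the writable-directory list and the install-directory table are assumptions for illustration; the Run value in REPORT_RUN_VALUES is the one from the report.

```python
"""Flag Run-key persistence that masquerades as a browser, as in the Run value above."""
import ntpath
import re

# Constructed profile environment for expanding %VAR% references (assumption).
WIN_ENV = {
    "APPDATA": r"C:\Users\Admin\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\Admin\AppData\Local",
    "TEMP": r"C:\Users\Admin\AppData\Local\Temp",
}

# Path fragments any unprivileged user can write to (illustrative list).
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\")

# Where the genuine binary is installed; the same file name anywhere else is a masquerade.
LEGIT_DIRS = {
    "chrome.exe": ("\\google\\chrome\\application\\",),
    "msedge.exe": ("\\microsoft\\edge\\application\\",),
    "firefox.exe": ("\\mozilla firefox\\",),
}

# Run value recorded in the report (value name, string data) after unescaping the
# sandbox's representation: the data itself carries the surrounding double quotes.
REPORT_RUN_VALUES = [("chrome", r'"C:\Users\Admin\AppData\Roaming\google\chrome.exe"')]


def expand_env(s):
    """Expand %VAR% using the constructed environment; unknown variables are left as-is."""
    return re.sub(r"%(\w+)%", lambda m: WIN_ENV.get(m.group(1).upper(), m.group(0)), s)


def executable_from_command(cmd):
    """Program path from a Run value: quoted path, else bare path ending in .exe, else first token."""
    cmd = expand_env(cmd.strip())
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def triage_run_value(name, data):
    """Reasons the value looks like masquerading persistence; empty list when nothing stands out."""
    exe = executable_from_command(data).lower()
    base = ntpath.basename(exe)
    reasons = []
    if any(frag in exe for frag in USER_WRITABLE):
        reasons.append("executable in user-writable directory")
    if base in LEGIT_DIRS and not any(d in exe for d in LEGIT_DIRS[base]):
        reasons.append(f"{base} outside its install directory")
    return reasons


def triage_run_values(entries):
    """Map value name -> reasons for every entry that raised at least one reason."""
    out = {}
    for name, data in entries:
        reasons = triage_run_value(name, data)
        if reasons:
            out[name] = reasons
    return out


if __name__ == "__main__":
    for name, reasons in triage_run_values(REPORT_RUN_VALUES).items():
        print(f"Run\\{name} -> {'; '.join(reasons)}")
```

The two checks are deliberately independent: a dropper that copies itself to %APPDATA% under an unknown name still trips the writable-directory rule, and a masquerade placed under Program Files (which needs admin rights) still trips the install-directory rule.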
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
7 | icanhazip.com

Suspicious use of SetThreadContext (2 IoCs)
description | pid | process | procid_target
PID 1324 set thread context of 1552 | 1324 | e2419d65e2d88ed19b494daaccc05712.exe | 29
PID 1552 set thread context of 1912 | 1552 | e2419d65e2d88ed19b494daaccc05712.exe | 30
Setting another process's thread context after writing to its memory (see WriteProcessMemory below) is the process-hollowing pattern: the original sample (1324) targets a second copy of itself (1552), which in turn targets the .NET host AppLaunch.exe (1912).

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
The second sentence is the sandbox's generic description for this signature; nothing else in this report indicates ransomware, and a stealer enumerates drives to locate files to harvest.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | AppLaunch.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | AppLaunch.exe
Stealers also read this key to include the CPU model in the victim profile they exfiltrate, so on its own it does not prove sandbox evasion.

Suspicious behavior: EnumeratesProcesses (1 IoC)
pid | process
1360 | powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | process
Token: SeDebugPrivilege | 1324 | e2419d65e2d88ed19b494daaccc05712.exe
Token: SeDebugPrivilege | 1360 | powershell.exe
Token: SeDebugPrivilege | 1912 | AppLaunch.exe
SeDebugPrivilege lets a process open any other process regardless of its security descriptor; for 1324 it precedes the injection into 1552, while powershell.exe enabling it is common on its own and is not a strong indicator here.

Suspicious use of SetWindowsHookEx (1 IoC)
pid | process
1552 | e2419d65e2d88ed19b494daaccc05712.exe
The hook type is not recorded; a low-level keyboard hook is the usual keylogging mechanism in stealers, but this entry alone does not confirm that.

Suspicious use of WriteProcessMemory (25 IoCs)
The 25 rows collapse to three source/target pairs:
pid | process | target pid | procid_target | calls
1324 | e2419d65e2d88ed19b494daaccc05712.exe | 1360 | 27 | 4
1324 | e2419d65e2d88ed19b494daaccc05712.exe | 1552 | 29 | 12
1552 | e2419d65e2d88ed19b494daaccc05712.exe | 1912 | 30 | 9
A handful of writes into a freshly created child (1360, powershell.exe) is what CreateProcess itself produces when it sets up the new process; the larger counts into 1552 and 1912, each paired with a SetThreadContext above, are the payload being written before the hijacked thread is resumed.

outlook_office_path (1 IoC)
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe

outlook_win_path (1 IoC)
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
These two are the per-path sub-signatures behind "Accesses Microsoft Outlook profiles" above and duplicate two of its three registry opens.
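The SetThreadContext and WriteProcessMemory tables above carry enough to reconstruct the injection chain mechanically. This added example, which is not part of the report, parses the sandbox's description strings, separates write-plus-context-set pairs (injection) from write-only pairs (ordinary child creation), and walks the chain from the original PID. The row strings and the PID-to-name map are constructed to match the tables above.

```python
"""Reconstruct the injection chain from SetThreadContext and WriteProcessMemory rows."""
import re
from collections import Counter

# Rows constructed to match the signature tables above (4 + 12 + 9 WriteProcessMemory
# entries and 2 SetThreadContext entries); a real run would parse the report export.
WPM_ROWS = (["PID 1324 wrote to memory of 1360"] * 4
            + ["PID 1324 wrote to memory of 1552"] * 12
            + ["PID 1552 wrote to memory of 1912"] * 9)
STC_ROWS = ["PID 1324 set thread context of 1552",
            "PID 1552 set thread context of 1912"]
PROCESS_NAMES = {1324: "e2419d65e2d88ed19b494daaccc05712.exe", 1360: "powershell.exe",
                 1552: "e2419d65e2d88ed19b494daaccc05712.exe", 1912: "AppLaunch.exe"}

ROW_RE = re.compile(r"PID (\d+) (?:wrote to memory of|set thread context of) (\d+)")


def edges_from_rows(rows):
    """Count (source_pid, target_pid) pairs in the sandbox description strings."""
    edges = Counter()
    for row in rows:
        m = ROW_RE.fullmatch(row.strip())
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        edges[(int(m.group(1)), int(m.group(2)))] += 1
    return edges


def injection_edges(wpm_edges, stc_edges):
    """Pairs where the source both wrote memory and replaced a thread context in the target."""
    return sorted(set(wpm_edges) & set(stc_edges))


def create_only_edges(wpm_edges, stc_edges):
    """Targets written to but never context-set: the writes CreateProcess itself performs."""
    return sorted(set(wpm_edges) - set(stc_edges))


def injection_chain(root, inj_edges):
    """Walk injection edges from root, giving the hollowing sequence as a list of PIDs."""
    chain, seen = [root], {root}
    while True:
        nxt = [dst for src, dst in inj_edges if src == chain[-1] and dst not in seen]
        if not nxt:
            return chain
        chain.append(nxt[0])
        seen.add(nxt[0])


def describe_chain(chain, names):
    """Human-readable 'name (pid) -> name (pid)' rendering of a chain."""
    return " -> ".join(f"{names.get(pid, '?')} ({pid})" for pid in chain)


if __name__ == "__main__":
    wpm, stc = edges_from_rows(WPM_ROWS), edges_from_rows(STC_ROWS)
    inj = injection_edges(wpm, stc)
    for src, dst in inj:
        print(f"{src} -> {dst}: {wpm[(src, dst)]} writes, {stc[(src, dst)]} context sets")
    print("create-only:", create_only_edges(wpm, stc))
    print(describe_chain(injection_chain(1324, inj), PROCESS_NAMES))
```

The same split (write-only versus write-plus-context) is the rule to apply to endpoint telemetry that records both calls: a parent writing to its own child a few times is noise, a parent writing to a process and then calling SetThreadContext on it is the event to alert on.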
Processes

C:\Users\Admin\AppData\Local\Temp\e2419d65e2d88ed19b494daaccc05712.exe (PID 1324)
  command line: "C:\Users\Admin\AppData\Local\Temp\e2419d65e2d88ed19b494daaccc05712.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1360, child of 1324)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA1AA==
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    The -enc argument is base64 of the UTF-16LE string "Start-Sleep -Seconds 35": a 35-second delay in a separate process and nothing else, the kind of stall aimed at sandbox time limits. The image path is SysWOW64 although the command line names System32; that is WoW64 file-system redirection, so the sample runs as a 32-bit process on the x64 guest.

  C:\Users\Admin\AppData\Local\Temp\e2419d65e2d88ed19b494daaccc05712.exe (PID 1552, child of 1324)
    command line: C:\Users\Admin\AppData\Local\Temp\e2419d65e2d88ed19b494daaccc05712.exe
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 1912, child of 1552)
      command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      - Accesses Microsoft Outlook profiles
      - Checks processor information in registry
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
      AppLaunch.exe is a legitimate Microsoft .NET Framework binary launched here with no arguments; it serves only as the hollowed container for the StormKitty payload matched in its memory, and its 32-bit Framework path (not Framework64) matches the 32-bit parent.
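An added example, not from the report, for the powershell.exe line in the tree above: it splits the Windows command line, decodes any -EncodedCommand argument (base64 of the script as UTF-16LE), and classifies a script that does nothing but Start-Sleep as a delay-only stager. The command line is the one recorded above; the flag-prefix handling and the sleep pattern are this example's own assumptions.

```python
"""Decode powershell.exe -EncodedCommand arguments and flag sleep-only stagers."""
import base64
import re

# Command line recorded in the process tree above (constructed sample input).
REPORT_CMDLINE = ('"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
                  '-enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA1AA==')

# Start-Sleep with -Seconds/-Milliseconds (any prefix, e.g. -s, -ms) or a positional count.
SLEEP_RE = re.compile(r"start-sleep\s+(?:-(s\w*|m\w*)\s+)?(\d+)", re.IGNORECASE)


def split_cmdline(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted runs together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def is_encoded_flag(token):
    """Assumption: powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...)."""
    t = token.lower()
    return len(t) >= 2 and t[0] == "-" and "encodedcommand".startswith(t[1:])


def decode_encoded_command(b64):
    """-EncodedCommand carries the script as base64 over its UTF-16LE bytes."""
    return base64.b64decode(b64, validate=True).decode("utf-16-le")


def encoded_commands(cmdline):
    """Decoded scripts for every -EncodedCommand argument on the line (usually zero or one)."""
    toks = split_cmdline(cmdline)
    return [decode_encoded_command(toks[i + 1])
            for i, t in enumerate(toks[:-1]) if is_encoded_flag(t)]


def sleep_seconds(script):
    """Total delay requested by Start-Sleep calls in the script, in seconds (0 if none)."""
    total = 0.0
    for m in SLEEP_RE.finditer(script):
        unit, n = m.group(1), int(m.group(2))
        total += n / 1000 if unit and unit.lower().startswith("m") else n
    return total


def is_delay_only(script):
    """True when the script contains nothing but sleeps: the stall seen in this report."""
    leftover = SLEEP_RE.sub("", script).strip(" ;\r\n\t")
    return sleep_seconds(script) > 0 and leftover == ""


if __name__ == "__main__":
    for script in encoded_commands(REPORT_CMDLINE):
        kind = "delay-only" if is_delay_only(script) else "has other commands"
        print(f"{script!r}: {kind}, {sleep_seconds(script):g}s of sleep")
```

Decoding before pattern-matching matters: a rule that looks for Start-Sleep in raw command lines never sees it through -enc, and a rule that only matches the literal string -EncodedCommand misses the abbreviated -e and -enc forms that droppers actually use.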