Overview

overview

10

Static

static

SecuriteIn...21.exe

windows7-x64

10

SecuriteIn...21.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-10-2022 08:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.MSIL.GenKryptik.FZUN.tr.23962.24121.exe

  • Size

    1.4MB

  • MD5

    8d654f7f3951c4493f602eaeec06a66d

  • SHA1

    b2dbbc4d06d197325efa9c780a881e5dc5055c8e

  • SHA256

    23b5a7169d8ab03c941f751625eabe427cc22aa4e39253af3fb7e4fc8e35a207

  • SHA512

    73a16f93ca5e6e521e6863df0eb361e37b2701a9178908235c6088c63f662384e315f0c31727552feb10f6739056cce9aa20d13cb6f68655a4404b0e78da785e

  • SSDEEP

    24576:NkU0xyXgeNY7E12oi4cWAlGmEFr0ulZlh6alRsn/ju1LNajXYo3aOtY:fXgeNYM3NVAAb0slh/sUBajD3

Score
10/10
blustealercollectionstealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5755930650:AAElY45_nxTVkERZWnAInWKh0Sygx_xge0E/sendMessage?chat_id=1293496579

Signatures

  • BluStealer

    A Modular information stealer written in Visual Basic.

    stealerblustealer
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL.GenKryptik.FZUN.tr.23962.24121.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL.GenKryptik.FZUN.tr.23962.24121.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2168
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\onVgEhgtvkJAns.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4788
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\onVgEhgtvkJAns" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5FF2.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3068
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL.GenKryptik.FZUN.tr.23962.24121.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL.GenKryptik.FZUN.tr.23962.24121.exe"
      2⤵
        PID:1444
      • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL.GenKryptik.FZUN.tr.23962.24121.exe
        "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL.GenKryptik.FZUN.tr.23962.24121.exe"
        2⤵
          PID:3476
        • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL.GenKryptik.FZUN.tr.23962.24121.exe
          "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL.GenKryptik.FZUN.tr.23962.24121.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:688
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            3⤵
            • Accesses Microsoft Outlook profiles
            • outlook_office_path
            • outlook_win_path
            PID:1380

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmp5FF2.tmp
        Filesize

        1KB

        MD5

        78fa6c6486e71b7dbfe2dd0329fb1f27

        SHA1

        1ae9214398c1d98bb38bfe3d5d9d3bd60cc1a925

        SHA256

        49b2acd555bafef61cfbd6810ef754838e247ed7c91a89b07f140721aa1a9664

        SHA512

        b6755532e15930d21a1c0bb9de5bb9e764cb9597ff7028e4046140813cd2dedc547a20004c7e6579ee08f5fc84a793e92a7775220b3e1a2a61c4f69427ac3ce4

        Download Submit

      • memory/688-149-0x0000000000400000-0x000000000046E000-memory.dmp

        Filesize

        440KB

        Download

      • memory/688-164-0x0000000000400000-0x000000000046E000-memory.dmp

        Filesize

        440KB

        Download

      • memory/688-146-0x0000000000400000-0x000000000046E000-memory.dmp

        Filesize

        440KB

        Download

      • memory/1380-166-0x0000000000E10000-0x0000000000E76000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2168-132-0x0000000000FA0000-0x0000000001108000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/2168-137-0x000000000BDA0000-0x000000000BE06000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2168-136-0x00000000092D0000-0x000000000936C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/2168-135-0x0000000005AC0000-0x0000000005ACA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2168-134-0x0000000005B20000-0x0000000005BB2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/2168-133-0x00000000060D0000-0x0000000006674000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4788-140-0x0000000005210000-0x0000000005246000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4788-150-0x0000000006100000-0x0000000006166000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4788-153-0x00000000067F0000-0x000000000680E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4788-154-0x0000000006DB0000-0x0000000006DE2000-memory.dmp

        Filesize

        200KB

        Download

      • memory/4788-155-0x0000000070600000-0x000000007064C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/4788-156-0x0000000006D90000-0x0000000006DAE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4788-157-0x0000000008140000-0x00000000087BA000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/4788-158-0x0000000007AF0000-0x0000000007B0A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4788-159-0x0000000007B60000-0x0000000007B6A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4788-160-0x0000000007D70000-0x0000000007E06000-memory.dmp

        Filesize

        600KB

        Download

      • memory/4788-161-0x0000000007D20000-0x0000000007D2E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/4788-162-0x0000000007E30000-0x0000000007E4A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4788-163-0x0000000007E10000-0x0000000007E18000-memory.dmp

        Filesize

        32KB

        Download

      • memory/4788-148-0x0000000005830000-0x0000000005852000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4788-142-0x00000000058A0000-0x0000000005EC8000-memory.dmp

        Filesize

        6.2MB

        Download