Analysis
max time kernel: 143s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-10-2022 08:06
Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.MSIL.GenKryptik.FZUN.tr.23962.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.MSIL.GenKryptik.FZUN.tr.23962.exe
  Resource: win10v2004-20220812-en
General
Target: SecuriteInfo.com.MSIL.GenKryptik.FZUN.tr.23962.exe
Size: 1.4MB
MD5: 8d654f7f3951c4493f602eaeec06a66d
SHA1: b2dbbc4d06d197325efa9c780a881e5dc5055c8e
SHA256: 23b5a7169d8ab03c941f751625eabe427cc22aa4e39253af3fb7e4fc8e35a207
SHA512: 73a16f93ca5e6e521e6863df0eb361e37b2701a9178908235c6088c63f662384e315f0c31727552feb10f6739056cce9aa20d13cb6f68655a4404b0e78da785e
SSDEEP: 24576:NkU0xyXgeNY7E12oi4cWAlGmEFr0ulZlh6alRsn/ju1LNajXYo3aOtY:fXgeNYM3NVAAb0slh/sUBajD3
Malware Config
Extracted
blustealer
https://api.telegram.org/bot5755930650:AAElY45_nxTVkERZWnAInWKh0Sygx_xge0E/sendMessage?chat_id=1293496579
Signatures
- BluStealer
  A modular information stealer written in Visual Basic.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (process: SecuriteInfo.com.MSIL.GenKryptik.FZUN.tr.23962.exe)
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Key opened: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: AppLaunch.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: AppLaunch.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: AppLaunch.exe)
- Suspicious use of SetThreadContext (2 IoCs)
  PID 3992 set thread context of 4944 (process: SecuriteInfo.com.MSIL.GenKryptik.FZUN.tr.23962.exe, procid_target: 95)
  PID 4944 set thread context of 624 (process: SecuriteInfo.com.MSIL.GenKryptik.FZUN.tr.23962.exe, procid_target: 96)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 4680 (process: schtasks.exe)
- Script User-Agent (1 IoC)
  Uses user-agent string associated with script host/environment.
  HTTP User-Agent header (flow 33): Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 4652 (process: powershell.exe), 2 events
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 4652 (process: powershell.exe)
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 4944 (process: SecuriteInfo.com.MSIL.GenKryptik.FZUN.tr.23962.exe)
- Suspicious use of WriteProcessMemory (19 IoCs)
  PID 3992 wrote to memory of 4652 (process: SecuriteInfo.com.MSIL.GenKryptik.FZUN.tr.23962.exe, procid_target: 91), 3 events
  PID 3992 wrote to memory of 4680 (process: SecuriteInfo.com.MSIL.GenKryptik.FZUN.tr.23962.exe, procid_target: 93), 3 events
  PID 3992 wrote to memory of 4944 (process: SecuriteInfo.com.MSIL.GenKryptik.FZUN.tr.23962.exe, procid_target: 95), 8 events
  PID 4944 wrote to memory of 624 (process: SecuriteInfo.com.MSIL.GenKryptik.FZUN.tr.23962.exe, procid_target: 96), 5 events
- outlook_office_path (1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: AppLaunch.exe)
- outlook_win_path (1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: AppLaunch.exe)
Processes
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL.GenKryptik.FZUN.tr.23962.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL.GenKryptik.FZUN.tr.23962.exe"
  PID: 3992
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\onVgEhgtvkJAns.exe"
    PID: 4652
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\schtasks.exe
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\onVgEhgtvkJAns" /XML "C:\Users\Admin\AppData\Local\Temp\tmp26B2.tmp"
    PID: 4680
    - Creates scheduled task(s)
  C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL.GenKryptik.FZUN.tr.23962.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL.GenKryptik.FZUN.tr.23962.exe"
    PID: 4944
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      PID: 624
      - Accesses Microsoft Outlook profiles
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1KB
  MD5: d94283d1e40882ac3d207378c507a898
  SHA1: de7d8f0cbf072398fdfa21d5447625ca34164a7f
  SHA256: 277355973ed550bbd686fa6a837e1baedcdf160e92657705d465aa18170a6081
  SHA512: a6f1d3fe1492817ac553b7842a4ae4978da4050600d3541075ed2e52055b36886010cac933f6dd1c51d7ce106a65434129b8c8b89569c96ec1309547d5a97380