Analysis
-
max time kernel
150s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
28-10-2022 07:38
Static task
static1
Behavioral task
behavioral1
Sample
182376,PDF.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
182376,PDF.exe
Resource
win10v2004-20220812-en
General
-
Target
182376,PDF.exe
-
Size
107KB
-
MD5
d97e41f8d67fbb966509824bf34191df
-
SHA1
f7475eee9fe28e196d2d65f4803ffe48a3dc2b26
-
SHA256
da1affe84e54055e68af38dc7fda253d538925805b563d7a87686338a7b8d0e6
-
SHA512
1d699ee7f3f537fa3e4ba1510cf19160cf25cbcd1a669bc1316b517f9891bc9fac8cbc332b0d1a6b729c3c1e9a71cd3a3f7331de86d9f633aeac5bbb14921484
-
SSDEEP
1536:gx/tmQiKh0Ovt0Xo++vw/18AyMMK4MIy+ZmVcl:6tD3OXo+mwNJb4MIy+Z8Y
Malware Config
Extracted
blustealer
https://api.telegram.org/bot5583812995:AAFKzjSLC2-pDvMQ8X47-80XjrRiWrDtxA/sendMessage?chat_id=5434600361
Signatures
-
BluStealer
A Modular information stealer written in Visual Basic.
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
resource yara_rule behavioral2/memory/1880-150-0x0000000000DA0000-0x0000000000DBA000-memory.dmp family_stormkitty -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation 182376,PDF.exe -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Uppqztxhpk = "\"C:\\Users\\Admin\\AppData\\Roaming\\Yvxdtnylkef\\Uppqztxhpk.exe\"" 182376,PDF.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 19 icanhazip.com -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 4184 set thread context of 5112 4184 182376,PDF.exe 90 PID 5112 set thread context of 1880 5112 182376,PDF.exe 91 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 AppLaunch.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier AppLaunch.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4532 powershell.exe 4532 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 4184 182376,PDF.exe Token: SeDebugPrivilege 4532 powershell.exe Token: SeDebugPrivilege 1880 AppLaunch.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 5112 182376,PDF.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 4184 wrote to memory of 4532 4184 182376,PDF.exe 82 PID 4184 wrote to memory of 4532 4184 182376,PDF.exe 82 PID 4184 wrote to memory of 4532 4184 182376,PDF.exe 82 PID 4184 wrote to memory of 5112 4184 182376,PDF.exe 90 PID 4184 wrote to memory of 5112 4184 182376,PDF.exe 90 PID 4184 wrote to memory of 5112 4184 182376,PDF.exe 90 PID 4184 wrote to memory of 5112 4184 182376,PDF.exe 90 PID 4184 wrote to memory of 5112 4184 182376,PDF.exe 90 PID 4184 wrote to memory of 5112 4184 182376,PDF.exe 90 PID 4184 wrote to memory of 5112 4184 182376,PDF.exe 90 PID 4184 wrote to memory of 5112 4184 182376,PDF.exe 90 PID 5112 wrote to memory of 1880 5112 182376,PDF.exe 91 PID 5112 wrote to memory of 1880 5112 182376,PDF.exe 91 PID 5112 wrote to memory of 1880 5112 182376,PDF.exe 91 PID 5112 wrote to memory of 1880 5112 182376,PDF.exe 91 PID 5112 wrote to memory of 1880 5112 182376,PDF.exe 91 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\182376,PDF.exe"C:\Users\Admin\AppData\Local\Temp\182376,PDF.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4184 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4532
-
-
C:\Users\Admin\AppData\Local\Temp\182376,PDF.exeC:\Users\Admin\AppData\Local\Temp\182376,PDF.exe2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5112 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe3⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1880
-
-