Analysis
-
max time kernel
150s -
max time network
178s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
07-11-2022 10:12
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Trojan.DownLoaderNET.447.20530.9920.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
SecuriteInfo.com.Trojan.DownLoaderNET.447.20530.9920.exe
Resource
win10v2004-20220812-en
General
-
Target
SecuriteInfo.com.Trojan.DownLoaderNET.447.20530.9920.exe
-
Size
185KB
-
MD5
9511a74b28e3fecc899c07231fa8af5d
-
SHA1
65f642a4bd81f5f5355bf82fc79f8df2f291a144
-
SHA256
2cd01ed98525d509bfa350ef7e618a0342b0a4b1214adfe5d9b89696ab645d49
-
SHA512
a6836225ecd0d54c2916f50f10d8e94326244ca62094082a457092c04edc874b91e055814654df8f137735a52db7ad0a077f629b24bca34784a8708b065ad89a
-
SSDEEP
1536:pcKHPHdUGOsVUch/1ZjhGIBOrPaOYdSkjiRNqOP3G:LHDSch/71hEbaFSkjiRrP2
Malware Config
Extracted
blustealer
https://api.telegram.org/bot5627356603:AAG-Mx0TbSHRRW6IwndrpX3VLZdhd6C-Zac/sendMessage?chat_id=5472437377
Signatures
-
BluStealer
A Modular information stealer written in Visual Basic.
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
resource yara_rule behavioral2/memory/2816-141-0x0000000000990000-0x00000000009AA000-memory.dmp family_stormkitty -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 7 icanhazip.com -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 4952 set thread context of 2092 4952 SecuriteInfo.com.Trojan.DownLoaderNET.447.20530.9920.exe 81 PID 2092 set thread context of 2816 2092 aspnet_compiler.exe 82 -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 AppLaunch.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier AppLaunch.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4952 SecuriteInfo.com.Trojan.DownLoaderNET.447.20530.9920.exe Token: SeDebugPrivilege 2816 AppLaunch.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2092 aspnet_compiler.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 4952 wrote to memory of 2092 4952 SecuriteInfo.com.Trojan.DownLoaderNET.447.20530.9920.exe 81 PID 4952 wrote to memory of 2092 4952 SecuriteInfo.com.Trojan.DownLoaderNET.447.20530.9920.exe 81 PID 4952 wrote to memory of 2092 4952 SecuriteInfo.com.Trojan.DownLoaderNET.447.20530.9920.exe 81 PID 4952 wrote to memory of 2092 4952 SecuriteInfo.com.Trojan.DownLoaderNET.447.20530.9920.exe 81 PID 4952 wrote to memory of 2092 4952 SecuriteInfo.com.Trojan.DownLoaderNET.447.20530.9920.exe 81 PID 4952 wrote to memory of 2092 4952 SecuriteInfo.com.Trojan.DownLoaderNET.447.20530.9920.exe 81 PID 4952 wrote to memory of 2092 4952 SecuriteInfo.com.Trojan.DownLoaderNET.447.20530.9920.exe 81 PID 4952 wrote to memory of 2092 4952 SecuriteInfo.com.Trojan.DownLoaderNET.447.20530.9920.exe 81 PID 2092 wrote to memory of 2816 2092 aspnet_compiler.exe 82 PID 2092 wrote to memory of 2816 2092 aspnet_compiler.exe 82 PID 2092 wrote to memory of 2816 2092 aspnet_compiler.exe 82 PID 2092 wrote to memory of 2816 2092 aspnet_compiler.exe 82 PID 2092 wrote to memory of 2816 2092 aspnet_compiler.exe 82 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoaderNET.447.20530.9920.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoaderNET.447.20530.9920.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4952 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe3⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2816
-
-