Analysis
  max time kernel: 190s
  max time network: 191s
  platform: windows10-2004_x64
  resource: win10v2004-20220812-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 08-11-2022 10:47

  Static task: static1
  Behavioral task: behavioral1
    Sample: SecuriteInfo.com.W32.MSIL_Agent.DSJ.gen.Eldorado.11406.11467.exe
    Resource: win7-20220901-en
  Behavioral task: behavioral2
    Sample: SecuriteInfo.com.W32.MSIL_Agent.DSJ.gen.Eldorado.11406.11467.exe
    Resource: win10v2004-20220812-en
General
  Target: SecuriteInfo.com.W32.MSIL_Agent.DSJ.gen.Eldorado.11406.11467.exe
  Size: 22KB
  MD5: 1310646bc42b16eb07ffe30fe7ffc2cc
  SHA1: 9b24e599bfdb6ea1f31594400b155daba1e33c5f
  SHA256: 8a07f89b4dee439c3440a9aea91436c3d73f0e07504a0b841b9ac56cb423aca0
  SHA512: b2ebbb5a836c3ea5c00ba84272b9463d30eded1e955eace75b15f4f1431c5f421b64b40d6cc568ab417358a83fa5c5a0fa4592c33a19c195f69f64764cb017ca
  SSDEEP: 384:ftxafuqsQniJnOUYjxJhT7KSENddXLH51NnnjLYbjmjI:fdoKnXLH51NnnkyjI
Malware Config
  Extracted
    blustealer
      https://api.telegram.org/bot5627356603:AAG-Mx0TbSHRRW6IwndrpX3VLZdhd6C-Zac/sendMessage?chat_id=5472437377
Signatures

  BluStealer
    A modular information stealer written in Visual Basic.

  StormKitty
    StormKitty is an open source info stealer written in C#.

  StormKitty payload (1 IoC)
    resource | yara_rule
    behavioral2/memory/1956-144-0x0000000000B40000-0x0000000000B5A000-memory.dmp | family_stormkitty

  Downloads MZ/PE file

  Executes dropped EXE (1 IoC)
    pid | Process
    5068 | palmic.exe

  Checks computer location settings (2 TTPs, 1 IoC)
    Looks up country code configured in the registry, likely geofence.
    description | ioc | Process
    Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | SecuriteInfo.com.W32.MSIL_Agent.DSJ.gen.Eldorado.11406.11467.exe

  Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
    description | ioc | Process
    Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
    Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
    Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe

  Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

  Looks up external IP address via web service (1 IoC)
    Uses a legitimate IP lookup service to find the infected system's external IP.
    flow | ioc
    39 | icanhazip.com

  Suspicious use of SetThreadContext (2 IoCs)
    description | pid | Process | procid_target
    PID 5068 set thread context of 428 | 5068 | palmic.exe | 81
    PID 428 set thread context of 1956 | 428 | Caspol.exe | 82

  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  Checks processor information in registry (2 TTPs, 2 IoCs)
    Processor information is often read in order to detect sandboxing environments.
    description | ioc | Process
    Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | AppLaunch.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | AppLaunch.exe

  Suspicious use of AdjustPrivilegeToken (3 IoCs)
    description | pid | Process
    Token: SeDebugPrivilege | 4844 | SecuriteInfo.com.W32.MSIL_Agent.DSJ.gen.Eldorado.11406.11467.exe
    Token: SeDebugPrivilege | 5068 | palmic.exe
    Token: SeDebugPrivilege | 1956 | AppLaunch.exe

  Suspicious use of SetWindowsHookEx (1 IoC)
    pid | Process
    428 | Caspol.exe

  Suspicious use of WriteProcessMemory (16 IoCs)
    description | pid | Process | procid_target
    PID 4844 wrote to memory of 5068 | 4844 | SecuriteInfo.com.W32.MSIL_Agent.DSJ.gen.Eldorado.11406.11467.exe | 80
    PID 4844 wrote to memory of 5068 | 4844 | SecuriteInfo.com.W32.MSIL_Agent.DSJ.gen.Eldorado.11406.11467.exe | 80
    PID 4844 wrote to memory of 5068 | 4844 | SecuriteInfo.com.W32.MSIL_Agent.DSJ.gen.Eldorado.11406.11467.exe | 80
    PID 5068 wrote to memory of 428 | 5068 | palmic.exe | 81
    PID 5068 wrote to memory of 428 | 5068 | palmic.exe | 81
    PID 5068 wrote to memory of 428 | 5068 | palmic.exe | 81
    PID 5068 wrote to memory of 428 | 5068 | palmic.exe | 81
    PID 5068 wrote to memory of 428 | 5068 | palmic.exe | 81
    PID 5068 wrote to memory of 428 | 5068 | palmic.exe | 81
    PID 5068 wrote to memory of 428 | 5068 | palmic.exe | 81
    PID 5068 wrote to memory of 428 | 5068 | palmic.exe | 81
    PID 428 wrote to memory of 1956 | 428 | Caspol.exe | 82
    PID 428 wrote to memory of 1956 | 428 | Caspol.exe | 82
    PID 428 wrote to memory of 1956 | 428 | Caspol.exe | 82
    PID 428 wrote to memory of 1956 | 428 | Caspol.exe | 82
    PID 428 wrote to memory of 1956 | 428 | Caspol.exe | 82

  outlook_office_path (1 IoC)
    description | ioc | Process
    Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe

  outlook_win_path (1 IoC)
    description | ioc | Process
    Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Processes
  1. C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.DSJ.gen.Eldorado.11406.11467.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.DSJ.gen.Eldorado.11406.11467.exe"
     PID: 4844
     - Checks computer location settings
     - Suspicious use of AdjustPrivilegeToken
     - Suspicious use of WriteProcessMemory

     2. C:\ProgramData\palmic.exe
        Command line: "C:\ProgramData\palmic.exe"
        PID: 5068
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
           Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
           PID: 428
           - Suspicious use of SetThreadContext
           - Suspicious use of SetWindowsHookEx
           - Suspicious use of WriteProcessMemory

           4. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              PID: 1956
              - Accesses Microsoft Outlook profiles
              - Checks processor information in registry
              - Suspicious use of AdjustPrivilegeToken
              - outlook_office_path
              - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
  Filesize: 66KB
  MD5: ec56a21c8ee1d373f5e892cc19a14441
  SHA1: e2834f9bfe32bb1a6b4fbb4cff128e8dcdece15b
  SHA256: 3129b84bf731a2348ea99a5d7e03c9b52993963a88607ad149b13b7cba499f19
  SHA512: b78ca39248267de920b270323134d354cabee4fc434f1ba216669d504ffdc5e2b7cd45d54e48f457cfc9afb4cc1a52d91a0523fa7899ea8f36324668c0bd5532