Analysis
max time kernel: 66s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 14-11-2022 08:44
Static task: static1
Behavioral task: behavioral1
  Sample: 573b0103956eb1c9f12e2a2adcc77846.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 573b0103956eb1c9f12e2a2adcc77846.exe
  Resource: win10v2004-20220901-en
General
Target: 573b0103956eb1c9f12e2a2adcc77846.exe
Size: 852KB
MD5: 573b0103956eb1c9f12e2a2adcc77846
SHA1: 50e9fd321b9b1f39b6430b01941562ba924e40c0
SHA256: 6c912191a6853ca9717c37053a4ab7014d6980e48d846a8c777e7ee056cf4a56
SHA512: ab26ac29ae7135cd6dcc5e95e6f9af290fadad9ab9afc87af60f38615a210a1a1d908d34e8796fe18108847b02cb51c1f6eb8f886237d1b0c8838edb5f4f9ef4
SSDEEP: 24576:OVwhMBsRpeiKuSbWY7XM970ZNmapxyJoyLJnM:OVw+XUSqH970Zwa1S
Malware Config
Extracted
Family: blustealer
C2: https://api.telegram.org/bot5450700540:AAEJyEEV8BKgYUKmnCPZxp19kD9GVSRup5M/sendMessage?chat_id=5422342474
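The extracted configuration is a Telegram Bot API call: exfiltration goes to api.telegram.org, which blends into legitimate traffic, so the indicators worth acting on are the bot id in the URL path and the chat_id, not the host. The Python below turns the C2 URL from this report into a parsed record, a defanged form for write-ups (with the token secret redacted) and a path prefix to hunt for in proxy or EDR telemetry. It is an added example, not the sandbox's own code; the token-length floor in the regex and the indicator field names are this example's own assumptions.

```python
"""Turn the Telegram Bot API URL extracted from this BluStealer sample into
indicators for blocking, hunting and abuse reporting.

Added example for this report; it is not the sandbox's own code."""
import re
from urllib.parse import parse_qs, urlsplit

# C2 URL exactly as extracted in the Malware Config section of the report.
C2_URL = ("https://api.telegram.org/bot5450700540:AAEJyEEV8BKgYUKmnCPZxp19kD9GVSRup5M"
          "/sendMessage?chat_id=5422342474")

# Bot API path segment: "bot" + numeric bot id + ":" + secret. The 30+ length
# floor is an assumption based on tokens seen in the wild, not a Telegram spec.
_TOKEN_RE = re.compile(r"^bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})$")


def parse_telegram_c2(url: str) -> dict:
    """Split a Bot API URL into host, bot id, full token, method and chat_id.

    Raises ValueError for anything not shaped like a Bot API call, so a caller
    looping over extracted config strings can skip non-Telegram C2."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.hostname != "api.telegram.org":
        raise ValueError("not a Telegram Bot API URL")
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) != 2:
        raise ValueError("unexpected Bot API path layout")
    m = _TOKEN_RE.match(segments[0])
    if m is None:
        raise ValueError("no bot token in path")
    query = parse_qs(parts.query)
    return {
        "host": parts.hostname,
        "bot_id": int(m.group("bot_id")),
        "token": f"{m.group('bot_id')}:{m.group('secret')}",
        "method": segments[1],
        "chat_id": query.get("chat_id", [None])[0],
    }


def defang_c2(url: str) -> str:
    """Defang for a report: hxxps scheme, bracketed host dots, and the token
    secret redacted so the report itself does not carry a usable token."""
    parts = urlsplit(url)
    scheme = {"https": "hxxps", "http": "hxxp"}.get(parts.scheme, parts.scheme)
    host = parts.hostname.replace(".", "[.]")
    path = re.sub(r"(/bot\d+):[A-Za-z0-9_-]+", r"\1:<redacted>", parts.path)
    return f"{scheme}://{host}{path}" + (f"?{parts.query}" if parts.query else "")


def indicators(url: str) -> dict:
    """Indicators a responder acts on: the defanged URL for the report, a path
    prefix to hunt for (the host alone is legitimate traffic; the bot id
    narrows it to this operator), the chat_id, and the bot id to cite when
    reporting the bot to Telegram."""
    parsed = parse_telegram_c2(url)
    return {
        "defanged": defang_c2(url),
        "hunt_path_prefix": f"/bot{parsed['bot_id']}:",
        "chat_id": parsed["chat_id"],
        "bot_id": parsed["bot_id"],
    }


if __name__ == "__main__":
    for key, value in indicators(C2_URL).items():
        print(f"{key}: {value}")
```

Hunting on the host alone will flood on any network where Telegram is allowed; the `/bot<id>:` prefix in the request path, combined with a non-browser originating process, is what separates this sample's traffic from user activity.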
Signatures
BluStealer
A modular information stealer written in Visual Basic.

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 1088 set thread context of 940 | 1088 | 573b0103956eb1c9f12e2a2adcc77846.exe | 27
PID 940 set thread context of 2032 | 940 | 573b0103956eb1c9f12e2a2adcc77846.exe | 28
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox tags this heuristic as likely ransomware behaviour; in an information stealer the same activity is equally consistent with enumerating drives to locate files worth collecting, so read it alongside the BluStealer and Outlook signatures rather than as evidence of encryption.
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
940 | 573b0103956eb1c9f12e2a2adcc77846.exe
Suspicious use of WriteProcessMemory 18 IoCs
description | pid | Process | procid_target | count
PID 1088 wrote to memory of 940 | 1088 | 573b0103956eb1c9f12e2a2adcc77846.exe | 27 | 9 events
PID 940 wrote to memory of 2032 | 940 | 573b0103956eb1c9f12e2a2adcc77846.exe | 28 | 9 events
outlook_office_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe

outlook_win_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\573b0103956eb1c9f12e2a2adcc77846.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\573b0103956eb1c9f12e2a2adcc77846.exe"
   PID: 1088
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\573b0103956eb1c9f12e2a2adcc77846.exe (child of PID 1088)
      Command line: "C:\Users\Admin\AppData\Local\Temp\573b0103956eb1c9f12e2a2adcc77846.exe"
      PID: 940
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (child of PID 940)
         Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
         PID: 2032
         - Accesses Microsoft Outlook profiles
         - outlook_office_path
         - outlook_win_path
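The signature tables and the process tree together describe a two-hop chain: the sample writes into a second copy of itself and redirects that copy's thread, the second copy does the same to the signed .NET loader AppLaunch.exe, and it is the hollowed AppLaunch.exe that then opens the Outlook profile keys where account settings live. The Python below reconstructs that chain from the report's own events and flags the Outlook access, as detection logic a responder could reuse over EDR telemetry with the same event shapes. It is an added example, not code from the sandbox or the sample; the hollowing-host list, the assumed ordering of writes before SetThreadContext, and the verdict wording are this example's own assumptions.

```python
"""Reconstruct the injection chain and credential-store access from the
process and signature tables of this report.

Added example built on the events the report lists; not code from the
sandbox or the sample. Host list, event ordering and verdict wording are
this example's assumptions."""
from collections import defaultdict

# Image per PID, taken from the Processes tree in the report.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\573b0103956eb1c9f12e2a2adcc77846.exe"
IMAGES = {
    1088: SAMPLE,
    940: SAMPLE,
    2032: r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
}

# (event, source pid, target pid). Counts are the report's (9 WriteProcessMemory
# IoCs per hop); the ordering (writes first, then the thread-context change) is
# assumed, since that is the order a hollowing loader emits them.
EVENTS = (
    [("write_process_memory", 1088, 940)] * 9
    + [("set_thread_context", 1088, 940)]
    + [("write_process_memory", 940, 2032)] * 9
    + [("set_thread_context", 940, 2032)]
)

# (pid, registry key) from the "Accesses Microsoft Outlook profiles" signature.
_PROFILES = r"\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft"
REG_OPENS = [
    (2032, _PROFILES + r"\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    (2032, _PROFILES + r"\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    (2032, _PROFILES + r"\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
]

# Signed .NET utilities that stealers commonly hollow (assumed list for this example).
NET_HOLLOW_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}
# Substrings identifying Outlook profile storage (account settings and stored credentials).
OUTLOOK_PROFILE_MARKERS = ("\\outlook\\profiles\\", "\\windows messaging subsystem\\profiles\\")


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_injection_chains(images, events):
    """Pair each SetThreadContext with the WriteProcessMemory calls that
    preceded it into the same target, and classify the hop."""
    writes = defaultdict(int)
    findings = []
    for kind, src, dst in events:
        if kind == "write_process_memory":
            writes[(src, dst)] += 1
            continue
        if kind != "set_thread_context" or writes[(src, dst)] == 0:
            continue  # context change with no prior writes: not the hollowing pattern
        src_img, dst_img = images[src], images[dst]
        if src_img.lower() == dst_img.lower():
            verdict = "self-injection: unpacked payload placed in a fresh copy of the sample"
        elif _base(dst_img) in NET_HOLLOW_HOSTS:
            verdict = "process hollowing into a signed .NET host"
        else:
            verdict = "injection into an unrelated process"
        findings.append({"src": src, "dst": dst, "writes": writes[(src, dst)], "verdict": verdict})
    return findings


def find_outlook_profile_access(images, reg_opens):
    """Flag any process other than outlook.exe opening Outlook profile keys."""
    hits = []
    for pid, key in reg_opens:
        low = key.lower()
        if any(marker in low for marker in OUTLOOK_PROFILE_MARKERS) and _base(images[pid]) != "outlook.exe":
            hits.append((pid, _base(images[pid]), key))
    return hits


def triage_lines(images, events, reg_opens):
    """One line per finding, in execution order, for a triage note."""
    lines = [f"{c['src']} {_base(images[c['src']])} -> {c['dst']} {_base(images[c['dst']])}: "
             f"{c['writes']} writes then SetThreadContext; {c['verdict']}"
             for c in find_injection_chains(images, events)]
    lines += [f"{pid} {img} opened Outlook profile key {key}"
              for pid, img, key in find_outlook_profile_access(images, reg_opens)]
    return lines


if __name__ == "__main__":
    print("\n".join(triage_lines(IMAGES, EVENTS, REG_OPENS)))
```

The two checks are deliberately separate: the injection pairing fires on any loader that stages through a copy of itself into a Microsoft-signed host, while the profile check fires on the behaviour the stealer needs regardless of how it got into AppLaunch.exe, so each survives the other being evaded.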