Analysis

max time kernel: 144s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-11-2022 08:44

Static task: static1
Behavioral task: behavioral1
  Sample: 573b0103956eb1c9f12e2a2adcc77846.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 573b0103956eb1c9f12e2a2adcc77846.exe
  Resource: win10v2004-20220901-en
General

Target: 573b0103956eb1c9f12e2a2adcc77846.exe
Size: 852KB
MD5: 573b0103956eb1c9f12e2a2adcc77846
SHA1: 50e9fd321b9b1f39b6430b01941562ba924e40c0
SHA256: 6c912191a6853ca9717c37053a4ab7014d6980e48d846a8c777e7ee056cf4a56
SHA512: ab26ac29ae7135cd6dcc5e95e6f9af290fadad9ab9afc87af60f38615a210a1a1d908d34e8796fe18108847b02cb51c1f6eb8f886237d1b0c8838edb5f4f9ef4
SSDEEP: 24576:OVwhMBsRpeiKuSbWY7XM970ZNmapxyJoyLJnM:OVw+XUSqH970Zwa1S
Malware Config

Extracted
Family: blustealer
C2: https://api.telegram.org/bot5450700540:AAEJyEEV8BKgYUKmnCPZxp19kD9GVSRup5M/sendMessage?chat_id=5422342474
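The extracted C2 is a Telegram Bot API endpoint: the path carries the bot id and the bot token, and the query string carries the chat the stolen data is posted to. The following is an added example (not part of the sandbox report) that parses such a URL into the pivots an analyst reuses (bot id, chat_id, API method) while keeping the token out of anything shared, and scans free-form log lines for any Telegram bot-API call. The proxy-log lines and the second bot id in them are constructed for illustration.

```python
"""Indicator extraction for a Telegram Bot API URL of the kind in the extracted config.

Added example, not part of the sandbox report.  The proxy-log lines below are
constructed; only the first URL comes from the report."""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Telegram bot-API paths look like /bot<bot_id>:<token>/<method>.
TELEGRAM_BOT_PATH = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<token>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)$"
)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


@dataclass(frozen=True)
class TelegramC2:
    bot_id: str
    token: str
    method: str
    chat_id: Optional[str]

    def redacted(self) -> str:
        """Hunt-safe form: bot id and chat id are stable pivots; the token is the
        secret that lets anyone read or hijack the bot, so it is not shared."""
        return f"bot{self.bot_id}:<token>/{self.method} chat_id={self.chat_id}"


def parse_telegram_c2(url: str) -> Optional[TelegramC2]:
    """Return the Telegram bot-API components of url, or None if it is not one."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.hostname != "api.telegram.org":
        return None
    m = TELEGRAM_BOT_PATH.match(parts.path)
    if m is None:
        return None
    chat_id = parse_qs(parts.query).get("chat_id", [None])[0]
    return TelegramC2(m["bot_id"], m["token"], m["method"], chat_id)


def find_telegram_c2(log_lines: List[str]) -> List[TelegramC2]:
    """Scan free-form log lines for Telegram bot-API URLs (any bot, any method)."""
    hits = []
    for line in log_lines:
        for url in URL_RE.findall(line):
            c2 = parse_telegram_c2(url)
            if c2 is not None:
                hits.append(c2)
    return hits


# Constructed proxy-log lines: the first carries the URL from the extracted
# config, the second a made-up bot uploading a file, the third is benign.
SAMPLE_PROXY_LOG = [
    "2022-11-14T08:45:01Z 10.0.0.5 POST https://api.telegram.org/bot5450700540:AAEJyEEV8BKgYUKmnCPZxp19kD9GVSRup5M/sendMessage?chat_id=5422342474 200",
    "2022-11-14T08:45:09Z 10.0.0.5 POST https://api.telegram.org/bot1234567890:EXAMPLEtokenEXAMPLEtokenEXAMPLEtok/sendDocument?chat_id=1 200",
    "2022-11-14T08:45:12Z 10.0.0.5 GET https://example.com/bot1:abc/sendMessage 200",
]

if __name__ == "__main__":
    for hit in find_telegram_c2(SAMPLE_PROXY_LOG):
        print(hit.redacted())
```

Matching on the host plus the `/bot<id>:<token>/` path shape rather than on this one token catches the next build of the stealer with a rotated bot, and keeping the token out of the redacted form avoids leaking a credential that would let a third party read the attacker's channel.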
Signatures

BluStealer
A modular information stealer written in Visual Basic.

Accesses Microsoft Outlook profiles  (1 TTP, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
These keys hold Outlook (MAPI) profile data, including mail account configuration. The signal is the process opening them: AppLaunch.exe, a .NET Framework host, not Outlook.

Suspicious use of SetThreadContext  (2 IoCs)
description | pid | Process | procid_target
PID 4864 set thread context of 956 | 4864 | 573b0103956eb1c9f12e2a2adcc77846.exe | 91
PID 956 set thread context of 3464 | 956 | 573b0103956eb1c9f12e2a2adcc77846.exe | 92

Enumerates physical storage devices  (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(The second sentence is the sandbox's generic text for this signature: this report records no file encryption, and for an information stealer drive enumeration more plausibly serves file collection.)

Script User-Agent  (1 IoC)
Uses user-agent string associated with script host/environment.
description | flow | ioc
HTTP User-Agent header | 42 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
This is the default User-Agent of the WinHttp.WinHttpRequest COM object, i.e. an HTTP request issued from VB or script code rather than from a browser.

Suspicious use of SetWindowsHookEx  (1 IoC)
pid | Process
956 | 573b0103956eb1c9f12e2a2adcc77846.exe

Suspicious use of WriteProcessMemory  (13 IoCs)
Each WriteProcessMemory call is logged as a separate IoC; the 13 rows collapse to two source/target pairs.
description | pid | Process | procid_target | calls
PID 4864 wrote to memory of 956 | 4864 | 573b0103956eb1c9f12e2a2adcc77846.exe | 91 | 8
PID 956 wrote to memory of 3464 | 956 | 573b0103956eb1c9f12e2a2adcc77846.exe | 92 | 5
Paired with the SetThreadContext IoCs above (same source and target PIDs), this is the write-memory-then-redirect-thread sequence characteristic of process hollowing.

outlook_office_path  (1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe

outlook_win_path  (1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
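The injection and registry signatures above are what a detection would key on: a source process that both writes a target's memory and replaces one of its thread contexts, chained from the sample through its own second instance into AppLaunch.exe, and Outlook profile keys opened by a process that is not Outlook. The following added example (not part of the sandbox report) runs that logic over event records transcribed from the IoC rows and the process tree. The allowlist of processes expected to read Outlook profiles is an assumption for illustration.

```python
"""Detection logic over the process-injection and registry events in the Signatures section.

Added example, not part of the sandbox report.  Event records are transcribed
from the report's IoC rows and process tree; the allowlist of processes that may
open Outlook profile keys is an assumption."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

SAMPLE = "573b0103956eb1c9f12e2a2adcc77846.exe"

# Process image by PID, from the Processes section.
PROCESSES: Dict[int, str] = {4864: SAMPLE, 956: SAMPLE, 3464: "AppLaunch.exe"}

# (event, source pid, target pid).  The sandbox logs every WriteProcessMemory
# call separately, so the counts are kept as in the report (8 and 5).
INJECTION_EVENTS: List[Tuple[str, int, int]] = (
    [("write_memory", 4864, 956)] * 8
    + [("set_thread_context", 4864, 956)]
    + [("write_memory", 956, 3464)] * 5
    + [("set_thread_context", 956, 3464)]
)

USER_HIVE = r"\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000"
PROFILE = r"\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"
# (pid, key) for the registry opens the report attributes to AppLaunch.exe.
REGISTRY_OPENS: List[Tuple[int, str]] = [
    (3464, USER_HIVE + r"\Software\Microsoft\Office\16.0\Outlook" + PROFILE),
    (3464, USER_HIVE + r"\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem" + PROFILE),
]

# MAPI profiles live under Office\<ver>\Outlook or the legacy Windows Messaging
# Subsystem path; the regex covers both, any Office version.
OUTLOOK_PROFILE_KEY = re.compile(
    r"\\Software\\Microsoft\\(Office\\\d+\.\d+\\Outlook"
    r"|Windows NT\\CurrentVersion\\Windows Messaging Subsystem)\\Profiles\\",
    re.IGNORECASE,
)
# Assumed allowlist: Outlook itself is the process expected to read its own profiles.
OUTLOOK_READERS = {"outlook.exe"}


def injection_pairs(events) -> List[Tuple[int, int]]:
    """(source, target) pairs where the source both wrote the target's memory and
    replaced a thread context: the WriteProcessMemory + SetThreadContext pair that
    hollowing needs, as opposed to either call alone (which many installers do)."""
    seen = defaultdict(set)
    for kind, src, dst in events:
        seen[(src, dst)].add(kind)
    return sorted(p for p, kinds in seen.items()
                  if {"write_memory", "set_thread_context"} <= kinds)


def hollowing_chains(events, processes) -> List[List[Tuple[int, str]]]:
    """Follow injection pairs from each root (a process nobody injected) to the
    final host (a process that is injected but injects no one)."""
    children = defaultdict(list)
    for src, dst in injection_pairs(events):
        children[src].append(dst)
    targets = {dst for dsts in children.values() for dst in dsts}
    roots = sorted(src for src in children if src not in targets)
    chains: List[List[Tuple[int, str]]] = []

    def walk(path):
        nxt = [d for d in children.get(path[-1], []) if d not in path]  # no cycles
        if not nxt:
            chains.append([(p, processes.get(p, "?")) for p in path])
        for d in nxt:
            walk(path + [d])

    for root in roots:
        walk([root])
    return chains


def unexpected_outlook_profile_reads(reg_opens, processes, allow=OUTLOOK_READERS):
    """Flag Outlook profile key opens by any process image not in the allowlist."""
    hits = []
    for pid, key in reg_opens:
        image = processes.get(pid, "?")
        if OUTLOOK_PROFILE_KEY.search(key) and image.lower() not in allow:
            hits.append((pid, image, key))
    return hits


if __name__ == "__main__":
    for chain in hollowing_chains(INJECTION_EVENTS, PROCESSES):
        print(" -> ".join(f"{pid} {img}" for pid, img in chain))
    for pid, image, key in unexpected_outlook_profile_reads(REGISTRY_OPENS, PROCESSES):
        print(f"{image} ({pid}) opened {key}")
```

Requiring both calls for the same source/target pair is what keeps the rule from firing on debuggers and legitimate installers that use one of them; the chain output (sample -> second sample instance -> AppLaunch.exe) is the artefact to pivot on in EDR telemetry, and the registry check is only meaningful with the process image attached, which is why it takes the PID-to-image map rather than the key path alone.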
Processes

1. C:\Users\Admin\AppData\Local\Temp\573b0103956eb1c9f12e2a2adcc77846.exe  (PID 4864)
   command line: "C:\Users\Admin\AppData\Local\Temp\573b0103956eb1c9f12e2a2adcc77846.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\573b0103956eb1c9f12e2a2adcc77846.exe  (PID 956, child of 4864)
      command line: "C:\Users\Admin\AppData\Local\Temp\573b0103956eb1c9f12e2a2adcc77846.exe"
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (PID 3464, child of 956)
         command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
         - Accesses Microsoft Outlook profiles
         - outlook_office_path
         - outlook_win_path

Read together with the WriteProcessMemory and SetThreadContext IoCs, the tree shows a two-stage hollowing: the sample re-launches itself (4864 -> 956) and injects into that copy, and the copy starts AppLaunch.exe (956 -> 3464), a legitimate .NET Framework binary, and injects into it. The Outlook profile access attributed to AppLaunch.exe is therefore the stealer's code running inside that hollowed process, not the genuine binary's behaviour.