Analysis
-
max time kernel
150s -
max time network
69s -
platform
windows10-1703_x64 -
resource
win10-20220901-en -
resource tags
arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system -
submitted
15-11-2022 06:53
Static task
static1
Behavioral task
behavioral1
Sample
e04cc67c75ffcb323f8136e7b09e75c376d548d02410172aecc3ad6c5a5164af.exe
Resource
win10-20220901-en
General
-
Target
e04cc67c75ffcb323f8136e7b09e75c376d548d02410172aecc3ad6c5a5164af.exe
-
Size
178KB
-
MD5
4c70eb5f963f1f34e85c715ad58bb063
-
SHA1
819265e5c7fd3620bf3ad5c369a03cf9943a08a2
-
SHA256
e04cc67c75ffcb323f8136e7b09e75c376d548d02410172aecc3ad6c5a5164af
-
SHA512
85a9bec38ee3754f0b79c242cadf76f2e47b0adfcf7ae2349a98f99ef610db9fec6a33ad79ffeb53966d7f83b17694219f54e77f5d28be7e7843622be59643fc
-
SSDEEP
3072:1/lOLu9UAiTABwneV62r2w+E9gw8GNz2Lx0+mUXfkWwJa:1dOy9UAiTABMe82IEGCN6Zfk
Malware Config
Extracted
blustealer
https://api.telegram.org/bot5627356603:AAG-Mx0TbSHRRW6IwndrpX3VLZdhd6C-Zac/sendMessage?chat_id=5472437377
Signatures
-
BluStealer
A Modular information stealer written in Visual Basic.
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 2 IoCs
resource yara_rule behavioral1/memory/3060-214-0x0000000005144F6E-mapping.dmp family_stormkitty behavioral1/memory/3060-250-0x0000000005130000-0x000000000514A000-memory.dmp family_stormkitty -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 1 icanhazip.com -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 4740 set thread context of 2504 4740 e04cc67c75ffcb323f8136e7b09e75c376d548d02410172aecc3ad6c5a5164af.exe 51 PID 2504 set thread context of 3060 2504 regsvcs.exe 67 -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 AppLaunch.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier AppLaunch.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3060 AppLaunch.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2504 regsvcs.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 4740 wrote to memory of 2504 4740 e04cc67c75ffcb323f8136e7b09e75c376d548d02410172aecc3ad6c5a5164af.exe 51 PID 4740 wrote to memory of 2504 4740 e04cc67c75ffcb323f8136e7b09e75c376d548d02410172aecc3ad6c5a5164af.exe 51 PID 4740 wrote to memory of 2504 4740 e04cc67c75ffcb323f8136e7b09e75c376d548d02410172aecc3ad6c5a5164af.exe 51 PID 4740 wrote to memory of 2504 4740 e04cc67c75ffcb323f8136e7b09e75c376d548d02410172aecc3ad6c5a5164af.exe 51 PID 4740 wrote to memory of 2504 4740 e04cc67c75ffcb323f8136e7b09e75c376d548d02410172aecc3ad6c5a5164af.exe 51 PID 4740 wrote to memory of 2504 4740 e04cc67c75ffcb323f8136e7b09e75c376d548d02410172aecc3ad6c5a5164af.exe 51 PID 4740 wrote to memory of 2504 4740 e04cc67c75ffcb323f8136e7b09e75c376d548d02410172aecc3ad6c5a5164af.exe 51 PID 4740 wrote to memory of 2504 4740 e04cc67c75ffcb323f8136e7b09e75c376d548d02410172aecc3ad6c5a5164af.exe 51 PID 2504 wrote to memory of 3060 2504 regsvcs.exe 67 PID 2504 wrote to memory of 3060 2504 regsvcs.exe 67 PID 2504 wrote to memory of 3060 2504 regsvcs.exe 67 PID 2504 wrote to memory of 3060 2504 regsvcs.exe 67 PID 2504 wrote to memory of 3060 2504 regsvcs.exe 67 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e04cc67c75ffcb323f8136e7b09e75c376d548d02410172aecc3ad6c5a5164af.exe"C:\Users\Admin\AppData\Local\Temp\e04cc67c75ffcb323f8136e7b09e75c376d548d02410172aecc3ad6c5a5164af.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4740 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe3⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3060
-
-