Analysis
max time kernel: 69s
max time network: 34s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64 arch:x86 image:win7-20221111-en locale:en-us os:windows7-x64 system
submitted: 22-11-2022 05:31
Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Trojan.Packed2.44634.20056.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.Trojan.Packed2.44634.20056.exe
  Resource: win10v2004-20221111-en
General
Target: SecuriteInfo.com.Trojan.Packed2.44634.20056.exe
Size: 1.2MB
MD5: 7f7ef456450f254a7bbb162af495a3d2
SHA1: b957c8cc73f9cc83cf1519a628b2f8382d52befc
SHA256: 02a4055e2fce4b14d2a07f2625c2329309c01dea5499294405ca78e1d800bd78
SHA512: a481c5de7cf000d30f6a28d4f8d6712295d6de062f64722ff264b423ae37d55dafba35676d63ed4ee68e465c1ce39082e4e48ad960f31a072d6c77f94bd731c6
SSDEEP: 24576:wM+L74mBfNUstzoh04C14jT7cIxSFD075acQrFclsFVTJWR22n8W5enV3mmb3r8n:f+ejTBC05lQrF6sFVTJkj8W5enV3mOI
Malware Config
Extracted
blustealer
https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325
Signatures

BluStealer
  A modular information stealer written in Visual Basic.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe

Suspicious use of SetThreadContext (2 IoCs)
  description | pid | process | procid_target
  PID 1628 set thread context of 692 | 1628 | SecuriteInfo.com.Trojan.Packed2.44634.20056.exe | 28
  PID 692 set thread context of 1320 | 692 | SecuriteInfo.com.Trojan.Packed2.44634.20056.exe | 29

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of SetWindowsHookEx (1 IoC)
  pid | process
  692 | SecuriteInfo.com.Trojan.Packed2.44634.20056.exe

Suspicious use of WriteProcessMemory (18 IoCs)
  description | pid | process | procid_target
  PID 1628 wrote to memory of 692 | 1628 | SecuriteInfo.com.Trojan.Packed2.44634.20056.exe | 28   (9 identical entries)
  PID 692 wrote to memory of 1320 | 692 | SecuriteInfo.com.Trojan.Packed2.44634.20056.exe | 29   (9 identical entries)

outlook_office_path (1 IoC)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe

outlook_win_path (1 IoC)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Packed2.44634.20056.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Packed2.44634.20056.exe"
  PID: 1628
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Child process:
  C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Packed2.44634.20056.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Packed2.44634.20056.exe"
    PID: 692
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Child process:
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      PID: 1320
      - Accesses Microsoft Outlook profiles
      - outlook_office_path
      - outlook_win_path