Analysis
-
max time kernel
188s -
max time network
194s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
29-11-2022 08:23
Static task
static1
Behavioral task
behavioral1
Sample
PEDIDO NOVIEMBRE_29-11-22.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
PEDIDO NOVIEMBRE_29-11-22.exe
Resource
win10v2004-20221111-en
General
-
Target
PEDIDO NOVIEMBRE_29-11-22.exe
-
Size
152KB
-
MD5
d0d391c303b24cbd513b9ebae7a6b129
-
SHA1
c157d3d7e445dc82b60c354f8f2e098b55c7f162
-
SHA256
f483db634b30a9f6bc88ff71dbddcf9f7b3fdca4de047386415da681b5e35685
-
SHA512
a490ea7260abd922cfc5b00c3b9b0b59e66ab34bd37a8e77650782b7943b40cbee28f0eb3a1317379fb30accbb6c6af1fc8511a961f243cffa80404fbb3aea48
-
SSDEEP
3072:E3rXF6PQysW7XnXifYO1FL7/52Df/vIAwtkBXf6DVqb:YXFvLWXIHfL7/52Df/ANkBXf6
Malware Config
Extracted
blustealer
https://api.telegram.org/bot5627356603:AAG-Mx0TbSHRRW6IwndrpX3VLZdhd6C-Zac/sendMessage?chat_id=5472437377
Signatures
-
BluStealer
A Modular information stealer written in Visual Basic.
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
resource yara_rule behavioral2/memory/2556-142-0x0000000000170000-0x000000000018A000-memory.dmp family_stormkitty -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 98 icanhazip.com -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 4076 set thread context of 3588 4076 PEDIDO NOVIEMBRE_29-11-22.exe 82 PID 3588 set thread context of 2556 3588 Regsvcs.exe 83 -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 AppLaunch.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier AppLaunch.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2556 AppLaunch.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3588 Regsvcs.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 4076 wrote to memory of 3588 4076 PEDIDO NOVIEMBRE_29-11-22.exe 82 PID 4076 wrote to memory of 3588 4076 PEDIDO NOVIEMBRE_29-11-22.exe 82 PID 4076 wrote to memory of 3588 4076 PEDIDO NOVIEMBRE_29-11-22.exe 82 PID 4076 wrote to memory of 3588 4076 PEDIDO NOVIEMBRE_29-11-22.exe 82 PID 4076 wrote to memory of 3588 4076 PEDIDO NOVIEMBRE_29-11-22.exe 82 PID 4076 wrote to memory of 3588 4076 PEDIDO NOVIEMBRE_29-11-22.exe 82 PID 4076 wrote to memory of 3588 4076 PEDIDO NOVIEMBRE_29-11-22.exe 82 PID 4076 wrote to memory of 3588 4076 PEDIDO NOVIEMBRE_29-11-22.exe 82 PID 3588 wrote to memory of 2556 3588 Regsvcs.exe 83 PID 3588 wrote to memory of 2556 3588 Regsvcs.exe 83 PID 3588 wrote to memory of 2556 3588 Regsvcs.exe 83 PID 3588 wrote to memory of 2556 3588 Regsvcs.exe 83 PID 3588 wrote to memory of 2556 3588 Regsvcs.exe 83 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\PEDIDO NOVIEMBRE_29-11-22.exe"C:\Users\Admin\AppData\Local\Temp\PEDIDO NOVIEMBRE_29-11-22.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4076 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regsvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regsvcs.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3588 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe3⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2556
-
-