Analysis
-
max time kernel
63s -
max time network
52s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
30-11-2022 06:42
Static task
static1
Behavioral task
behavioral1
Sample
Order Request.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
Order Request.exe
Resource
win10v2004-20220812-en
General
-
Target
Order Request.exe
-
Size
1.0MB
-
MD5
0751cb9453ccc6d6576c8e6583e8e8df
-
SHA1
c78f7efa2c57394097eca6c222f52dc6c5169515
-
SHA256
6f6927018a479ebbb860f5010a88d14ddaa2c64756e06ba9f0326ca15462b4e4
-
SHA512
ca93c74695ffc078236a868dfa8fdbaeec4af0cf3075377390aa6533c0fc4944aa0ac62fbe20cc7e2eaba1581cfbc48adcdac554ccefb4ce700dd4f803f7a35a
-
SSDEEP
24576:vZqB/XCxqrTElFByv3DCYlWSGHsGoR4Dq:GX5nE+3DCYlWSGMJ4+
Malware Config
Extracted
blustealer
https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325
Signatures
-
BluStealer
A Modular information stealer written in Visual Basic.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1460 set thread context of 1344 1460 Order Request.exe 28 PID 1344 set thread context of 1120 1344 Order Request.exe 29 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1460 Order Request.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1460 Order Request.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1344 Order Request.exe -
Suspicious use of WriteProcessMemory 22 IoCs
description pid Process procid_target PID 1460 wrote to memory of 828 1460 Order Request.exe 27 PID 1460 wrote to memory of 828 1460 Order Request.exe 27 PID 1460 wrote to memory of 828 1460 Order Request.exe 27 PID 1460 wrote to memory of 828 1460 Order Request.exe 27 PID 1460 wrote to memory of 1344 1460 Order Request.exe 28 PID 1460 wrote to memory of 1344 1460 Order Request.exe 28 PID 1460 wrote to memory of 1344 1460 Order Request.exe 28 PID 1460 wrote to memory of 1344 1460 Order Request.exe 28 PID 1460 wrote to memory of 1344 1460 Order Request.exe 28 PID 1460 wrote to memory of 1344 1460 Order Request.exe 28 PID 1460 wrote to memory of 1344 1460 Order Request.exe 28 PID 1460 wrote to memory of 1344 1460 Order Request.exe 28 PID 1460 wrote to memory of 1344 1460 Order Request.exe 28 PID 1344 wrote to memory of 1120 1344 Order Request.exe 29 PID 1344 wrote to memory of 1120 1344 Order Request.exe 29 PID 1344 wrote to memory of 1120 1344 Order Request.exe 29 PID 1344 wrote to memory of 1120 1344 Order Request.exe 29 PID 1344 wrote to memory of 1120 1344 Order Request.exe 29 PID 1344 wrote to memory of 1120 1344 Order Request.exe 29 PID 1344 wrote to memory of 1120 1344 Order Request.exe 29 PID 1344 wrote to memory of 1120 1344 Order Request.exe 29 PID 1344 wrote to memory of 1120 1344 Order Request.exe 29 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Order Request.exe"C:\Users\Admin\AppData\Local\Temp\Order Request.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Users\Admin\AppData\Local\Temp\Order Request.exe"C:\Users\Admin\AppData\Local\Temp\Order Request.exe"2⤵PID:828
-
-
C:\Users\Admin\AppData\Local\Temp\Order Request.exe"C:\Users\Admin\AppData\Local\Temp\Order Request.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1344 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe3⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:1120
-
-