Analysis
max time kernel: 126s
max time network: 63s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 30-11-2022 20:09
Static task: static1
Behavioral task: behavioral1
  Sample: RFQ.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: RFQ.exe
  Resource: win10v2004-20220901-en
General
Target: RFQ.exe
Size: 717KB
MD5: adfe5763366becc479e84b0b1269c8cc
SHA1: baf4764638d384e5075d453fad14ac0fd85f7790
SHA256: 0c2ab8c24c4c1d47f3c1417e5e0fd327336e9a88203e414b94b66e81fa45c316
SHA512: e20e62e8cc91b5c713950eef6a9164e649ea1e7c946a600c2e0ef472ee9face6cf675a3636a25a19d5dd8ef93e9b5dbb925584e9d2ed694af37deabad89b5c48
SSDEEP: 12288:YoqTTjquLI9jf5NsYdjsEjHnTB3IaBrB04sGNn/lBij2l0/eGRYpyuD8Iy/Je/XG:YoqD7kFRNxdjsEjzB37B04sGNn/lBijT
Malware Config
Extracted: blustealer
  https://api.telegram.org/bot5412597166:AAGUaWxuTxxhNb-NRhiURcTMzuW9nhGoEs/sendMessage?chat_id=932962718
Signatures
BluStealer
  A modular information stealer written in Visual Basic.
StormKitty
  StormKitty is an open source info stealer written in C#.
StormKitty payload (4 IoCs)
  resource / yara_rule:
  behavioral1/memory/1500-78-0x00000000000D0000-0x00000000000EA000-memory.dmp  family_stormkitty
  behavioral1/memory/1500-79-0x00000000000E4F6E-mapping.dmp  family_stormkitty
  behavioral1/memory/1500-81-0x00000000000D0000-0x00000000000EA000-memory.dmp  family_stormkitty
  behavioral1/memory/1500-83-0x00000000000D0000-0x00000000000EA000-memory.dmp  family_stormkitty
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  description / ioc / Process:
  Key opened  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  AppLaunch.exe
  Key opened  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  AppLaunch.exe
  Key opened  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  AppLaunch.exe
Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow / ioc:
  flow 4  icanhazip.com
Suspicious use of SetThreadContext (2 IoCs)
  description / pid / Process / procid_target:
  PID 1808 set thread context of 1744  1808 RFQ.exe  32
  PID 1744 set thread context of 1500  1744 RFQ.exe  33
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description / ioc / Process:
  Key opened  \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0  AppLaunch.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  AppLaunch.exe
Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid / Process:
  1360  schtasks.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid / Process:
  1808  RFQ.exe
  2020  powershell.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid / Process:
  1744  RFQ.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description / pid / Process:
  Token: SeDebugPrivilege  1808  RFQ.exe
  Token: SeDebugPrivilege  2020  powershell.exe
  Token: SeDebugPrivilege  1500  AppLaunch.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
  pid / Process:
  1744  RFQ.exe
Suspicious use of WriteProcessMemory (30 IoCs; identical events collapsed, count in parentheses)
  description / pid / Process / procid_target:
  PID 1808 wrote to memory of 2020  1808 RFQ.exe  27  (x4)
  PID 1808 wrote to memory of 1360  1808 RFQ.exe  29  (x4)
  PID 1808 wrote to memory of 588   1808 RFQ.exe  31  (x4)
  PID 1808 wrote to memory of 1744  1808 RFQ.exe  32  (x9)
  PID 1744 wrote to memory of 1500  1744 RFQ.exe  33  (x9)
outlook_office_path (1 IoCs)
  description / ioc / Process:
  Key opened  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  AppLaunch.exe
outlook_win_path (1 IoCs)
  description / ioc / Process:
  Key opened  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  AppLaunch.exe
Processes (process tree; indentation shows depth)

Level 1: C:\Users\Admin\AppData\Local\Temp\RFQ.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ.exe"
  PID: 1808
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\nUlGuWTjq.exe"
    PID: 2020
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  Level 2: C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nUlGuWTjq" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC331.tmp"
    PID: 1360
    - Creates scheduled task(s)

  Level 2: C:\Users\Admin\AppData\Local\Temp\RFQ.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ.exe"
    PID: 588

  Level 2: C:\Users\Admin\AppData\Local\Temp\RFQ.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ.exe"
    PID: 1744
    - Suspicious use of SetThreadContext
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      PID: 1500
      - Accesses Microsoft Outlook profiles
      - Checks processor information in registry
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 1KB
MD5: fb1a514eccfc8dd04e837acd63db95f0
SHA1: 023e9352f6d691c2e96fbe61ff7e71deb9876a3b
SHA256: df64dffe413c9f749fc30826f79a3a034eec101e3638202d488322f6deba0dac
SHA512: 17dc0b3d469d38b85cac2381069d4f1a420f486410c4f2d0ddabb2188f3b667b07ea02d6df738b8ac9814bd0c3f7b7be19cda51029afbb3559761be194e04b70