Analysis
max time kernel: 36s
max time network: 41s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 11-12-2022 00:19
Static task: static1
Behavioral task: behavioral1
  Sample: 4c1286920e0fbb0e4269f4b64ec6ca052076414a24af72f2e1a82f516a21bf52.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 4c1286920e0fbb0e4269f4b64ec6ca052076414a24af72f2e1a82f516a21bf52.exe
  Resource: win10v2004-20220901-en
General
Target: 4c1286920e0fbb0e4269f4b64ec6ca052076414a24af72f2e1a82f516a21bf52.exe
Size: 567KB
MD5: 671f6fa2476117ebabadfbbabe5a4009
SHA1: 92269b2ad71e7cac4eff7dc810f2989b93ac74b0
SHA256: 4c1286920e0fbb0e4269f4b64ec6ca052076414a24af72f2e1a82f516a21bf52
SHA512: 0c0d8177803158ccceca3526405f40e4e29af5ed049dda12818d97357b3cee63f8bd804cdf2df346c1022069c6960b7b596ed2f55e23264dfd790bdc3d75eac0
SSDEEP: 12288:VYIFRHhMwBPAsS6l6y1HcjhgEbXFRcEHvhI52:VzFRBosSSFNaXFRc0hQ2
Malware Config
Extracted family: blustealer
Extracted URL: https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325
Signatures

BluStealer
A modular information stealer written in Visual Basic.

Executes dropped EXE (2 IoCs)
PID 1284 qwrabc.exe
PID 304 qwrabc.exe

Loads dropped DLL (2 IoCs)
PID 1348 4c1286920e0fbb0e4269f4b64ec6ca052076414a24af72f2e1a82f516a21bf52.exe
PID 1284 qwrabc.exe

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Key opened by AppLaunch.exe: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Key opened by AppLaunch.exe: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Key opened by AppLaunch.exe: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Suspicious use of SetThreadContext (2 IoCs)
PID 1284 (qwrabc.exe) set thread context of PID 304, procid_target 27
PID 304 (qwrabc.exe) set thread context of PID 736, procid_target 28

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: MapViewOfSection (1 IoC)
PID 1284 qwrabc.exe

Suspicious use of SetWindowsHookEx (1 IoC)
PID 304 qwrabc.exe

Suspicious use of WriteProcessMemory (18 IoCs)
PID 1348 (4c1286920e0fbb0e4269f4b64ec6ca052076414a24af72f2e1a82f516a21bf52.exe) wrote to memory of PID 1284, procid_target 26 (4 events)
PID 1284 (qwrabc.exe) wrote to memory of PID 304, procid_target 27 (5 events)
PID 304 (qwrabc.exe) wrote to memory of PID 736, procid_target 28 (9 events)

outlook_office_path (1 IoC)
Key opened by AppLaunch.exe: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

outlook_win_path (1 IoC)
Key opened by AppLaunch.exe: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes (process tree, indented by depth)

C:\Users\Admin\AppData\Local\Temp\4c1286920e0fbb0e4269f4b64ec6ca052076414a24af72f2e1a82f516a21bf52.exe (PID 1348)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4c1286920e0fbb0e4269f4b64ec6ca052076414a24af72f2e1a82f516a21bf52.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\qwrabc.exe (PID 1284)
    Command line: "C:\Users\Admin\AppData\Local\Temp\qwrabc.exe" C:\Users\Admin\AppData\Local\Temp\yjsfxmkgy.x
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\qwrabc.exe (PID 304)
      Command line: "C:\Users\Admin\AppData\Local\Temp\qwrabc.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 736)
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        - Accesses Microsoft Outlook profiles
        - outlook_office_path
        - outlook_win_path