Analysis

max time kernel: 22s
max time network: 23s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 20-12-2022 23:15

Static task: static1
Behavioral task: behavioral1
  Sample: FACTURA.exe
  Resource: win10-20220812-en
General

Target: FACTURA.exe
Size: 164KB
MD5: ed569d6f146f9101293b60dee2e726f6
SHA1: 24a5c1579b090e1f8c9a5ff128f9545542fa8a69
SHA256: 7cde481029d0f331c932ffb79f04c8113ab6d5b36bbd4cc18f4c54b086910b58
SHA512: 36820914cd1605f058a97ecaf2ce5af808648a533abcbb3d5d567f9fc4978d6acc056d28eb629299785b6064481b74f760744c6d8acefb05d8ddb8de3edea974
SSDEEP: 3072:DGpmGTuaBefnv1TkuFDMyDGdV0j/uwmyJ+aXE/8brg0TKC0gDm6:qLuaQfv1TkuFDMyD6V0zusJRklI
Malware Config

Extracted
Family: blustealer
URL: https://api.telegram.org/bot5627356603:AAG-Mx0TbSHRRW6IwndrpX3VLZdhd6C-Zac/sendMessage?chat_id=5472437377
Signatures

BluStealer
A modular information stealer written in Visual Basic.

StormKitty
StormKitty is an open source info stealer written in C#.

StormKitty payload (2 IoCs)
resource                                                                       yara_rule
behavioral1/memory/4144-161-0x00000000009E0000-0x00000000009FA000-memory.dmp   family_stormkitty
behavioral1/memory/4144-162-0x00000000009F4F6E-mapping.dmp                     family_stormkitty

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow   ioc
1      icanhazip.com

Suspicious use of SetThreadContext (2 IoCs)
description                           pid    Process       procid_target
PID 5004 set thread context of 1924   5004   FACTURA.exe   66
PID 1924 set thread context of 4144   1924   Caspol.exe    67

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description         ioc                                                                          Process
Key opened          \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0             AppLaunch.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  AppLaunch.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description               pid    Process
Token: SeDebugPrivilege   4144   AppLaunch.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid    Process
1924   Caspol.exe

Suspicious use of WriteProcessMemory (13 IoCs)
description                        pid    Process       procid_target
PID 5004 wrote to memory of 1924   5004   FACTURA.exe   66
PID 5004 wrote to memory of 1924   5004   FACTURA.exe   66
PID 5004 wrote to memory of 1924   5004   FACTURA.exe   66
PID 5004 wrote to memory of 1924   5004   FACTURA.exe   66
PID 5004 wrote to memory of 1924   5004   FACTURA.exe   66
PID 5004 wrote to memory of 1924   5004   FACTURA.exe   66
PID 5004 wrote to memory of 1924   5004   FACTURA.exe   66
PID 5004 wrote to memory of 1924   5004   FACTURA.exe   66
PID 1924 wrote to memory of 4144   1924   Caspol.exe    67
PID 1924 wrote to memory of 4144   1924   Caspol.exe    67
PID 1924 wrote to memory of 4144   1924   Caspol.exe    67
PID 1924 wrote to memory of 4144   1924   Caspol.exe    67
PID 1924 wrote to memory of 4144   1924   Caspol.exe    67
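The SetThreadContext and WriteProcessMemory tables above, read together, describe a two-hop process-hollowing chain: the dropper writes into a freshly spawned Caspol.exe and resets its thread context, and the hollowed Caspol.exe then repeats the trick on AppLaunch.exe. The Python below is an added example (not part of this sandbox report and not vendor tooling) that parses those rows exactly as the report prints them, rebuilds the injection chain from the parent/target PIDs, and flags every write-then-SetThreadContext pair whose target is a Microsoft .NET framework utility. The PID-to-image mapping is copied from the Processes section; the list of .NET utilities treated as hollowing hosts is the example's own assumption, and the procid_target column is parsed but not used.

```python
"""Rebuild an injection chain from flattened sandbox behaviour rows.

Added example; it is not the sandbox's code. Input rows are the
SetThreadContext / WriteProcessMemory signature rows as printed in the
report: "PID <src> <verb> <dst> <src> <image> <procid_target>".
"""
import re
from collections import defaultdict

# Rows copied from the report. The WriteProcessMemory table lists the same
# row eight times for 5004->1924 and five times for 1924->4144.
SET_THREAD_CONTEXT_ROWS = """\
PID 5004 set thread context of 1924 5004 FACTURA.exe 66
PID 1924 set thread context of 4144 1924 Caspol.exe 67
"""
WRITE_PROCESS_MEMORY_ROWS = (
    "PID 5004 wrote to memory of 1924 5004 FACTURA.exe 66\n" * 8
    + "PID 1924 wrote to memory of 4144 1924 Caspol.exe 67\n" * 5
)

# PID -> image name, taken from the report's Processes tree.
PROCESS_TREE = {5004: "FACTURA.exe", 1924: "Caspol.exe", 4144: "AppLaunch.exe"}

# Assumption of this example: signed .NET framework utilities under
# C:\Windows that are routinely abused as hollowing hosts.
NET_HOLLOWING_HOSTS = {
    "applaunch.exe", "caspol.exe", "regasm.exe", "regsvcs.exe",
    "installutil.exe", "msbuild.exe", "csc.exe", "vbc.exe",
    "aspnet_compiler.exe",
}

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<proc>\S+) (?P<target_idx>\d+)$"
)


def parse_rows(text):
    """Yield (src_pid, dst_pid, src_image, verb) for every non-empty row."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised behaviour row: {line!r}")
        yield int(m["src"]), int(m["dst"]), m["proc"], m["verb"]


def build_edges(stc_text, wpm_text):
    """Aggregate per (src, dst): how many writes, and whether a context reset followed."""
    edges = defaultdict(lambda: {"writes": 0, "set_context": False})
    names = dict(PROCESS_TREE)
    rows = list(parse_rows(wpm_text)) + list(parse_rows(stc_text))
    for src, dst, proc, verb in rows:
        names[src] = proc  # the 'Process' column names the writing process
        edge = edges[(src, dst)]
        if verb.startswith("wrote"):
            edge["writes"] += 1
        else:
            edge["set_context"] = True
    return edges, names


def hollowing_findings(stc_text, wpm_text):
    """Edges with memory writes AND a SetThreadContext into a .NET host binary."""
    edges, names = build_edges(stc_text, wpm_text)
    findings = []
    for (src, dst), edge in sorted(edges.items()):
        dst_name = names.get(dst, "?")
        if edge["writes"] and edge["set_context"] and dst_name.lower() in NET_HOLLOWING_HOSTS:
            findings.append({
                "source": f"{names.get(src, '?')} ({src})",
                "target": f"{dst_name} ({dst})",
                "writes": edge["writes"],
            })
    return findings


def injection_chain(stc_text, wpm_text):
    """Follow edges from roots (PIDs never written to) down to the leaves."""
    edges, names = build_edges(stc_text, wpm_text)
    children, targets = defaultdict(list), set()
    for src, dst in edges:
        children[src].append(dst)
        targets.add(dst)

    def walk(pid):
        label = f"{names.get(pid, '?')} ({pid})"
        kids = sorted(children.get(pid, []))
        return label if not kids else label + " -> " + " | ".join(walk(k) for k in kids)

    return [walk(root) for root in sorted(set(children) - targets)]


if __name__ == "__main__":
    for chain in injection_chain(SET_THREAD_CONTEXT_ROWS, WRITE_PROCESS_MEMORY_ROWS):
        print("injection chain:", chain)
    for f in hollowing_findings(SET_THREAD_CONTEXT_ROWS, WRITE_PROCESS_MEMORY_ROWS):
        print(f"hollowing: {f['source']} -> {f['target']} "
              f"({f['writes']} writes, then SetThreadContext)")
```

Run it as a script and it prints the single chain FACTURA.exe (5004) -> Caspol.exe (1924) -> AppLaunch.exe (4144) followed by the two hollowing findings. The part worth carrying into an endpoint query is the pairing, not either call on its own: a process that both writes into a child it just created and resets that child's primary thread context, where the child is a signed framework utility that has no legitimate reason to receive foreign code.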
Processes

1. C:\Users\Admin\AppData\Local\Temp\FACTURA.exe (PID 5004)
   command line: "C:\Users\Admin\AppData\Local\Temp\FACTURA.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe (PID 1924)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 4144)
         command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
         - Checks processor information in registry
         - Suspicious use of AdjustPrivilegeToken