Analysis
-
max time kernel
150s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
20-12-2022 06:45
Static task
static1
Behavioral task
behavioral1
Sample
FACTURA.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
FACTURA.exe
Resource
win10v2004-20220901-en
General
-
Target
FACTURA.exe
-
Size
164KB
-
MD5
ed569d6f146f9101293b60dee2e726f6
-
SHA1
24a5c1579b090e1f8c9a5ff128f9545542fa8a69
-
SHA256
7cde481029d0f331c932ffb79f04c8113ab6d5b36bbd4cc18f4c54b086910b58
-
SHA512
36820914cd1605f058a97ecaf2ce5af808648a533abcbb3d5d567f9fc4978d6acc056d28eb629299785b6064481b74f760744c6d8acefb05d8ddb8de3edea974
-
SSDEEP
3072:DGpmGTuaBefnv1TkuFDMyDGdV0j/uwmyJ+aXE/8brg0TKC0gDm6:qLuaQfv1TkuFDMyD6V0zusJRklI
Malware Config
Extracted
blustealer
https://api.telegram.org/bot5627356603:AAG-Mx0TbSHRRW6IwndrpX3VLZdhd6C-Zac/sendMessage?chat_id=5472437377
Signatures
-
BluStealer
A Modular information stealer written in Visual Basic.
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
resource yara_rule behavioral2/memory/804-141-0x0000000000900000-0x000000000091A000-memory.dmp family_stormkitty -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 18 icanhazip.com -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 4564 set thread context of 3036 4564 FACTURA.exe 84 PID 3036 set thread context of 804 3036 Caspol.exe 85 -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 AppLaunch.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier AppLaunch.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 804 AppLaunch.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3036 Caspol.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 4564 wrote to memory of 3036 4564 FACTURA.exe 84 PID 4564 wrote to memory of 3036 4564 FACTURA.exe 84 PID 4564 wrote to memory of 3036 4564 FACTURA.exe 84 PID 4564 wrote to memory of 3036 4564 FACTURA.exe 84 PID 4564 wrote to memory of 3036 4564 FACTURA.exe 84 PID 4564 wrote to memory of 3036 4564 FACTURA.exe 84 PID 4564 wrote to memory of 3036 4564 FACTURA.exe 84 PID 4564 wrote to memory of 3036 4564 FACTURA.exe 84 PID 3036 wrote to memory of 804 3036 Caspol.exe 85 PID 3036 wrote to memory of 804 3036 Caspol.exe 85 PID 3036 wrote to memory of 804 3036 Caspol.exe 85 PID 3036 wrote to memory of 804 3036 Caspol.exe 85 PID 3036 wrote to memory of 804 3036 Caspol.exe 85 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\FACTURA.exe"C:\Users\Admin\AppData\Local\Temp\FACTURA.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4564 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe3⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:804
-
-