Analysis
-
max time kernel
57s -
max time network
30s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
21-12-2022 14:26
Static task
static1
Behavioral task
behavioral1
Sample
Invoice and packing list.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
Invoice and packing list.exe
Resource
win10v2004-20220901-en
General
-
Target
Invoice and packing list.exe
-
Size
911KB
-
MD5
ac6eeec739e6744155d762c71658ee08
-
SHA1
fd00d02ddebab59c5e1284acfc61489ee65506f6
-
SHA256
d02548b41a1f0e68f77df66f87b5664edb454744be93cc02500ccf083ae61ba3
-
SHA512
0720bf1fe12baa9a5689f5c5806017c82c6fd7acfeb53fe960168d1e3569ec86f7c25c87871b3270dfbf568547a27d425a51f6c1f52f0175b3fc12757cca7f63
-
SSDEEP
24576:I1wzlArxvk6SpZnUdY5hvLD5lRcMegGFVdp6c84OCuD1Xli:IOzCSzodYf5gMeg6docdlyb
Malware Config
Extracted
blustealer
https://api.telegram.org/bot5982631795:AAFe1A7BEPv_6ExMz851LxdOAjr_9gqH8zY/sendMessage?chat_id=5968311109
Signatures
-
BluStealer
A Modular information stealer written in Visual Basic.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 940 set thread context of 1068 940 Invoice and packing list.exe 29 PID 1068 set thread context of 1896 1068 Invoice and packing list.exe 30 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 940 Invoice and packing list.exe 940 Invoice and packing list.exe 940 Invoice and packing list.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 940 Invoice and packing list.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1068 Invoice and packing list.exe -
Suspicious use of WriteProcessMemory 22 IoCs
description pid Process procid_target PID 940 wrote to memory of 568 940 Invoice and packing list.exe 28 PID 940 wrote to memory of 568 940 Invoice and packing list.exe 28 PID 940 wrote to memory of 568 940 Invoice and packing list.exe 28 PID 940 wrote to memory of 568 940 Invoice and packing list.exe 28 PID 940 wrote to memory of 1068 940 Invoice and packing list.exe 29 PID 940 wrote to memory of 1068 940 Invoice and packing list.exe 29 PID 940 wrote to memory of 1068 940 Invoice and packing list.exe 29 PID 940 wrote to memory of 1068 940 Invoice and packing list.exe 29 PID 940 wrote to memory of 1068 940 Invoice and packing list.exe 29 PID 940 wrote to memory of 1068 940 Invoice and packing list.exe 29 PID 940 wrote to memory of 1068 940 Invoice and packing list.exe 29 PID 940 wrote to memory of 1068 940 Invoice and packing list.exe 29 PID 940 wrote to memory of 1068 940 Invoice and packing list.exe 29 PID 1068 wrote to memory of 1896 1068 Invoice and packing list.exe 30 PID 1068 wrote to memory of 1896 1068 Invoice and packing list.exe 30 PID 1068 wrote to memory of 1896 1068 Invoice and packing list.exe 30 PID 1068 wrote to memory of 1896 1068 Invoice and packing list.exe 30 PID 1068 wrote to memory of 1896 1068 Invoice and packing list.exe 30 PID 1068 wrote to memory of 1896 1068 Invoice and packing list.exe 30 PID 1068 wrote to memory of 1896 1068 Invoice and packing list.exe 30 PID 1068 wrote to memory of 1896 1068 Invoice and packing list.exe 30 PID 1068 wrote to memory of 1896 1068 Invoice and packing list.exe 30 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Invoice and packing list.exe"C:\Users\Admin\AppData\Local\Temp\Invoice and packing list.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:940 -
C:\Users\Admin\AppData\Local\Temp\Invoice and packing list.exe"C:\Users\Admin\AppData\Local\Temp\Invoice and packing list.exe"2⤵PID:568
-
-
C:\Users\Admin\AppData\Local\Temp\Invoice and packing list.exe"C:\Users\Admin\AppData\Local\Temp\Invoice and packing list.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1068 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe3⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:1896
-
-