Analysis
-
max time kernel
143s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
21-12-2022 14:26
Static task
static1
Behavioral task
behavioral1
Sample
Invoice and packing list.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
Invoice and packing list.exe
Resource
win10v2004-20220901-en
General
-
Target
Invoice and packing list.exe
-
Size
911KB
-
MD5
ac6eeec739e6744155d762c71658ee08
-
SHA1
fd00d02ddebab59c5e1284acfc61489ee65506f6
-
SHA256
d02548b41a1f0e68f77df66f87b5664edb454744be93cc02500ccf083ae61ba3
-
SHA512
0720bf1fe12baa9a5689f5c5806017c82c6fd7acfeb53fe960168d1e3569ec86f7c25c87871b3270dfbf568547a27d425a51f6c1f52f0175b3fc12757cca7f63
-
SSDEEP
24576:I1wzlArxvk6SpZnUdY5hvLD5lRcMegGFVdp6c84OCuD1Xli:IOzCSzodYf5gMeg6docdlyb
Malware Config
Extracted
blustealer
https://api.telegram.org/bot5982631795:AAFe1A7BEPv_6ExMz851LxdOAjr_9gqH8zY/sendMessage?chat_id=5968311109
Signatures
-
BluStealer
A Modular information stealer written in Visual Basic.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 3044 set thread context of 3856 3044 Invoice and packing list.exe 88 PID 3856 set thread context of 824 3856 Invoice and packing list.exe 89 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 38 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3044 Invoice and packing list.exe 3044 Invoice and packing list.exe 3044 Invoice and packing list.exe 3044 Invoice and packing list.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3044 Invoice and packing list.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3856 Invoice and packing list.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 3044 wrote to memory of 1928 3044 Invoice and packing list.exe 87 PID 3044 wrote to memory of 1928 3044 Invoice and packing list.exe 87 PID 3044 wrote to memory of 1928 3044 Invoice and packing list.exe 87 PID 3044 wrote to memory of 3856 3044 Invoice and packing list.exe 88 PID 3044 wrote to memory of 3856 3044 Invoice and packing list.exe 88 PID 3044 wrote to memory of 3856 3044 Invoice and packing list.exe 88 PID 3044 wrote to memory of 3856 3044 Invoice and packing list.exe 88 PID 3044 wrote to memory of 3856 3044 Invoice and packing list.exe 88 PID 3044 wrote to memory of 3856 3044 Invoice and packing list.exe 88 PID 3044 wrote to memory of 3856 3044 Invoice and packing list.exe 88 PID 3044 wrote to memory of 3856 3044 Invoice and packing list.exe 88 PID 3856 wrote to memory of 824 3856 Invoice and packing list.exe 89 PID 3856 wrote to memory of 824 3856 Invoice and packing list.exe 89 PID 3856 wrote to memory of 824 3856 Invoice and packing list.exe 89 PID 3856 wrote to memory of 824 3856 Invoice and packing list.exe 89 PID 3856 wrote to memory of 824 3856 Invoice and packing list.exe 89 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Invoice and packing list.exe"C:\Users\Admin\AppData\Local\Temp\Invoice and packing list.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Users\Admin\AppData\Local\Temp\Invoice and packing list.exe"C:\Users\Admin\AppData\Local\Temp\Invoice and packing list.exe"2⤵PID:1928
-
-
C:\Users\Admin\AppData\Local\Temp\Invoice and packing list.exe"C:\Users\Admin\AppData\Local\Temp\Invoice and packing list.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3856 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe3⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:824
-
-