Analysis
-
max time kernel
146s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
21-12-2022 14:28
Static task
static1
Behavioral task
behavioral1
Sample
Invoice and packing list.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
Invoice and packing list.exe
Resource
win10v2004-20220812-en
General
-
Target
Invoice and packing list.exe
-
Size
911KB
-
MD5
ac6eeec739e6744155d762c71658ee08
-
SHA1
fd00d02ddebab59c5e1284acfc61489ee65506f6
-
SHA256
d02548b41a1f0e68f77df66f87b5664edb454744be93cc02500ccf083ae61ba3
-
SHA512
0720bf1fe12baa9a5689f5c5806017c82c6fd7acfeb53fe960168d1e3569ec86f7c25c87871b3270dfbf568547a27d425a51f6c1f52f0175b3fc12757cca7f63
-
SSDEEP
24576:I1wzlArxvk6SpZnUdY5hvLD5lRcMegGFVdp6c84OCuD1Xli:IOzCSzodYf5gMeg6docdlyb
Malware Config
Extracted
blustealer
https://api.telegram.org/bot5982631795:AAFe1A7BEPv_6ExMz851LxdOAjr_9gqH8zY/sendMessage?chat_id=5968311109
Signatures
-
BluStealer
A Modular information stealer written in Visual Basic.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 3900 set thread context of 3636 3900 Invoice and packing list.exe 87 PID 3636 set thread context of 3080 3636 Invoice and packing list.exe 88 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 43 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3900 Invoice and packing list.exe 3900 Invoice and packing list.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3900 Invoice and packing list.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3636 Invoice and packing list.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 3900 wrote to memory of 3636 3900 Invoice and packing list.exe 87 PID 3900 wrote to memory of 3636 3900 Invoice and packing list.exe 87 PID 3900 wrote to memory of 3636 3900 Invoice and packing list.exe 87 PID 3900 wrote to memory of 3636 3900 Invoice and packing list.exe 87 PID 3900 wrote to memory of 3636 3900 Invoice and packing list.exe 87 PID 3900 wrote to memory of 3636 3900 Invoice and packing list.exe 87 PID 3900 wrote to memory of 3636 3900 Invoice and packing list.exe 87 PID 3900 wrote to memory of 3636 3900 Invoice and packing list.exe 87 PID 3636 wrote to memory of 3080 3636 Invoice and packing list.exe 88 PID 3636 wrote to memory of 3080 3636 Invoice and packing list.exe 88 PID 3636 wrote to memory of 3080 3636 Invoice and packing list.exe 88 PID 3636 wrote to memory of 3080 3636 Invoice and packing list.exe 88 PID 3636 wrote to memory of 3080 3636 Invoice and packing list.exe 88 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Invoice and packing list.exe"C:\Users\Admin\AppData\Local\Temp\Invoice and packing list.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3900 -
C:\Users\Admin\AppData\Local\Temp\Invoice and packing list.exe"C:\Users\Admin\AppData\Local\Temp\Invoice and packing list.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3636 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe3⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:3080
-
-