Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20220812-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    22-12-2022 14:09

General

  • Target

    Invoice and packing list.exe

  • Size

    512KB

  • MD5

    7c6e72138a75a71d10bcb10eab3e17fc

  • SHA1

    2846f854795ead06fc2f551c101c6047e02c279a

  • SHA256

    61660da7d55fa8074c7d4ed0a26f3ae021321dee8bf5d7651c394bccde2748c7

  • SHA512

    b7d046ce70c4d4e8f044659162baf19656ca82c7585c8028322075912ea86b4e43043aead2d02c54d9d2a7c7004f10ea4e822851d297ac7ee0b741d6a8873820

  • SSDEEP

    12288:qDqx3btvdiCWUJUKsqvIwuycqABZ7jGZZFR3+J+Ei:qWx3ldRWUawbABZOzFZw+Ei

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5982631795:AAFe1A7BEPv_6ExMz851LxdOAjr_9gqH8zY/sendMessage?chat_id=5968311109

Signatures

  • BluStealer

    A modular information stealer written in Visual Basic.

  • Executes dropped EXE 2 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Invoice and packing list.exe
    "C:\Users\Admin\AppData\Local\Temp\Invoice and packing list.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2228
    • C:\Users\Admin\AppData\Local\Temp\fkjqvzwtc.exe
      "C:\Users\Admin\AppData\Local\Temp\fkjqvzwtc.exe" C:\Users\Admin\AppData\Local\Temp\aomwuxjay.t
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2380
      • C:\Users\Admin\AppData\Local\Temp\fkjqvzwtc.exe
        "C:\Users\Admin\AppData\Local\Temp\fkjqvzwtc.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2416
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          4⤵
          • Accesses Microsoft Outlook profiles
          • outlook_office_path
          • outlook_win_path
          PID:1936
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k netsvcs -p
    1⤵
    • Drops file in System32 directory
    • Checks processor information in registry
    • Enumerates system info in registry
    PID:384

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\aomwuxjay.t

    Filesize

    5KB

    MD5

    22f4864b905e28e8e55f8b829216afe5

    SHA1

    9984a7ba317032c49d229ff39206ceec1e3bacc9

    SHA256

    58f1f591728775f3c167ed6955edd7074a679020db5331c9b609620597555bd0

    SHA512

    06bac7e75e6bde8368e133237eaa4ef3147c9c2b5dc1117ea95d7a1f073f39dfa0979810074d65f728e4d8b4b446d96f551b8f2929c817807a5304ec94e0d280

  • C:\Users\Admin\AppData\Local\Temp\fkjqvzwtc.exe

    Filesize

    101KB

    MD5

    04b559383d304def354e6092f35220ac

    SHA1

    0c89ecc9550e8b015c25a4201b1b86a9ed1d1e85

    SHA256

    7c34ef3edfec5377d08f899545100836b71c2d303dcfe0efcfbf4e328819f0cf

    SHA512

    48ab647bbc94e150f0922e14b20f4022c706a455944018b82c4bbe2f69d35360b9864a299123a7e4c55417176de46a1dcf6273faedbffc4345af68b3282f8ca9

  • C:\Users\Admin\AppData\Local\Temp\hsyjoilbdtf.wyt

    Filesize

    456KB

    MD5

    9b3501063583bed6e9b13955b10c9d60

    SHA1

    a4a0aefb36323199f47c729a0573d245d5e79633

    SHA256

    81b1884c6a9d199ce2e561c78327a98caa05b68b7c2de5e700502cf405600d11

    SHA512

    e15317a6c416f775b99bae42a38ebeb8907b4ef48700e0d700176ac55c2a130928ab135fd4fb545d462e1fc0662d0dbba1396cf57f0e921fd7ce703d82202950

  • memory/1936-144-0x0000000000B00000-0x0000000000B66000-memory.dmp

    Filesize

    408KB

  • memory/1936-145-0x00000000052C0000-0x000000000535C000-memory.dmp

    Filesize

    624KB

  • memory/2416-141-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

  • memory/2416-142-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB