Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-12-2022 14:09
Static task: static1
Behavioral task: behavioral1
  Sample: Invoice and packing list.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: Invoice and packing list.exe
  Resource: win10v2004-20220812-en
General
Target: Invoice and packing list.exe
Size: 512KB
MD5: 7c6e72138a75a71d10bcb10eab3e17fc
SHA1: 2846f854795ead06fc2f551c101c6047e02c279a
SHA256: 61660da7d55fa8074c7d4ed0a26f3ae021321dee8bf5d7651c394bccde2748c7
SHA512: b7d046ce70c4d4e8f044659162baf19656ca82c7585c8028322075912ea86b4e43043aead2d02c54d9d2a7c7004f10ea4e822851d297ac7ee0b741d6a8873820
SSDEEP: 12288:qDqx3btvdiCWUJUKsqvIwuycqABZ7jGZZFR3+J+Ei:qWx3ldRWUawbABZOzFZw+Ei
Malware Config
Extracted family: blustealer
Extracted URL: https://api.telegram.org/bot5982631795:AAFe1A7BEPv_6ExMz851LxdOAjr_9gqH8zY/sendMessage?chat_id=5968311109
Signatures

BluStealer
A modular information stealer written in Visual Basic.
Executes dropped EXE (2 IoCs)
  pid | Process
  2380 | fkjqvzwtc.exe
  2416 | fkjqvzwtc.exe

Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{CCFDBC36-1021-4DA4-9CB4-6B6B69327ADF}.catalogItem | svchost.exe
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{67C02D32-EB2C-49CC-B050-E9F4A5B4901D}.catalogItem | svchost.exe

Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 2380 set thread context of 2416 | 2380 | fkjqvzwtc.exe | 76
  PID 2416 set thread context of 1936 | 2416 | fkjqvzwtc.exe | 77

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe

Enumerates system info in registry (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | svchost.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | svchost.exe

Script User-Agent (1 IoCs)
Uses user-agent string associated with script host/environment.
  description | flow | ioc
  HTTP User-Agent header | 3 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: MapViewOfSection (1 IoCs)
  pid | Process
  2380 | fkjqvzwtc.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  2416 | fkjqvzwtc.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 2228 wrote to memory of 2380 | 2228 | Invoice and packing list.exe | 75
  PID 2228 wrote to memory of 2380 | 2228 | Invoice and packing list.exe | 75
  PID 2228 wrote to memory of 2380 | 2228 | Invoice and packing list.exe | 75
  PID 2380 wrote to memory of 2416 | 2380 | fkjqvzwtc.exe | 76
  PID 2380 wrote to memory of 2416 | 2380 | fkjqvzwtc.exe | 76
  PID 2380 wrote to memory of 2416 | 2380 | fkjqvzwtc.exe | 76
  PID 2380 wrote to memory of 2416 | 2380 | fkjqvzwtc.exe | 76
  PID 2416 wrote to memory of 1936 | 2416 | fkjqvzwtc.exe | 77
  PID 2416 wrote to memory of 1936 | 2416 | fkjqvzwtc.exe | 77
  PID 2416 wrote to memory of 1936 | 2416 | fkjqvzwtc.exe | 77
  PID 2416 wrote to memory of 1936 | 2416 | fkjqvzwtc.exe | 77
  PID 2416 wrote to memory of 1936 | 2416 | fkjqvzwtc.exe | 77

outlook_office_path (1 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe

outlook_win_path (1 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Processes
(indentation shows the parent/child process tree)

C:\Users\Admin\AppData\Local\Temp\Invoice and packing list.exe  (PID 2228)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Invoice and packing list.exe"
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\fkjqvzwtc.exe  (PID 2380)
    Command line: "C:\Users\Admin\AppData\Local\Temp\fkjqvzwtc.exe" C:\Users\Admin\AppData\Local\Temp\aomwuxjay.t
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\fkjqvzwtc.exe  (PID 2416)
      Command line: "C:\Users\Admin\AppData\Local\Temp\fkjqvzwtc.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (PID 1936)
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        - Accesses Microsoft Outlook profiles
        - outlook_office_path
        - outlook_win_path

C:\Windows\System32\svchost.exe  (PID 384)
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p
  - Drops file in System32 directory
  - Checks processor information in registry
  - Enumerates system info in registry
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 5KB
MD5: 22f4864b905e28e8e55f8b829216afe5
SHA1: 9984a7ba317032c49d229ff39206ceec1e3bacc9
SHA256: 58f1f591728775f3c167ed6955edd7074a679020db5331c9b609620597555bd0
SHA512: 06bac7e75e6bde8368e133237eaa4ef3147c9c2b5dc1117ea95d7a1f073f39dfa0979810074d65f728e4d8b4b446d96f551b8f2929c817807a5304ec94e0d280

Filesize: 101KB
MD5: 04b559383d304def354e6092f35220ac
SHA1: 0c89ecc9550e8b015c25a4201b1b86a9ed1d1e85
SHA256: 7c34ef3edfec5377d08f899545100836b71c2d303dcfe0efcfbf4e328819f0cf
SHA512: 48ab647bbc94e150f0922e14b20f4022c706a455944018b82c4bbe2f69d35360b9864a299123a7e4c55417176de46a1dcf6273faedbffc4345af68b3282f8ca9

Filesize: 101KB
MD5: 04b559383d304def354e6092f35220ac
SHA1: 0c89ecc9550e8b015c25a4201b1b86a9ed1d1e85
SHA256: 7c34ef3edfec5377d08f899545100836b71c2d303dcfe0efcfbf4e328819f0cf
SHA512: 48ab647bbc94e150f0922e14b20f4022c706a455944018b82c4bbe2f69d35360b9864a299123a7e4c55417176de46a1dcf6273faedbffc4345af68b3282f8ca9

Filesize: 101KB
MD5: 04b559383d304def354e6092f35220ac
SHA1: 0c89ecc9550e8b015c25a4201b1b86a9ed1d1e85
SHA256: 7c34ef3edfec5377d08f899545100836b71c2d303dcfe0efcfbf4e328819f0cf
SHA512: 48ab647bbc94e150f0922e14b20f4022c706a455944018b82c4bbe2f69d35360b9864a299123a7e4c55417176de46a1dcf6273faedbffc4345af68b3282f8ca9

Filesize: 456KB
MD5: 9b3501063583bed6e9b13955b10c9d60
SHA1: a4a0aefb36323199f47c729a0573d245d5e79633
SHA256: 81b1884c6a9d199ce2e561c78327a98caa05b68b7c2de5e700502cf405600d11
SHA512: e15317a6c416f775b99bae42a38ebeb8907b4ef48700e0d700176ac55c2a130928ab135fd4fb545d462e1fc0662d0dbba1396cf57f0e921fd7ce703d82202950