Overview

overview

10

Static

static

1664899251...df.exe

windows7-x64

10

1664899251...df.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-12-2022 10:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1664899251557_MLCAL100300189.00.pdf.exe

  • Size

    418KB

  • MD5

    07483641fb9e47b6381039d8806aabc8

  • SHA1

    7f992d4eeae9bb1dc8936a833298bfd7ee870ffb

  • SHA256

    e3f0cf7effaf970e55ce7b44afa66607f8126403523b609849339d551011480f

  • SHA512

    8b3a201a85600c8cea9404515dd0be09fb2b41d952f5c795b36166cbfb20deef01c0d91c0da31a1a3f2a554d5e045160450a4965147824ac0244d602d4bd78cf

  • SSDEEP

    6144:KYa6AExBLoJvdNJDGcNc7rsJ1RqonlSpiHUtMj:KYC8LodlGcNc781RpSpdOj

Score
10/10
blustealerstormkittycollectionpersistencestealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5468731092:AAGGNQWBVRhX622u6xp1moMhaunIGtXuIxg/sendMessage?chat_id=1639214896

Signatures

  • BluStealer

    A Modular information stealer written in Visual Basic.

    stealerblustealer
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1664899251557_MLCAL100300189.00.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\1664899251557_MLCAL100300189.00.pdf.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2912
    • C:\Users\Admin\AppData\Local\Temp\mxuoquv.exe
      "C:\Users\Admin\AppData\Local\Temp\mxuoquv.exe" C:\Users\Admin\AppData\Local\Temp\agvcsd.xia
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:868
      • C:\Users\Admin\AppData\Local\Temp\mxuoquv.exe
        "C:\Users\Admin\AppData\Local\Temp\mxuoquv.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3748
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          4⤵
          • Accesses Microsoft Outlook profiles
          • Checks processor information in registry
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:2616

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\agvcsd.xia
    Filesize

    8KB

    MD5

    90c2a3c3487e5dadeb270ce3f5c8a01c

    SHA1

    edc2d5e2b26cbabeeb8d69e8c4501f503c6e58fc

    SHA256

    7e9e63b244d5699e8217c274718ca57874a82d9bf64211a9c2029b0841270a95

    SHA512

    2d40b47980caafeb01b85d7182e4ee606d86c160fc32c13ae5f9775d323807ec3605fa600d3e82a35952d66e95cb4161be148e96cd6bf6bdd7e87be5a51bdd88

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\kjwcrxgzt.b
    Filesize

    156KB

    MD5

    354f5a89f5197083616340a0064cf264

    SHA1

    a05ea1cb9ea0141408cf76d3672c09c4662284d4

    SHA256

    b24d24bc0071cdcec4f3ff52a4cdebc812f450927b5c9fcc7c596957e4b167bb

    SHA512

    dea51923004426dad19cefe6b52c4f3927634f2a93dc9ab1ab1154bba8269df25b953ebdbd03afe01b4d4a8d61e46295ddaf980b246578a4ad461c8a3a44b6fc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\mxuoquv.exe
    Filesize

    63KB

    MD5

    dddd982b03cb1e42cda0fc1bc0bc9f4c

    SHA1

    fe25abd82ae5c9bd0db39eb780b32236de5ac0dd

    SHA256

    1931caa80bc281f650739ac6c3f545d578ae839cc38890d4cd0da1484d694a5a

    SHA512

    af7b7e70c9a497a26b3cd2a136f21e98866fe56edf83baf5641df154c62a5ebf0453814ec2ed3c26a19d763d4d46c80eb45df13dc8fd8bbef4f1746e4d79b1ad

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\mxuoquv.exe
    Filesize

    63KB

    MD5

    dddd982b03cb1e42cda0fc1bc0bc9f4c

    SHA1

    fe25abd82ae5c9bd0db39eb780b32236de5ac0dd

    SHA256

    1931caa80bc281f650739ac6c3f545d578ae839cc38890d4cd0da1484d694a5a

    SHA512

    af7b7e70c9a497a26b3cd2a136f21e98866fe56edf83baf5641df154c62a5ebf0453814ec2ed3c26a19d763d4d46c80eb45df13dc8fd8bbef4f1746e4d79b1ad

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\mxuoquv.exe
    Filesize

    63KB

    MD5

    dddd982b03cb1e42cda0fc1bc0bc9f4c

    SHA1

    fe25abd82ae5c9bd0db39eb780b32236de5ac0dd

    SHA256

    1931caa80bc281f650739ac6c3f545d578ae839cc38890d4cd0da1484d694a5a

    SHA512

    af7b7e70c9a497a26b3cd2a136f21e98866fe56edf83baf5641df154c62a5ebf0453814ec2ed3c26a19d763d4d46c80eb45df13dc8fd8bbef4f1746e4d79b1ad

    Download Submit

  • memory/868-136-0x00000000009E0000-0x00000000009E3000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2616-143-0x0000000000DE0000-0x0000000000DFA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2616-144-0x00000000056C0000-0x0000000005726000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2616-146-0x0000000006030000-0x00000000060CC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/3748-145-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3748-147-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download