Analysis
max time kernel: 150s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-01-2023 10:40
Static task: static1
Behavioral task: behavioral1
  Sample: fatura64383,pdf.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: fatura64383,pdf.exe
  Resource: win10v2004-20221111-en
General
Target: fatura64383,pdf.exe
Size: 298KB
MD5: c3d62fd39dd8b743b5fc0d6464f064d1
SHA1: 88f30196adc87c47712679d07720131495da16dc
SHA256: 98c1d9168df53dd9c2da28bfafb7af7a417719ab2fed404a3bacc7aeea3d5872
SHA512: a9a7aec144659e7ddbc318a563e29374f0621840a0600debd0003ee454bb24907d9cc976f9dcb45f58d1018d1610439cb867219330c6139d7b7dddf6b7ea9088
SSDEEP: 3072:gfY/TU9fE9PEtuTgSECqpObc00brGmx1TJOz0Id+icyJvFap3UAoewa0ux59Dkrd:2Ya69gSECqpOY02iQJOS4ptHpvS1xO
Malware Config
Extracted: blustealer
C2: https://api.telegram.org/bot5468731092:AAGGNQWBVRhX622u6xp1moMhaunIGtXuIxg/sendMessage?chat_id=1639214896
Signatures
- BluStealer
  A modular information stealer written in Visual Basic.
- StormKitty
  StormKitty is an open source info stealer written in C#.
- StormKitty payload (1 IoCs)
  yara_rule family_stormkitty matched resource: behavioral2/memory/2480-142-0x00000000001D0000-0x00000000001EA000-memory.dmp
- Executes dropped EXE (2 IoCs)
  PID 4252 ehnqqas.exe
  PID 4384 ehnqqas.exe
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Key opened: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (AppLaunch.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (AppLaunch.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (AppLaunch.exe)
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 12: icanhazip.com
- Suspicious use of SetThreadContext (2 IoCs)
  PID 4252 (ehnqqas.exe) set thread context of 4384 [procid_target 83]
  PID 4384 (ehnqqas.exe) set thread context of 2480 [procid_target 86]
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 (AppLaunch.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (AppLaunch.exe)
- Suspicious behavior: MapViewOfSection (1 IoCs)
  PID 4252 ehnqqas.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Token: SeDebugPrivilege, PID 2480 AppLaunch.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  PID 4384 ehnqqas.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 3444 (fatura64383,pdf.exe) wrote to memory of 4252 [procid_target 81]
  PID 3444 (fatura64383,pdf.exe) wrote to memory of 4252 [procid_target 81]
  PID 3444 (fatura64383,pdf.exe) wrote to memory of 4252 [procid_target 81]
  PID 4252 (ehnqqas.exe) wrote to memory of 4384 [procid_target 83]
  PID 4252 (ehnqqas.exe) wrote to memory of 4384 [procid_target 83]
  PID 4252 (ehnqqas.exe) wrote to memory of 4384 [procid_target 83]
  PID 4252 (ehnqqas.exe) wrote to memory of 4384 [procid_target 83]
  PID 4384 (ehnqqas.exe) wrote to memory of 2480 [procid_target 86]
  PID 4384 (ehnqqas.exe) wrote to memory of 2480 [procid_target 86]
  PID 4384 (ehnqqas.exe) wrote to memory of 2480 [procid_target 86]
  PID 4384 (ehnqqas.exe) wrote to memory of 2480 [procid_target 86]
  PID 4384 (ehnqqas.exe) wrote to memory of 2480 [procid_target 86]
- outlook_office_path (1 IoCs)
  Key opened: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (AppLaunch.exe)
- outlook_win_path (1 IoCs)
  Key opened: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (AppLaunch.exe)
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\fatura64383,pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fatura64383,pdf.exe"
  PID: 3444
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\Temp\ehnqqas.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ehnqqas.exe" C:\Users\Admin\AppData\Local\Temp\xpwakfp.f
    PID: 4252
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Users\Admin\AppData\Local\Temp\ehnqqas.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\ehnqqas.exe"
      PID: 4384
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        PID: 2480
        - Accesses Microsoft Outlook profiles
        - Checks processor information in registry
        - Suspicious use of AdjustPrivilegeToken
        - outlook_office_path
        - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 83KB
  MD5: ce57672797011490cc6180f83733d6a4
  SHA1: 72f784dcded7352850f9ae1da852781466a4d912
  SHA256: 32eb0a68a3df821ec8ae2c9416ae7694db5c14961cc333a46a677477cfc598dd
  SHA512: ded01c4bf1b144ca4a8d4ed229778944a1f8357efea1f8a0bab8223d4da43bc3137254f294f85ed267c738bac946f036670d20c9fbab8d9ba48d464038257af2
- Filesize: 83KB
  MD5: ce57672797011490cc6180f83733d6a4
  SHA1: 72f784dcded7352850f9ae1da852781466a4d912
  SHA256: 32eb0a68a3df821ec8ae2c9416ae7694db5c14961cc333a46a677477cfc598dd
  SHA512: ded01c4bf1b144ca4a8d4ed229778944a1f8357efea1f8a0bab8223d4da43bc3137254f294f85ed267c738bac946f036670d20c9fbab8d9ba48d464038257af2
- Filesize: 83KB
  MD5: ce57672797011490cc6180f83733d6a4
  SHA1: 72f784dcded7352850f9ae1da852781466a4d912
  SHA256: 32eb0a68a3df821ec8ae2c9416ae7694db5c14961cc333a46a677477cfc598dd
  SHA512: ded01c4bf1b144ca4a8d4ed229778944a1f8357efea1f8a0bab8223d4da43bc3137254f294f85ed267c738bac946f036670d20c9fbab8d9ba48d464038257af2
- Filesize: 156KB
  MD5: 9d005362c2b002f57d200e83ebc5fe9c
  SHA1: 50072a9936f9d42691a6c6fdc82552be2b743974
  SHA256: cbc940e42e956f031b3a09da605fd8ed5e5d8967f0a69114f4e08655837e7b07
  SHA512: ed55b472651bac294a21d9fa3173cdb4bf77b77c26f29cc63b483895bbe5788536d5a46d35f3af4c4400714bdc14af48197583308121923acce988b536d369f2
- Filesize: 6KB
  MD5: 4ca2a013fb77d398da0c4c180837d578
  SHA1: 4f7d1977bfb6f3137135a4227e788e154379973b
  SHA256: 3b41d65f3ac7f2091c227a3d59152edf03bb7562e322dbd8ce1ffbe255e40f57
  SHA512: ebfe9ee07e428c113f05ed8a1752c2f931686aa7ce0cc458cafa2bcda1e000723be850b92e7c34587d6c8cc246d735048fc9e7fa34558470a9a6bd73f683c6df