Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-01-2023 21:04
Static task: static1
Behavioral task: behavioral1
- Sample: fatura64390089,pdf.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: fatura64390089,pdf.exe
- Resource: win10v2004-20221111-en
General
- Target: fatura64390089,pdf.exe
- Size: 407KB
- MD5: c05d621f037ac3934058043187adec75
- SHA1: be6482abbdf88b6462293f4058f00c9b5d8de995
- SHA256: dbbd97938b7195d695adbf9d86f4a0efe9b044aaf3da437e02f187ec6323a177
- SHA512: 8d3db7aacecc65ce982ee4f0168d52d3059b5c94a8307bcff6b5c7a6b628020682e090bd909c18b6991c1a94adea7af39c83bc850747d34b65898eff73fc0091
- SSDEEP: 12288:gYEP7r9r/+ppppppppppppppppppppppppppppp0YGspBGc52epgqIM4l5q4/:gYE1MGsnGAQPn
Malware Config
Extracted: blustealer
- https://api.telegram.org/bot5732817033:AAFBYIIZmJ7NuvVwD7WRcbV9qwcOqT7RpwM/sendMessage?chat_id=1638137774
Signatures
- BluStealer
  A modular information stealer written in Visual Basic.
- StormKitty
  StormKitty is an open source info stealer written in C#.
- StormKitty payload 1 IoCs
  resource: behavioral2/memory/1388-143-0x0000000001020000-0x000000000103A000-memory.dmp; yara_rule: family_stormkitty
- Executes dropped EXE 2 IoCs
  Processes:
  pid 3344; process ffdkbznenn.exe
  pid 2216; process ffdkbznenn.exe
- Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  Processes:
  description: Key opened; ioc: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676; process: AppLaunch.exe
  description: Key opened; ioc: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676; process: AppLaunch.exe
  description: Key opened; ioc: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676; process: AppLaunch.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes:
  description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aupp = "C:\\Users\\Admin\\AppData\\Roaming\\xvfemejxi\\rqxm.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ffdkbznenn.exe\" C:\\Users\\Admin\\AppData\\Local\\"; process: ffdkbznenn.exe
- Looks up external IP address via web service 1 IoCs
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow 11; ioc icanhazip.com
- Suspicious use of SetThreadContext 2 IoCs
  Processes:
  description: PID 3344 set thread context of 2216; pid 3344; process ffdkbznenn.exe; target process ffdkbznenn.exe
  description: PID 2216 set thread context of 1388; pid 2216; process ffdkbznenn.exe; target process AppLaunch.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry 2 TTPs 2 IoCs
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  description: Key opened; ioc: \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0; process: AppLaunch.exe
  description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier; process: AppLaunch.exe
- Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  Processes:
  pid 2216; process ffdkbznenn.exe
- Suspicious behavior: MapViewOfSection 1 IoCs
  Processes:
  pid 3344; process ffdkbznenn.exe
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Processes:
  description: Token: SeDebugPrivilege; pid 1388; process AppLaunch.exe
- Suspicious use of SetWindowsHookEx 1 IoCs
  Processes:
  pid 2216; process ffdkbznenn.exe
- Suspicious use of WriteProcessMemory 12 IoCs
  Processes:
  description: PID 4832 wrote to memory of 3344; pid 4832; process fatura64390089,pdf.exe; target process ffdkbznenn.exe
  description: PID 4832 wrote to memory of 3344; pid 4832; process fatura64390089,pdf.exe; target process ffdkbznenn.exe
  description: PID 4832 wrote to memory of 3344; pid 4832; process fatura64390089,pdf.exe; target process ffdkbznenn.exe
  description: PID 3344 wrote to memory of 2216; pid 3344; process ffdkbznenn.exe; target process ffdkbznenn.exe
  description: PID 3344 wrote to memory of 2216; pid 3344; process ffdkbznenn.exe; target process ffdkbznenn.exe
  description: PID 3344 wrote to memory of 2216; pid 3344; process ffdkbznenn.exe; target process ffdkbznenn.exe
  description: PID 3344 wrote to memory of 2216; pid 3344; process ffdkbznenn.exe; target process ffdkbznenn.exe
  description: PID 2216 wrote to memory of 1388; pid 2216; process ffdkbznenn.exe; target process AppLaunch.exe
  description: PID 2216 wrote to memory of 1388; pid 2216; process ffdkbznenn.exe; target process AppLaunch.exe
  description: PID 2216 wrote to memory of 1388; pid 2216; process ffdkbznenn.exe; target process AppLaunch.exe
  description: PID 2216 wrote to memory of 1388; pid 2216; process ffdkbznenn.exe; target process AppLaunch.exe
  description: PID 2216 wrote to memory of 1388; pid 2216; process ffdkbznenn.exe; target process AppLaunch.exe
- outlook_office_path 1 IoCs
  Processes:
  description: Key opened; ioc: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676; process: AppLaunch.exe
- outlook_win_path 1 IoCs
  Processes:
  description: Key opened; ioc: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676; process: AppLaunch.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\fatura64390089,pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\fatura64390089,pdf.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ffdkbznenn.exe
    "C:\Users\Admin\AppData\Local\Temp\ffdkbznenn.exe" C:\Users\Admin\AppData\Local\Temp\iiijlwhsvt.hcv
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\ffdkbznenn.exe
      "C:\Users\Admin\AppData\Local\Temp\ffdkbznenn.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        - Accesses Microsoft Outlook profiles
        - Checks processor information in registry
        - Suspicious use of AdjustPrivilegeToken
        - outlook_office_path
        - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ffdkbznenn.exe
  Filesize: 53KB
  MD5: 292f15361b1c917862f22d5f86e83e2e
  SHA1: e12efc100d01f52e3dc53d2172602e2e86a5671b
  SHA256: 0e605b21230a7fda50f970a5cc9dde223854a75d9d5e5f2a33963f84810f2490
  SHA512: a8311c10337eeec3253699c53ccebd846fe3a14e136de2e8300398e946d0f6e0bf08a83df510e24fb1488e6a81dc43b26c40643cc4ec7eb180e104ae0c465b44
- C:\Users\Admin\AppData\Local\Temp\iiijlwhsvt.hcv
  Filesize: 7KB
  MD5: 57dc842d381d9d79fbc3ec8f3ebde260
  SHA1: bc816ee4cb338e9486a2446d0f40d34ac7f017c4
  SHA256: 570080568f2d6becd79e7e76fb7499ee4924ad2b103b9cb037195cfbbaf52fed
  SHA512: 15ad3cc80f79825d00617d5fe1214a6cc8513d0d7a4714e5f7ba3c6a70960759b446d1d2ff456d1cedc779f93586d406123db3a77e782d3d199aa8d6b27ffe68
- C:\Users\Admin\AppData\Local\Temp\oabtivtl.s
  Filesize: 164KB
  MD5: 0ad27cb8fc43f58b4e8cef4931c5a5fd
  SHA1: 4a8f8c0e7070ffd8614174e1c6b19087ab2e5764
  SHA256: bb858577716f072849106950e08834c35efd87de9e7d9b00e0082810e31ec202
  SHA512: 4338db180c0385206ab8b7b0e5473fdecc6a7599fc22b338c105adb73b2e72d328d89d2fbaf874d22135dd8ca98b4b1759e3a2d3cba312e0b7bdcf8e4f06698b
- memory/1388-142-0x0000000000000000-mapping.dmp
- memory/1388-143-0x0000000001020000-0x000000000103A000-memory.dmp
  Filesize: 104KB
- memory/1388-144-0x00000000055C0000-0x0000000005626000-memory.dmp
  Filesize: 408KB
- memory/1388-145-0x0000000006090000-0x000000000612C000-memory.dmp
  Filesize: 624KB
- memory/2216-137-0x0000000000000000-mapping.dmp
- memory/2216-141-0x0000000000400000-0x0000000000424000-memory.dmp
  Filesize: 144KB
- memory/2216-146-0x0000000000400000-0x0000000000424000-memory.dmp
  Filesize: 144KB
- memory/3344-132-0x0000000000000000-mapping.dmp