Analysis
-
max time kernel
145s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
21-02-2023 09:11
Static task
static1
Behavioral task
behavioral1
Sample
Quotation Required.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
Quotation Required.exe
Resource
win10v2004-20230220-en
General
-
Target
Quotation Required.exe
-
Size
501KB
-
MD5
c6479e3bcb864d87e5d93ff06ed15c60
-
SHA1
af08bbfe61178ee821e85b1f09be975b732387aa
-
SHA256
9842d23cef4dc305ab6b8cd1ade477e1186d94cfd18861e1c87a55aff4d04c40
-
SHA512
c5f4b4638b76b963fe8b731a08c43f67d5a8c512262755f78eca27feea5004e348e85a913926f8afe73accefa6a680bba37207adb37880100cd2f8ff6509b1b6
-
SSDEEP
12288:/YmibSNNCgbjT5hg1s5PiA8C58tpxxqVTEp1B:/YmQoz5hgSN8tpxAVEp1B
Malware Config
Extracted
blustealer
https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325
Signatures
-
BluStealer
A Modular information stealer written in Visual Basic.
-
Executes dropped EXE 2 IoCs
pid Process 4796 lhiecmmdg.exe 3368 lhiecmmdg.exe -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 4796 set thread context of 3368 4796 lhiecmmdg.exe 83 PID 3368 set thread context of 3580 3368 lhiecmmdg.exe 84 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 2 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 4796 lhiecmmdg.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3368 lhiecmmdg.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 3840 wrote to memory of 4796 3840 Quotation Required.exe 81 PID 3840 wrote to memory of 4796 3840 Quotation Required.exe 81 PID 3840 wrote to memory of 4796 3840 Quotation Required.exe 81 PID 4796 wrote to memory of 3368 4796 lhiecmmdg.exe 83 PID 4796 wrote to memory of 3368 4796 lhiecmmdg.exe 83 PID 4796 wrote to memory of 3368 4796 lhiecmmdg.exe 83 PID 4796 wrote to memory of 3368 4796 lhiecmmdg.exe 83 PID 3368 wrote to memory of 3580 3368 lhiecmmdg.exe 84 PID 3368 wrote to memory of 3580 3368 lhiecmmdg.exe 84 PID 3368 wrote to memory of 3580 3368 lhiecmmdg.exe 84 PID 3368 wrote to memory of 3580 3368 lhiecmmdg.exe 84 PID 3368 wrote to memory of 3580 3368 lhiecmmdg.exe 84 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Quotation Required.exe"C:\Users\Admin\AppData\Local\Temp\Quotation Required.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3840 -
C:\Users\Admin\AppData\Local\Temp\lhiecmmdg.exe"C:\Users\Admin\AppData\Local\Temp\lhiecmmdg.exe" C:\Users\Admin\AppData\Local\Temp\ovcnaiorxn.d2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4796 -
C:\Users\Admin\AppData\Local\Temp\lhiecmmdg.exe"C:\Users\Admin\AppData\Local\Temp\lhiecmmdg.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3368 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe4⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:3580
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
54KB
MD5208f168a8a01e2d071375e09c084dc5a
SHA1e04b395d08bfad73c65997e24f4fb951a7837d61
SHA2560ea519809172240457a3d0bdb4dce19d0456670355ff1ead6d9823a1e72e433b
SHA51210f05cac53cc143ce0388e8cd3546e856ed245f3999aca51d2db1e2efeacfb7dc5a18192280ebcb4087208a9cd50e90612150712eeed2c68c5876741bfa940cc
-
Filesize
54KB
MD5208f168a8a01e2d071375e09c084dc5a
SHA1e04b395d08bfad73c65997e24f4fb951a7837d61
SHA2560ea519809172240457a3d0bdb4dce19d0456670355ff1ead6d9823a1e72e433b
SHA51210f05cac53cc143ce0388e8cd3546e856ed245f3999aca51d2db1e2efeacfb7dc5a18192280ebcb4087208a9cd50e90612150712eeed2c68c5876741bfa940cc
-
Filesize
54KB
MD5208f168a8a01e2d071375e09c084dc5a
SHA1e04b395d08bfad73c65997e24f4fb951a7837d61
SHA2560ea519809172240457a3d0bdb4dce19d0456670355ff1ead6d9823a1e72e433b
SHA51210f05cac53cc143ce0388e8cd3546e856ed245f3999aca51d2db1e2efeacfb7dc5a18192280ebcb4087208a9cd50e90612150712eeed2c68c5876741bfa940cc
-
Filesize
5KB
MD5162e0c2bbbccab38c10728759e5c96b7
SHA10f45df923464f98cc5f655af51f31f30646e164b
SHA2568213a9356d16fc8d08625217bf8f5a95168bacf3dc1c0413820533f8a2aff10c
SHA5120820e5ee0c3c2dacc596a8101a362ed53037c9560dc8b76d09db1798651cb1b09136e5438fb176cefb6fa81358bb3973a4ad05a2b61622453f5ed58beb17da20
-
Filesize
460KB
MD5df3d012d61af20771fd15c9b906051fa
SHA12cd498b119af9cac981fd2a12e55224b8481f1ac
SHA256a5c41dc9d73516047db56803ce3837afb830f990d01dd497494e24215a5597ac
SHA512d27e5ad78d500d2300800a0b0d9302dd0dfeb367f2d1f983645c440950795fe883acab1c5056ddfc35e08d4ddf1f008ee3cc718e914a0e6b03d21fb475b09bc2