Analysis
-
max time kernel
147s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
21-02-2023 10:22
Static task
static1
Behavioral task
behavioral1
Sample
Quotation Required.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
Quotation Required.exe
Resource
win10v2004-20230220-en
General
-
Target
Quotation Required.exe
-
Size
501KB
-
MD5
c6479e3bcb864d87e5d93ff06ed15c60
-
SHA1
af08bbfe61178ee821e85b1f09be975b732387aa
-
SHA256
9842d23cef4dc305ab6b8cd1ade477e1186d94cfd18861e1c87a55aff4d04c40
-
SHA512
c5f4b4638b76b963fe8b731a08c43f67d5a8c512262755f78eca27feea5004e348e85a913926f8afe73accefa6a680bba37207adb37880100cd2f8ff6509b1b6
-
SSDEEP
12288:/YmibSNNCgbjT5hg1s5PiA8C58tpxxqVTEp1B:/YmQoz5hgSN8tpxAVEp1B
Malware Config
Extracted
blustealer
https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325
Signatures
-
BluStealer
A Modular information stealer written in Visual Basic.
-
Executes dropped EXE 2 IoCs
pid Process 4348 lhiecmmdg.exe 4100 lhiecmmdg.exe -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 4348 set thread context of 4100 4348 lhiecmmdg.exe 87 PID 4100 set thread context of 3132 4100 lhiecmmdg.exe 88 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 16 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 4348 lhiecmmdg.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4100 lhiecmmdg.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1692 wrote to memory of 4348 1692 Quotation Required.exe 85 PID 1692 wrote to memory of 4348 1692 Quotation Required.exe 85 PID 1692 wrote to memory of 4348 1692 Quotation Required.exe 85 PID 4348 wrote to memory of 4100 4348 lhiecmmdg.exe 87 PID 4348 wrote to memory of 4100 4348 lhiecmmdg.exe 87 PID 4348 wrote to memory of 4100 4348 lhiecmmdg.exe 87 PID 4348 wrote to memory of 4100 4348 lhiecmmdg.exe 87 PID 4100 wrote to memory of 3132 4100 lhiecmmdg.exe 88 PID 4100 wrote to memory of 3132 4100 lhiecmmdg.exe 88 PID 4100 wrote to memory of 3132 4100 lhiecmmdg.exe 88 PID 4100 wrote to memory of 3132 4100 lhiecmmdg.exe 88 PID 4100 wrote to memory of 3132 4100 lhiecmmdg.exe 88 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Quotation Required.exe"C:\Users\Admin\AppData\Local\Temp\Quotation Required.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Users\Admin\AppData\Local\Temp\lhiecmmdg.exe"C:\Users\Admin\AppData\Local\Temp\lhiecmmdg.exe" C:\Users\Admin\AppData\Local\Temp\ovcnaiorxn.d2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4348 -
C:\Users\Admin\AppData\Local\Temp\lhiecmmdg.exe"C:\Users\Admin\AppData\Local\Temp\lhiecmmdg.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4100 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe4⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:3132
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
54KB
MD5208f168a8a01e2d071375e09c084dc5a
SHA1e04b395d08bfad73c65997e24f4fb951a7837d61
SHA2560ea519809172240457a3d0bdb4dce19d0456670355ff1ead6d9823a1e72e433b
SHA51210f05cac53cc143ce0388e8cd3546e856ed245f3999aca51d2db1e2efeacfb7dc5a18192280ebcb4087208a9cd50e90612150712eeed2c68c5876741bfa940cc
-
Filesize
54KB
MD5208f168a8a01e2d071375e09c084dc5a
SHA1e04b395d08bfad73c65997e24f4fb951a7837d61
SHA2560ea519809172240457a3d0bdb4dce19d0456670355ff1ead6d9823a1e72e433b
SHA51210f05cac53cc143ce0388e8cd3546e856ed245f3999aca51d2db1e2efeacfb7dc5a18192280ebcb4087208a9cd50e90612150712eeed2c68c5876741bfa940cc
-
Filesize
54KB
MD5208f168a8a01e2d071375e09c084dc5a
SHA1e04b395d08bfad73c65997e24f4fb951a7837d61
SHA2560ea519809172240457a3d0bdb4dce19d0456670355ff1ead6d9823a1e72e433b
SHA51210f05cac53cc143ce0388e8cd3546e856ed245f3999aca51d2db1e2efeacfb7dc5a18192280ebcb4087208a9cd50e90612150712eeed2c68c5876741bfa940cc
-
Filesize
5KB
MD5162e0c2bbbccab38c10728759e5c96b7
SHA10f45df923464f98cc5f655af51f31f30646e164b
SHA2568213a9356d16fc8d08625217bf8f5a95168bacf3dc1c0413820533f8a2aff10c
SHA5120820e5ee0c3c2dacc596a8101a362ed53037c9560dc8b76d09db1798651cb1b09136e5438fb176cefb6fa81358bb3973a4ad05a2b61622453f5ed58beb17da20
-
Filesize
460KB
MD5df3d012d61af20771fd15c9b906051fa
SHA12cd498b119af9cac981fd2a12e55224b8481f1ac
SHA256a5c41dc9d73516047db56803ce3837afb830f990d01dd497494e24215a5597ac
SHA512d27e5ad78d500d2300800a0b0d9302dd0dfeb367f2d1f983645c440950795fe883acab1c5056ddfc35e08d4ddf1f008ee3cc718e914a0e6b03d21fb475b09bc2