Analysis
max time kernel: 142s
max time network: 33s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 21-02-2023 17:40
Static task: static1
Behavioral task: behavioral1
  Sample: PO 152421.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: PO 152421.exe
  Resource: win10v2004-20230220-en
General
Target: PO 152421.exe
Size: 501KB
MD5: 460bdbbe5a6b8bd3f887c8b6fd4128a2
SHA1: 891099bcbf82de10e1b197d2c42b2044dc0bed46
SHA256: 58d5286e5694f883d2452a81e5f6e77413292ba388300a6e44dd0f91e217aff1
SHA512: b741e4bc33762adc9dee71f7a348ec9e7615bd4631bb73c39e4d69a01e8d469a3eb1aa303c691e2671aa939c223c6fc4a5bc05b2dea23b40f3e5422e2b4b3c6c
SSDEEP: 12288:/YFfpyLOuydXBmm+vie9mUX1NqRBchWc6P0vMLxJRg0ExsOPn7jhPhl9iqo+/:/YFhyCuCoie9nFNqgL6P0vlLxVP7FT93
Malware Config
Extracted
Family: blustealer
C2: https://api.telegram.org/bot5450700540:AAEJyEEV8BKgYUKmnCPZxp19kD9GVSRup5M/sendMessage?chat_id=5422342474
Signatures
BluStealer
  A modular information stealer written in Visual Basic.
Executes dropped EXE (2 IoCs)
  pid   Process
  296   zabwn.exe
  1644  zabwn.exe
Loads dropped DLL (2 IoCs)
  pid   Process
  308   PO 152421.exe
  296   zabwn.exe
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  description   ioc                                                                                                                                          Process
  Key opened    \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                                AppLaunch.exe
  Key opened    \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                                AppLaunch.exe
  Key opened    \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   AppLaunch.exe
Suspicious use of SetThreadContext (2 IoCs)
  description                          pid   Process     procid_target
  PID 296 set thread context of 1644   296   zabwn.exe   29
  PID 1644 set thread context of 584   1644  zabwn.exe   30
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: MapViewOfSection (1 IoC)
  pid   Process
  296   zabwn.exe
Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  1644  zabwn.exe
Suspicious use of WriteProcessMemory (18 IoCs; identical events collapsed, count in last column)
  description                        pid   Process         procid_target   events
  PID 308 wrote to memory of 296     308   PO 152421.exe   27              4
  PID 296 wrote to memory of 1644    296   zabwn.exe       29              5
  PID 1644 wrote to memory of 584    1644  zabwn.exe       30              9
outlook_office_path (1 IoC)
  description   ioc                                                                                                                                          Process
  Key opened    \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                                AppLaunch.exe
outlook_win_path (1 IoC)
  description   ioc                                                                                                                                          Process
  Key opened    \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   AppLaunch.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\PO 152421.exe (PID 308)
   command line: "C:\Users\Admin\AppData\Local\Temp\PO 152421.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
  2. C:\Users\Admin\AppData\Local\Temp\zabwn.exe (PID 296)
     command line: "C:\Users\Admin\AppData\Local\Temp\zabwn.exe" C:\Users\Admin\AppData\Local\Temp\mcyherebmfy.ki
     - Executes dropped EXE
     - Loads dropped DLL
     - Suspicious use of SetThreadContext
     - Suspicious behavior: MapViewOfSection
     - Suspicious use of WriteProcessMemory
    3. C:\Users\Admin\AppData\Local\Temp\zabwn.exe (PID 1644)
       command line: "C:\Users\Admin\AppData\Local\Temp\zabwn.exe"
       - Executes dropped EXE
       - Suspicious use of SetThreadContext
       - Suspicious use of SetWindowsHookEx
       - Suspicious use of WriteProcessMemory
      4. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 584)
         command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
         - Accesses Microsoft Outlook profiles
         - outlook_office_path
         - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads