Analysis
max time kernel
146s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags
arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted
21-02-2023 17:40
Static task
static1
Behavioral task
behavioral1
Sample
PO 152421.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
PO 152421.exe
Resource
win10v2004-20230220-en
General
Target
PO 152421.exe
Size
501KB
MD5
460bdbbe5a6b8bd3f887c8b6fd4128a2
SHA1
891099bcbf82de10e1b197d2c42b2044dc0bed46
SHA256
58d5286e5694f883d2452a81e5f6e77413292ba388300a6e44dd0f91e217aff1
SHA512
b741e4bc33762adc9dee71f7a348ec9e7615bd4631bb73c39e4d69a01e8d469a3eb1aa303c691e2671aa939c223c6fc4a5bc05b2dea23b40f3e5422e2b4b3c6c
SSDEEP
12288:/YFfpyLOuydXBmm+vie9mUX1NqRBchWc6P0vMLxJRg0ExsOPn7jhPhl9iqo+/:/YFhyCuCoie9nFNqgL6P0vlLxVP7FT93
Malware Config
Extracted
blustealer
https://api.telegram.org/bot5450700540:AAEJyEEV8BKgYUKmnCPZxp19kD9GVSRup5M/sendMessage?chat_id=5422342474
Signatures

BluStealer
A modular information stealer written in Visual Basic.

Executes dropped EXE (2 IoCs)
pid   Process
4752  zabwn.exe
4608  zabwn.exe

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
description  ioc                                                                                                                                                                  Process
Key opened   \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                          AppLaunch.exe
Key opened   \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                          AppLaunch.exe
Key opened   \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   AppLaunch.exe

Suspicious use of SetThreadContext (2 IoCs)
description                           pid   Process    procid_target
PID 4752 set thread context of 4608   4752  zabwn.exe  85
PID 4608 set thread context of 4980   4608  zabwn.exe  86

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Script User-Agent (1 IoC)
Uses user-agent string associated with script host/environment.
description             flow  ioc
HTTP User-Agent header  2     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: MapViewOfSection (1 IoC)
pid   Process
4752  zabwn.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid   Process
4608  zabwn.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description                        pid   Process        procid_target
PID 4968 wrote to memory of 4752   4968  PO 152421.exe  83
PID 4968 wrote to memory of 4752   4968  PO 152421.exe  83
PID 4968 wrote to memory of 4752   4968  PO 152421.exe  83
PID 4752 wrote to memory of 4608   4752  zabwn.exe      85
PID 4752 wrote to memory of 4608   4752  zabwn.exe      85
PID 4752 wrote to memory of 4608   4752  zabwn.exe      85
PID 4752 wrote to memory of 4608   4752  zabwn.exe      85
PID 4608 wrote to memory of 4980   4608  zabwn.exe      86
PID 4608 wrote to memory of 4980   4608  zabwn.exe      86
PID 4608 wrote to memory of 4980   4608  zabwn.exe      86
PID 4608 wrote to memory of 4980   4608  zabwn.exe      86
PID 4608 wrote to memory of 4980   4608  zabwn.exe      86

outlook_office_path (1 IoC)
description  ioc                                                                                                                                          Process
Key opened   \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   AppLaunch.exe

outlook_win_path (1 IoC)
description  ioc                                                                                                                                                                  Process
Key opened   \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   AppLaunch.exe
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\PO 152421.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PO 152421.exe"
  PID: 4968
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Local\Temp\zabwn.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\zabwn.exe" C:\Users\Admin\AppData\Local\Temp\mcyherebmfy.ki
    PID: 4752
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Users\Admin\AppData\Local\Temp\zabwn.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\zabwn.exe"
      PID: 4608
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      Depth 4: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        PID: 4980
        - Accesses Microsoft Outlook profiles
        - outlook_office_path
        - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize
460KB
MD5
8a6178215aecfc693a8c1ed6b603c9ed
SHA1
48c3dcdd96aaf16f6b23678730659ecffb608800
SHA256
79e70faf30babd56571cb125d18aeeb004cd672e7564f982cd266635921a8540
SHA512
4615144dd37bcb20e3668ac317d3ef49495fe3d83d237ff85297b638c7231c0021d75ed50bfc195406d886ebd4098efb5a2b4847eceaa8dc1370834657fcc36c

Filesize
5KB
MD5
4f7e253adbf25df53a7a3f74981cf3c0
SHA1
a4ac4ee5bfa12232dc7e5eaae5bbbd3be42f9831
SHA256
e37eee65e86f850c12436f581065ae185612e30ed4fbe9ae4cf4e9c9d6e65fa0
SHA512
7a0839e7daff273466e7a3e411f2aebe2c57ecb80a10246ea091dacda2dc67e30b0c30c93571a6ea870a057f726de1c10845c2307ee121b2d23c9ecf3ae258c6

Filesize
54KB
MD5
62b62b17b3e2090607d52c9fb1fd304a
SHA1
9b52577f421ed09935b71b8d4dee2b38276f6b64
SHA256
e331eecc8dd8dc9ef2352e5bf24948f7f763a5785f6f778d292b30ecf1fc695b
SHA512
a51c60a8d5ed4acf96c73000d971e6b8f00ff7021f5263b508dc89d089d71e1a7ab974f23228cb713ced638088021b878891f39cf094ce5f6438b2a416ba2ec0

Filesize
54KB
MD5
62b62b17b3e2090607d52c9fb1fd304a
SHA1
9b52577f421ed09935b71b8d4dee2b38276f6b64
SHA256
e331eecc8dd8dc9ef2352e5bf24948f7f763a5785f6f778d292b30ecf1fc695b
SHA512
a51c60a8d5ed4acf96c73000d971e6b8f00ff7021f5263b508dc89d089d71e1a7ab974f23228cb713ced638088021b878891f39cf094ce5f6438b2a416ba2ec0

Filesize
54KB
MD5
62b62b17b3e2090607d52c9fb1fd304a
SHA1
9b52577f421ed09935b71b8d4dee2b38276f6b64
SHA256
e331eecc8dd8dc9ef2352e5bf24948f7f763a5785f6f778d292b30ecf1fc695b
SHA512
a51c60a8d5ed4acf96c73000d971e6b8f00ff7021f5263b508dc89d089d71e1a7ab974f23228cb713ced638088021b878891f39cf094ce5f6438b2a416ba2ec0