Overview

overview

10

Static

static

1

PO7313 2023-02.exe

windows7-x64

10

PO7313 2023-02.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-02-2023 01:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO7313 2023-02.exe

  • Size

    597KB

  • MD5

    1a496bebdf47aaee63127ad8e0f2c038

  • SHA1

    0b4c18d15e7e03fdc58f942236591d01db2a0e15

  • SHA256

    8b43fb960fbec0fcdc81a4e12892204c6dc80156258e92995f2a7ece5da3c5b3

  • SHA512

    534c1b75d3d581ca07c831ddec2639559f63a4f532b8fa97126f23cbf49dc5b58184a7f0027182b8aed3cb4c028ed334860f15164aa092656289435d3e9acb6d

  • SSDEEP

    12288:/Ytho+cYQo+uRRAkbIWsRQ219z0EnDWg9/YG6B5ZdZOkiM:/Yt4YQoRqkV2Eg9h6JdV

Score
10/10
blustealercollectionstealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

  • BluStealer

    A Modular information stealer written in Visual Basic.

    stealerblustealer
  • Executes dropped EXE 2 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PO7313 2023-02.exe
    "C:\Users\Admin\AppData\Local\Temp\PO7313 2023-02.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1780
    • C:\Users\Admin\AppData\Local\Temp\euhbi.exe
      "C:\Users\Admin\AppData\Local\Temp\euhbi.exe" C:\Users\Admin\AppData\Local\Temp\fvrclwc.l
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:764
      • C:\Users\Admin\AppData\Local\Temp\euhbi.exe
        "C:\Users\Admin\AppData\Local\Temp\euhbi.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3464
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          4⤵
          • Accesses Microsoft Outlook profiles
          • outlook_office_path
          • outlook_win_path
          PID:3596

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\euhbi.exe
    Filesize

    297KB

    MD5

    c936b4f432c1b9814d77d8717758db4a

    SHA1

    ad63ad2a3a5fa271121c9345b31075128ef395fd

    SHA256

    690e07388b7f6aff8f276c7c44001a5aea4cae4c7918619b7a759d8fd25fc169

    SHA512

    490fd2aa529ccdccde2c476e7dd4aaae601a19d32740795c28cffff029d2d4fb7454ed94c154dfebbb76aad38949dee49e1cdb4148cbbc331238b2a7e83dfc34

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\euhbi.exe
    Filesize

    297KB

    MD5

    c936b4f432c1b9814d77d8717758db4a

    SHA1

    ad63ad2a3a5fa271121c9345b31075128ef395fd

    SHA256

    690e07388b7f6aff8f276c7c44001a5aea4cae4c7918619b7a759d8fd25fc169

    SHA512

    490fd2aa529ccdccde2c476e7dd4aaae601a19d32740795c28cffff029d2d4fb7454ed94c154dfebbb76aad38949dee49e1cdb4148cbbc331238b2a7e83dfc34

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\euhbi.exe
    Filesize

    297KB

    MD5

    c936b4f432c1b9814d77d8717758db4a

    SHA1

    ad63ad2a3a5fa271121c9345b31075128ef395fd

    SHA256

    690e07388b7f6aff8f276c7c44001a5aea4cae4c7918619b7a759d8fd25fc169

    SHA512

    490fd2aa529ccdccde2c476e7dd4aaae601a19d32740795c28cffff029d2d4fb7454ed94c154dfebbb76aad38949dee49e1cdb4148cbbc331238b2a7e83dfc34

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\fvrclwc.l
    Filesize

    5KB

    MD5

    f3abfac467d7df3fe80d9244f4a3792f

    SHA1

    ad15978267e72f579cf5dbba1c61f739f929228d

    SHA256

    b57f33a6d276b635dafcf1164f62f45542e5d14bc68b11cd3cb01cd4f463b5f5

    SHA512

    97b1243f5b10abb8e9123baaa798362761902f48ed920b1469a8679cf746240899459bc4fd2dfd3c61a208e366ea4bf12f8f734b1c38e583429abefddb8ec6bb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\olntt.qha
    Filesize

    460KB

    MD5

    cbbfb2f927b0fabeb1307dad8c24cbe3

    SHA1

    6292ff8cd7b8fce506e851f2e0571013b1bc032b

    SHA256

    3733fc350665f2e65be9832630829fd62950558c4eb0f6193be5a8718d7e523d

    SHA512

    997f9f342a14302717ec74ce97fbac60e7c2371641ccad5698dd1540df537ce35d07330d4daf1c17c7dcf8df4803dfa89f0f3277b1760df28fdfdbaba187536d

    Download Submit

  • memory/3464-152-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3464-167-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3464-174-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3464-173-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3464-151-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3464-141-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3464-164-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3464-165-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3464-166-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3464-144-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3464-168-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3464-169-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3464-170-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3464-171-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3464-172-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3596-149-0x0000000004CE0000-0x0000000004D7C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/3596-148-0x0000000000520000-0x0000000000586000-memory.dmp

    Filesize

    408KB

    Download