Analysis
- max time kernel: 141s
- max time network: 33s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 24-02-2023 01:55
Static task: static1
Behavioral task: behavioral1
- Sample: Request For Quotation.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: Request For Quotation.exe
- Resource: win10v2004-20230220-en
General
- Target: Request For Quotation.exe
- Size: 502KB
- MD5: e6759016429ab2d38c9a9497325c5746
- SHA1: 8d4a9bd427e937d523968d57f8bced231189624e
- SHA256: 20919ab5a667f7a8ef3d7d1e614f3e448bf875a066ac56c257e2e07878f6e336
- SHA512: f266a3958d48efc6a9b105c62eb0cfd8d30e810b3f247e065b9b62a0f62f70642b1964a7d570f22f16a64cd1430cfa25c3de53201282773b1bd0b5ef352485b1
- SSDEEP: 12288:vYqsd1RU0HAn7av42cnY/jVFIegYLTvEOLhPMuOBmO:vYqsd1DZ42ci7lLTsOBMucmO
Malware Config
Extracted
- blustealer
  https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325
Signatures
- BluStealer
  A modular information stealer written in Visual Basic.
- Executes dropped EXE (2 IoCs)
  PID   Process
  924   kxlbzxzqy.exe
  564   kxlbzxzqy.exe
- Loads dropped DLL (3 IoCs)
  PID   Process
  1320  Request For Quotation.exe
  1320  Request For Quotation.exe
  924   kxlbzxzqy.exe
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Description   IoC                                                                                                                                                     Process
  Key opened    \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                                 AppLaunch.exe
  Key opened    \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                                 AppLaunch.exe
  Key opened    \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   AppLaunch.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Description                         PID   Process         procid_target
  PID 924 set thread context of 564   924   kxlbzxzqy.exe   30
  PID 564 set thread context of 616   564   kxlbzxzqy.exe   31
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: MapViewOfSection (1 IoC)
  PID   Process
  924   kxlbzxzqy.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID   Process
  564   kxlbzxzqy.exe
- Suspicious use of WriteProcessMemory (18 IoCs; identical rows collapsed with a count)
  Description                       PID    Process                     procid_target   Entries
  PID 1320 wrote to memory of 924   1320   Request For Quotation.exe   28              4
  PID 924 wrote to memory of 564    924    kxlbzxzqy.exe               30              5
  PID 564 wrote to memory of 616    564    kxlbzxzqy.exe               31              9
- outlook_office_path (1 IoC)
  Description   IoC                                                                                                                                        Process
  Key opened    \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   AppLaunch.exe
- outlook_win_path (1 IoC)
  Description   IoC                                                                                                                                                     Process
  Key opened    \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   AppLaunch.exe
Processes
- "C:\Users\Admin\AppData\Local\Temp\Request For Quotation.exe"  (PID 1320, depth 1)
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - "C:\Users\Admin\AppData\Local\Temp\kxlbzxzqy.exe" C:\Users\Admin\AppData\Local\Temp\mwxvofu.ner  (PID 924, depth 2)
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - "C:\Users\Admin\AppData\Local\Temp\kxlbzxzqy.exe"  (PID 564, depth 3)
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (PID 616, depth 4)
        - Accesses Microsoft Outlook profiles
        - outlook_office_path
        - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 460KB
  MD5: 561fea480390545e3b30dc7825feb4eb
  SHA1: a14aecc241e739b0cbc29f1fe33efa5dd743c009
  SHA256: 623769af74fd75af0a5ee02f4421fe9284644d537ad8ede8f590876978748bfd
  SHA512: 79a2c1b8bf51bf8dfa794f58c70b307afbf830dce9d4578b7d7be91b4732055c2afd503bbb67fa14ec30a8c3b68b5811f5e84e116a0d958ade2450dd34f880cb
- Filesize: 57KB (this identical file is listed seven times in the report: entries 2-5 and 7-9)
  MD5: 198a54e108c86535030a7d6cd8710ab3
  SHA1: 39ec3083766e950fdac8637b83794f92a6df189e
  SHA256: 29a410e657b881f84fe2d0cf61e5fbb1ba0c308ec614e4d20984840327a41a29
  SHA512: 9ddc70aeb144958276944b46c5215e7ac52763fd4f76c7db58c8a634532044dbf6359b5833d9a3dd5d8ef6ab5f36dc19cd9671fc19dc2d2d9850931580219539
- Filesize: 5KB (entry 6)
  MD5: f89ec267e9fe8ef34e14ed2c3b23bf91
  SHA1: d5dae45ea626ce7e951feb4c28d0c904864b1116
  SHA256: 9e33d6fca153afccda3b06f40d46c7885efccc02cd73a4f651d755d7e2c1ff59
  SHA512: da96363bc51b344ebd07c8e3c739b2b41382f56e4efeb030a1f01f572ca74bc7dd703f7157482df39167a5d6a90f47473c9b6365110aa997a1d53d47e6b5d312