Analysis
-
max time kernel
138s -
max time network
51s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
03-03-2023 11:31
Static task
static1
Behavioral task
behavioral1
Sample
Pago pendiente 01-05-2023.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
Pago pendiente 01-05-2023.exe
Resource
win10v2004-20230220-en
General
-
Target
Pago pendiente 01-05-2023.exe
-
Size
892KB
-
MD5
63c05e9cefd9e149912798971d3bac59
-
SHA1
2647d01bad450859a0237da0cf8c577afea02f28
-
SHA256
4213052d1b9d7daa7ca2d2e17eded80218602122bd697c72adbb88139d60ce7d
-
SHA512
865adeccbbea012401713ef6315b3bed3b1eff6f35d5d2bda984bd3545dd0696bc0b1e272ba94fd92374bad4224962dc779938be07166a7abee78d4752a0ad29
-
SSDEEP
24576:kudWVLuCLQA+hhbaRVqLHiRMKiyMKrMEC1+lGuCf:/dvYLgHiRMKiyMKbC1+Iu0
Malware Config
Extracted
blustealer
https://api.telegram.org/bot5627356603:AAG-Mx0TbSHRRW6IwndrpX3VLZdhd6C-Zac/sendMessage?chat_id=5472437377
Signatures
-
BluStealer
A Modular information stealer written in Visual Basic.
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 5 IoCs
resource yara_rule behavioral1/memory/1296-69-0x00000000000D0000-0x00000000000EA000-memory.dmp family_stormkitty behavioral1/memory/1296-71-0x00000000000D0000-0x00000000000EA000-memory.dmp family_stormkitty behavioral1/memory/1296-73-0x00000000000D0000-0x00000000000EA000-memory.dmp family_stormkitty behavioral1/memory/1296-74-0x0000000004E60000-0x0000000004EA0000-memory.dmp family_stormkitty behavioral1/memory/1296-76-0x0000000004E60000-0x0000000004EA0000-memory.dmp family_stormkitty -
.NET Reactor proctector 1 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
resource yara_rule behavioral1/memory/1236-54-0x0000000001080000-0x0000000001160000-memory.dmp net_reactor -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 3 icanhazip.com -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1236 set thread context of 2004 1236 Pago pendiente 01-05-2023.exe 26 PID 2004 set thread context of 1296 2004 caspol.exe 27 -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 AppLaunch.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier AppLaunch.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1296 AppLaunch.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2004 caspol.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 1236 wrote to memory of 2004 1236 Pago pendiente 01-05-2023.exe 26 PID 1236 wrote to memory of 2004 1236 Pago pendiente 01-05-2023.exe 26 PID 1236 wrote to memory of 2004 1236 Pago pendiente 01-05-2023.exe 26 PID 1236 wrote to memory of 2004 1236 Pago pendiente 01-05-2023.exe 26 PID 1236 wrote to memory of 2004 1236 Pago pendiente 01-05-2023.exe 26 PID 1236 wrote to memory of 2004 1236 Pago pendiente 01-05-2023.exe 26 PID 1236 wrote to memory of 2004 1236 Pago pendiente 01-05-2023.exe 26 PID 1236 wrote to memory of 2004 1236 Pago pendiente 01-05-2023.exe 26 PID 1236 wrote to memory of 2004 1236 Pago pendiente 01-05-2023.exe 26 PID 2004 wrote to memory of 1296 2004 caspol.exe 27 PID 2004 wrote to memory of 1296 2004 caspol.exe 27 PID 2004 wrote to memory of 1296 2004 caspol.exe 27 PID 2004 wrote to memory of 1296 2004 caspol.exe 27 PID 2004 wrote to memory of 1296 2004 caspol.exe 27 PID 2004 wrote to memory of 1296 2004 caspol.exe 27 PID 2004 wrote to memory of 1296 2004 caspol.exe 27 PID 2004 wrote to memory of 1296 2004 caspol.exe 27 PID 2004 wrote to memory of 1296 2004 caspol.exe 27 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Pago pendiente 01-05-2023.exe"C:\Users\Admin\AppData\Local\Temp\Pago pendiente 01-05-2023.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe3⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1296
-
-