Overview

overview

10

Static

static

1

PAYMENT SW...PY.exe

windows7-x64

10

PAYMENT SW...PY.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    96s
  • max time network
    32s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    27-03-2023 15:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PAYMENT SWIFT COPY.exe

  • Size

    1.1MB

  • MD5

    ec7c37ae9c0377f3240a274290c9c214

  • SHA1

    432915cb9e9e860a84e142719bf0e82392c69a6a

  • SHA256

    5c11c170ecb5809594f68e860f910f6d004e356d067be232c3c856c9ed78459f

  • SHA512

    326f282eb2a8c6f79de6f7019fc7d16be88345467301bc1d28c36f5c7094ac38ec206dc068d24c8bcecd0cb02e39af1d5070f839f9518f0e8e149ac5c5c0c576

  • SSDEEP

    24576:KZUu39V1vMSb4gz1o5Ti81zSdyrjLDjFPR6KrXmTDa:yltsSkW1o5Tiouy/z6KrXmX

Score
10/10
blustealercollectionstealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5916787654:AAEJEadEk6VSBHL82vTGRS9aaNuh-zG53Rg/sendMessage?chat_id=5483672364

Signatures

  • BluStealer

    A Modular information stealer written in Visual Basic.

    stealerblustealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT COPY.exe
    "C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT COPY.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:904
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT COPY.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:320
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QrErGuxRXcieO.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1032
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QrErGuxRXcieO" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6A77.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1424
    • C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT COPY.exe
      "C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT COPY.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2024
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        3⤵
        • Accesses Microsoft Outlook profiles
        • outlook_office_path
        • outlook_win_path
        PID:1676

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp6A77.tmp
    Filesize

    1KB

    MD5

    2a79895251b20ea9d39816515e33f7e2

    SHA1

    c90a0e68ca990660ce55c9d1dbbce003433469e2

    SHA256

    00dec0f9fb81e3f647e4a9c76f2bee37d551a6a0d88731ae88f5242c61c9d987

    SHA512

    0fed6c1afa020af7563a07e9e85b57e1d363d6b06b33366b30289fe6e759705c51edbc86eef2934d1fac11b6cda989a5187453e1e05caa580b0ffaf34af14325

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SLXEAJ09D3X2F31WJA0A.temp
    Filesize

    7KB

    MD5

    6344ec654712c76f5317e984ba71b685

    SHA1

    85f5381d31e751798fabae5c9d69e836876acd18

    SHA256

    2498eeacf7fef3a37f403aac389f07039907fcad516319d102d1228effb225f1

    SHA512

    cd07a6d6be2d85273f8f04b48d9b41ad2b8a5db6cc99f9f5375bd0131183108bc44f8f297a61c60ad45d0e8e6906cf116b7cd30dc531bb640883dc67af6740ae

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    6344ec654712c76f5317e984ba71b685

    SHA1

    85f5381d31e751798fabae5c9d69e836876acd18

    SHA256

    2498eeacf7fef3a37f403aac389f07039907fcad516319d102d1228effb225f1

    SHA512

    cd07a6d6be2d85273f8f04b48d9b41ad2b8a5db6cc99f9f5375bd0131183108bc44f8f297a61c60ad45d0e8e6906cf116b7cd30dc531bb640883dc67af6740ae

    Download Submit

  • memory/320-82-0x0000000001CD0000-0x0000000001D10000-memory.dmp

    Filesize

    256KB

    Download

  • memory/904-55-0x0000000004CC0000-0x0000000004D00000-memory.dmp

    Filesize

    256KB

    Download

  • memory/904-56-0x0000000000730000-0x0000000000750000-memory.dmp

    Filesize

    128KB

    Download

  • memory/904-57-0x0000000000AD0000-0x0000000000ADC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/904-58-0x0000000007ED0000-0x0000000007FBC000-memory.dmp

    Filesize

    944KB

    Download

  • memory/904-71-0x0000000008240000-0x00000000082B6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/904-54-0x0000000000C10000-0x0000000000D24000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1032-83-0x0000000002720000-0x0000000002760000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1676-85-0x0000000000130000-0x0000000000196000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1676-86-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1676-92-0x00000000009A0000-0x0000000000A5C000-memory.dmp

    Filesize

    752KB

    Download

  • memory/1676-91-0x0000000000130000-0x0000000000196000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1676-89-0x0000000000130000-0x0000000000196000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1676-87-0x0000000000130000-0x0000000000196000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2024-74-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/2024-72-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/2024-84-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/2024-73-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/2024-76-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2024-79-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/2024-77-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/2024-93-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

    Download