Analysis
-
max time kernel
30s -
max time network
33s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
12-04-2023 23:30
Static task
static1
Behavioral task
behavioral1
Sample
blueberry_obfuscator-VM.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
blueberry_obfuscator-VM.exe
Resource
win10v2004-20230220-en
General
-
Target
blueberry_obfuscator-VM.exe
-
Size
5.3MB
-
MD5
bfe2c9a81002c0b3f51e80d28166f11c
-
SHA1
49800d024d3773c4050f3ca5ac7bb79a2322334c
-
SHA256
2b462a8fa08088d8a738b3e9fdad71b1655c44e5497c1cb212e514f536a780ab
-
SHA512
3148ffbe478ac1294e61bb62688b8c938e4658df97abb1ce1271db50541b76e87d0f542e6660123db3520730de99914bd6ba44093e637e43a1436dbb06cc9db0
-
SSDEEP
98304:28zYBgkTRCyjAM0bRKLIYh74b6iGeUwjDRQOOAxY4Yj89PXAAZbJPnyl258RjPsL:28zYBgkTRCyjAM0bRKLIYh74b6iGeUwd
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
ElysiumStealer
ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
-
ElysiumStealer Support DLL 2 IoCs
resource yara_rule behavioral1/files/0x000a000000013a47-57.dat elysiumstealer_dll behavioral1/memory/1524-59-0x0000000004560000-0x00000000045A0000-memory.dmp elysiumstealer_dll -
AgentTesla payload 1 IoCs
resource yara_rule behavioral1/memory/1524-60-0x00000000064C0000-0x00000000066D6000-memory.dmp family_agenttesla -
Loads dropped DLL 1 IoCs
pid Process 1524 blueberry_obfuscator-VM.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 728 1524 WerFault.exe 26 -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS blueberry_obfuscator-VM.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer blueberry_obfuscator-VM.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion blueberry_obfuscator-VM.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 1524 blueberry_obfuscator-VM.exe 1524 blueberry_obfuscator-VM.exe 1524 blueberry_obfuscator-VM.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1524 blueberry_obfuscator-VM.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1524 wrote to memory of 728 1524 blueberry_obfuscator-VM.exe 27 PID 1524 wrote to memory of 728 1524 blueberry_obfuscator-VM.exe 27 PID 1524 wrote to memory of 728 1524 blueberry_obfuscator-VM.exe 27 PID 1524 wrote to memory of 728 1524 blueberry_obfuscator-VM.exe 27
Processes
-
C:\Users\Admin\AppData\Local\Temp\blueberry_obfuscator-VM.exe"C:\Users\Admin\AppData\Local\Temp\blueberry_obfuscator-VM.exe"1⤵
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1524 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 14962⤵
- Program crash
PID:728
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
40KB
MD594173de2e35aa8d621fc1c4f54b2a082
SHA1fbb2266ee47f88462560f0370edb329554cd5869
SHA2567e2c70b7732fb1a9a61d7ce3d7290bc7b31ea28cbfb1dbc79d377835615b941f
SHA512cadbf4db0417283a02febbabd337bf17b254a6eb6e771f8a553a140dd2b04efd0672b1f3175c044a3edd0a911ce59d6695f765555262560925f3159bb8f3b798