Analysis Overview
SHA256
2b462a8fa08088d8a738b3e9fdad71b1655c44e5497c1cb212e514f536a780ab
Threat Level: Known bad
The file blueberry_obfuscator-VM.exe was found to be: Known bad.
Malicious Activity Summary
AgentTesla
ElysiumStealer
ElysiumStealer Support DLL
AgentTesla payload
Loads dropped DLL
Program crash
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-04-12 23:30
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-04-12 23:30
Reported
2023-04-12 23:34
Platform
win7-20230220-en
Max time kernel
30s
Max time network
33s
Command Line
Signatures
AgentTesla
ElysiumStealer
ElysiumStealer Support DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
AgentTesla payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\blueberry_obfuscator-VM.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\blueberry_obfuscator-VM.exe |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\blueberry_obfuscator-VM.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\blueberry_obfuscator-VM.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\blueberry_obfuscator-VM.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\blueberry_obfuscator-VM.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\blueberry_obfuscator-VM.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\blueberry_obfuscator-VM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\blueberry_obfuscator-VM.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1524 wrote to memory of 728 | N/A | C:\Users\Admin\AppData\Local\Temp\blueberry_obfuscator-VM.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1524 wrote to memory of 728 | N/A | C:\Users\Admin\AppData\Local\Temp\blueberry_obfuscator-VM.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1524 wrote to memory of 728 | N/A | C:\Users\Admin\AppData\Local\Temp\blueberry_obfuscator-VM.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1524 wrote to memory of 728 | N/A | C:\Users\Admin\AppData\Local\Temp\blueberry_obfuscator-VM.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\blueberry_obfuscator-VM.exe
"C:\Users\Admin\AppData\Local\Temp\blueberry_obfuscator-VM.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 1496
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | keyauth.win | udp |
| US | 104.21.57.106:443 | keyauth.win | tcp |
Files
memory/1524-54-0x00000000000F0000-0x0000000000642000-memory.dmp
memory/1524-55-0x00000000023D0000-0x00000000023E4000-memory.dmp
\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\0x7RT.dll
| MD5 | 94173de2e35aa8d621fc1c4f54b2a082 |
| SHA1 | fbb2266ee47f88462560f0370edb329554cd5869 |
| SHA256 | 7e2c70b7732fb1a9a61d7ce3d7290bc7b31ea28cbfb1dbc79d377835615b941f |
| SHA512 | cadbf4db0417283a02febbabd337bf17b254a6eb6e771f8a553a140dd2b04efd0672b1f3175c044a3edd0a911ce59d6695f765555262560925f3159bb8f3b798 |
memory/1524-59-0x0000000004560000-0x00000000045A0000-memory.dmp
memory/1524-60-0x00000000064C0000-0x00000000066D6000-memory.dmp
memory/1524-61-0x00000000066E0000-0x000000000682E000-memory.dmp
memory/1524-62-0x0000000005710000-0x0000000005724000-memory.dmp
memory/1524-63-0x0000000004560000-0x00000000045A0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-04-12 23:30
Reported
2023-04-12 23:35
Platform
win10v2004-20230220-en
Max time kernel
210s
Max time network
179s
Command Line
Signatures
ElysiumStealer
ElysiumStealer Support DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\blueberry_obfuscator-VM.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\blueberry_obfuscator-VM.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\blueberry_obfuscator-VM.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\blueberry_obfuscator-VM.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\blueberry_obfuscator-VM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\blueberry_obfuscator-VM.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\blueberry_obfuscator-VM.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\blueberry_obfuscator-VM.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\blueberry_obfuscator-VM.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\blueberry_obfuscator-VM.exe
"C:\Users\Admin\AppData\Local\Temp\blueberry_obfuscator-VM.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | assets.msn.com | udp |
| NL | 95.101.74.139:443 | assets.msn.com | tcp |
| US | 8.8.8.8:53 | 139.74.101.95.in-addr.arpa | udp |
| US | 93.184.220.29:80 | tcp | |
| US | 8.8.8.8:53 | keyauth.win | udp |
| US | 188.114.96.0:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | 0.96.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| NL | 8.238.179.126:80 | tcp | |
| NL | 173.223.113.164:443 | tcp | |
| NL | 173.223.113.131:80 | tcp | |
| US | 204.79.197.203:80 | api.msn.com | tcp |
| US | 8.8.8.8:53 | 62.13.109.52.in-addr.arpa | udp |
| NL | 8.238.179.126:80 | tcp | |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
Files
memory/4276-133-0x0000000000D70000-0x00000000012C2000-memory.dmp
memory/4276-134-0x0000000005D30000-0x0000000005D40000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\0x7RT.dll
| MD5 | 94173de2e35aa8d621fc1c4f54b2a082 |
| SHA1 | fbb2266ee47f88462560f0370edb329554cd5869 |
| SHA256 | 7e2c70b7732fb1a9a61d7ce3d7290bc7b31ea28cbfb1dbc79d377835615b941f |
| SHA512 | cadbf4db0417283a02febbabd337bf17b254a6eb6e771f8a553a140dd2b04efd0672b1f3175c044a3edd0a911ce59d6695f765555262560925f3159bb8f3b798 |
memory/4276-139-0x0000000006740000-0x0000000006CE4000-memory.dmp
memory/4276-140-0x0000000005F20000-0x0000000005FB2000-memory.dmp
memory/4276-141-0x0000000005EB0000-0x0000000005EC2000-memory.dmp
memory/4276-142-0x00000000071F0000-0x000000000722C000-memory.dmp
memory/4276-143-0x0000000007330000-0x000000000733A000-memory.dmp
memory/4276-144-0x0000000005D30000-0x0000000005D40000-memory.dmp
memory/4276-145-0x0000000005D30000-0x0000000005D40000-memory.dmp
memory/4276-146-0x0000000005D30000-0x0000000005D40000-memory.dmp