Analysis Overview
SHA256
d85f8012ae2bd3aa07e73fc7967891eec06562d90968a0f8589eac232bc8d014
Threat Level: Known bad
The file 6762bbcbc3e23a6006e8dbe978b8b85d.bin was found to be: Known bad.
Malicious Activity Summary
BluStealer
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-04-22 01:28
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-04-22 01:28
Reported
2023-04-22 01:31
Platform
win7-20230220-en
Max time kernel
65s
Max time network
33s
Command Line
Signatures
BluStealer
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1968 set thread context of 320 | N/A | C:\Users\Admin\AppData\Local\Temp\7042b9a81eaf1ddd3de522f40e80a915e0e44c6843320013daaa8ee2a842a9e2.exe | C:\Users\Admin\AppData\Local\Temp\7042b9a81eaf1ddd3de522f40e80a915e0e44c6843320013daaa8ee2a842a9e2.exe |
| PID 320 set thread context of 1672 | N/A | C:\Users\Admin\AppData\Local\Temp\7042b9a81eaf1ddd3de522f40e80a915e0e44c6843320013daaa8ee2a842a9e2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7042b9a81eaf1ddd3de522f40e80a915e0e44c6843320013daaa8ee2a842a9e2.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\7042b9a81eaf1ddd3de522f40e80a915e0e44c6843320013daaa8ee2a842a9e2.exe
"C:\Users\Admin\AppData\Local\Temp\7042b9a81eaf1ddd3de522f40e80a915e0e44c6843320013daaa8ee2a842a9e2.exe"
C:\Users\Admin\AppData\Local\Temp\7042b9a81eaf1ddd3de522f40e80a915e0e44c6843320013daaa8ee2a842a9e2.exe
"C:\Users\Admin\AppData\Local\Temp\7042b9a81eaf1ddd3de522f40e80a915e0e44c6843320013daaa8ee2a842a9e2.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Network
Files
memory/1968-54-0x0000000000E60000-0x0000000000F3C000-memory.dmp
memory/1968-55-0x0000000004E80000-0x0000000004EC0000-memory.dmp
memory/1968-56-0x0000000000540000-0x0000000000554000-memory.dmp
memory/1968-57-0x0000000004E80000-0x0000000004EC0000-memory.dmp
memory/1968-58-0x0000000000640000-0x000000000064C000-memory.dmp
memory/1968-59-0x0000000006140000-0x00000000061EC000-memory.dmp
memory/1968-60-0x0000000004880000-0x00000000048F6000-memory.dmp
memory/320-61-0x0000000000400000-0x000000000046E000-memory.dmp
memory/320-62-0x0000000000400000-0x000000000046E000-memory.dmp
memory/320-63-0x0000000000400000-0x000000000046E000-memory.dmp
memory/320-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/320-66-0x0000000000400000-0x000000000046E000-memory.dmp
memory/320-68-0x0000000000400000-0x000000000046E000-memory.dmp
memory/320-71-0x0000000000400000-0x000000000046E000-memory.dmp
memory/1672-72-0x0000000000090000-0x00000000000F6000-memory.dmp
memory/1672-73-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/1672-74-0x0000000000090000-0x00000000000F6000-memory.dmp
memory/1672-76-0x0000000000090000-0x00000000000F6000-memory.dmp
memory/1672-78-0x0000000000090000-0x00000000000F6000-memory.dmp
memory/1672-79-0x00000000044F0000-0x00000000045AC000-memory.dmp
memory/320-80-0x0000000000400000-0x000000000046E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-04-22 01:28
Reported
2023-04-22 01:31
Platform
win10v2004-20230220-en
Max time kernel
144s
Max time network
145s
Command Line
Signatures
BluStealer
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3776 set thread context of 4040 | N/A | C:\Users\Admin\AppData\Local\Temp\7042b9a81eaf1ddd3de522f40e80a915e0e44c6843320013daaa8ee2a842a9e2.exe | C:\Users\Admin\AppData\Local\Temp\7042b9a81eaf1ddd3de522f40e80a915e0e44c6843320013daaa8ee2a842a9e2.exe |
| PID 4040 set thread context of 4320 | N/A | C:\Users\Admin\AppData\Local\Temp\7042b9a81eaf1ddd3de522f40e80a915e0e44c6843320013daaa8ee2a842a9e2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Enumerates physical storage devices
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7042b9a81eaf1ddd3de522f40e80a915e0e44c6843320013daaa8ee2a842a9e2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7042b9a81eaf1ddd3de522f40e80a915e0e44c6843320013daaa8ee2a842a9e2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7042b9a81eaf1ddd3de522f40e80a915e0e44c6843320013daaa8ee2a842a9e2.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7042b9a81eaf1ddd3de522f40e80a915e0e44c6843320013daaa8ee2a842a9e2.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\7042b9a81eaf1ddd3de522f40e80a915e0e44c6843320013daaa8ee2a842a9e2.exe
"C:\Users\Admin\AppData\Local\Temp\7042b9a81eaf1ddd3de522f40e80a915e0e44c6843320013daaa8ee2a842a9e2.exe"
C:\Users\Admin\AppData\Local\Temp\7042b9a81eaf1ddd3de522f40e80a915e0e44c6843320013daaa8ee2a842a9e2.exe
"C:\Users\Admin\AppData\Local\Temp\7042b9a81eaf1ddd3de522f40e80a915e0e44c6843320013daaa8ee2a842a9e2.exe"
C:\Users\Admin\AppData\Local\Temp\7042b9a81eaf1ddd3de522f40e80a915e0e44c6843320013daaa8ee2a842a9e2.exe
"C:\Users\Admin\AppData\Local\Temp\7042b9a81eaf1ddd3de522f40e80a915e0e44c6843320013daaa8ee2a842a9e2.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 52.152.110.14:443 | tcp | |
| US | 13.89.179.10:443 | tcp | |
| NL | 173.223.113.164:443 | tcp | |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| US | 52.152.110.14:443 | tcp | |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.249.124.192.in-addr.arpa | udp |
| US | 93.184.221.240:80 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 52.152.110.14:443 | tcp |
Files
memory/3776-133-0x0000000000E00000-0x0000000000EDC000-memory.dmp
memory/3776-134-0x0000000005EA0000-0x0000000006444000-memory.dmp
memory/3776-135-0x00000000058F0000-0x0000000005982000-memory.dmp
memory/3776-136-0x0000000003440000-0x0000000003450000-memory.dmp
memory/3776-137-0x0000000003430000-0x000000000343A000-memory.dmp
memory/3776-138-0x0000000003440000-0x0000000003450000-memory.dmp
memory/3776-139-0x0000000008A90000-0x0000000008B2C000-memory.dmp
memory/4040-140-0x0000000000400000-0x000000000046E000-memory.dmp
memory/4040-143-0x0000000000400000-0x000000000046E000-memory.dmp
memory/4320-146-0x0000000000D00000-0x0000000000D66000-memory.dmp
memory/4040-148-0x0000000000400000-0x000000000046E000-memory.dmp