Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
-
submitted
24/04/2023, 06:58 UTC
General
-
Target
S0LICITUD DE PRESUPUESTO-24-04-23.exe
-
Size
211KB
-
MD5
f4a13d7f220fd8db56fafbdb62828a50
-
SHA1
ed98f720d6481db8d45aba7a3889d9974902d437
-
SHA256
2178c25cf14793aa8845ca8ee9f76d3271c91bc5eb763e97919415f9fb7d5e1d
-
SHA512
0d6cd19ccc47a28491f5cd442a32ec83183cc093835913cf7ca94ac679609ce648c2f15d3a11722d35d2fd5cff943abe7c073639d32e49ea294e88360cd811ac
-
SSDEEP
3072:i748SBjtujuYWofGa2OTeyGuPMZmzsq9Y2YhuhWDNJQZ5hJ8RDMh/CQgutfxvXX4:i7MOuYCduEZ8sq9Y2RWfWMRI9Ocn4
Score
10/10
Malware Config
Extracted
Family
blustealer
C2
https://api.telegram.org/bot5627356603:AAG-Mx0TbSHRRW6IwndrpX3VLZdhd6C-Zac/sendMessage?chat_id=5472437377
Signatures
-
BluStealer
A Modular information stealer written in Visual Basic.
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 2 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\S0LICITUD DE PRESUPUESTO-24-04-23.exe"C:\Users\Admin\AppData\Local\Temp\S0LICITUD DE PRESUPUESTO-24-04-23.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe3⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
-
Network
-
DNS104.219.191.52.in-addr.arpaRemote address:8.8.8.8:53Request104.219.191.52.in-addr.arpaIN PTRResponse -
DNSicanhazip.comRemote address:8.8.8.8:53Requesticanhazip.comIN AResponseicanhazip.comIN A104.18.115.97icanhazip.comIN A104.18.114.97
-
GEThttp://icanhazip.com/Remote address:104.18.115.97:80RequestGET / HTTP/1.1
Host: icanhazip.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Date: Mon, 24 Apr 2023 06:59:06 GMT
Content-Type: text/plain
Content-Length: 13
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET
Set-Cookie: __cf_bm=ItaysSpmWaHLK7kAwdwqR8R3zfRU0ihaOxzVjrc6TjA-1682319546-0-AdioU2xMPriKcNE9pcGemSvUjdseqXWnBtvAnoVDwEE/ftK6YVtEKGAgAYMlhViafD/cOBtWiD/XPe8AfmhL/eE=; path=/; expires=Mon, 24-Apr-23 07:29:06 GMT; domain=.icanhazip.com; HttpOnly
Server: cloudflare
CF-RAY: 7bcc762bfed9b8a3-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
-
DNS97.115.18.104.in-addr.arpaRemote address:8.8.8.8:53Request97.115.18.104.in-addr.arpaIN PTRResponse
-
DNS95.221.229.192.in-addr.arpaRemote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
DNS123.108.74.40.in-addr.arpaRemote address:8.8.8.8:53Request123.108.74.40.in-addr.arpaIN PTRResponse
-
DNS228.249.119.40.in-addr.arpaRemote address:8.8.8.8:53Request228.249.119.40.in-addr.arpaIN PTRResponse
-
DNS171.39.242.20.in-addr.arpaRemote address:8.8.8.8:53Request171.39.242.20.in-addr.arpaIN PTRResponse
-
DNS171.39.242.20.in-addr.arpaRemote address:8.8.8.8:53Request171.39.242.20.in-addr.arpaIN PTRResponse
-
DNS2.36.159.162.in-addr.arpaRemote address:8.8.8.8:53Request2.36.159.162.in-addr.arpaIN PTRResponse
-
DNS0.77.109.52.in-addr.arpaRemote address:8.8.8.8:53Request0.77.109.52.in-addr.arpaIN PTRResponse
-
DNS157.123.68.40.in-addr.arpaRemote address:8.8.8.8:53Request157.123.68.40.in-addr.arpaIN PTRResponse
-
104.18.115.97:80http://icanhazip.com/http
HTTP Request
GET http://icanhazip.com/HTTP Response
200 -
93.184.220.29:80
-
20.54.89.15:443 -
93.184.221.240:80
-
93.184.221.240:80
-
173.223.113.164:443 -
173.223.113.131:80
-
204.79.197.203:80
-
8.8.8.8:53104.219.191.52.in-addr.arpadns
DNS Request
104.219.191.52.in-addr.arpa
-
8.8.8.8:53icanhazip.comdns
DNS Request
icanhazip.com
DNS Response
104.18.115.97104.18.114.97
-
8.8.8.8:5397.115.18.104.in-addr.arpadns
DNS Request
97.115.18.104.in-addr.arpa
-
8.8.8.8:5395.221.229.192.in-addr.arpadns
DNS Request
95.221.229.192.in-addr.arpa
-
8.8.8.8:53123.108.74.40.in-addr.arpadns
DNS Request
123.108.74.40.in-addr.arpa
-
8.8.8.8:53228.249.119.40.in-addr.arpadns
DNS Request
228.249.119.40.in-addr.arpa
-
8.8.8.8:53171.39.242.20.in-addr.arpadns
DNS Request
171.39.242.20.in-addr.arpa
-
8.8.8.8:53171.39.242.20.in-addr.arpadns
DNS Request
171.39.242.20.in-addr.arpa
-
8.8.8.8:532.36.159.162.in-addr.arpadns
DNS Request
2.36.159.162.in-addr.arpa
-
8.8.8.8:530.77.109.52.in-addr.arpadns
DNS Request
0.77.109.52.in-addr.arpa
-
8.8.8.8:53157.123.68.40.in-addr.arpadns
DNS Request
157.123.68.40.in-addr.arpa
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
208KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
104KB
-
Filesize
408KB
-
Filesize
624KB