Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
24-04-2023 06:58
Static task
static1
Behavioral task
behavioral1
Sample
S0LICITUD DE PRESUPUESTO-24-04-23.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
S0LICITUD DE PRESUPUESTO-24-04-23.exe
Resource
win10v2004-20230220-en
General
-
Target
S0LICITUD DE PRESUPUESTO-24-04-23.exe
-
Size
211KB
-
MD5
f4a13d7f220fd8db56fafbdb62828a50
-
SHA1
ed98f720d6481db8d45aba7a3889d9974902d437
-
SHA256
2178c25cf14793aa8845ca8ee9f76d3271c91bc5eb763e97919415f9fb7d5e1d
-
SHA512
0d6cd19ccc47a28491f5cd442a32ec83183cc093835913cf7ca94ac679609ce648c2f15d3a11722d35d2fd5cff943abe7c073639d32e49ea294e88360cd811ac
-
SSDEEP
3072:i748SBjtujuYWofGa2OTeyGuPMZmzsq9Y2YhuhWDNJQZ5hJ8RDMh/CQgutfxvXX4:i7MOuYCduEZ8sq9Y2RWfWMRI9Ocn4
Malware Config
Extracted
blustealer
https://api.telegram.org/bot5627356603:AAG-Mx0TbSHRRW6IwndrpX3VLZdhd6C-Zac/sendMessage?chat_id=5472437377
Signatures
-
BluStealer
A Modular information stealer written in Visual Basic.
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
resource yara_rule behavioral2/memory/1776-140-0x0000000000FB0000-0x0000000000FCA000-memory.dmp family_stormkitty -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 17 icanhazip.com -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1932 set thread context of 4112 1932 S0LICITUD DE PRESUPUESTO-24-04-23.exe 83 PID 4112 set thread context of 1776 4112 Caspol.exe 84 -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 AppLaunch.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier AppLaunch.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1776 AppLaunch.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4112 Caspol.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 1932 wrote to memory of 4112 1932 S0LICITUD DE PRESUPUESTO-24-04-23.exe 83 PID 1932 wrote to memory of 4112 1932 S0LICITUD DE PRESUPUESTO-24-04-23.exe 83 PID 1932 wrote to memory of 4112 1932 S0LICITUD DE PRESUPUESTO-24-04-23.exe 83 PID 1932 wrote to memory of 4112 1932 S0LICITUD DE PRESUPUESTO-24-04-23.exe 83 PID 1932 wrote to memory of 4112 1932 S0LICITUD DE PRESUPUESTO-24-04-23.exe 83 PID 1932 wrote to memory of 4112 1932 S0LICITUD DE PRESUPUESTO-24-04-23.exe 83 PID 1932 wrote to memory of 4112 1932 S0LICITUD DE PRESUPUESTO-24-04-23.exe 83 PID 1932 wrote to memory of 4112 1932 S0LICITUD DE PRESUPUESTO-24-04-23.exe 83 PID 4112 wrote to memory of 1776 4112 Caspol.exe 84 PID 4112 wrote to memory of 1776 4112 Caspol.exe 84 PID 4112 wrote to memory of 1776 4112 Caspol.exe 84 PID 4112 wrote to memory of 1776 4112 Caspol.exe 84 PID 4112 wrote to memory of 1776 4112 Caspol.exe 84 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\S0LICITUD DE PRESUPUESTO-24-04-23.exe"C:\Users\Admin\AppData\Local\Temp\S0LICITUD DE PRESUPUESTO-24-04-23.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4112 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe3⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1776
-
-