Analysis
-
max time kernel
151s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
26-04-2023 06:15
General
-
Target
tmplhf3940d.exe
-
Size
1.5MB
-
MD5
13dc441ec2f9e3f9aa1f354a4b14d318
-
SHA1
05b62c596ca78745d73514cd5d43434929955863
-
SHA256
6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c
-
SHA512
30f4da77bf1ba35334fc1812a6792bb91396fdc8cc7b918f81c6395a48523079cccc89c7090b5c21c30ab62939fa8663cc695ad7d876f083773f7c85cffc5242
-
SSDEEP
24576:TwMryIYPOfPFxgvnRnc215nETdxUA6p7GDHDCf0uEywBk1EM8Xzd:Md5PsPfgvRv0gA6pYC52lD
Malware Config
Extracted
blustealer
https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325
Signatures
-
BluStealer
A Modular information stealer written in Visual Basic.
-
Executes dropped EXE 22 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Drops file in System32 directory 24 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 64 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 41 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 44 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 26 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe"C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe"C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe"C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe"C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe"C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe"2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe3⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
-
-
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 8962⤵
- Modifies data under HKEY_USERS
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.1MB
MD536a2100da641d66e34ecde95d85f4022
SHA14d4f5bb04f2fd379d36a7826314ce47810d7a05b
SHA256c3ef724fb217f94b55e54b9034f483f445585818aefb053ee0bd258a0ac139d9
SHA512029cd8eebc361785e5041ccde47abee78db025ffa02f01da1bcfe43c81f9bd7fbe6edc9549765ed6704b0abcccbbdfbd1aee59dd5aa1201ace8932973d2f0e06
-
Filesize
1.4MB
MD5e05cd50deda2aaa705ce212e96505343
SHA17a4b69de1648125ac99fabb1c8fc2448bd3ebf96
SHA25606037db60520a605e250392af313cd096ea9d3344856a2869522802c268ba175
SHA5127f4d6a2bf8bdbf9a41ff72ec795320c0a8d8c3ffeaabb290fddaaaea484b5a532253b0ee589bcfdb798f0813314ca1d734b5f338ca987551b131187eedfd8e3b
-
Filesize
1.5MB
MD55f4f136b8749033a46cc7a3c4a61e90d
SHA17ce77501ad98167d45a2e747430a7ba673a3a269
SHA256059a5020e99a47327730389c178158ad71e2e9b1938cee9eb4e0c29ec6909cbd
SHA512ac01735ff08ce80b75e7fdc57e12fe2d9a9090e5bdf76184709d58096337f5083a668481aee1f14ab958087b2902e6ee037813e6b0f85ecaaa06d6328577e6f3
-
Filesize
2.1MB
MD5bc32d3ee6703c43ed1cab3f6c7caad25
SHA1387a129f6223d1fca4fb4fb652350458aeb6ec59
SHA256203e50063313751e2ac0a5a4000ec9dc3b0ffcd1d65d9817f8b13fec1b0dd781
SHA512605050c8a88de2ef0ae924d9016c32f4cd8d58b3925ad4c17469f2bf55faa0be4fa2b2fb9ca59134533ab081b9c657316d2e0b4df5af8057d80127ada3d765ca
-
Filesize
1.2MB
MD5adf4999d1db391375adfbff831c8a03f
SHA1d080caf5bda76c3e046d12e84578eb11bc9f4b0b
SHA256d3f0d49fe48130e8a0843bce30239d9ea436a8d67064eb9df22264f1464a9c68
SHA512e5d2118aa5c359680da6848c775518b5212864b042545a7e5bff5b5205e7a4845f2d8ddbaa04728cc5847c951e64c8f7931a8de4bcecb6b019fb4a761041ca8f
-
Filesize
1.7MB
MD551740392a0a13bcfa0d76414a3caa5b3
SHA111d9124832e18cf082038930986cedc11ec31df1
SHA2560991c70d68759952453c50e912de6339fb4edc55c40cc7de5349e0732a8162ae
SHA5129eaff0afa4a8b02c79d1175b2048ddf609581f5d54c6cc2d1ca24fd8231ca9f906cc08307e80a4be2ff39131e99e04f01fa041ea3635103d63dac3dd8331b889
-
Filesize
1.3MB
MD5f001246b8ef253c2927349bbfdad0417
SHA10835870290a80640a6a594a6107e2fbe3d9d1fa0
SHA256ec965c54db1b92747aab898ee5a70ab5431c37c1b53dd274b7557a379572de46
SHA512510b32ec4ae813166953dcd73778640e9771fb8d8ff6347313fc9df03f3e5cffd844f3c896e0870fb0c179fedd826f98cf6f58a9e62d8e757fc1d28e39f43b14
-
Filesize
1.2MB
MD5d61110019597a954198b91959d73d7d8
SHA14cdfee3d185bd189cb374c634346989ab26082fa
SHA256a2a53b902f6e59da464791f77302bdcd5c5bc837ed445ef390c53897da1c1b30
SHA512be90b716a78c6c00d60efc2bd010b6b0ce7868666674d36619e862c234388b1ec886ccc6a0fc11ac3b21aa49a144f13a5414f740615366c2af26740a03953b2f
-
Filesize
1.2MB
MD52194b239c3d270bf35cd724592f7f0fc
SHA1c49becd51c17e06bae3b76a4c0786cadf1b1629a
SHA2568c3911149ac9d1d46d98b62854e259a25e14880963aa86934833e96ac8094ca7
SHA512ec2dd0f7c7f7b599a996529f26597a32cd936ee5bb8db0b88f7ec00972fb3bffda560cc380df1fcd62f1ce1acd104b31648f40d6c1768c434d485c55501c2a09
-
Filesize
1.6MB
MD5423e6505c158c6c319ded77e1a472c8f
SHA1ea1d688656cf798475b3b3cc5901a9bfe13dc522
SHA2567deb54d2262d1c05f46f3693653f0de2f3eb648020652e9195a22007d3267c7d
SHA5124c0b83882b5cd9670ddd0ec9a0fe272b00a0add099d6319300b0ba945d98756f8927eb14334e41a8b8661cdc109f16a1db2656a91688ffaf34091b12e4ee6454
-
Filesize
1.6MB
MD5423e6505c158c6c319ded77e1a472c8f
SHA1ea1d688656cf798475b3b3cc5901a9bfe13dc522
SHA2567deb54d2262d1c05f46f3693653f0de2f3eb648020652e9195a22007d3267c7d
SHA5124c0b83882b5cd9670ddd0ec9a0fe272b00a0add099d6319300b0ba945d98756f8927eb14334e41a8b8661cdc109f16a1db2656a91688ffaf34091b12e4ee6454
-
Filesize
1.3MB
MD527468780c635e7bf2416b63f89769645
SHA1d99c27d2b2ad64b5244b759464d964ba349b6254
SHA2569e34741ac23ed15c83494a0f747b319a0a9c2ad08b425acb5857522d29177c73
SHA512a4ac812e219a5c41b326c3b93f30769973ffea6df65048659f856f0f76180800ba3cc369afa2a53507d88b82cbc16616e31039973feb8240c707ea1e4f953754
-
Filesize
1.4MB
MD5d38a076356d0c63fac5eb03f8e390537
SHA14191daeb040ad40360fecf7402273c085a131163
SHA2569d1969abd48fe2c059f425e34235e0d30ead80644feef1a8077cffab8375489b
SHA5120fca3176ce7e7eb3dce8cc2b7ee17d9e8a84094d0aefb6149771a8088a18a0749fa6a56cd6547c3fbd70d21b976263d0bc7fd5d810d8858c2a319d06260e9541
-
Filesize
1.8MB
MD505bb3a74934ec436c38aa1893d819d98
SHA1176f5eb796384a578505ea25427021deafef4c01
SHA256a188334819bef5795a0b7ec22d169f5727bcd59a50e955129c4896242b7ff011
SHA512b1e3c7b0ca8c7866d0c5a44692a411a30fc727da75a40415fab683e5d9d6d6862a5bc562b524b819d816c5b34bd282880bf474b05d64f349256e80401aaa5faa
-
Filesize
1.4MB
MD551de03a78b47f950268040526ed3f6a0
SHA1961c24e7531f5cbd7ff12e149facf5e24959ec44
SHA2568c58f9092f811046a101a34634ff06c411c51bb47e3ad1f1b54e27ca076ba171
SHA512fd8ea25a334ebdcd2c7dd1485a006ac0b568c191cf3986cc29e817d8d2b7d8f50eace25c1cc0a31f4dc4f72d2e28a31996c62ace86bcd4e34afd479e55d190a7
-
Filesize
1.5MB
MD51835197c98786e38d798c1d27036e602
SHA1fed8be37a2a292dd62af27bb5de1247114b51201
SHA2561ae077a25d232481dcc59b9a8c0a8addf60be65ecdae754bdccbaeb86328b91a
SHA512f1fc22b6314c23511422015e30b20fd1e6f0412e0a7429a05f54f3252106e1fa973b4bb6bf4a8da08de428ef1b645cb581cd3f6955f9ce13fe1566102f1a9338
-
Filesize
2.0MB
MD5cf08340b47821f84a2c04015c37d2566
SHA15103a3b590d9c37d8c1bdf30fa6c11c49d19faf2
SHA2567362bbc3d65786b6e390c58e45aac87a6ed3892924903a4b2a41a2b703a7da2a
SHA512d3b60e7fb8b7212627338fe7b32d5542537da9e3b1e3ebebe51f4b7ec1b6957919153d318b5ff222efd635d98a99a74ea63edf61c0f9191d19d9a188e5a2e527
-
Filesize
1.3MB
MD511a2001ce6ac2960399098f1384b5c65
SHA18fa10bdabadb51016bdfef4bc75b1f0ae7146b99
SHA2567468e8d53bde7ffd5182a88bf65e8b96af8861e9b90592fb23d1c0bfa53c7ad7
SHA512a6dcdc61fa619d69a8ea3316f27b1c97545ba1618167168924715fadaa2eb5c39382eec49aab9b250a16345f9fd509d6170da97eb9013b0db8aa36a41eceb048
-
Filesize
1.4MB
MD5c0822fda503e09211dcfd4ce858a58d7
SHA143cbc073b913463ba3305ed30d2cccb2500b8c4f
SHA2566a511cad9438cc1eb5864768eff5a539c8026b206cd8f25d7b58aa11c19de906
SHA51283ac126b29c2094f6d226d41323867cf5ceedf2ecca327dc6606a370b9532d5f891a5733e211cf99889b472614dee3ff36a6a849733b11fa7b755933a7e272a2
-
Filesize
1.2MB
MD54dcb9d4145fc5173b27555a7ccbb43f1
SHA18bf83ec6ce1a029de18219e7393561f3827c7f2e
SHA2567268e242a3b0239f0f78e4debbeb0da4ab98452dc953548cb5b8440527f548be
SHA512c6fe6808b7de8ced1fb1819908a0cea3a9c61d1b722a292ac065cd45175d0229cbf690d9aa7ce43b0f3dbd98afb8eb4fbdfd6f5bb338fb78850da32f3ca43e9c
-
Filesize
1.3MB
MD5f42f5fb13d10c79f8b649a3fa8b1eec2
SHA1c1440bd5a8d69e2b582763e41c54c68df19cb6c1
SHA256edfcbf9e620512082abb6c14fa7223c443bb9e5a1b11d3e66defd39d53119054
SHA512200ef400e324ce1fdaf93887b1b91401453db4eb76150589f87fd2eb93cccf9b32489e368bba71cafe785bd46714bb0a39aba0b599d7ee078e00d75f4d14a983
-
Filesize
1.4MB
MD506c99ce795aa76b65c18ad0bdfae41aa
SHA1cf388c66bc9c0dfcbdc08ae05a1977087a403d6c
SHA256b36f8ce19cf6ccc38ddc1cb139d0a253b1086792e93c306dc3d2c6c65cb44282
SHA5121875339091d100bea36800f0a73ebd45388ed9c002019ccff7701f5584a9f800001cd6d3e011e4ace041265264f6964dae2bac56dded4ed2f1cd15a2c766a755
-
Filesize
2.1MB
MD5b70040e57951e8283120a47044743982
SHA15ba298807b215cabd1bc8838ada8ba0b607d04d5
SHA2562c90c26b24bdbfd86e759e028d608a716878928996272b6d128653d3ed8ea7e0
SHA51291ba21980ab8f72b933a591bbd01aa4294c44e0fc88195559a51f5c7cd96b30d1e6d8c4d646f75a2bd1040f777373e291057d9a37d1c302554d56e830821299a
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
408KB
-
Filesize
1.9MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
2.3MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
2.2MB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
2.2MB
-
Filesize
2.0MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
384KB
-
Filesize
2.1MB
-
Filesize
64KB
-
Filesize
624KB
-
Filesize
1.5MB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
2.3MB
-
Filesize
5.6MB
-
Filesize
2.3MB
-
Filesize
584KB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.2MB
-
Filesize
1.8MB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
2.1MB
-
Filesize
384KB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
384KB
-
Filesize
2.0MB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
2.0MB
-
Filesize
2.0MB