Analysis
-
max time kernel
151s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
30-04-2023 22:44
Static task
static1
Behavioral task
behavioral1
Sample
0FERTA_Y.EXE.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
0FERTA_Y.EXE.exe
Resource
win10v2004-20230220-en
General
-
Target
0FERTA_Y.EXE.exe
-
Size
202KB
-
MD5
a9419910dc159e785f4f7d060b99703d
-
SHA1
164c8c53881f9e65d19233c6b9eed1d0231e7cfb
-
SHA256
56fe514e3ea3eda0569cf8b79741fe9ed9b391fe06f07b33d847ccdd7fda18ae
-
SHA512
f8dad0c0825aab81f9ad4ca4d138b7e653181b3c4d9ad8162f99568ea55168b82265097afa8be8afc23ad571547647b32bf49f0247fbe14b67269e8144b80358
-
SSDEEP
6144:tH6xBmSbrrTTCgb9/z2qBop/Nkt9Tdz/6R36:tAWgbdgp/NktrWR
Malware Config
Extracted
blustealer
https://api.telegram.org/bot5627356603:AAG-Mx0TbSHRRW6IwndrpX3VLZdhd6C-Zac/sendMessage?chat_id=5472437377
Signatures
-
BluStealer
A Modular information stealer written in Visual Basic.
-
Detects Redline Stealer samples 1 IoCs
This rule detects the presence of Redline Stealer samples based on their unique strings.
resource yara_rule behavioral2/memory/3204-142-0x0000000004E40000-0x0000000004EA6000-memory.dmp redline_stealer -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
resource yara_rule behavioral2/memory/3204-141-0x00000000005A0000-0x00000000005BA000-memory.dmp family_stormkitty -
.NET Reactor proctector 1 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
resource yara_rule behavioral2/memory/1992-133-0x000001D496240000-0x000001D496278000-memory.dmp net_reactor -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 22 icanhazip.com -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1992 set thread context of 4576 1992 0FERTA_Y.EXE.exe 85 PID 4576 set thread context of 3204 4576 Caspol.exe 86 -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 AppLaunch.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier AppLaunch.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3204 AppLaunch.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4576 Caspol.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 1992 wrote to memory of 4576 1992 0FERTA_Y.EXE.exe 85 PID 1992 wrote to memory of 4576 1992 0FERTA_Y.EXE.exe 85 PID 1992 wrote to memory of 4576 1992 0FERTA_Y.EXE.exe 85 PID 1992 wrote to memory of 4576 1992 0FERTA_Y.EXE.exe 85 PID 1992 wrote to memory of 4576 1992 0FERTA_Y.EXE.exe 85 PID 1992 wrote to memory of 4576 1992 0FERTA_Y.EXE.exe 85 PID 1992 wrote to memory of 4576 1992 0FERTA_Y.EXE.exe 85 PID 1992 wrote to memory of 4576 1992 0FERTA_Y.EXE.exe 85 PID 4576 wrote to memory of 3204 4576 Caspol.exe 86 PID 4576 wrote to memory of 3204 4576 Caspol.exe 86 PID 4576 wrote to memory of 3204 4576 Caspol.exe 86 PID 4576 wrote to memory of 3204 4576 Caspol.exe 86 PID 4576 wrote to memory of 3204 4576 Caspol.exe 86 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0FERTA_Y.EXE.exe"C:\Users\Admin\AppData\Local\Temp\0FERTA_Y.EXE.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4576 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe3⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3204
-
-