Analysis
-
max time kernel
152s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
01-05-2023 20:08
General
-
Target
RFQ 21032023.exe
-
Size
1.5MB
-
MD5
26d46c2c07d584f1a04280f47182e909
-
SHA1
381ec91ba5c4206be19a10a1cb0d2328a9385d71
-
SHA256
295ebe6ba820bb813c6e9dd5526bf194a8da0268085ba0fc805f19c1ae3c6186
-
SHA512
3cd2e063ed27a84cfa2513e76a77f6ed8a7987ff42f1e5e9ab9400491b1cfc0b407945ca09ab1a839807ac850a44a0521aa5fa2f9a90c9bd2df1ee0eefc3c8c0
-
SSDEEP
24576:D1fkORzjCc1R7CIPVQ/NcnBZuSAszPeo28pW4NiocXtWLezho6OrHRYfDz:Dabc7nyNgqSHzPj3zDYt8EhuWf
Malware Config
Extracted
blustealer
https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325
Signatures
-
BluStealer
A Modular information stealer written in Visual Basic.
-
Executes dropped EXE 22 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Drops file in System32 directory 24 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 21 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 35 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 43 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe"C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe"C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe"2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe3⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
-
-
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 9002⤵
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.1MB
MD598fab8319fb3ca593ddc88e50dd929f0
SHA1d01d8c92b6a8a3302af3dc4305cd4a885289f22f
SHA2561b1212fc864e3d1bf913ca08f16e70ba8ff4416c14f402e446fffb3dc719bd89
SHA512586a7a84bdfe078b447458f2a421fdbc237690ec2eaac1eba28a06f821224f362ebee5f0460f44dab8c37507d06fb972c656cb5ef10c046fc35683b1d360cb82
-
Filesize
1.4MB
MD524394a04040bf575e6f1456c085a5fd3
SHA10c7b97a5d259a1305b3ab07df173eeedae3de7c7
SHA25602f2e23b74c8a2fb0d1f01e4197ea9aabf6d93b501367b66a6898ef0125893c8
SHA51274c8cd165126a888758e5fc6034138ac64c2e56d9ddf1cbe660bc60ab4ed494d1d62d7191dd12ba6549ec0d17cc159e45e9079075ee145e85b9c742361d794b4
-
Filesize
1.5MB
MD55aa6226fd6e3f5fae82ef1333a72055b
SHA1dcdfaacd0d16cc69e23bd678ceb5d4d598024316
SHA256bf21affcab8dfaff93e727aaf331b7744415244ae29e8a7d2b50d5b9fa247f6d
SHA51220a797f2ac198cd52e7946b8045acb1e39f6a33a2e6980489d3324a76d16a70ac81c1ccd616c39d48b46e16cf7beac279e907b490a937e0095ba940d92d35d10
-
Filesize
2.1MB
MD5a0ea7df583cf199f7f11cfda25721b8d
SHA1718d157fdbf6cdaecb305d70f2628ebe260cbf6e
SHA256e8f250f5572be610de5864831da19fbe35527f57d64d2804dc22c34cb4d27ce6
SHA512e6687218d427436ac243a806b10e135b10c09cc6e49617f14dc7023bdc46dcb45e0e6530150fb3030511fec2f619687eed598bb19625fe7a5401465aa6504f42
-
Filesize
1.2MB
MD5f34ae0e8fecfd19c89869fa5e0f4d40d
SHA19d71ca3c6ddceece89d1c6c5f8b961611fd67238
SHA25664295ad25309811b8f0c6564a0d0cbe8a8e341dee9c3e7cabb8c61782b4f7f8c
SHA512762abd9f560597814414f35c9939ba07a9a51ab855862ae9042bf9cd3f20a7c914aed953fca86e63bc13d43db10ef738e7fb78c0ea04b75f8f2238a584d33551
-
Filesize
1.7MB
MD5476ed83873f5a0cd8b14a72852a1a33d
SHA1472dea25d53fa5d4c72fd8980b0ebeddddfc2e6e
SHA256bd28f18127ec70e942262f345ee1cf5b9d7a5f9a200a6e91cb38d9ff026cb37b
SHA51280e50df47cdbc6e3ae880280c26595c7230e1142c1d0d8d02bd677366b5ae1e0f6583e44ece9b1b9272824e18ec2906fc04d47f8925e0eec9bf04e27ecb09eac
-
Filesize
1.3MB
MD5e3cde4aa7dc1d3472c1f5ee00af9a8d4
SHA122b3e9c4e69b166c2c8a92e7b17674a0c8317c25
SHA25661fc767d21422e11e0403e14bb75939e95e1c373d099e5cf6386c0d9ffac6493
SHA5127ce889b093ccc66bfe90a6e69379b0a4f831e05cf3a2c11282b76dfd0627cafdaf095a45b7d9535173b677a9334e9b5bbd4f44f09ae16acfa64764b0f598204b
-
Filesize
1.2MB
MD5de77e43adb12f6caed09e905bb1a889a
SHA14c096fe67fc25d3d1623de6fd9c890d8d891cf23
SHA25602c142e4d44e3e8aab0e80aadb5db58d502be97cbcc1b8878425d339c2fa8cac
SHA5122599a4aab299fda4026e0f4ba6c285baee5d08a963df3c43aa7430146996f9c9f7d52c5e402ffda3af24dd265480fb659cc0b3ed146cbd65c68984c8a4ce7829
-
Filesize
1.2MB
MD5dc3a5b28b5905d5ad8f0b4f20dbec578
SHA1ec15654bb06305b0a7c57c1dc87fd22280d4943a
SHA2565a8ac6839305e358922899493b49ddc97e6a2a274ae014140b1d178ec2a85991
SHA512aae620fa489afd0932212755e23c26260d9f054e4bd6dca499a275ec279478b22b607fbcfaf5b738b4de47f2f0bc620ec128808b12833c8e9af278a622607f35
-
Filesize
1.6MB
MD592097aada7ae10b08f17d72d8c1c6732
SHA1d259f4da0a005670b4cad27cf45669f949892e35
SHA256428312af0f25fd90a4741cc364dbe765470d47343f53be891a4dc06197b875ef
SHA512d325fe1e164de43db4e825b40ee195fce9100e8f7db2021907f55eb826fd0462aab9da73fad697fe0039709b8a2c55aa0c7ae79642e29368d83ecd7e66913d15
-
Filesize
1.6MB
MD592097aada7ae10b08f17d72d8c1c6732
SHA1d259f4da0a005670b4cad27cf45669f949892e35
SHA256428312af0f25fd90a4741cc364dbe765470d47343f53be891a4dc06197b875ef
SHA512d325fe1e164de43db4e825b40ee195fce9100e8f7db2021907f55eb826fd0462aab9da73fad697fe0039709b8a2c55aa0c7ae79642e29368d83ecd7e66913d15
-
Filesize
1.3MB
MD5ffd47e81b1768d312c8ecc9166c833b5
SHA150833ee0d6170eeee615695fa574a0d0e7839e9f
SHA25651680bbbdd0bcad11ea5260854bb9f95ee6d7c25a8179513f6a325dbf80d454e
SHA51201e875b25d4b0342857c396f7b9050a1251fca8ac4f45f93ab227dfbd013b5f2a4bce03fc732bf621c4bc1599f733a638b2a06ea71a9f4de65ddf4162fef6085
-
Filesize
1.4MB
MD5a123979a33b3a8962149fd5a9bd0a1a9
SHA155c2d92db3329416e8a0fd6560af7671f9e30e90
SHA256c8d18fa1a512cfaad700cc5dc19cc5311e0441e5f7f553f7ceadfb474c8e0fb6
SHA512d9fb70b5efeb6549f968f25fba64d4c3582e111aeb55fc51e1070807a3e52cb9f2ddb126c60358be93a1c9833dabcb1c9bdbeb498de5377c5b4123a8a57ced3e
-
Filesize
1.8MB
MD5bcb34fccc9a7d90740dbea80ef146ffe
SHA10eecd1b9ff37db0803a989195ba1930f77fd0d05
SHA256e9a3fecac0f36812e88cdd1d571a939c3ab4b8059666292390952f821f3ae46d
SHA5126c527b81b12c3d03b8fe39978dced3a12766b5320508b3a2b1b3de5b4fd08eb4288cf0a6d3f71d2d808ea08255fca17dbac39d6daf2e7e1738b815cae3aaa0f2
-
Filesize
1.4MB
MD51298d779e88fb8ddba6e89ff8640dcb3
SHA17a5108f031b1deaf723c6f644e8f2939a2f98290
SHA256dbd16f0ef289818b9606bf0d51be469174fbb915c5b01b77e728ad34cd16fe10
SHA51253c18090b7842b1ab8a685e11e0175e1c6d294af7202ba3efe03fec98dcddbecb30798e4cc4300ef1c747c5a49d5f18636a792621a518d7c67b28ff845481ffa
-
Filesize
1.5MB
MD52cb8767f61bd0a5e450bf5bf191f0332
SHA1352c3987a208a680108907a204f2d1becc55e0f9
SHA256efbbab5b05da84bb8f7e9f0ef7c4b0af7b5fb415dc07ca4d719db357bb45c4fd
SHA512a4a322061411f86fe1d8f60dc47c5574d3a9c6b220a466a9d90de31365c32ca0149a9e36ff661d7981a5521b7b9e6e2c549ef9a7137b6324d4888097aaff55a9
-
Filesize
2.0MB
MD5fee16c5d0ef5406636b54e8e6175c25e
SHA11413381587f47ec8f081d284f07d8b92d191b28c
SHA256d855dc5e3988e2d04983c1c09b64fc065f834031239b8cc8a0bc6b58dfd47671
SHA51278d08a7717156cfca8fb2316de2ae99334ade39fcadc2214b16b7080396fcc5fc209bc65ef665ec6e32ac3f858e00a5307330949b6e1939a8919f41d373ec9ec
-
Filesize
1.3MB
MD548fd1c2b0ebac9a69f7529d6b16ade23
SHA14139d0311d9fe0b1b8f472db1a1ae37c512a7771
SHA25601dd180137ac82c11f764fdfc9059da27959521a12a4782beb88da323879195f
SHA51248a55db42574f9ea6cdf3889bdeaec8bde964e84bf4571dd0804c70098e0669fc252113d6068cf8bb22b8ee655583a0939e6eed4b864e395e940c82a7e638a3f
-
Filesize
1.4MB
MD5686f26d642441c6f02c99983b3b8ea07
SHA12f6a4d3ef5927d39d23ac7e0dae0b321a1e84ba1
SHA2568cba5d656713c8f46822bfb047de7e038301c7933835fdae040ec9ae256099ab
SHA51274095ee4daffafc800ff2f1e0f232b6bc17f28a2d94eeae473477cbaeb9f71886047fd7218a85b135e261e82070fcf03e20e80525e766da1585c8b95ba538642
-
Filesize
1.2MB
MD590a72157e03a02e67008fe778401cd4b
SHA10cc908d4c1469ab18299974132b1bc11ee8c27bf
SHA256bc66d2c560f8c9b5f22f4a97c66959239beb582f81630bb156b990e22539e817
SHA512be02f45e73630293877b1df84b5ea1ecddf76511a994a10d227541b3499f0ad9b713e250f976ca426d7c7f43846661e4136c869f5ff364a6130c4fd44248b185
-
Filesize
1.3MB
MD5f239dd6e55b339c0ad1005310b569feb
SHA1d6e784d31c0e7d4e1a42c889dd3de1d5ff6d3cc3
SHA256af3583a4c322978c797bb92c9421befbd660e5d539c44e459c555d5fe9e43ab2
SHA5124c45a8c6f4114b2659c66787bc745de8f6782e838d614b90c2a1b641bda848f4b192a800ebaace86c61b1820b496d20d5d6125351042a6de2cb04daa932378e6
-
Filesize
1.4MB
MD57bddd58d73da6a1d9bd586b0e7d752f8
SHA1e623b663d688995c9b9c47fc11a84beecd2a6829
SHA2563d5863000162c52f731b75b08b294dd9212b0a74d0ff22128a07e7887e65bc83
SHA5121b6f5f86db1bd9b6692b8338f8aa1a7c95787e0deb3a4a45e29299137536dfe5a9dc6b3ffaa21d8898ee40eaa2a2dcebd4cc897978c2c25549fda4b787d52504
-
Filesize
2.1MB
MD5a42f63309921ff022e7bb883f985bf00
SHA1da5909add3a14f29cde564f7c3f7fe7d391249ac
SHA2563e4cb2fdb1e4ad5de4174d832f15b3471418e0bcbee736fad4f6eebf0c9b5291
SHA51299a5b4d89dc26fca3deff0e309a574128ffed4927664f3c86ec402c421129d714cc778b5454eb5851de8b509dbe133093e314e74bbf01116ef09930d0639310d
-
Filesize
2.2MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
384KB
-
Filesize
2.1MB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
384KB
-
Filesize
2.1MB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
1.9MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
384KB
-
Filesize
1.2MB
-
Filesize
384KB
-
Filesize
1.2MB
-
Filesize
384KB
-
Filesize
2.2MB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
2.2MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
624KB
-
Filesize
64KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
64KB
-
Filesize
1.5MB
-
Filesize
40KB
-
Filesize
2.1MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
64KB
-
Filesize
408KB
-
Filesize
2.1MB
-
Filesize
384KB
-
Filesize
2.0MB
-
Filesize
384KB