Overview

overview

10

Static

static

3

PO_39100.exe

windows7-x64

10

PO_39100.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    183s
  • max time network
    246s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    01-05-2023 20:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO_39100.exe

  • Size

    1.5MB

  • MD5

    13dc441ec2f9e3f9aa1f354a4b14d318

  • SHA1

    05b62c596ca78745d73514cd5d43434929955863

  • SHA256

    6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c

  • SHA512

    30f4da77bf1ba35334fc1812a6792bb91396fdc8cc7b918f81c6395a48523079cccc89c7090b5c21c30ab62939fa8663cc695ad7d876f083773f7c85cffc5242

  • SSDEEP

    24576:TwMryIYPOfPFxgvnRnc215nETdxUA6p7GDHDCf0uEywBk1EM8Xzd:Md5PsPfgvRv0gA6pYC52lD

Score
10/10
blustealercollectionstealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

  • BluStealer

    A Modular information stealer written in Visual Basic.

    stealerblustealer
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PO_39100.exe
    "C:\Users\Admin\AppData\Local\Temp\PO_39100.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1716
    • C:\Users\Admin\AppData\Local\Temp\PO_39100.exe
      "C:\Users\Admin\AppData\Local\Temp\PO_39100.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2044
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        3⤵
        • Accesses Microsoft Outlook profiles
        • outlook_office_path
        • outlook_win_path
        PID:1760
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    PID:1960
  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
    1⤵
    • Executes dropped EXE
    PID:912
  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    PID:1400

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
    Filesize

    1.3MB

    MD5

    53b6bea93d5e4e1a93c4dfe4a5706d8f

    SHA1

    80d6e91242f3e91f3b78497d7f56652547d0e4c3

    SHA256

    b9e60140cdbdab0acae26c9859ab141e729213682655c36ff522b8714760828a

    SHA512

    8999725cff43f3a31c2c3d2473c182d4ee3e491379cae30d81fabd2d5993f28447961bddf117a061486237d2a57a91aac34441e4af68a7cf8651c529b7e1d4bf

    Download Submit

  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    Filesize

    1.3MB

    MD5

    224b1c38a76359c2fa803d076a53e46d

    SHA1

    a6a7665ae9ddcbbf5b0b71129d7e0e071b6a5c8b

    SHA256

    609e41aeafc844f8f837f3de903f06e5377d11fb87c2187538d87e2eac720527

    SHA512

    f8827f732594bfb347339c32a90b5a31159ca493558affd4375a3240faa82fa125d48f09ff349ec969b5a9de6c950d78e53ac578ef6247242a81781fa471fec7

    Download Submit

  • C:\Windows\System32\alg.exe
    Filesize

    1.3MB

    MD5

    bcf320105a5dcace76eff1aa996e0689

    SHA1

    a9594047dffc285379276f2b28514468aeb530c7

    SHA256

    7f72217e47e1a864e45059a9145c2d361fbbb4d3e2f5d7a71ff2f2c3aea8db7b

    SHA512

    e74f02f15d9e081ef42d711f06514cc138c54443e82f32f971488effe906ab965c356aacdeff00556881d1ae00a72b7ba93631777d11d09496e76b13ff72c06d

    Download Submit

  • \Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
    Filesize

    1.3MB

    MD5

    53b6bea93d5e4e1a93c4dfe4a5706d8f

    SHA1

    80d6e91242f3e91f3b78497d7f56652547d0e4c3

    SHA256

    b9e60140cdbdab0acae26c9859ab141e729213682655c36ff522b8714760828a

    SHA512

    8999725cff43f3a31c2c3d2473c182d4ee3e491379cae30d81fabd2d5993f28447961bddf117a061486237d2a57a91aac34441e4af68a7cf8651c529b7e1d4bf

    Download Submit

  • \Windows\System32\alg.exe
    Filesize

    1.3MB

    MD5

    bcf320105a5dcace76eff1aa996e0689

    SHA1

    a9594047dffc285379276f2b28514468aeb530c7

    SHA256

    7f72217e47e1a864e45059a9145c2d361fbbb4d3e2f5d7a71ff2f2c3aea8db7b

    SHA512

    e74f02f15d9e081ef42d711f06514cc138c54443e82f32f971488effe906ab965c356aacdeff00556881d1ae00a72b7ba93631777d11d09496e76b13ff72c06d

    Download Submit

  • memory/912-105-0x0000000140000000-0x00000001401F4000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/912-114-0x0000000140000000-0x00000001401F4000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1400-109-0x0000000010000000-0x00000000101F6000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1716-57-0x0000000004ED0000-0x0000000004F10000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1716-56-0x0000000000250000-0x0000000000262000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1716-59-0x0000000005C30000-0x0000000005D68000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/1716-55-0x0000000004ED0000-0x0000000004F10000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1716-54-0x00000000009F0000-0x0000000000B78000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1716-58-0x0000000000560000-0x000000000056C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1716-60-0x000000000A3F0000-0x000000000A5A0000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1760-102-0x0000000004CA0000-0x0000000004D5C000-memory.dmp

    Filesize

    752KB

    Download

  • memory/1760-101-0x0000000000090000-0x00000000000F6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1760-99-0x0000000000090000-0x00000000000F6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1760-95-0x0000000000090000-0x00000000000F6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1760-96-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1760-97-0x0000000000090000-0x00000000000F6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1960-107-0x0000000100000000-0x00000001001FB000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1960-84-0x0000000100000000-0x00000001001FB000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1960-85-0x0000000000780000-0x00000000007E0000-memory.dmp

    Filesize

    384KB

    Download

  • memory/1960-91-0x0000000000780000-0x00000000007E0000-memory.dmp

    Filesize

    384KB

    Download

  • memory/2044-62-0x0000000000400000-0x0000000000654000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/2044-81-0x0000000000400000-0x0000000000654000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/2044-80-0x0000000000400000-0x0000000000654000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/2044-74-0x0000000000190000-0x00000000001F6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2044-69-0x0000000000190000-0x00000000001F6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2044-68-0x0000000000400000-0x0000000000654000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/2044-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2044-66-0x0000000000400000-0x0000000000654000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/2044-63-0x0000000000400000-0x0000000000654000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/2044-61-0x0000000000400000-0x0000000000654000-memory.dmp

    Filesize

    2.3MB

    Download