Overview

overview

10

Static

static

3

tmpfkfb5hd_.exe

windows7-x64

10

tmpfkfb5hd_.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-05-2023 20:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmpfkfb5hd_.exe

  • Size

    1.4MB

  • MD5

    348bfc0c42d7254bc63e482c4173fea8

  • SHA1

    ef6a18df4c2d04c6c194c5cd959e714114a402ab

  • SHA256

    66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8

  • SHA512

    ebabb70e503b8631210ce53d89c03275b190823e85fb1591216022c575b271cb981b2c93f63989b0179bfa6fbd807c11d1cafd43d335d2010d35b9ae9f21be43

  • SSDEEP

    24576:+3y9ZjI1Uw2ojP1WQ4C8KJ/Ixl2KVpLNzwOKb3uR/kCrVKoNZXgUFqssP:B9Z0xWQTJ/uAWp53R/k+VdQW6

Score
10/10
blustealercollectionstealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

  • BluStealer

    A Modular information stealer written in Visual Basic.

    stealerblustealer
  • Executes dropped EXE 15 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Drops file in System32 directory 16 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 36 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3212
    • C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:464
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        3⤵
        • Accesses Microsoft Outlook profiles
        • outlook_office_path
        • outlook_win_path
        PID:3448
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    PID:1208
  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    1⤵
    • Executes dropped EXE
    PID:2728
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    1⤵
      PID:4156
    • C:\Windows\system32\fxssvc.exe
      C:\Windows\system32\fxssvc.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:3664
    • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:4952
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:60
    • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
      "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
      1⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      PID:1268
    • C:\Windows\System32\msdtc.exe
      C:\Windows\System32\msdtc.exe
      1⤵
      • Executes dropped EXE
      PID:4468
    • \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
      "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
      1⤵
      • Executes dropped EXE
      PID:1320
    • C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
      C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
      1⤵
      • Executes dropped EXE
      PID:4592
    • C:\Windows\SysWow64\perfhost.exe
      C:\Windows\SysWow64\perfhost.exe
      1⤵
      • Executes dropped EXE
      PID:4080
    • C:\Windows\system32\locator.exe
      C:\Windows\system32\locator.exe
      1⤵
      • Executes dropped EXE
      PID:4652
    • C:\Windows\System32\SensorDataService.exe
      C:\Windows\System32\SensorDataService.exe
      1⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      PID:1644
    • C:\Windows\System32\snmptrap.exe
      C:\Windows\System32\snmptrap.exe
      1⤵
      • Executes dropped EXE
      PID:3236
    • C:\Windows\system32\spectrum.exe
      C:\Windows\system32\spectrum.exe
      1⤵
      • Executes dropped EXE
      PID:3768
    • C:\Windows\System32\OpenSSH\ssh-agent.exe
      C:\Windows\System32\OpenSSH\ssh-agent.exe
      1⤵
      • Executes dropped EXE
      PID:4836

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
      Filesize

      2.1MB

      MD5

      be1fe249efbcd08cb69a3bb5ee16b75a

      SHA1

      9e546ee762bb6b0796d3e70418813f93310e80eb

      SHA256

      098aad87cb80124c8add7e985c38abde0f9d45d2eba1cfeb92780383be6ce9b3

      SHA512

      bca0497b29bfd68cf7b006cc040377633a78dc03f86672de7941129a1dba97028e3fa9ef431ae4f5e3a9b775b4e03f6efdec3456fdcc66a7aadd45b16af5ca67

      Download Submit

    • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
      Filesize

      1.4MB

      MD5

      a7c3a39fcce45007f12ede313bb08498

      SHA1

      ec31e7d0a15bd50d4cc75ad79514e7bfac4589d7

      SHA256

      3619730026e9bd0a14d42d4571cc23848b6af5c8059c2be8295d05382b13867c

      SHA512

      f9ed9b5d84afeb6399c833040444fcbe54bfbac7ff6835eddb7c487e3fafb238e0efe0ccc253bd8f807bbc614c995808fbe71d75906f53880b98ae3b936c2fa0

      Download Submit

    • C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
      Filesize

      1.5MB

      MD5

      d0056b950d457cdf1fd9bc4e435783d6

      SHA1

      848f31e2110931771fd0e8e5a0334138993427ba

      SHA256

      50f5adc2c5e6c53ed68f0608bbfd09251d840df959029b24adfda8a017836d6e

      SHA512

      46f68092a865d6b86b1185443c860672ae0d9d9870984eb13696e82041943a10d540d63f61d4d706e2dbc33b3b1a7c0c7ca137f7817e68e69ed2b6a24afda126

      Download Submit

    • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
      Filesize

      2.1MB

      MD5

      4241571bf1c533fe24a3b1a8092b7589

      SHA1

      794bc2012c9a112a2a08317cd5069421d041164b

      SHA256

      85b75316662149a5775081e97de467a445b11317fbea9935205d22216a34d541

      SHA512

      cc601f391ef76ced71e7dbe8129a40bff86b07fa229f71bda9c53f06f3a3953f471fbe6ca6e82d5b15e78862659714c410cbf90240bd368ad3d86440bb2e42da

      Download Submit

    • C:\Windows\SysWOW64\perfhost.exe
      Filesize

      1.2MB

      MD5

      a05619e2ccc12bef4de250b40f98de78

      SHA1

      69b76ad1f31fb7cedb0aa0834a89b742f5d92538

      SHA256

      29243a80e9dfc2af9dba861882b3d3db8dfafbc2f6952ea63eabc61f3bc6ad28

      SHA512

      2d63c2158861130a6255a119d9d86f9e7527f2b24145b61579ee75a5047a01de8d65659736f7738147630ccedbf5e7e616519d324439868d7c820648aca03506

      Download Submit

    • C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
      Filesize

      1.3MB

      MD5

      ed8f66a46db65b347871e9e06c1047b3

      SHA1

      8420738d0257462dcb28cacfeee20953753efaf1

      SHA256

      3b8f7f5b4706d0abe5a14d57a4e6d7c2654359156b5ed912a3ec00ba869e6c0e

      SHA512

      765d115a3a6a4c69abe57c084bb69a57425344903f4b318f81d96a5cda1ef236222e19c0a84bd55951449a45d887da6fba0d65f4775ba39c25dbc4f4c6bca5b2

      Download Submit

    • C:\Windows\System32\FXSSVC.exe
      Filesize

      1.2MB

      MD5

      7e83a75dfb4c1600ec49bac2f51df220

      SHA1

      b64becd6af46568ad78f6954aa1bd3cf14e3172f

      SHA256

      ca416efd03a5f276bdfdac2592a80d6eaaf15300b552ae6f603e156845330363

      SHA512

      b35197fe7fce8b177021ffa9a76cadc6ee82dc960f28b62100780cac8997a45ecc319999e22f39955df6ff3b55586a7d0dc7264bc64791d7ca1a93f04f2db33b

      Download Submit

    • C:\Windows\System32\Locator.exe
      Filesize

      1.2MB

      MD5

      fe1b41f8d33223ddbcf15ca337a92ef3

      SHA1

      df9cd65e5f342ec8401c49988524692de23da3df

      SHA256

      55af2d16409a1cf4e463ff3cbf29e69f895b59a22cf56037bb72077b7c8f223e

      SHA512

      64b5734b0b4468f2b35570d0900eb02727fc60770c8169e10dceb728a7316965b66dc7d327825a602db440293123132ac2b6516a7c8b8900f1a3f724b979fa0e

      Download Submit

    • C:\Windows\System32\OpenSSH\ssh-agent.exe
      Filesize

      1.6MB

      MD5

      5ef8d1a03993450a76cb41a99635b412

      SHA1

      49754c86a827073711874143ed495dbe904fe20d

      SHA256

      6afbb5bcae2d5ea9895691126785cfbde74bdb98910d2b64951e0496557fdfc5

      SHA512

      3f30f220d645a8c43039278019f56f8b09f264c0bef5e970a361dda8fc07ea739ce154e12def36c1dcdebc7e0d7d6c8aa747b814fffd9d6005a5e537ee21f2ce

      Download Submit

    • C:\Windows\System32\OpenSSH\ssh-agent.exe
      Filesize

      1.6MB

      MD5

      5ef8d1a03993450a76cb41a99635b412

      SHA1

      49754c86a827073711874143ed495dbe904fe20d

      SHA256

      6afbb5bcae2d5ea9895691126785cfbde74bdb98910d2b64951e0496557fdfc5

      SHA512

      3f30f220d645a8c43039278019f56f8b09f264c0bef5e970a361dda8fc07ea739ce154e12def36c1dcdebc7e0d7d6c8aa747b814fffd9d6005a5e537ee21f2ce

      Download Submit

    • C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
      Filesize

      1.3MB

      MD5

      21b1f96ca6d19652b057be1a9206d944

      SHA1

      c61260572352db98ebedc5539b6e257be3f0983b

      SHA256

      55c2c55e96e0f18b30949754bc17f22bc567451004b2d22583cd6af9b55420c6

      SHA512

      075b96e6b99815dcd60340809dac41d37ad10cddc22f18a6f57c49ed872227489b94f89b98c86dd2f619880493a3d27e8f7446e4ea1c8bb300d1b1d27af81d3f

      Download Submit

    • C:\Windows\System32\SensorDataService.exe
      Filesize

      1.8MB

      MD5

      c18c8422e90c489bfea114350242eb8a

      SHA1

      9ffe66e7edb21a30340e1a1df4b1ea0b510e14e5

      SHA256

      e01bb5aa4f3a864d94d59e5a1c36a8cd3b5387cc5628abb3980a181a5e39a3f6

      SHA512

      ac146a0d0bb033c05997463d130509a59c21fdc584b60ad07733af30f4fd7ff348cbc0714bd247b840ad692b03be7039c2490fcfe02a82ee3d228a6638314780

      Download Submit

    • C:\Windows\System32\Spectrum.exe
      Filesize

      1.4MB

      MD5

      ccfe54e3f9ddfd558c9cbcc4baef28e9

      SHA1

      624fbae96350a6507af1a1be3c1d23b4bb45a00b

      SHA256

      040c4ad409cb6927760805185667f39dbbcb745eb9898222304116a374cfad93

      SHA512

      ca0345406be591545283d984fd1e9cff43117b3284cb57c7a24627bb6169ca394b19b7cac1406bf7bd7889f9cbbcb4525d8b6b72af024d0c3a9e6acf594e8f7a

      Download Submit

    • C:\Windows\System32\alg.exe
      Filesize

      1.3MB

      MD5

      69053900aacc664a29d165730a797ba9

      SHA1

      05cf0d021c327eaacfd9b84862aa2cbb04b2f2be

      SHA256

      eacd7af066206513a641839b1d65bb6b986de60c60640b618525f63633c44463

      SHA512

      a922a6175006304f204aa8bc65c86b2fbff3442feff390ff0d5cc7a4952095b94397642eb5acdacb75b8ce054bb59dc4ef6daad98da3e88dd799455450137cb1

      Download Submit

    • C:\Windows\System32\msdtc.exe
      Filesize

      1.4MB

      MD5

      4d25152dbf789ae9730498781d42b7ad

      SHA1

      63269cdecf36e4cbc89d2d3ee3a6993717c8a85a

      SHA256

      41ade0962888048aaabdcacb311f5edcf6636e3be294dbc7dfa89466c25c3352

      SHA512

      f9c0f23513d3aa9e5c906b1b433aeb931413c849b2bbf51675c56c43bdf1bda1301c7a55220feaa9854a821af5826c54ecbf933474a52f1d7fdd328e0defb3ef

      Download Submit

    • C:\Windows\System32\snmptrap.exe
      Filesize

      1.2MB

      MD5

      caaf85852b27c75b6f3be67e4eb945ba

      SHA1

      71acc24be2dc1674f56418dbf73d9eab43bd1cc1

      SHA256

      ed2388449ee08fa1f3f581a62796cdaa482f89431bc38552e0363b72737b34a7

      SHA512

      b11bb7734c58f6c3087cf8e2826612c98ed71ffbf5d40804af402d6a1876dd9b01e8418fbd3562dec154b7452bb7a9cb20c3cc148d4a79cf0ac8941934a44a7f

      Download Submit

    • memory/60-229-0x0000000140000000-0x000000014022B000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/60-215-0x0000000140000000-0x000000014022B000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/60-213-0x0000000000190000-0x00000000001F0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/60-207-0x0000000000190000-0x00000000001F0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/464-143-0x0000000000400000-0x0000000000654000-memory.dmp

      Filesize

      2.3MB

      Download

    • memory/464-140-0x0000000000400000-0x0000000000654000-memory.dmp

      Filesize

      2.3MB

      Download

    • memory/464-228-0x0000000000400000-0x0000000000654000-memory.dmp

      Filesize

      2.3MB

      Download

    • memory/464-150-0x0000000003340000-0x00000000033A6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/464-145-0x0000000003340000-0x00000000033A6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/464-144-0x0000000000400000-0x0000000000654000-memory.dmp

      Filesize

      2.3MB

      Download

    • memory/1208-166-0x0000000140000000-0x0000000140201000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1208-157-0x0000000000560000-0x00000000005C0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/1208-163-0x0000000000560000-0x00000000005C0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/1268-219-0x0000000000C00000-0x0000000000C60000-memory.dmp

      Filesize

      384KB

      Download

    • memory/1268-235-0x0000000140000000-0x0000000140221000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/1268-233-0x0000000000C00000-0x0000000000C60000-memory.dmp

      Filesize

      384KB

      Download

    • memory/1268-227-0x0000000140000000-0x0000000140221000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/1268-225-0x0000000000C00000-0x0000000000C60000-memory.dmp

      Filesize

      384KB

      Download

    • memory/1320-256-0x0000000140000000-0x0000000140226000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/1644-293-0x0000000140000000-0x00000001401D7000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/1644-329-0x0000000140000000-0x00000001401D7000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2728-178-0x0000000140000000-0x0000000140200000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2728-176-0x0000000000650000-0x00000000006B0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2728-170-0x0000000000650000-0x00000000006B0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3212-139-0x0000000001340000-0x00000000013DC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/3212-135-0x0000000005570000-0x0000000005602000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3212-134-0x0000000005B20000-0x00000000060C4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3212-136-0x00000000054D0000-0x00000000054DA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3212-137-0x00000000054B0000-0x00000000054C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3212-138-0x00000000054B0000-0x00000000054C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3212-133-0x00000000009B0000-0x0000000000B28000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/3236-312-0x0000000140000000-0x00000001401ED000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/3448-182-0x0000000000F00000-0x0000000000F66000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3664-195-0x0000000140000000-0x0000000140135000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/3664-181-0x0000000140000000-0x0000000140135000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/3664-183-0x0000000000E50000-0x0000000000EB0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3664-189-0x0000000000E50000-0x0000000000EB0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3664-192-0x0000000000E50000-0x0000000000EB0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3768-322-0x0000000140000000-0x0000000140169000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4080-326-0x0000000000400000-0x00000000005EE000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/4080-270-0x0000000000400000-0x00000000005EE000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/4468-243-0x0000000140000000-0x0000000140210000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4468-238-0x00000000006E0000-0x0000000000740000-memory.dmp

      Filesize

      384KB

      Download

    • memory/4468-237-0x0000000140000000-0x0000000140210000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4592-268-0x0000000140000000-0x0000000140202000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/4652-291-0x0000000140000000-0x00000001401EC000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/4836-334-0x0000000140000000-0x0000000140259000-memory.dmp

      Filesize

      2.3MB

      Download

    • memory/4952-196-0x0000000000400000-0x0000000000460000-memory.dmp

      Filesize

      384KB

      Download

    • memory/4952-203-0x0000000000400000-0x0000000000460000-memory.dmp

      Filesize

      384KB

      Download

    • memory/4952-230-0x0000000140000000-0x0000000140237000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/4952-216-0x0000000140000000-0x0000000140237000-memory.dmp

      Filesize

      2.2MB

      Download