Overview

overview

10

Static

static

3

tmplhf3940d.exe

windows7-x64

10

tmplhf3940d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    203s
  • max time network
    570s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-05-2023 20:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmplhf3940d.exe

  • Size

    1.5MB

  • MD5

    13dc441ec2f9e3f9aa1f354a4b14d318

  • SHA1

    05b62c596ca78745d73514cd5d43434929955863

  • SHA256

    6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c

  • SHA512

    30f4da77bf1ba35334fc1812a6792bb91396fdc8cc7b918f81c6395a48523079cccc89c7090b5c21c30ab62939fa8663cc695ad7d876f083773f7c85cffc5242

  • SSDEEP

    24576:TwMryIYPOfPFxgvnRnc215nETdxUA6p7GDHDCf0uEywBk1EM8Xzd:Md5PsPfgvRv0gA6pYC52lD

Score
10/10
blustealercollectionstealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

  • BluStealer

    A Modular information stealer written in Visual Basic.

    stealerblustealer
  • Executes dropped EXE 14 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Drops file in System32 directory 16 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 36 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 5 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe
    "C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3740
    • C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe
      "C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe"
      2⤵
        PID:5028
      • C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe
        "C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe"
        2⤵
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2212
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          3⤵
          • Accesses Microsoft Outlook profiles
          • outlook_office_path
          • outlook_win_path
          PID:2712
    • C:\Windows\System32\alg.exe
      C:\Windows\System32\alg.exe
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      PID:1440
    • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
      C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
      1⤵
      • Executes dropped EXE
      PID:4092
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
      1⤵
        PID:2344
      • C:\Windows\system32\fxssvc.exe
        C:\Windows\system32\fxssvc.exe
        1⤵
        • Executes dropped EXE
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        PID:4468
      • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
        1⤵
        • Executes dropped EXE
        PID:2256
      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
        1⤵
        • Executes dropped EXE
        PID:2328
      • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
        "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
        1⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        PID:652
      • C:\Windows\System32\msdtc.exe
        C:\Windows\System32\msdtc.exe
        1⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        PID:1120
      • \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
        "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
        1⤵
        • Executes dropped EXE
        PID:1412
      • C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
        C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
        1⤵
        • Executes dropped EXE
        PID:4536
      • C:\Windows\SysWow64\perfhost.exe
        C:\Windows\SysWow64\perfhost.exe
        1⤵
        • Executes dropped EXE
        PID:4952
      • C:\Windows\system32\locator.exe
        C:\Windows\system32\locator.exe
        1⤵
        • Executes dropped EXE
        PID:888
      • C:\Windows\System32\SensorDataService.exe
        C:\Windows\System32\SensorDataService.exe
        1⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        PID:3192
      • C:\Windows\System32\snmptrap.exe
        C:\Windows\System32\snmptrap.exe
        1⤵
        • Executes dropped EXE
        PID:4836
      • C:\Windows\system32\spectrum.exe
        C:\Windows\system32\spectrum.exe
        1⤵
        • Executes dropped EXE
        PID:1496

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
        Filesize

        2.1MB

        MD5

        bfb67838184ba36335e7c53cc49e7e59

        SHA1

        520a820485b3077483fef7d86032040d9e577e46

        SHA256

        b6a0a621b444818908878044a119e71f4d6a6d2b2e816928bf7ea6a516d2c5fb

        SHA512

        65a822f7f80275fccffd5aad884af90a1f6cb8b5626296bc7efb1b2716dc78f3ca8ff9f3b89cf689912ed5c55c7ad07ab09a6cfc1a25ba3d2254cebb54cb0ada

        Download Submit

      • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
        Filesize

        1.4MB

        MD5

        42e3435770957bfa67b4b291ce09b8bd

        SHA1

        a3136fd2818f2e98213c3863e6ca52533027cbbf

        SHA256

        6a292ef1ab75c669e7541788e8125524b52b1b2c370c18cfef27002983b4ecd8

        SHA512

        ccc5f7153b4d3b298790b02619418598d06355f7dcab932b839a3305638b043403250c3a5b93f48aa2b2594468eced9e3494169b3943738ac5bdbff91b4be9c8

        Download Submit

      • C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
        Filesize

        1.5MB

        MD5

        25a96874fae92ba565fe330499565679

        SHA1

        21337f85dcc5b201e6e0ba6c0183a621405102be

        SHA256

        13a08881b0255db630391d848dc717e482e989d4129d79e8ad2b588d6f923924

        SHA512

        1f4cd14752b082a375ee70b34c6fb4859cc5508cd33a230caa51bcc7bdf5d648996a47435fb23522499077980547f0c830fe43adfb83a0077c396734f56f940f

        Download Submit

      • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
        Filesize

        2.1MB

        MD5

        e976e538b18118d0a4c9d76e5b70d658

        SHA1

        afc34e2c8fe27985d78ea0fab8b21be9cf48e0d7

        SHA256

        33b14736384bf460758ae15213398f8aa0fbd2b9dcb7a66118cc1c41cc4eb39c

        SHA512

        9de6118eae36d51be2c4a76cd509799f6b8f4a7e59b45fb7821e6f6b69b7084b71f33f1d549fe6db8d5269f0fcb82fb0d26e228bd923af942e5281455a148239

        Download Submit

      • C:\Windows\SysWOW64\perfhost.exe
        Filesize

        1.2MB

        MD5

        49a491fab941e820a347e2b107af42ad

        SHA1

        81277eb1782d1749eed230f1db92f34ab2351085

        SHA256

        e073ac098ca713691b83a0d38e802585a4c4d5e91e8315609e1351cd58d2f327

        SHA512

        3524062177bf10e93b684834e94fa00894b93c6a921472cc31f2ce6d6fa8f18aa53fd2b268ce9f55d40f7281ad06367a0c3ea03984eca3d9f4bc9c7c89f9a86b

        Download Submit

      • C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
        Filesize

        1.3MB

        MD5

        bdc754bc527d699d24ef81ac12027cff

        SHA1

        b87735c0203abc9e20c016a73aec07f1cdc9cd2a

        SHA256

        e1da2bec8eefc246df93a6cb8e2690ab659ad516a92ce9a3d4e27eadb47ee9bd

        SHA512

        1a23f59b6f07af2790c5f8281c5e2177f42ba447316570ccb3e6cab445c60d5deb17f32a8a66e2456a88ad6e7f7cc7d69a283e68bcb68a4fa0bc5a29cd5addca

        Download Submit

      • C:\Windows\System32\FXSSVC.exe
        Filesize

        1.2MB

        MD5

        0450350651cd6047ddcc90a8796a53ae

        SHA1

        64326d6c5ea13723fb897434cb350c5f5877b9b6

        SHA256

        8a0d44a7895255abb047f6f929eb742a45f5962b0055a7401a5d295362f0617e

        SHA512

        13945d934144b1a626bb60a32f90caec1c642c1ac55a84c03ca40482897ac1070a7d8da894e892074095e5ef2933ce74ca30c642ecba002ac15c02f09663dc19

        Download Submit

      • C:\Windows\System32\Locator.exe
        Filesize

        1.2MB

        MD5

        1216417971c31b8ae93bed905700a9b7

        SHA1

        e411369a82d025411c6aa94286bf0513830ed0ec

        SHA256

        ea910825a88dbe57b9ae6eedf1d9d1cab91970c331d3a52e0b0d4b9e1e96c509

        SHA512

        019a1bad94bc2c93719b7db38d16b660cb0fe46cc44d05bdb75b711cbb0bd0e416f3a038b2894e98ca014dafbea074468fbca3a62bbe978635a5b01cf2fb1fcc

        Download Submit

      • C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
        Filesize

        1.3MB

        MD5

        c34a0c53a439ac48c966a6dc2b8c2512

        SHA1

        16c435783417b24bb4ce0a513ac916076748cf0c

        SHA256

        4534d6eeee6ded33792ef3ffbc7ff1c843d9c19dc6e6c9aa760d8f5f3d86a91b

        SHA512

        dd2baf86bf7ef1a7c7a2ca95dc2d48b1c991f5fbe887d9b0029b1e8ecc5529399155e8523c0fbb4d8fb3c06e9e2a2b561b8510eef99c96a8e59f808e79382d76

        Download Submit

      • C:\Windows\System32\SensorDataService.exe
        Filesize

        1.8MB

        MD5

        f9405ed6a7db647a71cbf0713fce7a72

        SHA1

        a3b5ad5dabbf520b9e4fd8ebc076df6ec1e686f4

        SHA256

        a3375fafda67beb68023f5f6e9db72700d7a9afc8887e46ea21b831b4566ca55

        SHA512

        157fa148513ffc559788029128a6736b7457d70eb4dcd4a44f1a37ad72d146fa135b484482f2c6881e829e9fd52bd91b08f00230c1a4b7f4a2e44d445ded0f7c

        Download Submit

      • C:\Windows\System32\Spectrum.exe
        Filesize

        1.4MB

        MD5

        0fcc0ff7221848576399a54893ca11ee

        SHA1

        8b00e003c3c7ca68d005d9add966a581c0e9257e

        SHA256

        03c721c67930479ff1489530075a58b04f698901f221a64379466de5160e4cac

        SHA512

        46613e08fa245c3d5a0cad41c01f887278b97988deb9fbb60da59a21a69f435feb37d8e9872616523174a29436ec09d0b2b7f48621511a9ebb3f72ce51af9bfc

        Download Submit

      • C:\Windows\System32\alg.exe
        Filesize

        1.3MB

        MD5

        6f893b998c46300b3f741635eb0f93cb

        SHA1

        22fb13752811d811621b2fcc14aac3fa937088e3

        SHA256

        a94b43326c8e2cf4233bec58b81586ac30e014823db4d6aeb54bcb042b9b155d

        SHA512

        3781d657cba738a5abb799c98f3940ad8372089ad2970ac56fdd63bd9e3cabf2c1accfa8c2e267f500528d75b76629eb0766608a112c363510a56f65d8b77714

        Download Submit

      • C:\Windows\System32\msdtc.exe
        Filesize

        1.4MB

        MD5

        6fced6377f76c96bf2d5bafc81a67614

        SHA1

        4420ce905d899b06a2de57e2585b71ba1bcd9446

        SHA256

        10608a459dc48f6b01c835d001ffb6ba8d566fbf7bfb9dc642f92d91bdfe7035

        SHA512

        3ac687921bb84abec42c37a3983d6b13b4eb6182cad083c8c1b9078f5f9ab43ffa4d4dfc1e2657531f8dc54a3651a2cbea1349304fc7a1d857cec4099a7678b6

        Download Submit

      • C:\Windows\System32\snmptrap.exe
        Filesize

        1.2MB

        MD5

        c184b5bc314d66bb821a8e7b8962d001

        SHA1

        853c32c64e1118c639036bea4b349a529bc2c6bc

        SHA256

        6090ed48d86f85d3a16a63fd5e915d1db4671058cf3c317b4cf740b86a6a7c56

        SHA512

        fe6ba93335ed2e31176fa74a02905bd13f6382abd47c4a1f45bcc2cde74b2503887628efbc7b4fbfd065c7b9ae055601d26e79620633c1b48e442ad9f92897f4

        Download Submit

      • memory/652-230-0x0000000000C00000-0x0000000000C60000-memory.dmp

        Filesize

        384KB

        Download

      • memory/652-233-0x0000000140000000-0x0000000140221000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/652-227-0x0000000000C00000-0x0000000000C60000-memory.dmp

        Filesize

        384KB

        Download

      • memory/652-221-0x0000000000C00000-0x0000000000C60000-memory.dmp

        Filesize

        384KB

        Download

      • memory/888-306-0x0000000140000000-0x00000001401EC000-memory.dmp

        Filesize

        1.9MB

        Download

      • memory/1120-244-0x0000000000D30000-0x0000000000D90000-memory.dmp

        Filesize

        384KB

        Download

      • memory/1120-252-0x0000000140000000-0x0000000140210000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/1412-265-0x0000000140000000-0x0000000140226000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/1440-163-0x0000000000690000-0x00000000006F0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/1440-157-0x0000000000690000-0x00000000006F0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/1440-167-0x0000000140000000-0x0000000140201000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1496-328-0x0000000140000000-0x0000000140169000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/2212-143-0x0000000000400000-0x0000000000654000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/2212-149-0x00000000028D0000-0x0000000002936000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2212-155-0x0000000000400000-0x0000000000654000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/2212-140-0x0000000000400000-0x0000000000654000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/2212-144-0x00000000028D0000-0x0000000002936000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2212-207-0x0000000000400000-0x0000000000654000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/2256-193-0x00000000008E0000-0x0000000000940000-memory.dmp

        Filesize

        384KB

        Download

      • memory/2256-208-0x0000000140000000-0x0000000140237000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/2256-203-0x00000000008E0000-0x0000000000940000-memory.dmp

        Filesize

        384KB

        Download

      • memory/2256-200-0x0000000140000000-0x0000000140237000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/2328-210-0x0000000140000000-0x000000014022B000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/2328-211-0x0000000000190000-0x00000000001F0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/2328-217-0x0000000000190000-0x00000000001F0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/2328-254-0x0000000140000000-0x000000014022B000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/2712-180-0x0000000000620000-0x0000000000686000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2712-197-0x0000000004C30000-0x0000000004C40000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3192-309-0x0000000140000000-0x00000001401D7000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/3740-133-0x00000000008C0000-0x0000000000A48000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/3740-135-0x0000000005400000-0x0000000005492000-memory.dmp

        Filesize

        584KB

        Download

      • memory/3740-134-0x0000000005AD0000-0x0000000006074000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/3740-136-0x00000000053B0000-0x00000000053C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3740-137-0x00000000053F0000-0x00000000053FA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3740-138-0x00000000053B0000-0x00000000053C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3740-139-0x00000000012A0000-0x000000000133C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/4092-179-0x0000000140000000-0x0000000140200000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/4092-176-0x0000000000670000-0x00000000006D0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/4092-170-0x0000000000670000-0x00000000006D0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/4468-192-0x00000000009C0000-0x0000000000A20000-memory.dmp

        Filesize

        384KB

        Download

      • memory/4468-196-0x0000000140000000-0x0000000140135000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/4468-188-0x00000000009C0000-0x0000000000A20000-memory.dmp

        Filesize

        384KB

        Download

      • memory/4468-182-0x00000000009C0000-0x0000000000A20000-memory.dmp

        Filesize

        384KB

        Download

      • memory/4536-279-0x0000000140000000-0x0000000140202000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/4836-325-0x0000000140000000-0x00000001401ED000-memory.dmp

        Filesize

        1.9MB

        Download

      • memory/4952-290-0x0000000000400000-0x00000000005EE000-memory.dmp

        Filesize

        1.9MB

        Download