Overview

overview

10

Static

static

3

Quote 1345 rev.3.exe

windows7-x64

10

Quote 1345 rev.3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    205s
  • max time network
    214s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-05-2023 18:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Quote 1345 rev.3.exe

  • Size

    1.5MB

  • MD5

    e2b30c0c90faeeb878ed21be152d2dc1

  • SHA1

    b64e8bbd7d23f9585a7ff9b24a61a7ab119f1769

  • SHA256

    90382d070f58dd0a9f21d05327c2589116e2271e2cce2cce69018e1f4d836c0f

  • SHA512

    7126633aeaeaa91f08d5c0dce6129bfb7501287cad6ac106f1c64c2ab0cb010d3b870680047ea3e9dffdb3bfccab2a9d2a11f8057dd302dfaf140b34022bd74f

  • SSDEEP

    24576:PnQ3GQdfKrh2G8uraReOgX1yFQ+5irxTCQJ5xvCwUXZMnKfJIxzN5b2K:P9QdIuWed+sKK+CQ5CwMZMnx0

Score
10/10
blustealercollectionstealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

  • BluStealer

    A Modular information stealer written in Visual Basic.

    stealerblustealer
  • Executes dropped EXE 4 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Drops file in System32 directory 6 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
    "C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4744
    • C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
      "C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe"
      2⤵
        PID:4488
      • C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
        "C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe"
        2⤵
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4572
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          3⤵
          • Accesses Microsoft Outlook profiles
          • outlook_office_path
          • outlook_win_path
          PID:4260
    • C:\Windows\System32\alg.exe
      C:\Windows\System32\alg.exe
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      PID:3896
    • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
      C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
      1⤵
      • Executes dropped EXE
      PID:3964
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
      1⤵
        PID:4680
      • C:\Windows\system32\fxssvc.exe
        C:\Windows\system32\fxssvc.exe
        1⤵
        • Executes dropped EXE
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        PID:4252
      • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
        1⤵
        • Executes dropped EXE
        PID:3944

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
        Filesize

        2.1MB

        MD5

        2a0f4c1a128722d09b95040a5b454312

        SHA1

        1a2f4c87b28f1d9123f5209620645f56ecd2cd5f

        SHA256

        c0160d622959f90bbf76a2060ca22a1880cb51fe9fc292c61ae7ca26f3fd9738

        SHA512

        276dbb0f8796d502ef0d386da10fb1dcba8abb53e5bdf99a6ba3f36bc722a7882844f4068d87c926a8ff3e70b900b6e53d387d7a3e5469adf8fde1386ca397b5

        Download Submit

      • C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
        Filesize

        1.3MB

        MD5

        5f3dd2823602bf685e2ee2a2a9db54c0

        SHA1

        84c88fcfbab6dcfd431a024f271d579d59fb16c0

        SHA256

        edaacef76def0a4745a2be82e9a0697db1a8e0a84764ffb93b53fb52238cd207

        SHA512

        8301a47fda3e15430a6c86b0350bede2221039fe6f865785f9e47c08ffecfc841bc2de12d9ed03c3f9e6a476eaea6238835f5cdff7dec1ce039dceb2876adc18

        Download Submit

      • C:\Windows\System32\FXSSVC.exe
        Filesize

        1.2MB

        MD5

        a948f70d92cf4b4dcf720d04cf7e0a4b

        SHA1

        a65120dcd8192a20429f461377421d028607c29f

        SHA256

        8be465ea52fdac14bdc41d637ebd656532d15b375b50da37562a308e1abc5deb

        SHA512

        9657ccbcae299866b63a2b5ed028eac3f8b379abff7e43d60489af593adb2752ae673a105063e6ab6ffa3fda535591df385aee735fd46dc5de68e66ae179a702

        Download Submit

      • C:\Windows\System32\alg.exe
        Filesize

        1.3MB

        MD5

        bf579c017f843a2f8b25e4fb27f826a2

        SHA1

        11849567b6ea3c5ab5dfb0bc025414e2509ba679

        SHA256

        c2e6c8678f547e8d5bc63f39652e8a4a299973c668e74ccedf7b526231486bac

        SHA512

        a0462b1f0596372128cc873d4523dbada17e495924ad76a0a0fa15bd53596ada6d3afdb6e4b170e914e22a1f50fc8d1fcc62d43c523c1f3d29d0ea0a7bc75a65

        Download Submit

      • memory/3896-157-0x00000000006F0000-0x0000000000750000-memory.dmp

        Filesize

        384KB

        Download

      • memory/3896-162-0x0000000140000000-0x0000000140201000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3896-194-0x0000000140000000-0x0000000140201000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3896-164-0x00000000006F0000-0x0000000000750000-memory.dmp

        Filesize

        384KB

        Download

      • memory/3944-200-0x0000000140000000-0x0000000140237000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/3944-201-0x0000000000E00000-0x0000000000E60000-memory.dmp

        Filesize

        384KB

        Download

      • memory/3944-207-0x0000000000E00000-0x0000000000E60000-memory.dmp

        Filesize

        384KB

        Download

      • memory/3964-170-0x0000000000660000-0x00000000006C0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/3964-176-0x0000000000660000-0x00000000006C0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/3964-180-0x0000000140000000-0x0000000140200000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/4252-184-0x0000000140000000-0x0000000140135000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/4252-195-0x00000000004F0000-0x0000000000550000-memory.dmp

        Filesize

        384KB

        Download

      • memory/4252-197-0x0000000140000000-0x0000000140135000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/4252-186-0x00000000004F0000-0x0000000000550000-memory.dmp

        Filesize

        384KB

        Download

      • memory/4252-192-0x00000000004F0000-0x0000000000550000-memory.dmp

        Filesize

        384KB

        Download

      • memory/4260-178-0x00000000001E0000-0x0000000000246000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4260-182-0x0000000004B40000-0x0000000004B50000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4572-149-0x00000000014F0000-0x0000000001556000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4572-144-0x00000000014F0000-0x0000000001556000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4572-143-0x0000000000400000-0x0000000000654000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/4572-140-0x0000000000400000-0x0000000000654000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/4572-181-0x0000000000400000-0x0000000000654000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/4572-153-0x0000000000400000-0x0000000000654000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/4744-139-0x0000000007DE0000-0x0000000007E7C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/4744-138-0x0000000005370000-0x0000000005380000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4744-133-0x0000000000830000-0x00000000009B4000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/4744-137-0x0000000005370000-0x0000000005380000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4744-136-0x0000000006180000-0x000000000618A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4744-135-0x00000000053E0000-0x0000000005472000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4744-134-0x0000000005990000-0x0000000005F34000-memory.dmp

        Filesize

        5.6MB

        Download