Analysis
-
max time kernel
116s -
max time network
129s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
05-05-2023 18:53
Behavioral task
behavioral1
Sample
268-63-0x0000000000400000-0x0000000000654000-memory.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
268-63-0x0000000000400000-0x0000000000654000-memory.exe
Resource
win10v2004-20230220-en
General
-
Target
268-63-0x0000000000400000-0x0000000000654000-memory.exe
-
Size
2.3MB
-
MD5
92123683d5c88a2dca302f9159cf3234
-
SHA1
4c54d4ebc4c625b7190f6fdb5e3d81ede07d9b4b
-
SHA256
33b998a00933794947cb36f660568b6b5e44327e9d2c1680f17c11a767a1005e
-
SHA512
5c34c30761ae2378c342fb15ce065c5c8937e398ade9a18edfdfc7463fdd8f9c6eef383f1615a09448f105bf304e6bd39569ab5e499d9cf49dc8e8b117ec4f6b
-
SSDEEP
12288:FWnxfgsRL4u/1AlLK6FRY2n8OPKxGvYmB:qxgsRftD0C2nKG
Malware Config
Extracted
blustealer
https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325
Signatures
-
BluStealer
A Modular information stealer written in Visual Basic.
-
Program crash 1 IoCs
pid pid_target Process procid_target 1240 1996 WerFault.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\268-63-0x0000000000400000-0x0000000000654000-memory.exe"C:\Users\Admin\AppData\Local\Temp\268-63-0x0000000000400000-0x0000000000654000-memory.exe"1⤵PID:1996
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 4082⤵
- Program crash
PID:1240
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1996 -ip 19961⤵PID:1728
Network
-
Remote address:8.8.8.8:53Request254.33.24.67.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request154.239.44.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request142.145.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request254.23.238.8.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request132.17.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request104.219.191.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request45.8.109.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request18.31.95.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request50.23.12.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request26.165.165.52.in-addr.arpaIN PTRResponse
-
260 B 5
-
260 B 5
-
322 B 7
-
322 B 7
-
322 B 7
-
260 B 5
-
322 B 7
-
322 B 7
-
322 B 7
-
260 B 5
-
322 B 7
-
260 B 5
-
71 B 125 B 1 1
DNS Request
254.33.24.67.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
154.239.44.20.in-addr.arpa
-
73 B 159 B 1 1
DNS Request
142.145.190.20.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
71 B 125 B 1 1
DNS Request
254.23.238.8.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
132.17.126.40.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
104.219.191.52.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
45.8.109.52.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
18.31.95.13.in-addr.arpa
-
70 B 156 B 1 1
DNS Request
50.23.12.20.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
26.165.165.52.in-addr.arpa