Analysis
-
max time kernel
156s -
max time network
165s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
05-05-2023 21:00
General
-
Target
tmpjmcuumo.exe
-
Size
1.5MB
-
MD5
39810b7912907fc879004874df0e9e9e
-
SHA1
f2e51d5e9f644058a8ff4d64458e2914ddf2a364
-
SHA256
bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61
-
SHA512
abd49e8623428a399f665e2157522b6d285cb6c1f77c043eb22038df2ebbfbb21f3823c08dd781be5df043f1ab9b514990ab890bc80086cf33860aa6f4e75b5d
-
SSDEEP
24576:molqfbt8n/WmtqmZfq/ppZge1+qWMZukXfRtgyCrWw:sxgWm8m+Zj+qbZuq
Malware Config
Extracted
blustealer
https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325
Signatures
-
BluStealer
A Modular information stealer written in Visual Basic.
-
Executes dropped EXE 22 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Drops file in System32 directory 24 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 64 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 37 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 44 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmpjmcuumo.exe"C:\Users\Admin\AppData\Local\Temp\tmpjmcuumo.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmpjmcuumo.exe"C:\Users\Admin\AppData\Local\Temp\tmpjmcuumo.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmpjmcuumo.exe"C:\Users\Admin\AppData\Local\Temp\tmpjmcuumo.exe"2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe3⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
-
-
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 9002⤵
- Modifies data under HKEY_USERS
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.1MB
MD5b88dd04c8fc5aa5dfd955f6800dbdac4
SHA1cfb1dc8ee97df999391f980d8269a7e8b7562b22
SHA25604114283e40ce1e3ee3a76042102e64a36d1cd29e26d47d0a4fa0ae381672516
SHA512af3ac592c5f566d9ffb21325f5634324164206ee4b84c02ecc0106ba32acbf54e3b93e902e8c766a91dc32c1cd8e32676d92473d846169a6c6edcfb6062b4259
-
Filesize
1.4MB
MD535bbb7c4ee375850889556fef124e787
SHA1148864a94c6b9c739488665480fb44b47bc14968
SHA256c5933cf83a418f644f7abfc10b1118f4d8a0ead4a2a06387ba7061e8df8caee5
SHA5128a0011dedd98720729a84aa8f4ea55f862b287ac6254638edeb65fd33f4655f2685ee889cf8e5a8a86b1ee506656ebc085f11966fba5578b8229fd692d26e465
-
Filesize
1.5MB
MD56681b22e220647e1ad6805f352c51634
SHA1873ce85904290fdfb241e59ffff1834ee6514e7d
SHA256e0c397493c158818825f7da4f1ee96ffb412296bb30ceb128fe68f6f11867c30
SHA512478c3c99f251f1617453e190eb92f755708ffa278f80a6c02dcc6a3d21edeb4732cddc30a39f5483bad62c78ca10c922e00144d22200f0356029e0f92077f0fd
-
Filesize
2.1MB
MD560fd775033ca343d03fb5e8b8c2630a4
SHA146dc0a88b79afb5b6b6751c939a13de19c99817e
SHA2569930aff03ac5d76e72b2906600a447839b5f06d507716522549adeb500336105
SHA512af8be011f9923ee4736aec98ac7830ccab44920774c05b88ea67ffea5eb62c5935bcfd75b6aecd1fd1a83279e893ecbbe02d9477e112463c4a6478226460f6c8
-
Filesize
1.2MB
MD544ace3551c06a71704b52b2e9313149d
SHA192a4ee09d5282c9159c9bff459406bd04a147c2a
SHA2560713a8c2f8165fdb2ab1569c1ea8ae6d644e9f8a6202165121b53514d5a6cd48
SHA5126d7d93ab9b93b13e8d5473b8c6358be63667758dfbd49f1d218417e90331037b4ae1c8bcca4f4fd0ab801757deb36d090dddd05eec553538058e595a53a6de6f
-
Filesize
1.7MB
MD5c78e02754e2470e6e89aad5b3be439d5
SHA16109f56fec3ec3fbcc0c72451fed4e756a942f9f
SHA256fef1ebd35e81906b56f33da8f75c73a60fb55619af49c11d27e6f5ae4e8ef7e2
SHA51290a079e110e97e3bb88d51924041cb1c4925132e5e93b3aab297c1d110f610bd994dc553fa3cf07bc3fde07b9a079ca97b49b9c0c147b6b7b4fdb0c66a91d0e1
-
Filesize
1.3MB
MD5a0520d28694e173a3328c4972da9ea13
SHA1dd489ecea3fc2a716c6e78664632d116eac3dfaa
SHA2563123e5d9af10a1107d303b492324f3d626bccce08dc3bccfbf31e3919f63098c
SHA512ad5f023004e0c57ce8a23756430b8cd6c9f7158c921e78f6fa460a4996b988dac9d94205c42fc85474f6217f525ab94e155e01e898707a11383b3e8203ef3e89
-
Filesize
1.2MB
MD541a80dd17b66f28f56266c0ffc250080
SHA1bee410eb7b0b9089d4defbc1a13df298e463f067
SHA2563e1e589552660e8bf0b00f8c99ee0dc692ed21c90467ffd089f90d0c064d54f3
SHA512c56983d5502ec5b1b8ccce616edc4745c2f1962445d042366a2630f355ca6084cd56a67cad566213b84a06b5b70c20171e2932bd04b860ff306bc010d25d964a
-
Filesize
1.2MB
MD556de302be52472f140705a27c5d8d91e
SHA1e61a10b1b931b40324d5421ca792f6c7f89a5fab
SHA2564596d57808026b6f74102cb5436581e163d6a02f518857f18ed7f7e6fb559b04
SHA51289835646fd7a254cbab91aa5b2eda5a3357b21fc19082322e90e6facec654a1a0da6bc6ae081e858e575ecde5c1259b52e411e1e7c53ccc5062873529d0c40de
-
Filesize
1.6MB
MD578a24e3b720c12ac5d761a5d590079d4
SHA1f0e490d858887878e1488af21884db3ee5251f16
SHA2569f76e4111107fc7347852b92163ae05c1d518a58fbe86b6992b6e7c9894d4988
SHA51207e33d607275f56d110d2336cd6bfd54fdbe04840e4d38c5e462f587729c3c34f81b9b01f192d0d1c1756462d9346a8d610f80088ea03524b73d1b04835383eb
-
Filesize
1.6MB
MD578a24e3b720c12ac5d761a5d590079d4
SHA1f0e490d858887878e1488af21884db3ee5251f16
SHA2569f76e4111107fc7347852b92163ae05c1d518a58fbe86b6992b6e7c9894d4988
SHA51207e33d607275f56d110d2336cd6bfd54fdbe04840e4d38c5e462f587729c3c34f81b9b01f192d0d1c1756462d9346a8d610f80088ea03524b73d1b04835383eb
-
Filesize
1.3MB
MD59ab365cc3de2f277760e8c0bddbb0cb3
SHA1777895dba785991809c1f2f47d7b3445e8c0ca7e
SHA2566e98e11028409a92d1c7a17f3b7aadbebc9fd501e85532168f784c16402e930a
SHA512e64fc4e9999c1930fa0e9c97b0e3ee3e595cdecf11fed665feff65be0f82ee90986475ebf6ad6f1c3bcf43b33f099b0b977c86afdc047339254f7c642125da68
-
Filesize
1.4MB
MD5c75be64d9493a98f5682ec39e8f5c0eb
SHA1ad50acaff7378f0ec3560dc1fec05e2511a452d6
SHA25688afb32456b73e3ad1b0fdce7558c91d12750d7288dacbdcf8ffcb46e59be6e1
SHA512bf133558571b814bd9d7edb12109ede16e11468010d53b9ad5ec502e16193428f2196dd36e285de2313bcd03c7779b2a1a44d10ea1a9ba610d8e03ad5a0edeb7
-
Filesize
1.8MB
MD56a173d73121e5bf326802fb750af44ea
SHA18dbd7067c9b9f47cbdcc019ede697f36942fc6f2
SHA256514d2a70ead8ca79fc83408689485ec455feee734bf91f287c7be8a3ed228ec3
SHA5126bfedd13643fa04ae704d178c644a662e51f7448e4ae2f6aed48a42c19b2ece20307ce09a806a0be8b3ca4727f65a41ee0d1be493a9d07cfba0e25ee8ddb8dfb
-
Filesize
1.4MB
MD5bc0be71e18384917087ea8c4dea5c934
SHA132fdb8d4994d606f41a13d1815f7ebd031650d7d
SHA25696f800840bd4bcd66eb22b4acbbe27f639bcae55a9cefd3391c57e150e134852
SHA5128ce1285ddf609afd4f926758b37bf60ffd3e658fd9f27e15b8ddc3c40be360f6c8f4726446ee7e92a91335a2f683e56e4ddd8bd99b2e71c2aacf4ce134097e75
-
Filesize
1.5MB
MD53b7103139f764eef1560cba61b32b507
SHA19ec27027ccbb0c661958da86efd42b95e1397dde
SHA256864094ea4248fe6a9df1879fd76fd688b413cb964dfe1abc7ba5bfcc6e278d4f
SHA51281754bbb749ebae1c653a8c5f5a1f7600b72ca98c8cdb7d4c382d476191d809a15a9ae2e7d37175c93713e9997dab8a55e42a1d83bde22c60dee35195541f9c7
-
Filesize
2.0MB
MD587103c82af2bf716bde3d2614e1f2876
SHA1631a72971f4b2e69077bf7006f4c296d0b8916fe
SHA256f4a356359c3562d4c3ba57ef2333816b69454a8303db82cd150e0e328fed9dca
SHA5124729d47f02a78a92f036dd84c7dee4d1865b84c41afe895512b8a4440dfc5b9ff448f4f7bcf9b09ca1d1179ed66deb6cd6374d1df09d938e22d2a39a6436794e
-
Filesize
1.3MB
MD5575a6d54403d24685a69e6b5eb7ae7e4
SHA11bf1638dfac324c7beeb86a446550f1d6f767d55
SHA2566eee655bb2f56c2c19b4bb5547eed7be86a96b87016e8532eb18f1096e4889f2
SHA5125e0af903ff476d18363ad69495d0b3aafe3a17fe40b7e911b0ae9179fef71963429f70c0a9f44495c4b770d1f08102260bf1d0cc5521f7db50d766f853e453a3
-
Filesize
1.4MB
MD5b7f28c938a7754024765a365372abc9b
SHA1718e34d4a66ccf9569dc184f679a6a5728d75a78
SHA2568fc19a68dc07e2dd65381f1c24b290da4e7034a975bcdf42c04ee3e180b91c4b
SHA512d3988d53b05c7ebe708d5a152f3096dd6e27d970f5c500d92197b5cca80192488a5902d27387727e2c81b6ba4674156a4a1a53b8ab7c6556c1aa105c7b8899df
-
Filesize
1.2MB
MD59d4f21a7c4a8273320a41807c8339aaa
SHA1bf65da391b14d6bde927303081cf86b2e54bc612
SHA256f2c8267f8d16fd0b1285957592547b5c198ea7361d3f94ffa138913ee274800b
SHA5123a4ba3baba51cf4dc0a987b6c65d8c5a7a2419572f2dab5de337150ba5e3eede1c4178e3ce00eefbba4ac68120ae751fded32d42052aaa66d40c7dbe583e3e0e
-
Filesize
1.3MB
MD530d7b3504b44613d520321a9ee514e42
SHA162f3aceb10748569db169d139e00cf1a717fdbc8
SHA2560dfb972b5de47aef87698609c1ff29b893ff2bbba98f40485fd8cd8f1a8721ab
SHA51206fe92cd7485eb986c2d7981e76a4b51531b8623e074f7e3249fc53a8aeb87c44fd61339e39b264db3925b0f0df33f50c9574ce142dd881c86ddbf14cce1d3be
-
Filesize
1.4MB
MD5c3063201512b33562180dadcb397f404
SHA16f2f63543297ef67d07b6e6cbd43da299d490694
SHA2566e78203f5fb40fcd01824be9f9e1de48e31aefdfc849b2fca32bac43f2922ba9
SHA512e94e5d63096bbe0deb2dcf25a4db45e9abae5ddf39ef2d07af710729a55da39eef0286c99b236255bc1f17ac727fc173263773beb18b97f00752c71c02b2d790
-
Filesize
2.1MB
MD52f98c1556569bb945367c9fe18ec6238
SHA19dad99eaf80ba8ad10d1c8d4cb953392bbe2c263
SHA2560d5b54ff9c32dd6461700aadb5461b512d0e333dc1b3902ed0a60d870bda6f45
SHA512fee929b61c624225382677f028d84255be04db3f778766e2bc13c758b1ab7e01ad36b50bd39d81eeaac42b3735a45ebf54532452a98479a87d9c047143092aa0
-
Filesize
2.2MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.2MB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
384KB
-
Filesize
2.2MB
-
Filesize
384KB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
384KB
-
Filesize
2.1MB
-
Filesize
1.9MB
-
Filesize
2.0MB
-
Filesize
1.2MB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
1.2MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
408KB
-
Filesize
1.9MB
-
Filesize
2.0MB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
624KB
-
Filesize
1.5MB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
2.1MB
-
Filesize
1.9MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.3MB
-
Filesize
2.1MB
-
Filesize
2.0MB
-
Filesize
2.3MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
1.4MB
-
Filesize
1.4MB