Overview

overview

10

Static

static

3

Quote 1345 rev.7.exe

windows7-x64

10

Quote 1345 rev.7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    161s
  • max time network
    171s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-05-2023 23:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Quote 1345 rev.7.exe

  • Size

    1.5MB

  • MD5

    e67a119b25c041892a38c6147fd54c60

  • SHA1

    8c3c63629929b9754c62fbad1e731f33758d2d2d

  • SHA256

    2bfafdc20b461ef574d77bd7c29d586c6a7c3ad6b3ad9bbecab8c014308b07d9

  • SHA512

    414e8de5219f34c4abcf885444dfab93e794abf69808d9c2e9e70f8de806da9e2159ba3d58dec41991be675955d7bb99b596e6b358a4cf7b3a32881cbbad1776

  • SSDEEP

    24576:OwwBIEAbPY00PXKtW93ZwJGRNI7MhXOd+DsyFqcpVsZB4yYH:0BIENBvDIwmeqcpVSed

Score
10/10
blustealercollectionstealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

  • BluStealer

    A Modular information stealer written in Visual Basic.

    stealerblustealer
  • Executes dropped EXE 12 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Drops file in System32 directory 15 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.7.exe
    "C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.7.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2656
    • C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.7.exe
      "C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.7.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1336
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        3⤵
        • Accesses Microsoft Outlook profiles
        • outlook_office_path
        • outlook_win_path
        PID:208
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    PID:4220
  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    1⤵
    • Executes dropped EXE
    PID:1236
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    1⤵
      PID:4076
    • C:\Windows\system32\fxssvc.exe
      C:\Windows\system32\fxssvc.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:2372
    • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:2316
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:816
    • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
      "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
      1⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      PID:4516
    • C:\Windows\System32\msdtc.exe
      C:\Windows\System32\msdtc.exe
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      PID:2400
    • \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
      "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
      1⤵
      • Executes dropped EXE
      PID:3508
    • C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
      C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
      1⤵
      • Executes dropped EXE
      PID:4904
    • C:\Windows\SysWow64\perfhost.exe
      C:\Windows\SysWow64\perfhost.exe
      1⤵
      • Executes dropped EXE
      PID:3960
    • C:\Windows\system32\locator.exe
      C:\Windows\system32\locator.exe
      1⤵
      • Executes dropped EXE
      PID:3856
    • C:\Windows\System32\SensorDataService.exe
      C:\Windows\System32\SensorDataService.exe
      1⤵
      • Executes dropped EXE
      PID:3144

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
      Filesize

      2.1MB

      MD5

      711b6e82a07e4422cb58a3cd7fcbe1da

      SHA1

      69197812a288b3a267b9fa86b230b7730b8f2656

      SHA256

      2b38b3dcd675790ceb84d759acc82d9f302eaa4133c3fda5ffa81b2448cf98bf

      SHA512

      30b40d9c01042909bd5976f50df2a05e81c1c7c2fb2867a66ca856d0440d28cb3447dfb9a6af3486de0713236778a1ee3b3ac615664cc364936d2d052a669946

      Download Submit

    • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
      Filesize

      1.4MB

      MD5

      453ed73d807acbb69a23c956dbc45b17

      SHA1

      9c80f316b6c267efe542badef5495f5e7f778107

      SHA256

      5960f76f39a70ff5241e618cf5128b0669a69232e4f922f0a772c74d9211f9e4

      SHA512

      ff0c25164f5f1334655bc5c05c5107faac1385e1d0327b718b26996bbd149d3ec5f0c2e9214f787c6c939aca525c621d8322a77c874cfb23924238220888f0a3

      Download Submit

    • C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
      Filesize

      1.5MB

      MD5

      39adf954e4c75a74f4ca79c0961814ac

      SHA1

      9888f229185b95f8a16795f941d26983ddc6fd6d

      SHA256

      e0271f4a59fef445c04dc325f7695847ad3e617de6111ba659661a7955047d25

      SHA512

      9d559a46701509c90a25e59de72dca93b1c319e7e54ce7924ab14afbc192fc637d7267d54a64cce9bd2f5382bbea2e4f971e11838f36183e7185d9b42a685ec2

      Download Submit

    • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
      Filesize

      2.1MB

      MD5

      90e9f592395d769537108fac69042b7f

      SHA1

      665b788ee0aec63989076b55e06a285e21473382

      SHA256

      9dc70e713d0daa214a2c3b06a00f307eb1fdfb0e23246d137fb58d07686fd7cc

      SHA512

      ce5bf9df1663952a0e02d49dbcf5b36f4e4877b419694ec98b799fa49c768e7acfc245aeab98a5e4943049f0cf0ec935baa25b75890fdc2306f9fe5d8ac37bd5

      Download Submit

    • C:\Windows\SysWOW64\perfhost.exe
      Filesize

      1.2MB

      MD5

      f1151dd86e6dc4f5b351085fc6ff3131

      SHA1

      7b24988701811e21187bff8f79218cf43c1b75b6

      SHA256

      51236ad2115aeb72cfc26fe6b9b35388cd8e836f8dd4c68138c48cef2b57a447

      SHA512

      39547ef06f577b44857183fa886849f8288c2d73e56175eff54388bd52ccb0dc944702a5bbce69f2a1ca463852c193858b47a37485f31ddc86df2d31faa64abb

      Download Submit

    • C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
      Filesize

      1.3MB

      MD5

      3039285c5f4c2de1c1440ff6d7e4ac4e

      SHA1

      c6e19832b9631fa6ba42da724cc75ee336cb3355

      SHA256

      85378c73fae4d63ee39e0dfd72c26ae0381489b8eac0368170fdb86b1a44ad49

      SHA512

      30033d44927aaf052de6a78e131254127bf14d1578d1dcc8afc00417d6fe719298f69f3f6de9340d0a739384dd82e9080ab6e6462e9e48ceb500c87a01ca5bfc

      Download Submit

    • C:\Windows\System32\FXSSVC.exe
      Filesize

      1.2MB

      MD5

      8dcf16523f324490a67e7f0eb64e155d

      SHA1

      0956304dd51e6e7a891e97ea925a8230f547b301

      SHA256

      8f5d290221555388bcb32a27ba3e8332ad777fd1ad50b689dc26a99364b77add

      SHA512

      18b1d09a002935e4fc52e87d9d21a5618ba4c53d2c125c46ede11cefc428d0ee119655d1c021706730e040aeae73ae6ad00b79c3e7299fed72b1b1389055ec37

      Download Submit

    • C:\Windows\System32\Locator.exe
      Filesize

      1.2MB

      MD5

      4a6c8386ed1aef7138b640d9cab739ca

      SHA1

      ba2d4d9c53d08bd85785ca8d8c0627f188319514

      SHA256

      5e1119cf288d3318fc8f5e7d4e25f08affb7257707631cb656bf45b51e34dc31

      SHA512

      4314a377cc9a8bed776a7b870eaf548c7140e790f6a7fccfb0af8273eeed36599bc2f43b8a7052049bfdac00d81ce994cfb77aabe982fd960281a4136a08852f

      Download Submit

    • C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
      Filesize

      1.3MB

      MD5

      303f4bdd38f1b38549d854511661ace7

      SHA1

      a3dac86506263627c29a1469639c367ab0b6e043

      SHA256

      f4315484e8f206789739f299b042395e622ccb80232ef59edd55978b85b82c03

      SHA512

      47159f9b8a340067069b75ef478c55b6b5e25c1af95a22a4f9b01b115ae5f0d7b4c992106c4e151998110e1036451cf6060f4714f1e3ec2dcae4e4fd025e1274

      Download Submit

    • C:\Windows\System32\SensorDataService.exe
      Filesize

      1.8MB

      MD5

      719efcebbe534a32ae733e0b2596c3f0

      SHA1

      f6ebefef57b08fb94e198fd6296dba10a1714054

      SHA256

      b183c14546fd42bcffdc708f9c8c084ee557adb9f51747c3db35576afb8a5deb

      SHA512

      00bfa824adae1f1322b5ae2d848fc7b5338ad84ab8d282bafec613f0613e8eca9b38076f534ad10ee4b979860b0fb68511eea17c2ba6c5a649beeefeb82f9a81

      Download Submit

    • C:\Windows\System32\alg.exe
      Filesize

      1.3MB

      MD5

      de67acc83fe87130b2d9d115f2463a6b

      SHA1

      6e5592af3ecc4898b6aded28f6bbd872730ec2c8

      SHA256

      faaa9f0724ee6e7798a18a910231d2f4402f25475e139ab0d385134422c60452

      SHA512

      bcadf3e16fc55a814a449a40d68cc76d4e78585b1145e923f652e71331ec7d8f895900fc32a6eda54321befac86d9539d6a662e3e919ede8128baeed0d60bfb3

      Download Submit

    • C:\Windows\System32\msdtc.exe
      Filesize

      1.4MB

      MD5

      d138b88e1383d6def0529843045251e0

      SHA1

      539210d646f0e25ba3dcf1aaa4182c1baa9e7264

      SHA256

      4482c66fde9ef910871c173c8d84245af31a67c851a7e40e067487a7be38b1a0

      SHA512

      732add38e6250dcfebf98dd2b8c3c06e8aa49c8261d7976e9029b68039ad4333f5c290ea921fdba1c1d913b55db5b0b808b5d6ecc4492a84d9cf70dd3931a1bb

      Download Submit

    • memory/208-235-0x0000000000520000-0x0000000000586000-memory.dmp

      Filesize

      408KB

      Download

    • memory/208-236-0x0000000004B40000-0x0000000004B50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/816-215-0x0000000140000000-0x000000014022B000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/816-207-0x0000000000190000-0x00000000001F0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/816-258-0x0000000140000000-0x000000014022B000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/816-213-0x0000000000190000-0x00000000001F0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/1236-233-0x0000000140000000-0x0000000140200000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1236-170-0x0000000000690000-0x00000000006F0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/1236-173-0x0000000140000000-0x0000000140200000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1236-178-0x0000000000690000-0x00000000006F0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/1336-150-0x0000000002FB0000-0x0000000003016000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1336-143-0x0000000000400000-0x0000000000654000-memory.dmp

      Filesize

      2.3MB

      Download

    • memory/1336-144-0x0000000000400000-0x0000000000654000-memory.dmp

      Filesize

      2.3MB

      Download

    • memory/1336-145-0x0000000002FB0000-0x0000000003016000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1336-140-0x0000000000400000-0x0000000000654000-memory.dmp

      Filesize

      2.3MB

      Download

    • memory/1336-171-0x0000000000400000-0x0000000000654000-memory.dmp

      Filesize

      2.3MB

      Download

    • memory/2316-202-0x0000000000D50000-0x0000000000DB0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2316-245-0x0000000140000000-0x0000000140237000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/2316-205-0x0000000140000000-0x0000000140237000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/2316-196-0x0000000000D50000-0x0000000000DB0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2372-182-0x0000000140000000-0x0000000140135000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2372-192-0x00000000009C0000-0x0000000000A20000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2372-189-0x00000000009C0000-0x0000000000A20000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2372-183-0x00000000009C0000-0x0000000000A20000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2372-193-0x0000000140000000-0x0000000140135000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2400-237-0x00000000006D0000-0x0000000000730000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2400-234-0x0000000140000000-0x0000000140210000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/2400-284-0x0000000140000000-0x0000000140210000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/2656-137-0x0000000005610000-0x000000000561A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2656-139-0x0000000008D50000-0x0000000008DEC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/2656-136-0x00000000031B0000-0x00000000031C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2656-135-0x0000000005560000-0x00000000055F2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2656-133-0x0000000000A30000-0x0000000000BB6000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/2656-138-0x00000000031B0000-0x00000000031C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2656-134-0x0000000005C50000-0x00000000061F4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3144-306-0x0000000140000000-0x00000001401D7000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3508-259-0x0000000140000000-0x0000000140226000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/3856-305-0x0000000140000000-0x00000001401EC000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/3960-285-0x0000000000400000-0x00000000005EE000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/4220-157-0x00000000004A0000-0x0000000000500000-memory.dmp

      Filesize

      384KB

      Download

    • memory/4220-163-0x00000000004A0000-0x0000000000500000-memory.dmp

      Filesize

      384KB

      Download

    • memory/4220-165-0x0000000140000000-0x0000000140201000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/4220-230-0x0000000140000000-0x0000000140201000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/4516-227-0x0000000002220000-0x0000000002280000-memory.dmp

      Filesize

      384KB

      Download

    • memory/4516-231-0x0000000140000000-0x0000000140221000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4516-224-0x0000000002220000-0x0000000002280000-memory.dmp

      Filesize

      384KB

      Download

    • memory/4516-218-0x0000000002220000-0x0000000002280000-memory.dmp

      Filesize

      384KB

      Download

    • memory/4904-274-0x0000000140000000-0x0000000140202000-memory.dmp

      Filesize

      2.0MB

      Download