Overview

overview

10

Static

static

3

MT103-Paym...aj.exe

windows7-x64

10

MT103-Paym...aj.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    18-07-2023 18:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MT103-Payment-SwiftMesaj.exe

  • Size

    1.0MB

  • MD5

    962b447996d774bd6b11a221ab39bd8f

  • SHA1

    aae4d7117ce9f6c493ed6f7c4d41cbc7c4f805f6

  • SHA256

    3752671d8ecafe3de17f8ec3a30ef23f137d8c3cd62683a13f6e9a56db5db4f4

  • SHA512

    23fbaf09f2e267883ed3e7db9c5f6f1512d2d2ca1ac097b23c3fb7183c7991e7c6b1397448ea996a1d24be6b16b3cc2a4b2d70fdb7c23249918d48923535df8e

  • SSDEEP

    24576:8GFKCcW9RoTHfzW/ZOaXxLvppk/suw0kIrhDhq12N3nCAIQ9:8G8CcW9RoT/a/YahLR2/9Yeh220A

Score
10/10
blustealercollectionstealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot6120911772:AAEvnEDbWRlbIuD1NP8MtmiY3tQ46T9SQyo/sendMessage?chat_id=6082430866

Signatures

  • BluStealer

    A Modular information stealer written in Visual Basic.

    stealerblustealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MT103-Payment-SwiftMesaj.exe
    "C:\Users\Admin\AppData\Local\Temp\MT103-Payment-SwiftMesaj.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3024
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\RnylxoqUaifuRI.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3060
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RnylxoqUaifuRI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1BDA.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1720
    • C:\Users\Admin\AppData\Local\Temp\MT103-Payment-SwiftMesaj.exe
      "C:\Users\Admin\AppData\Local\Temp\MT103-Payment-SwiftMesaj.exe"
      2⤵
        PID:2740
      • C:\Users\Admin\AppData\Local\Temp\MT103-Payment-SwiftMesaj.exe
        "C:\Users\Admin\AppData\Local\Temp\MT103-Payment-SwiftMesaj.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2792
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          3⤵
          • Accesses Microsoft Outlook profiles
          • outlook_office_path
          • outlook_win_path
          PID:640

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp1BDA.tmp
      Filesize

      1KB

      MD5

      f4b26000046d1c1e7e2a3285bc21f7f0

      SHA1

      62e4d315e9ec1dc3ccdc650fc1b2b6e30480099c

      SHA256

      57050f08b8d0f7a01e51637b0c74058ed1bf780380a29e0f8f60b9da1da2bca6

      SHA512

      a8ca2d091bfb3471e5447ced525b34e8722a00b2bc41200465c64890fe80e88810d73ea860202f6202877c769dccb2481420dcac2dda1f379dca3d22a75967a7

      Download Submit

    • memory/640-94-0x00000000000F0000-0x0000000000156000-memory.dmp

      Filesize

      408KB

      Download

    • memory/640-93-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/640-101-0x00000000046B0000-0x000000000476C000-memory.dmp

      Filesize

      752KB

      Download

    • memory/640-100-0x00000000047D0000-0x0000000004810000-memory.dmp

      Filesize

      256KB

      Download

    • memory/640-99-0x0000000071600000-0x0000000071CEE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/640-98-0x00000000000F0000-0x0000000000156000-memory.dmp

      Filesize

      408KB

      Download

    • memory/640-96-0x00000000000F0000-0x0000000000156000-memory.dmp

      Filesize

      408KB

      Download

    • memory/640-91-0x00000000000F0000-0x0000000000156000-memory.dmp

      Filesize

      408KB

      Download

    • memory/640-102-0x0000000071600000-0x0000000071CEE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2792-87-0x0000000000400000-0x000000000046D000-memory.dmp

      Filesize

      436KB

      Download

    • memory/2792-73-0x0000000000400000-0x000000000046D000-memory.dmp

      Filesize

      436KB

      Download

    • memory/2792-77-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2792-79-0x0000000000400000-0x000000000046D000-memory.dmp

      Filesize

      436KB

      Download

    • memory/2792-71-0x0000000000400000-0x000000000046D000-memory.dmp

      Filesize

      436KB

      Download

    • memory/2792-104-0x0000000000400000-0x000000000046D000-memory.dmp

      Filesize

      436KB

      Download

    • memory/2792-67-0x0000000000400000-0x000000000046D000-memory.dmp

      Filesize

      436KB

      Download

    • memory/2792-81-0x0000000000400000-0x000000000046D000-memory.dmp

      Filesize

      436KB

      Download

    • memory/3024-82-0x0000000073CE0000-0x00000000743CE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/3024-61-0x00000000055B0000-0x000000000565E000-memory.dmp

      Filesize

      696KB

      Download

    • memory/3024-59-0x0000000004C00000-0x0000000004C40000-memory.dmp

      Filesize

      256KB

      Download

    • memory/3024-56-0x0000000004C00000-0x0000000004C40000-memory.dmp

      Filesize

      256KB

      Download

    • memory/3024-55-0x0000000000BD0000-0x0000000000CE2000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3024-57-0x0000000000590000-0x000000000059C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/3024-54-0x0000000073CE0000-0x00000000743CE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/3024-58-0x0000000073CE0000-0x00000000743CE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/3024-60-0x00000000005A0000-0x00000000005AA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3060-85-0x000000006E380000-0x000000006E92B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3060-86-0x000000006E380000-0x000000006E92B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3060-90-0x00000000026E0000-0x0000000002720000-memory.dmp

      Filesize

      256KB

      Download

    • memory/3060-88-0x00000000026E0000-0x0000000002720000-memory.dmp

      Filesize

      256KB

      Download

    • memory/3060-103-0x000000006E380000-0x000000006E92B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3060-89-0x00000000026E0000-0x0000000002720000-memory.dmp

      Filesize

      256KB

      Download