Analysis
-
max time kernel
85s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
-
submitted
05/08/2023, 21:21
General
-
Target
427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
-
Size
1.4MB
-
MD5
34aa0ca40863c30653a0b6ba10d3daa2
-
SHA1
c5dbbc9a3f6d537ab49aeb89223810cd67c256f7
-
SHA256
427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9
-
SHA512
34e46909f3ea586033baa5f73ecbf1f5072f2d05cfaf77f6ab2535ee0798f01427b1e62719fc4026f4b38af03e445a33ff2deb22ef9817ab42e506cfb5cb10d2
-
SSDEEP
24576:O94Lauo2BLrZ6dj7Wd50QKQIsBJXkQsUc/i/Egj87qLom0Y5m6Uy:O/uHrZ6WPKQ5X0QsUN/EgQ7qEmv
Malware Config
Extracted
blustealer
https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325
Signatures
-
BluStealer
A Modular information stealer written in Visual Basic.
-
Executes dropped EXE 22 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 24 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 57 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 38 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 26 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe"C:\Users\Admin\AppData\Local\Temp\427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe"C:\Users\Admin\AppData\Local\Temp\427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe"C:\Users\Admin\AppData\Local\Temp\427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe"C:\Users\Admin\AppData\Local\Temp\427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe"C:\Users\Admin\AppData\Local\Temp\427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe"2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe3⤵
-
-
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 8962⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.1MB
MD5279a162a0f457c3925c6d25f552077f8
SHA1e742ae135af96e778b2d6e3fa857e093865cb552
SHA2565eed62f6763fca950bf9e084277eae334b1b839500102c27588ca15958ba1250
SHA512b74d4345756d9f4b061a2e62b121995602899ed8e6d1f3af49dda7138c5075231ae3ace3dd523131e984d229474452fe10a9be558a5438892b14beca842dbc0e
-
Filesize
1.4MB
MD54b16efd15c0656b33cb2b7ae999627ad
SHA10e9a1c7d17ed20972d5353d8db13d8ae23246865
SHA25681d5bba95f82ace536b92b7f42376604c175c8f0ebc5755590b58668fc117a94
SHA5127570c5b0d2f30921ab146c8f99dc3a490882b45f7ef770a46740382b85a598a4801783128f089345de05e7c89dbd1ac435c877eb06479571a04b62ed581476ff
-
Filesize
1.5MB
MD53867ae71d8f0d7883fb2c9baedaae155
SHA13ac163b2d80cf6ebbe6cf461836cb9e3d2a6d9ea
SHA25666dfb26f2f39f251aaf488af75b08132c2dcc6ae109ba4d38ff3a1b5ffb96318
SHA512120c570355f87dec6a22c9076ff4783da6d1f7074227756ce31ec92d35515ae259d5a5933f38efb4582b935c37ab293867f346ed5a4849ce29f52da3e3a8261f
-
Filesize
2.1MB
MD5051ac924b4e4164726e16902724bd3c7
SHA1a74a72ffc59a92fa782a09d0589542ed48f55183
SHA2569901c51e110bbe3e9530c3811fb981885658d0b92383ec2888ec73492aaf9fd3
SHA51283c2fa9a03400938b41e9a06482a3f4ee0ea789b18febd94f654930b238fba6f39a250f8992655e014d13d14239b3ac5139819f264959f2d031261aa869ce772
-
Filesize
1.2MB
MD5a7bcf89e42ce56c3e93ffa24803df9bb
SHA1d9bd782344c4dbc49c7ea28596d59186d2a7906a
SHA256c44a3cb0db32e42d2d7ebe1eccc091e191ca40012dec35851497b12d19780d0a
SHA512d5eaa990f10e0a6eb0b6b81b75c268a2d2db8c00464abfa0873f3cb8cff34efd4d88ad7ecdf9caf4328aa2ec3a402328ac7b98d58748362404450520847f60b8
-
Filesize
1.7MB
MD5699f3a92f5403196421779b7608713ad
SHA1467fd212aed527983b0822c814e60a0d1cbe9f0c
SHA256e50a267b91efb6f20ad98cd816a942644d10c5b912e94c5516f054fe04a85068
SHA51239cfc9c243d9bc092572d07de293d1894001ec050c38e70298fd644b46a8c44eb7d1e7d3d3ab562c423983c403bb21e917ad633edddf2110947c7ad6f9245034
-
Filesize
1.3MB
MD5f829499a6662d81fd3f937697a97b100
SHA1a9836a6243f6dc8f450704ced4f205657813ee68
SHA2565401942354a9a5ceeaf8715a22cbcb36d3a83b88e3a3833a677bd3e179f0cc48
SHA51236e22b5d9ba96b897bdb2beff0b25881951e9bf04ffe9077d9d7f7a6b566494726a146e2ca67cd5756d56f63b1e93e290f4cbe5ce56670a9c350c1026efc6cfc
-
Filesize
1.2MB
MD5a1e88030b2449f9ac78adb16bf938086
SHA10f1effe7750977648384ce11622495c8f031b00f
SHA25672939196dc73d3dbc930775b94b1a61a271d4ae9959e19b8b1eee0e35dbcef0c
SHA512a895015052867b5034b54308aca2f04538d6c1f827695836ae5645fdfd24b5f8382b580727db6df4a7bf83b9ebaf73ea90bd748f7bfc6e65bf3ee766fa166027
-
Filesize
1.2MB
MD5f9ae4b83b531a0f96fb732e43db3498b
SHA13007decfcddbe4c60ea0eaecd01b90767a6e1717
SHA2566d342c6ef7276fee0e69882197a48335c5b6ffa016fc4c9ace148a8e9b5982e1
SHA51297aec66cb2f3b4f717ddeb4f1f87d47193b893d1eca39abab7345c3e5563ad29523ad5266d6fb1639ffb60d4f2dfe284677f0f2ebbf3c00440f04111ddf0225a
-
Filesize
1.6MB
MD5e42eae98aeda344ee8a50e225f240741
SHA18341f836a4ba7e06db896f50798f57c5d9be680c
SHA2560e19d0ed88595549296ffe92763d6d4272736003cc1804db52d8f1a351e191c3
SHA5121b4094703fd909a2b7c49cde350864ec5496a009d5c094c305d3b14516f3abdc4e5f6c92e071ed83c90c5a14260b28f61dbef3da2163f2f137a975377a666e48
-
Filesize
1.6MB
MD5e42eae98aeda344ee8a50e225f240741
SHA18341f836a4ba7e06db896f50798f57c5d9be680c
SHA2560e19d0ed88595549296ffe92763d6d4272736003cc1804db52d8f1a351e191c3
SHA5121b4094703fd909a2b7c49cde350864ec5496a009d5c094c305d3b14516f3abdc4e5f6c92e071ed83c90c5a14260b28f61dbef3da2163f2f137a975377a666e48
-
Filesize
1.3MB
MD502d1198a254338ff8e254a41a6b9d706
SHA10940bea48117fcc2fcd2d574f1b31e08198e5c79
SHA25666bb5e7803982d652656ec06118a70f467076f4972ab20905caa25b857eecf36
SHA5127bac4f289426a1ca9076535a3829f6c275870ba11424626cd848709791e382dd322028278ca0f02916dab7bfc8db4b985f41aec179d29da2a1456c5049e4dd15
-
Filesize
1.4MB
MD542a45b1ba35be7eb117d737b74ffffaa
SHA1882cf4f769c84c635c3e38a0537f295942c680d6
SHA256cf6b13261a047b17a292afdfbc04a1dc757419c40d92514d2b45e5cb8fb5a327
SHA5124b25bbb3d513899d7cc8e93a8e15b34f83688a08e40fcc368ca8caebf883e34d5a9d2e84865b0b519ba97a264f315a164ab349ee7f3a8b0a7e29281091ac8f45
-
Filesize
1.8MB
MD55231411340b02e8caa33f8cbfd5b6eff
SHA1bff13798aab8cbd6fdccbe3ec5ecce94805dbdde
SHA25608bef788f27bc9d202bb34486918a08974e58c7aa9f57482622a0a0947e24abd
SHA51222d7c3e90610867cad1c4365a575dd75c52108c9033d45b6d9aa57dbd498ae26b72a1bcaa4d8665b96314231f516378a42664bc27f6048fc89c198be29f5a873
-
Filesize
1.4MB
MD517321ff42daf4929302b8e4c4159fbad
SHA1eb8038c63c6b6e5c9ac38b80b5c9b4398e3f3efa
SHA256b6c282937000908b26292177125b049a9b8fdb50d28ce4b540044b963718ecf6
SHA5128761d4890da35ce9b110e345bca6894d60558fe400f8f71ecfe9104f47097971abe251a13fe4ef400aebbbdff33fa2d586c79e26df19dec4278e5713fab7b7b4
-
Filesize
1.5MB
MD5e59c9d2dfcecfcef1af627b2f57e672a
SHA14cdedc0014c5b554fff0c5ded28819f399f95419
SHA256741772b31c0789bf0f6ded514ff8fbf189ad7cf71fce78854eeac443c4685891
SHA512a98058e92f1c16f029743a1da7023109595c6ec8ae10172960410043fe25216f621266e55f461f48430ab3f08a3508d133fcf1079f80653b163c569e9ec24842
-
Filesize
2.0MB
MD503303ef18d8e2c0e4ac535978c5d2652
SHA1e6c88babd0120324b9f6c2c737b1beae40aa9159
SHA25618f09304d53df6eaf298333b383ee0d5a4a17a31de070b19f3b562702da1b37d
SHA51233d5e3ad0a83aa74da4348a22bb725f70c962ec71d7c8ef12abc5229363a859055cb67a1e3545785a24dfb177cce999647aa70cd29d91e5195d7be38f807f06b
-
Filesize
1.3MB
MD5b585737688296e380bcd186ca9f20b12
SHA154d5e9cb70e782e911771b317203f1a4c4493822
SHA2562940b7cc850907e2c64bde47cd88ed76af00bed20780347a76b8ed2cb8fa3c3a
SHA512c2b6543c12305a7cb580c55c012d1065ba1cd2c1c64b237665210c7735b18935ec11801526840654459ed4ff470f9c9611988f7ff85e31da7b832d382da0bd01
-
Filesize
1.4MB
MD5ef1721fdc2d98d80e8e52a38c13b946b
SHA12b68b91edd71c55d6e351726ae5f8bd15cd06bd4
SHA2564ca33bb8816c225fa5e72797d133e67238e48a851a14f1228edf3d88b3c7d266
SHA512a3004efa1153c52a11a2a348772488eb727356a17d0f9419762a47848399de985889bd5ee16ee72ab83ac0cf2a154d56e6fa9937163cdde127b5323c6598ac8b
-
Filesize
1.2MB
MD543567adfca1e0dcea7243464f573e762
SHA1f95056888e1c243f3f2f33e1fd7e88ec368de100
SHA2568ba498ba005e2f846bf16164fb2af4ced989e568bf815aada7f50559d7cdf800
SHA5125655c83a2d3427801e3dbc53e15a418c225ddc068c8078713d2bcb3ecc6bb11abb9e0d4fe17e7a81d6b5adb07a7c0221ec7f8b196e84d5659da91b3b9b0d7d36
-
Filesize
1.3MB
MD5c735788be2e69b5ee42157330555c693
SHA19b39a6f49493b7dc493a6f3b69f777e833bb00be
SHA256ad6103dff2edc97d33044abd64cc8c7212bb9e971055180260f3f48e45737b3a
SHA51288fb8ebbdf6fdf16278b9dd38377e6544f2f746e51249adb890584719d3a6e6c3136e58533ca8bb28e9044984bb22a4915f36b9e181a7fcd7be61c91efc1b052
-
Filesize
1.4MB
MD5cdb55154a0127f9c4c74288f763c6583
SHA1702976930cf0aefd0fd5c4b953dc393b5706b7b4
SHA256000b3a089c5b11d395f69ce951fabeb4ea99530a9c123b5a3759f4ecf1d2b2d3
SHA5121de9491ed5ba09aeac49dc43f88672de8f071bc8bb36ff70ec5c2e2d6c617551f32bfac743112488d8d750fa9b6b5b409e2176762febf1005fc456ec3b5c833b
-
Filesize
2.1MB
MD538f949f53b3ab2623474f2c6a967ec45
SHA1ce0a0b0086672fa0809d6fd440771c6adcfed936
SHA256ed33c18eaa4e0317941c115f01867d9b754dfbcd7442cc917bbc4537eb29e845
SHA5120fbf7be35f3431ee111f84dd8544c6c49e1878b5fa154b7bed78ccea158f3fb0dfa802968ecf171f5a05e18969f27269f5925f717a11768f909e19819e5a9546
-
Filesize
384KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
384KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
384KB
-
Filesize
2.0MB
-
Filesize
384KB
-
Filesize
2.0MB
-
Filesize
384KB
-
Filesize
2.2MB
-
Filesize
384KB
-
Filesize
2.2MB
-
Filesize
1.4MB
-
Filesize
384KB
-
Filesize
5.6MB
-
Filesize
1.4MB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
624KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
584KB
-
Filesize
384KB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
1.8MB
-
Filesize
384KB
-
Filesize
1.8MB
-
Filesize
384KB
-
Filesize
1.2MB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
1.2MB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
1.9MB
-
Filesize
384KB
-
Filesize
1.9MB
-
Filesize
384KB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
1.9MB
-
Filesize
384KB
-
Filesize
1.9MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
408KB
-
Filesize
1.9MB
-
Filesize
408KB
-
Filesize
1.9MB
-
Filesize
408KB
-
Filesize
384KB
-
Filesize
2.3MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
2.2MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
408KB
-
Filesize
7.7MB