Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-08-2023 09:12

General

  • Target

    1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe

  • Size

    522KB

  • MD5

    6874fa404214cace1c3e0607f827e16e

  • SHA1

    110ca7ad3965a397badae82729be1c43ede7c670

  • SHA256

    1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1

  • SHA512

    41b384435b0ec80f44df6b4e2d45877b84160dd1067a6d04e7b5684a29e06ed4fddeef6e7fa8da08997c2aa3baebfc4a3a293ffe186b1d95bb757ef1db3dd26f

  • SSDEEP

    12288:2GTIYlV2h+RZu5ZcgnziDG/kYiOaONNoZiXL1MkrupND6e:hIYlVDK8m2SsOVNNWiRMuFe

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5374342837:AAHF-c1HAIvNCdF89VuEdNggsL2YBlpgkSE/sendMessage?chat_id=2133303215

Signatures

  • BluStealer

    A modular information stealer written in Visual Basic.

  • StormKitty

    StormKitty is an open-source information stealer written in C#.

  • StormKitty payload 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3936
    • C:\Users\Admin\AppData\Local\Temp\1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe"
      2⤵
        PID:2180
      • C:\Users\Admin\AppData\Local\Temp\1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe
        "C:\Users\Admin\AppData\Local\Temp\1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4720
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4904
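    The process tree above shows the classic hollowing shape: the sample (PID 3936) re-launches its own image twice (PIDs 2180 and 4720) while flagged for SetThreadContext and WriteProcessMemory, and the second child then starts an argument-less AppLaunch.exe (PID 4904), which carries out the icanhazip.com lookup. The dumps for PID 4720 cover 0x400000-0x422000, the default 32-bit PE image base, which is consistent with a replaced image. The following script is an added example, not part of the sandbox report or of any detection product: it encodes those two observations as rules over process-creation events. The events are constructed from the report's tree; the field names (pid, ppid, image, cmdline, api_flags) are an assumed shape loosely modelled on Sysmon Event ID 1, and the parent of PID 3936 is set to 0 because the report does not show it.

```python
"""Flag the process-hollowing pattern seen in the sandbox process tree.

Added example, not part of the sandbox report. Events are constructed
from the report's process tree; the record layout is an assumption.
"""
import ntpath
from dataclasses import dataclass

# A parent flagged for both of these is writing a remote process's memory
# and redirecting one of its threads: the WriteProcessMemory/SetThreadContext
# pair used by process hollowing.
INJECT_APIS = frozenset({"SetThreadContext", "WriteProcessMemory"})


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    api_flags: frozenset = frozenset()   # sandbox "Suspicious use of ..." flags


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1_JC.exe")
APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

# Constructed from the report's process tree (ppid 0 = parent not in report).
EVENTS = [
    ProcEvent(3936, 0, SAMPLE, f'"{SAMPLE}"',
              frozenset({"SetThreadContext", "AdjustPrivilegeToken", "WriteProcessMemory"})),
    ProcEvent(2180, 3936, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(4720, 3936, SAMPLE, f'"{SAMPLE}"',
              frozenset({"SetThreadContext", "SetWindowsHookEx", "WriteProcessMemory"})),
    ProcEvent(4904, 4720, APPLAUNCH, APPLAUNCH,
              frozenset({"AdjustPrivilegeToken"})),
]


def cmdline_args(cmdline: str) -> str:
    """Return the argument string after the executable token of a Windows command line."""
    s = cmdline.strip()
    if s.startswith('"'):
        close = s.find('"', 1)
        return s[close + 1:].strip() if close != -1 else ""
    parts = s.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def find_hollowing(events):
    """Return (pid, reason) pairs for children that look like hollowing targets."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        injector = INJECT_APIS <= parent.api_flags

        # Rule 1: a process re-launching its own image while using the
        # WriteProcessMemory/SetThreadContext pair on it.
        if injector and e.image.lower() == parent.image.lower():
            findings.append((e.pid, "self-spawned child of a process flagged for "
                                    "SetThreadContext+WriteProcessMemory (hollowing candidate)"))

        # Rule 2: AppLaunch.exe has no business running with an empty command
        # line under a parent that lives outside C:\Windows.
        if (ntpath.basename(e.image).lower() == "applaunch.exe"
                and not cmdline_args(e.cmdline)
                and not parent.image.lower().startswith("c:\\windows\\")):
            findings.append((e.pid, "argument-less AppLaunch.exe started from outside "
                                    "C:\\Windows (injection host)"))
    return findings


if __name__ == "__main__":
    for pid, reason in find_hollowing(EVENTS):
        print(f"PID {pid}: {reason}")
```

    Rule 1 fires for both self-spawned children, including PID 2180, which the report shows with no further activity; in a hollowing chain that is typically a first attempt that did not take, and it is still worth collecting. Rule 2 deliberately keys on the empty command line rather than on AppLaunch.exe itself, since legitimate .NET hosting passes an application path as argument.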

    Network

    All DNS traffic goes to 8.8.8.8:53. The report attributes a process only to the icanhazip.com lookup and the HTTP request (AppLaunch.exe); the reverse (PTR) lookups carry no process attribution.

    • DNS 146.78.124.51.in-addr.arpa IN PTR
      Response: (empty)
    • DNS 69.31.126.40.in-addr.arpa IN PTR
      Response: (empty)
    • DNS 108.211.229.192.in-addr.arpa IN PTR
      Response: (empty)
    • DNS 103.169.127.40.in-addr.arpa IN PTR
      Sent five times; no response recorded
    • DNS 108.211.229.192.in-addr.arpa IN PTR
      Response: (empty)
    • DNS icanhazip.com IN A (AppLaunch.exe)
      Response: icanhazip.com IN A 104.18.114.97, icanhazip.com IN A 104.18.115.97
    • GET http://icanhazip.com/ (AppLaunch.exe), remote address 104.18.114.97:80
      Request
        GET / HTTP/1.1
        Host: icanhazip.com
        Connection: Keep-Alive
      Response
        HTTP/1.1 200 OK
        Date: Sun, 13 Aug 2023 09:13:48 GMT
        Content-Type: text/plain
        Content-Length: 13
        Connection: keep-alive
        Access-Control-Allow-Origin: *
        Access-Control-Allow-Methods: GET
        Set-Cookie: __cf_bm=Wef1w8fdw9Sw7FwreuKfDs1aoQVB_PEX5YQmYNeZWBg-1691918028-0-AZkAIYmQTwQGU9jlPLIm6zqc26pvBOTztMnxUkMeueBt+0QPgNgSHTNDrDVqMbrXY0nW7NgCRsljAJBPqfEmZdQ=; path=/; expires=Sun, 13-Aug-23 09:43:48 GMT; domain=.icanhazip.com; HttpOnly
        Server: cloudflare
        CF-RAY: 7f5fd81cce000c69-AMS
        alt-svc: h3=":443"; ma=86400
      The body (not shown in the report) is the caller's public IP address as plain text; 13 bytes is a dotted quad plus a newline.
    • DNS 97.114.18.104.in-addr.arpa IN PTR
      Response: (empty)
    • DNS 1.208.79.178.in-addr.arpa IN PTR
      Response: 1.208.79.178.in-addr.arpa IN PTR https-178-79-208-1.ams.llnw.net
    • DNS 11.227.111.52.in-addr.arpa IN PTR
      Response: (empty)
    • DNS 254.136.241.8.in-addr.arpa IN PTR
      Response: (empty)
    • DNS 210.143.182.52.in-addr.arpa IN PTR
      Response: (empty)
    Connections (remote address, domain, protocol, process, bytes sent / received, packets sent / received)

    104.18.114.97:80   icanhazip.com (http://icanhazip.com/)   http   AppLaunch.exe   293 B / 663 B   5 / 3
        HTTP Request: GET http://icanhazip.com/
        HTTP Response: 200
    8.8.8.8:53   146.78.124.51.in-addr.arpa     dns                   72 B / 158 B    1 / 1
    8.8.8.8:53   69.31.126.40.in-addr.arpa      dns                   71 B / 157 B    1 / 1
    8.8.8.8:53   108.211.229.192.in-addr.arpa   dns                   74 B / 145 B    1 / 1
    8.8.8.8:53   103.169.127.40.in-addr.arpa    dns                   365 B / -       5 / -     (five requests, no reply)
    8.8.8.8:53   108.211.229.192.in-addr.arpa   dns                   74 B / 145 B    1 / 1
    8.8.8.8:53   icanhazip.com                  dns   AppLaunch.exe   59 B / 91 B     1 / 1
        DNS Request: icanhazip.com
        DNS Response: 104.18.114.97, 104.18.115.97
    8.8.8.8:53   97.114.18.104.in-addr.arpa     dns                   72 B / 134 B    1 / 1
    8.8.8.8:53   1.208.79.178.in-addr.arpa      dns                   71 B / 116 B    1 / 1
    8.8.8.8:53   11.227.111.52.in-addr.arpa     dns                   72 B / 158 B    1 / 1
    8.8.8.8:53   254.136.241.8.in-addr.arpa     dns                   72 B / 126 B    1 / 1
    8.8.8.8:53   210.143.182.52.in-addr.arpa    dns                   73 B / 147 B    1 / 1
    MITRE ATT&CK Enterprise v15


    Downloads

    Memory dumps, listed by PID and dump sequence number (file name, size):

    • memory/3936-133-0x0000000000D50000-0x0000000000DD8000-memory.dmp   544KB
    • memory/3936-134-0x0000000075240000-0x00000000759F0000-memory.dmp   7.7MB
    • memory/3936-135-0x0000000005D50000-0x00000000062F4000-memory.dmp   5.6MB
    • memory/3936-136-0x0000000005840000-0x00000000058D2000-memory.dmp   584KB
    • memory/3936-137-0x00000000059F0000-0x0000000005A00000-memory.dmp   64KB
    • memory/3936-138-0x00000000057E0000-0x00000000057EA000-memory.dmp   40KB
    • memory/3936-139-0x0000000075240000-0x00000000759F0000-memory.dmp   7.7MB
    • memory/3936-140-0x00000000059F0000-0x0000000005A00000-memory.dmp   64KB
    • memory/3936-141-0x000000000AE50000-0x000000000AEEC000-memory.dmp   624KB
    • memory/3936-147-0x0000000075240000-0x00000000759F0000-memory.dmp   7.7MB
    • memory/4720-142-0x0000000000400000-0x0000000000422000-memory.dmp   136KB
    • memory/4720-145-0x0000000000400000-0x0000000000422000-memory.dmp   136KB
    • memory/4720-155-0x0000000000400000-0x0000000000422000-memory.dmp   136KB
    • memory/4904-149-0x0000000001310000-0x000000000132A000-memory.dmp   104KB
    • memory/4904-150-0x00000000057B0000-0x0000000005816000-memory.dmp   408KB
    • memory/4904-151-0x0000000074BB0000-0x0000000075360000-memory.dmp   7.7MB
    • memory/4904-152-0x00000000058D0000-0x00000000058E0000-memory.dmp   64KB
    • memory/4904-154-0x0000000074BB0000-0x0000000075360000-memory.dmp   7.7MB
