Analysis
-
max time kernel
122s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
26-12-2023 00:39
General
-
Target
470621f5aef9787e21b629735c1a5f9f.exe
-
Size
1.3MB
-
MD5
470621f5aef9787e21b629735c1a5f9f
-
SHA1
be32079fc5d6662582685689c644322642073778
-
SHA256
d0b801a4ea3be10c3cf2dfff06e2437c9d96e4cbe5be96483c00a4c10b27d2c5
-
SHA512
9e321a30ae8d88c13f96033fd63a7a5bb78a35c2bb1edbe02c30109df518c07c54a72f29c3f11c9573943483ac2fb5e273d8ad2054e30458396b5de6f78c534c
-
SSDEEP
24576:P4S/d3rKzksfks2y8jIGReCFlolhhNxuNeG5Gm+8MN6ZNBZ:TKqYGRzlWoejmcN6ZNB
Malware Config
Extracted
blustealer
Protocol: smtp- Host:
mail.sabaint.me - Port:
587 - Username:
[email protected] - Password:
regina1983-
Signatures
-
BluStealer
A Modular information stealer written in Visual Basic.
-
CustAttr .NET packer 1 IoCs
Detects CustAttr .NET packer in memory.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\470621f5aef9787e21b629735c1a5f9f.exe"C:\Users\Admin\AppData\Local\Temp\470621f5aef9787e21b629735c1a5f9f.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eVSwXOCV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEBA6.tmp"2⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\470621f5aef9787e21b629735c1a5f9f.exe"C:\Users\Admin\AppData\Local\Temp\470621f5aef9787e21b629735c1a5f9f.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\470621f5aef9787e21b629735c1a5f9f.exe"C:\Users\Admin\AppData\Local\Temp\470621f5aef9787e21b629735c1a5f9f.exe"2⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- outlook_office_path
- outlook_win_path
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD58ded816b9ca44395d733f5cfc60df1e8
SHA107e16a98959d8b2de3965d773f78cffe431468d7
SHA25605f5728997bb596061f1676803309d442ae9189b624ff6af1bac67d2dbf9e59f
SHA512ac4d192cef0f4d9b01552ea7eea74503e4609aa0b1c919b510e35eae6bc8c7b21b5826ee29cddd610ca6bf490e10e182412ba8c47885d83bd11d75d285346898
-
Filesize
122KB
MD537ac88bc53abcc353b3a93f68fb30871
SHA1f5165c03b5de33db3704d502227bac35eae1c6c5
SHA2567bc03158a3c0bcb001093d9d40eaf6b9a7adf14e685db68fbd9d0f135d447ebe
SHA51201c65cbf90c2db90d0563d4a45650d4abd19e1a90bb8467f0e5a57ff1c6c377e3be8216f3324b81af58822b75a22b52f7317df985c11f3a7a45b72843134fc38
-
Filesize
400B
MD5f4b697cdc931fedb91f40d77625780f2
SHA17e91abf4ca294fb80ee7d34ea6af569af4f8b91a
SHA2562516ecbb5a7635442f0abfcd17480b943bdef9338970bd3989171fa635e0d441
SHA5126a12939a691b1d648665f829823e85a6f96607300ba96a412a1693d84df79faa06fce34fb390807361ed0fc45e5dcf7ab229e8d7ff8ba0b9d506f952c87589ec
-
Filesize
24B
MD598a833e15d18697e8e56cdafb0642647
SHA1e5f94d969899646a3d4635f28a7cd9dd69705887
SHA256ff006c86b5ec033fe3cafd759bf75be00e50c375c75157e99c0c5d39c96a2a6c
SHA512c6f9a09d9707b770dbc10d47c4d9b949f4ebf5f030b5ef8c511b635c32d418ad25d72eee5d7ed02a96aeb8bf2c85491ca1aa0e4336d242793c886ed1bcdd910b
-
Filesize
311B
MD5db5700972f1118dc1a565288bc476977
SHA14fc84184de0220825efc72fccd000c99af8cc080
SHA25686bfd9009f3e99eb1c6d64cda0758304f238acb54749ac8906a57f7e15dd580b
SHA51228743ff261dc8012e5b11a242f81b70415bc8be543f4b62ece008455b9dfa4549dff3b1a8465ee1ea091087223e9415b2421fd69f82b700f9cd7b7382de9865c
-
Filesize
156KB
MD50c3c728a9b4376e014bc97f7b1da74f0
SHA1de2253d0c3e02ea9d27ae6f46082cec9d0164a02
SHA25605f0ac30ce02bc3608d957b40896240ae750da01393f4e26a8951fc7987959ca
SHA512f610ae81854bc99086f139833b7d16b7e7634f53ef1125dc97d01611ec46c262e1f87dde31aa47a19e17a81334c4f25b4096d8e255460e3446bf45d656f5f81c
-
Filesize
72KB
-
Filesize
224KB
-
Filesize
656KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
1.3MB
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
4KB
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
4KB
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
4KB
-
Filesize
184KB
-
Filesize
9.9MB
-
Filesize
512KB
-
Filesize
9.9MB