Overview

overview

10

Static

static

3

470621f5ae...9f.exe

windows7-x64

10

470621f5ae...9f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    42s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-12-2023 00:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    470621f5aef9787e21b629735c1a5f9f.exe

  • Size

    1.3MB

  • MD5

    470621f5aef9787e21b629735c1a5f9f

  • SHA1

    be32079fc5d6662582685689c644322642073778

  • SHA256

    d0b801a4ea3be10c3cf2dfff06e2437c9d96e4cbe5be96483c00a4c10b27d2c5

  • SHA512

    9e321a30ae8d88c13f96033fd63a7a5bb78a35c2bb1edbe02c30109df518c07c54a72f29c3f11c9573943483ac2fb5e273d8ad2054e30458396b5de6f78c534c

  • SSDEEP

    24576:P4S/d3rKzksfks2y8jIGReCFlolhhNxuNeG5Gm+8MN6ZNBZ:TKqYGRzlWoejmcN6ZNB

Score
10/10
blustealerstealer

Malware Config

Extracted

Family

blustealer

Credentials

  • Protocol:     smtp
  • Host:
    mail.sabaint.me
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    regina1983-

Signatures

  • BluStealer

    A Modular information stealer written in Visual Basic.

    stealerblustealer
  • CustAttr .NET packer 1 IoCs

    Detects CustAttr .NET packer in memory.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\470621f5aef9787e21b629735c1a5f9f.exe
    "C:\Users\Admin\AppData\Local\Temp\470621f5aef9787e21b629735c1a5f9f.exe"
    1⤵
      PID:2732
      • C:\Users\Admin\AppData\Local\Temp\470621f5aef9787e21b629735c1a5f9f.exe
        "C:\Users\Admin\AppData\Local\Temp\470621f5aef9787e21b629735c1a5f9f.exe"
        2⤵
          PID:1464
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe
            C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe
            3⤵
              PID:452
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eVSwXOCV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEFFD.tmp"
            2⤵
            • Creates scheduled task(s)
            PID:2324

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmpEFFD.tmp
          Filesize

          1KB

          MD5

          61e75b93e719b2ac8863e99ac87377de

          SHA1

          f029016cdee7be81729f8b3975888b8f59ff4b78

          SHA256

          6dfda2c4ac93b71da9b074d3919bbc9ca65153cf13f388fb31def462b56dc883

          SHA512

          5149c6dc349453666ace87c863d80ffd43ab1b11dc82d70b3cb44674dbf993c7cf98fb1ee0277f3c26341cf753dce154db9e4004a2706d1f5f8c1fbe41b807bf

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\JQGVKGNK_Admin.zip
          Filesize

          24B

          MD5

          98a833e15d18697e8e56cdafb0642647

          SHA1

          e5f94d969899646a3d4635f28a7cd9dd69705887

          SHA256

          ff006c86b5ec033fe3cafd759bf75be00e50c375c75157e99c0c5d39c96a2a6c

          SHA512

          c6f9a09d9707b770dbc10d47c4d9b949f4ebf5f030b5ef8c511b635c32d418ad25d72eee5d7ed02a96aeb8bf2c85491ca1aa0e4336d242793c886ed1bcdd910b

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\JQGVKGNK_Admin.zip
          Filesize

          525B

          MD5

          7c1557d9476dedfbccf26684753c441b

          SHA1

          c3f226901d593c4e28a7a4e62671a287c71bc653

          SHA256

          8a8f9236bab52ccb349624743780a72b5184451882efcb0ad1bd5d87e24cbd8e

          SHA512

          91ffcfb49eae63fa2ecb030bbc18743e6a814b6e848c51dbc1d35d4ebd9d6cde15849268c2711e3b7c7947d90dfcada237907dbeedc04e4c333e0b31a84e68d6

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\credentials.txt
          Filesize

          1KB

          MD5

          3552c157193c1532fe73a9c5ad258e5c

          SHA1

          4c6c010902971af7cf38d5b433a278739ab00dd7

          SHA256

          520315050867d504260051c5b0ef597ccc749edca282c413a62f8b4d798a15b8

          SHA512

          0d93adafee81750d67047ca979751c72cefe7e24f721018155b453e1306b29b46eebbc2433ab346ec6a8b02bac319a81f335c9ee94907fcefec2b5c67a18bc77

          Download Submit

        • memory/452-96-0x0000000000F80000-0x0000000000FAE000-memory.dmp

          Filesize

          184KB

          Download

        • memory/452-101-0x0000000003040000-0x0000000003050000-memory.dmp

          Filesize

          64KB

          Download

        • memory/452-107-0x00007FFA8B3B0000-0x00007FFA8BE71000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/452-97-0x00007FFA8B3B0000-0x00007FFA8BE71000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1464-17-0x0000000000400000-0x0000000000432000-memory.dmp

          Filesize

          200KB

          Download

        • memory/1464-24-0x0000000000400000-0x0000000000432000-memory.dmp

          Filesize

          200KB

          Download

        • memory/1464-108-0x0000000000400000-0x0000000000432000-memory.dmp

          Filesize

          200KB

          Download

        • memory/1464-20-0x0000000000400000-0x0000000000432000-memory.dmp

          Filesize

          200KB

          Download

        • memory/2732-21-0x0000000074590000-0x0000000074D40000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2732-9-0x0000000004F60000-0x0000000004F70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2732-1-0x0000000000340000-0x000000000048A000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2732-11-0x00000000081D0000-0x0000000008208000-memory.dmp

          Filesize

          224KB

          Download

        • memory/2732-8-0x0000000074590000-0x0000000074D40000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2732-7-0x0000000004F50000-0x0000000004F62000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2732-0-0x0000000074590000-0x0000000074D40000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2732-6-0x0000000005010000-0x00000000050AC000-memory.dmp

          Filesize

          624KB

          Download

        • memory/2732-5-0x0000000004EF0000-0x0000000004EFA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2732-10-0x0000000005C30000-0x0000000005CD4000-memory.dmp

          Filesize

          656KB

          Download

        • memory/2732-4-0x0000000004F60000-0x0000000004F70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2732-3-0x0000000004D20000-0x0000000004DB2000-memory.dmp

          Filesize

          584KB

          Download

        • memory/2732-2-0x00000000053A0000-0x0000000005944000-memory.dmp

          Filesize

          5.6MB

          Download