Analysis Overview
SHA256: 139b8756b01add9dcac07d3a0137b0ea49a932fc4804ad0eca63ffc2958eda72
Threat Level: Known bad
The file 0bb1c29f4a8c046e798cd9781cc127a7 was found to be: Known bad.
Malicious Activity Summary
A310logger
BluStealer
A310logger Executable
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Reads local data of messenger clients
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Creates scheduled task(s)
Suspicious behavior: GetForegroundWindowSpam
outlook_office_path
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Modifies system certificate store
outlook_win_path
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2023-12-30 02:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2023-12-30 02:29
Reported: 2023-12-30 16:42
Platform: win7-20231215-en
Max time kernel: 143s
Max time network: 149s
Command Line
Signatures
A310logger
BluStealer
A310logger Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0bb1c29f4a8c046e798cd9781cc127a7.exe | N/A |
Reads local data of messenger clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1880 set thread context of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\0bb1c29f4a8c046e798cd9781cc127a7.exe | C:\Users\Admin\AppData\Local\Temp\0bb1c29f4a8c046e798cd9781cc127a7.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob value omitted) | C:\Users\Admin\AppData\Local\Temp\0bb1c29f4a8c046e798cd9781cc127a7.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob value omitted) | C:\Users\Admin\AppData\Local\Temp\0bb1c29f4a8c046e798cd9781cc127a7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\0bb1c29f4a8c046e798cd9781cc127a7.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob value omitted) | C:\Users\Admin\AppData\Local\Temp\0bb1c29f4a8c046e798cd9781cc127a7.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0bb1c29f4a8c046e798cd9781cc127a7.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0bb1c29f4a8c046e798cd9781cc127a7.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0bb1c29f4a8c046e798cd9781cc127a7.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe | N/A |
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\0bb1c29f4a8c046e798cd9781cc127a7.exe | "C:\Users\Admin\AppData\Local\Temp\0bb1c29f4a8c046e798cd9781cc127a7.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JacGDBJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1D70.tmp" |
| C:\Users\Admin\AppData\Local\Temp\0bb1c29f4a8c046e798cd9781cc127a7.exe | "{path}" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | smtp.privateemail.com | udp |
| US | 66.29.159.53:465 | smtp.privateemail.com | tcp |
| US | 66.29.159.53:465 | smtp.privateemail.com | tcp |
| US | 66.29.159.53:465 | smtp.privateemail.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\tmp1D70.tmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\TEMPLA~1\CUE3L4~1.ZIP
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files.zip
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\Are.docx
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\AssertSend.xlsx
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\DisconnectLimit.docx
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\Files.docx
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\Opened.docx
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\Recently.docx
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\ShowDebug.docx
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\These.docx
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\UseSubmit.docx
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files.zip
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\UnprotectInitialize.rtf
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\TestInitialize.docm
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\SuspendDismount.xlsm
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\SkipSubmit.doc
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\RepairUpdate.pdf
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\ConvertUndo.rtf
C:\Users\Admin\AppData\Local\Temp\Cab65B7.tmp
C:\Users\Admin\AppData\Local\Temp\Tar6608.tmp
Analysis: behavioral2
Detonation Overview
Submitted: 2023-12-30 02:29
Reported: 2023-12-30 16:44
Platform: win10v2004-20231215-en
Max time kernel: 50s
Max time network: 96s
Command Line
Signatures
A310logger
BluStealer
A310logger Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\0bb1c29f4a8c046e798cd9781cc127a7.exe | "C:\Users\Admin\AppData\Local\Temp\0bb1c29f4a8c046e798cd9781cc127a7.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JacGDBJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2584.tmp" |
| C:\Users\Admin\AppData\Local\Temp\0bb1c29f4a8c046e798cd9781cc127a7.exe | "{path}" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 17.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.109.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | smtp.privateemail.com | udp |
| US | 66.29.159.53:465 | smtp.privateemail.com | tcp |
| US | 8.8.8.8:53 | 53.159.29.66.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.5.17.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\tmp2584.tmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\credentials.txt
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files.zip
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\Files.docx
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\Opened.docx
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\Recently.docx
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\These.docx
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files.zip
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\PingPublish.pdf
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\ImportGet.xlsm
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\DebugResize.rtf