Analysis

max time kernel: 155s
max time network: 167s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-12-2023 17:03
Static task: static1

Behavioral task: behavioral1
  Sample: 0bb1c29f4a8c046e798cd9781cc127a7.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: 0bb1c29f4a8c046e798cd9781cc127a7.exe
  Resource: win10v2004-20231215-en
General

Target: 0bb1c29f4a8c046e798cd9781cc127a7.exe
Size: 876KB
MD5: 0bb1c29f4a8c046e798cd9781cc127a7
SHA1: bbad89c8d04b20f63d36014f00ded3818e595a53
SHA256: 139b8756b01add9dcac07d3a0137b0ea49a932fc4804ad0eca63ffc2958eda72
SHA512: 4b439bd85c725f104be24956525a6ae1a16dba28fe254695cbd667933d0cce2225e9a0f934ef17e1f5ef65ac033aa6ed72d016e3bed0bf270dd3d1eef12de63f
SSDEEP: 12288:+nkguFRskuUAlWC/44toU73kJiIWK4vV9BrFZsk1q1/1Yah2UKbnltqvTmDcN:0kEkuUAlV46zbk6K6VVZsuSYgF+qvH
Malware Config

Extracted
Family: blustealer
Protocol: smtp
Host: smtp.privateemail.com
Port: 587
Username: [email protected]
Password: @@@@@@
Signatures

A310logger
A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

BluStealer
A modular information stealer written in Visual Basic.

A310logger Executable (2 IoCs)
YARA rule matches (resource: yara_rule):
- behavioral2/files/0x000700000002322d-49.dat: a310logger
- behavioral2/memory/2552-51-0x0000000000B70000-0x0000000000C22000-memory.dmp: a310logger

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation (process: 0bb1c29f4a8c046e798cd9781cc127a7.exe)

Executes dropped EXE (1 IoC)
- PID 2552: Fox.exe

Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
- Key opened: \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: Fox.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: Fox.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: Fox.exe)

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Suspicious use of SetThreadContext (1 IoC)
- PID 4976 set thread context of 4812 (pid: 4976, process: 0bb1c29f4a8c046e798cd9781cc127a7.exe, procid_target: 99)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 2012: schtasks.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 4812: 0bb1c29f4a8c046e798cd9781cc127a7.exe

Suspicious use of FindShellTrayWindow (1 IoC)
- PID 4812: 0bb1c29f4a8c046e798cd9781cc127a7.exe

Suspicious use of SetWindowsHookEx (1 IoC)
- PID 4812: 0bb1c29f4a8c046e798cd9781cc127a7.exe

Suspicious use of WriteProcessMemory (13 IoCs)
- PID 4976 wrote to memory of 2012 (pid: 4976, process: 0bb1c29f4a8c046e798cd9781cc127a7.exe, procid_target: 97), 3 events
- PID 4976 wrote to memory of 4812 (pid: 4976, process: 0bb1c29f4a8c046e798cd9781cc127a7.exe, procid_target: 99), 8 events
- PID 4812 wrote to memory of 2552 (pid: 4812, process: 0bb1c29f4a8c046e798cd9781cc127a7.exe, procid_target: 104), 2 events

outlook_office_path (1 IoC)
- Key opened: \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: Fox.exe)

outlook_win_path (1 IoC)
- Key opened: \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: Fox.exe)
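The registry IoCs above (the Geo\Nation lookup under "Checks computer location settings" and the three Outlook profile keys opened by Fox.exe) are logged in NT-native form (\REGISTRY\USER\<SID>\...), which is the form the kernel sees but not the form most hunting queries are written in (HKCU\...). The Office\15.0 and Office\16.0 paths are the Outlook 2013+ profile stores, the Windows Messaging Subsystem path is the older MAPI profile location used by Outlook 2010 and earlier, and the 9375CFF0413111d3B88A00104B2A6676 subkey beneath a profile holds per-account settings, which is why a stealer opens it. The following is an added example, not Triage's code: it rebuilds the report's four events as constructed input, normalises the paths to their Win32 hive aliases, and classifies each access. The SID, key paths and process names are copied from the report; the rule labels and the helper names are this example's own.

```python
"""Added example (not part of the Triage report): normalise the NT-native registry
paths from the Signatures section and classify which credential store each access
targets.  SID, key paths and process names are copied from the report above; the
rule labels are this example's own."""
import re
from collections import defaultdict

REPORT_SID = "S-1-5-21-996941297-2279405024-2328152752-1000"
# Subkey under an Outlook profile that holds per-account settings (server, user, password blob).
OUTLOOK_ACCOUNT_SUBKEY = "9375CFF0413111d3B88A00104B2A6676"


def user_key(relative):
    """Build the NT-native form the sandbox logs: \\REGISTRY\\USER\\<SID>\\<relative>."""
    return "\\REGISTRY\\USER\\" + REPORT_SID + "\\" + relative


# (operation, NT-native path, process) triples constructed from the report's IoCs.
REPORT_REGISTRY_EVENTS = [
    ("Key value queried", user_key("Control Panel\\International\\Geo\\Nation"),
     "0bb1c29f4a8c046e798cd9781cc127a7.exe"),
    ("Key opened", user_key("Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\"
                            + OUTLOOK_ACCOUNT_SUBKEY), "Fox.exe"),
    ("Key opened", user_key("Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\"
                            + OUTLOOK_ACCOUNT_SUBKEY), "Fox.exe"),
    ("Key opened", user_key("Software\\Microsoft\\Windows NT\\CurrentVersion\\"
                            "Windows Messaging Subsystem\\Profiles\\Outlook\\"
                            + OUTLOOK_ACCOUNT_SUBKEY), "Fox.exe"),
]

NT_USER_RE = re.compile(r"^\\REGISTRY\\USER\\(S-1-5-21(?:-\d+)+)(_Classes)?\\(.+)$", re.IGNORECASE)
NT_MACHINE = "\\REGISTRY\\MACHINE\\"


def normalize(nt_path):
    """Map an NT-native key path to the Win32 hive alias analysts search with.

    \\REGISTRY\\USER\\<SID>\\...          -> HKCU\\...   (the logged-on user's hive)
    \\REGISTRY\\USER\\<SID>_Classes\\...  -> HKCU\\Software\\Classes\\...
    \\REGISTRY\\MACHINE\\...              -> HKLM\\...
    Returns (win32_path, sid_or_None).
    """
    m = NT_USER_RE.match(nt_path)
    if m:
        sid, classes, rest = m.groups()
        prefix = "HKCU\\Software\\Classes\\" if classes else "HKCU\\"
        return prefix + rest, sid
    if nt_path.upper().startswith(NT_MACHINE):
        return "HKLM\\" + nt_path[len(NT_MACHINE):], None
    return nt_path, None


# Win32-form patterns for the keys this report shows being touched.  Office\<ver> is the
# Outlook 2013+ profile store; Windows Messaging Subsystem is the older MAPI location
# (Outlook 2010 and earlier), so a stealer that wants every version reads both.
RULES = [
    ("geofence_check",
     re.compile(r"^HKCU\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)),
    ("outlook_office_profile",
     re.compile(r"^HKCU\\Software\\Microsoft\\Office\\(\d+\.\d+)\\Outlook\\Profiles\\", re.IGNORECASE)),
    ("outlook_win_profile",
     re.compile(r"^HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\"
                r"Windows Messaging Subsystem\\Profiles\\", re.IGNORECASE)),
]


def classify(nt_path):
    """Return (label, win32_path, office_version_or_None) for one registry path."""
    win32, _sid = normalize(nt_path)
    for label, pattern in RULES:
        m = pattern.match(win32)
        if m:
            return label, win32, (m.group(1) if m.groups() else None)
    return "unclassified", win32, None


def triage(events):
    """Keep only the accesses that hit a known credential store or the geofence key."""
    findings = []
    for operation, nt_path, process in events:
        label, win32, version = classify(nt_path)
        if label != "unclassified":
            findings.append({"process": process, "op": operation, "key": win32,
                             "label": label, "office_version": version})
    return findings


def summarize(findings):
    """Per-process set of labels: the shape you would paste into a case note."""
    per_process = defaultdict(set)
    for f in findings:
        per_process[f["process"]].add(f["label"])
    return dict(per_process)


if __name__ == "__main__":
    for f in triage(REPORT_REGISTRY_EVENTS):
        print(f"{f['process']:40} {f['label']:24} {f['key']}")
```

The normalisation step matters more than it looks: a Sigma or EDR rule written against HKCU\Software\Microsoft\Office\*\Outlook\Profiles will never fire on a log line that says \REGISTRY\USER\S-1-5-21-...\Software\..., so convert before matching, not after.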
Processes

1. C:\Users\Admin\AppData\Local\Temp\0bb1c29f4a8c046e798cd9781cc127a7.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0bb1c29f4a8c046e798cd9781cc127a7.exe"
   - Checks computer location settings
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   PID: 4976

   2. C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JacGDBJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp558D.tmp"
      - Creates scheduled task(s)
      PID: 2012

   2. C:\Users\Admin\AppData\Local\Temp\0bb1c29f4a8c046e798cd9781cc127a7.exe
      Command line: "{path}"
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 4812

      3. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
         Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
         - Executes dropped EXE
         - Accesses Microsoft Outlook profiles
         - outlook_office_path
         - outlook_win_path
         PID: 2552
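Read together, the process tree and the API signatures describe one chain: the sample (PID 4976) registers a scheduled task from an XML file in its own temp directory, starts a second copy of its own image with the literal command line "{path}", writes into it eight times and replaces a thread context (the RunPE / hollowing sequence), and that hollowed copy (PID 4812) then writes to and launches the dropped Fox.exe from AppData\Roaming. Two details worth noting from the tree itself: the schtasks command line says System32 but the mapped image is SysWOW64, which is WoW64 file-system redirection and therefore tells you the creating process is 32-bit (consistent with the arch:x86 tag), and "{path}" is not a real path but the string the child was actually created with. The following is an added example, not Triage's code, that replays the report's processes and cross-process API events through four detection rules so the chain can be tested offline. PIDs, parent relationships, image paths and command lines are copied from the Processes section and the per-pid event counts from the Signatures section; the rule names, the dict layout and the ordering of events (the report gives no timestamps) are this example's own assumptions.

```python
"""Added example (not Triage code): replay the report's process tree and cross-process
API events through a few detection rules.  PIDs, paths and command lines come from the
report; rule names and event ordering are this example's own assumptions."""
import ntpath
import re
from collections import defaultdict

# Constructed from the Processes section.  ppid None marks the root of the tree.
PROCESSES = [
    {"pid": 4976, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\0bb1c29f4a8c046e798cd9781cc127a7.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\0bb1c29f4a8c046e798cd9781cc127a7.exe"'},
    {"pid": 2012, "ppid": 4976,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JacGDBJ" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp558D.tmp"'},
    {"pid": 4812, "ppid": 4976,
     "image": r"C:\Users\Admin\AppData\Local\Temp\0bb1c29f4a8c046e798cd9781cc127a7.exe",
     "cmdline": '"{path}"'},   # literal placeholder string, exactly as the sandbox recorded it
    {"pid": 2552, "ppid": 4812,
     "image": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe",
     "cmdline": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe"},
]

# (api, source pid, target pid): 3 + 8 + 2 WriteProcessMemory events and 1 SetThreadContext,
# the counts the Signatures section reports.
API_EVENTS = ([("WriteProcessMemory", 4976, 2012)] * 3
              + [("WriteProcessMemory", 4976, 4812)] * 8
              + [("SetThreadContext", 4976, 4812)]
              + [("WriteProcessMemory", 4812, 2552)] * 2)

TN_RE = re.compile(r'/TN\s+"([^"]+)"', re.IGNORECASE)
XML_RE = re.compile(r'/XML\s+"([^"]+)"', re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
APPDATA_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)


def analyze(processes, events):
    """Return a list of finding dicts, one per (rule, pid) that matched."""
    by_pid = {p["pid"]: p for p in processes}
    writes = defaultdict(int)      # (src, dst) -> number of WriteProcessMemory calls
    context_targets = set()        # (src, dst) pairs where src reset a thread context in dst
    for api, src, dst in events:
        if api == "WriteProcessMemory":
            writes[(src, dst)] += 1
        elif api == "SetThreadContext":
            context_targets.add((src, dst))
    hollowed = {dst for _src, dst in context_targets}

    findings = []
    for p in processes:
        pid, parent = p["pid"], by_pid.get(p["ppid"])
        name = ntpath.basename(p["image"]).lower()
        cmd = p["cmdline"]

        # Rule 1: schtasks /Create fed a task definition XML from the user's temp directory.
        if name == "schtasks.exe" and "/create" in cmd.lower():
            tn, xml = TN_RE.search(cmd), XML_RE.search(cmd)
            if xml and TEMP_DIR_RE.search(xml.group(1)):
                findings.append({"rule": "schtasks_xml_from_temp", "pid": pid,
                                 "parent": parent["pid"] if parent else None,
                                 "task_name": tn.group(1) if tn else None,
                                 "xml": xml.group(1)})

        # Rule 2: command line names System32 but the mapped image is SysWOW64.  That only
        # happens under WoW64 file-system redirection, so the creating process is 32-bit.
        if "\\system32\\" in cmd.lower() and "\\syswow64\\" in p["image"].lower():
            findings.append({"rule": "wow64_redirected_system_binary", "pid": pid})

        # Rule 3: parent started a second copy of its own image, wrote into it and replaced
        # a thread context: the RunPE / process-hollowing sequence.
        if (parent and parent["image"].lower() == p["image"].lower()
                and (parent["pid"], pid) in context_targets and writes[(parent["pid"], pid)]):
            findings.append({"rule": "self_hollowing", "pid": pid, "parent": parent["pid"],
                             "writes": writes[(parent["pid"], pid)],
                             "placeholder_cmdline": cmd == '"{path}"'})

        # Rule 4: a hollowed process launches a different executable from the user profile.
        if (parent and parent["pid"] in hollowed and APPDATA_RE.match(p["image"])
                and p["image"].lower() != parent["image"].lower()):
            findings.append({"rule": "payload_launched_by_hollowed_process", "pid": pid,
                             "parent": parent["pid"], "image": p["image"],
                             "writes_from_parent": writes[(parent["pid"], pid)]})
    return findings


if __name__ == "__main__":
    for finding in analyze(PROCESSES, API_EVENTS):
        print(finding)
```

Rules 1 and 2 need only process-creation telemetry (Sysmon event 1 or the equivalent EDR event), so they fire on the command line alone; rules 3 and 4 need the cross-process API events the sandbox recorded, which on a real endpoint come from Sysmon event 10 / the EDR's injection telemetry. Keeping the two classes separate is deliberate: on a host with no API-level telemetry the script still surfaces the persistence and the 32-bit loader, and the test below checks exactly that degradation.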
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 46ef3f78745a6fcef03d424863df4f5f
SHA1: 7c6445e114a49e56c43fdeffdada3a27a1955e26
SHA256: f092902dfd7a2433377b0f5aaa7bba18601f4cfe2bb559cc13960c35e0d05d49
SHA512: 907eac8092ead453974f6e95e62e52b4da8c2549e280c3f250c787b4a6617def91b0ebaf3ef36226c3a6ccbf509777380bce8747cf2d7d1fc0d5f7cd1337fdb7

Filesize: 285KB
MD5: 40a9752d59f2883e40d928f85a749008
SHA1: c60fb58eff64a7969b46f3934766f991352eeb47
SHA256: ef95540ec8dae3d255439fb847d26397c265b5cccda5ed0d6b9ed3dda14a2820
SHA512: ce33985f91103315accb1039635488d7e144df264bab8e164c1f9844ce6923e1c9c76349f14542901887ffcbbbca40b92cf474126f0b94893e8af1f608464b3c

Filesize: 24B
MD5: 98a833e15d18697e8e56cdafb0642647
SHA1: e5f94d969899646a3d4635f28a7cd9dd69705887
SHA256: ff006c86b5ec033fe3cafd759bf75be00e50c375c75157e99c0c5d39c96a2a6c
SHA512: c6f9a09d9707b770dbc10d47c4d9b949f4ebf5f030b5ef8c511b635c32d418ad25d72eee5d7ed02a96aeb8bf2c85491ca1aa0e4336d242793c886ed1bcdd910b

Filesize: 24KB
MD5: 4beacb06c06c4248656da2918197bd4e
SHA1: d4bd54dec65737ff674857ab9335294500536da6
SHA256: b08ba29edc1b7861d16c3677bda1afcd6c5e9acc16e1c29a86219f7a19c3b8a8
SHA512: 3e3dc6ead15603501ca5b7276b70be9d1037cff236eba7d26d5d6a5ead1bf5db458477415a4bc106c00f8e74b7d10b181dfb469516cda6892acb8bf4fe8a5a87

Filesize: 11KB
MD5: a33e5b189842c5867f46566bdbf7a095
SHA1: e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256: 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512: f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Filesize: 39KB
MD5: 809603ee8e1f100e0f0598f1d384529b
SHA1: 47e02ec9f672210297a6b462cda2b763feebe665
SHA256: dcce5827065be416162ac53e61fb9667beefdbbd588f9ede78089472efcdc2d1
SHA512: fc848037e59e180c12a579c235489aee62fb3f21249b9daba92187bdd332d0fdff31044542df3fd0b760e776ea8d3edce64bd0e61f2b3ec143aa5e3ab56d5155

Filesize: 57KB
MD5: a8e530725428064bb5cbcf32c40a0e7d
SHA1: 81e7ab9a51921276f4e1ca4a3a9a225936328578
SHA256: a258350a82087efe600611f6bd42a804b1e605ae6d70ce37e8a8e4c05e82950f
SHA512: 3e81c30134902d457f05c2e5ecb0bf1f84694085cc8a2b5f38e1fb3779e991c5955a7c68c1bb0cd599e208eae968425c8be6ae6fc569250749066eee608a0036

Filesize: 75KB
MD5: d450d7eded49b69964360e3e48b0aa5d
SHA1: 51acb81d0d2ac189b4bac7ad3712bce700c14046
SHA256: 7dbc1b9beb1c6deecf917d8a3fe063618dcef813c17efac33c17dee59b52ecbb
SHA512: 49f4598aea58b5aae26819bba58d5b9b181a2bfd434ad4ec2382e2288db0e21326e0d2e337386475e3a4d821b89f2dd633e7dbbc2d9d49fb2ee9ffae12386899

Filesize: 11KB
MD5: 4a8fbd593a733fc669169d614021185b
SHA1: 166e66575715d4c52bcb471c09bdbc5a9bb2f615
SHA256: 714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42
SHA512: 6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

Filesize: 13KB
MD5: c83f69954a49110235f5761783d9f76d
SHA1: 07a8efdbb529076faf9bd4b57f6b4a6af0115bd0
SHA256: aeb9f099ba37bbdc9effb4dd84c5295a83eec5259bf55e3a432db6da8fe76f83
SHA512: a41d691f9ebee6a0edb39547059e7dd143b141b1f13f8d04a0b2088148a558fe151e94ac2d92dd7a149f393f5a1a1001b0497e4e64a0fc7d62a4339a035721de

Filesize: 34KB
MD5: 778e381b204c651a0ac701186728e746
SHA1: e92cd8d95bfcf1a0d1a5273cb91c75a68c4a3de7
SHA256: d1129fd3950185d5f1b009aa334d4d428affe74cdc0720f433a7e66a0b27acb3
SHA512: 17246359409b1a5df507f24bd1bc07d75b569bfd602409b5b6bde8ca5a9a23ab39ffbb6b9e19c099bd8901cb42d06a718f8d1faf2a5cc9531ca4b75a3f8a9a23

Filesize: 114KB
MD5: 148c67f444d15b0337d8109db054ef87
SHA1: f5fecd5ec70ab12e755b0d4844f2df60e5735723
SHA256: 957cceb91bc377042887a16a6c6ae4abacb213320855fdf0a5a7bac721a0c628
SHA512: 082d10a3c52e03508008e73f39c2c7718b17c53a7b69e2f9e2a29052302248f83ca399854d96474c2c92fb03d25544275d4b4b73e260735d0005281e76f34f92

Filesize: 11KB
MD5: bfbc1a403197ac8cfc95638c2da2cf0e
SHA1: 634658f4dd9747e87fa540f5ba47e218acfc8af2
SHA256: 272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6
SHA512: b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

Filesize: 125KB
MD5: 0cf0b9f0ef01699ca92093809e3b5bf0
SHA1: 76e1adc5b7fdf2d421cefe5d72d6aaa96a60f989
SHA256: 87dee080e29392b28126ddbc8b989341a36026fe9d8b2e0f2ea414187f1f9a34
SHA512: f2905bc951fdcf8fb4498d9ac1a5e3604601ab2d96324073af5682016e3250da75f689a32f712a29c70aae97fb4063d9a5329f0567a2ad6b209d40c26b5c933b

Filesize: 11KB
MD5: 3b068f508d40eb8258ff0b0592ca1f9c
SHA1: 59ac025c3256e9c6c86165082974fe791ff9833a
SHA256: 07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7
SHA512: e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

Filesize: 126KB
MD5: dc277201e7c9af1c09742790c9a31a38
SHA1: 20a1b06e65a6ff0af45fa319f52fa8607357fd95
SHA256: bee55164da9777dfd865547031d85c1028cc36396a1f1a1db7504bfea7daecf0
SHA512: 521a47dafc7785435040a49d60a649b090ef9e286844ab9134433e5367082e1cd29ff7921b1b3f4c82c40b78d8f65f1a2ed5d13ac1af01129a9dd0914b157c8a

Filesize: 27KB
MD5: bd3b3e35399037a2150cc1bb65109935
SHA1: fe36cb9c0c410413c688ba3e61ee96dfd97899bf
SHA256: ffafd2467194f3d450c68e795d0f9592e8d011f7fd34479a43b569db23a86ffb
SHA512: 67c591ecfe6f2a3b1167724b8e895109736be7e45d74ce3753592eacbb4c87e060a4d26049483659707709b2dd7af4936a7816105e946c022901999438384f21

Filesize: 21KB
MD5: 6d20af45ebe2882d4b424218847a4f9a
SHA1: 73b3f76842ed9d3b26a954072c0e272519a44389
SHA256: d1348805c9fc16898e06b98fb8b19b57008cfbfe8eb4ca6c7fbeb5c42f24ece2
SHA512: 3b333c93b675375052f3178ca084872d37131f0c469cbf2ca2e969b9fc07d673fec912faae8b433dccc79061b16036d7a5f3bd88f41240e4a31a51a96ab37eff

Filesize: 11KB
MD5: 87cbab2a743fb7e0625cc332c9aac537
SHA1: 50f858caa7f4ac3a93cf141a5d15b4edeb447ee7
SHA256: 57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023
SHA512: 6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

Filesize: 689KB
MD5: 91b41651e6e9ab352805c6d35a297d08
SHA1: 11b8eaa7b7941461bc952b11ec3f07d25dcd1c2e
SHA256: 0872abe29cc9231cdded3a44e02a7ea17f09cf2ac2bdbd7077065858829c3723
SHA512: b0b0d73f6ac7b6e9b39db0fa58931873143f6559c3b8d3db2d82d453045f75da94f3236b6c6c5200b52af6cacc038565eb2e9c6a834608dac0b0e8bb45b1e892

Filesize: 691B
MD5: 055c857272026583a61e1b5821c69a24
SHA1: ec39d34f16487682801dd2b319554cbed57feca4
SHA256: 190db16bb64995e3bdea04b9e6fc1994dacfea3253a7559732205b1d41362b84
SHA512: d7833c4651683e95959107e05b07b60d2e963b9fbecd0106b329e2087d1dfc9aedb962b334e22b6b462699cbce86097d4d50ce5d1310ad098e3531efaa4e204b