Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system -
submitted
01-01-2024 19:54
Static task
static1
Behavioral task
behavioral1
Sample
3dbc477725b5a88f511f1b4e3bcc38fc.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
3dbc477725b5a88f511f1b4e3bcc38fc.exe
Resource
win10v2004-20231222-en
General
-
Target
3dbc477725b5a88f511f1b4e3bcc38fc.exe
-
Size
1.0MB
-
MD5
3dbc477725b5a88f511f1b4e3bcc38fc
-
SHA1
a81ed8a5aed97fb6efa956e5c485f2aad8467e9f
-
SHA256
8742189aa8e9303ed7ce67da39348d2bb6628a6c5243c6e9a968499098f42178
-
SHA512
60de5350d98658ab152bd361e5a7fe6c5c3f294ced8067a8ea1a3e98004759723457a9e9e36a6cc01c5a35474ab4db06695111a0143972ffb0fdfe55c97da517
-
SSDEEP
12288:CGj/sthsNaJ31H2FTQi66ulHOG8BmRSdss/K0Iwxz0GAoSKv4wvx0mwTiEH8vPNG:9othaFMiA78BTQRGLgw0XTiEHwm
Malware Config
Extracted
blustealer
Protocol: smtp- Host:
mail.yekamuhendislik.com - Port:
587 - Username:
[email protected] - Password:
MuhasebE123*
Signatures
-
A310logger
A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
BluStealer
A Modular information stealer written in Visual Basic.
-
A310logger Executable 3 IoCs
resource yara_rule behavioral2/memory/4016-55-0x0000000000D70000-0x0000000000E22000-memory.dmp a310logger behavioral2/files/0x0006000000023287-54.dat a310logger behavioral2/files/0x0006000000023287-53.dat a310logger -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation 3dbc477725b5a88f511f1b4e3bcc38fc.exe -
Executes dropped EXE 1 IoCs
pid Process 4016 Fox.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Fox.exe Key opened \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Fox.exe Key opened \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Fox.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3516 set thread context of 632 3516 3dbc477725b5a88f511f1b4e3bcc38fc.exe 104 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1236 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3516 3dbc477725b5a88f511f1b4e3bcc38fc.exe 3516 3dbc477725b5a88f511f1b4e3bcc38fc.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3516 3dbc477725b5a88f511f1b4e3bcc38fc.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 632 3dbc477725b5a88f511f1b4e3bcc38fc.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 3516 wrote to memory of 1236 3516 3dbc477725b5a88f511f1b4e3bcc38fc.exe 102 PID 3516 wrote to memory of 1236 3516 3dbc477725b5a88f511f1b4e3bcc38fc.exe 102 PID 3516 wrote to memory of 1236 3516 3dbc477725b5a88f511f1b4e3bcc38fc.exe 102 PID 3516 wrote to memory of 632 3516 3dbc477725b5a88f511f1b4e3bcc38fc.exe 104 PID 3516 wrote to memory of 632 3516 3dbc477725b5a88f511f1b4e3bcc38fc.exe 104 PID 3516 wrote to memory of 632 3516 3dbc477725b5a88f511f1b4e3bcc38fc.exe 104 PID 3516 wrote to memory of 632 3516 3dbc477725b5a88f511f1b4e3bcc38fc.exe 104 PID 3516 wrote to memory of 632 3516 3dbc477725b5a88f511f1b4e3bcc38fc.exe 104 PID 3516 wrote to memory of 632 3516 3dbc477725b5a88f511f1b4e3bcc38fc.exe 104 PID 3516 wrote to memory of 632 3516 3dbc477725b5a88f511f1b4e3bcc38fc.exe 104 PID 3516 wrote to memory of 632 3516 3dbc477725b5a88f511f1b4e3bcc38fc.exe 104 PID 632 wrote to memory of 4016 632 3dbc477725b5a88f511f1b4e3bcc38fc.exe 105 PID 632 wrote to memory of 4016 632 3dbc477725b5a88f511f1b4e3bcc38fc.exe 105 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Fox.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Fox.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3dbc477725b5a88f511f1b4e3bcc38fc.exe"C:\Users\Admin\AppData\Local\Temp\3dbc477725b5a88f511f1b4e3bcc38fc.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3516 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VqTEFYQXsiQibk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2BBE.tmp"2⤵
- Creates scheduled task(s)
PID:1236
-
-
C:\Users\Admin\AppData\Local\Temp\3dbc477725b5a88f511f1b4e3bcc38fc.exe"C:\Users\Admin\AppData\Local\Temp\3dbc477725b5a88f511f1b4e3bcc38fc.exe"2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:632 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:4016
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5bb3b60479f56c17daecf828d05935288
SHA19f89d499b89e2aa5f7df79aae55bf294d474e5e8
SHA25631c88515c0a21b871d482da05a57e6417c41c87a58aec42211bf429650813bff
SHA51205c29566845ea9fafaa7c17a43d9dda82b5564ec4b6aea0cc601bedc497956279d1b591a7d78c2f23c528ff5f551757ddf6e23ec598485f740a7fd35d8e9a10b
-
Filesize
285KB
MD540a9752d59f2883e40d928f85a749008
SHA1c60fb58eff64a7969b46f3934766f991352eeb47
SHA256ef95540ec8dae3d255439fb847d26397c265b5cccda5ed0d6b9ed3dda14a2820
SHA512ce33985f91103315accb1039635488d7e144df264bab8e164c1f9844ce6923e1c9c76349f14542901887ffcbbbca40b92cf474126f0b94893e8af1f608464b3c
-
Filesize
382KB
MD523fc074dc1aac647eb2b856948805bd0
SHA1113dfbe3ba6554087a95d838df8df7b1275f9085
SHA2567f7badd5197dcb4864320f16d6bb64880a9fde01274a8ccc3805241c49e1e2cb
SHA512ac20058dab07f07e0430572e62a9e30d17ebb93c72b80b092e892695d2f969d7e69c62eb55f5c2bf22f5a4e30ee607476390542f9ca542b4cc1a667ed8f15c98
-
Filesize
93KB
MD501157a9116c5029c13c46a48ae4c2c13
SHA16a6b8e376c9867d97bec3f9fb40bfd8623dd8c66
SHA2569e950481562db4e79aea90e8fb577ead1eb6a0e73b144b50d976ac7ba476360b
SHA512f42ed363f8f88aefb4e10b62f28e6714309f5609a1884ad394bcbf6d29a0b9c3bfc3fe1cee9759374846b157aab4816d9503c7eb694d41d9f41de2a1bea98cd8
-
Filesize
691B
MD5055c857272026583a61e1b5821c69a24
SHA1ec39d34f16487682801dd2b319554cbed57feca4
SHA256190db16bb64995e3bdea04b9e6fc1994dacfea3253a7559732205b1d41362b84
SHA512d7833c4651683e95959107e05b07b60d2e963b9fbecd0106b329e2087d1dfc9aedb962b334e22b6b462699cbce86097d4d50ce5d1310ad098e3531efaa4e204b