Analysis

  • max time kernel: 153s
  • max time network: 160s
  • platform: windows10-2004_x64
  • resource: win10v2004-20231215-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 05-01-2024 23:59

General

  • Target: 44c401c50cdbecf5f20fffd60e48628f.exe
  • Size: 299KB
  • MD5: 44c401c50cdbecf5f20fffd60e48628f
  • SHA1: 6ba74f52e4e774f5762e99d7f49cc787f28353d4
  • SHA256: e6407a39f1b2fb728a40612d6ca8e71d6dc004d9efb569f2f4d351ab693ac6f4
  • SHA512: ae385fe48068210b45075d1b2433bb3606766f2e6fc17d9c14582040f2f2b64f411e1bcd29facc16fa59243987d894c7a084a573db032909e68a8d977d5108f3
  • SSDEEP: 6144:LWlg4qQdWyIAvEZ023cZ05Pi+xPwIwWFvAKbmWJI8xF7+Or:LQzAyIAvP7iwWyKb1+GqOr

Malware Config

Extracted

  • Family: blustealer
  • Credentials
    • Protocol: smtp
    • Host: mail.dm-teh.com
    • Port: 587
    • Username: [email protected]
    • Password: Vm@(O;CO.vEQ

Signatures

  • BluStealer

    A modular information stealer written in Visual Basic.

  • Executes dropped EXE 1 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\44c401c50cdbecf5f20fffd60e48628f.exe
    "C:\Users\Admin\AppData\Local\Temp\44c401c50cdbecf5f20fffd60e48628f.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1648
    • C:\Users\Admin\AppData\Local\Temp\44c401c50cdbecf5f20fffd60e48628f.exe
      "C:\Users\Admin\AppData\Local\Temp\44c401c50cdbecf5f20fffd60e48628f.exe"
      2⤵
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3772
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Checks processor information in registry
        • outlook_office_path
        • outlook_win_path
        PID:4956

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\7XV7E7YJ54.zip
    Filesize: 122KB
    MD5: 37ac88bc53abcc353b3a93f68fb30871
    SHA1: f5165c03b5de33db3704d502227bac35eae1c6c5
    SHA256: 7bc03158a3c0bcb001093d9d40eaf6b9a7adf14e685db68fbd9d0f135d447ebe
    SHA512: 01c65cbf90c2db90d0563d4a45650d4abd19e1a90bb8467f0e5a57ff1c6c377e3be8216f3324b81af58822b75a22b52f7317df985c11f3a7a45b72843134fc38

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\EUCQOBEO_Admin.zip
    Filesize: 525B
    MD5: 6dff769418d85d1be525b6e38f6291a7
    SHA1: 4c73fb851985f909947c49115290dbad960d2dcf
    SHA256: 10ce5b7e904bb54d120bf84610b4b716392e145c75555fc7f494c514db2453db
    SHA512: 65222d1d4ddde8439d6de7e75650af44a0fdf0581d0bfa95bcb37fcf35565b0a37f8895bb551983f2370e97489b2940bdf667f674cb175fd1a8511256619becd

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\EUCQOBEO_Admin.zip
    Filesize: 24B
    MD5: 98a833e15d18697e8e56cdafb0642647
    SHA1: e5f94d969899646a3d4635f28a7cd9dd69705887
    SHA256: ff006c86b5ec033fe3cafd759bf75be00e50c375c75157e99c0c5d39c96a2a6c
    SHA512: c6f9a09d9707b770dbc10d47c4d9b949f4ebf5f030b5ef8c511b635c32d418ad25d72eee5d7ed02a96aeb8bf2c85491ca1aa0e4336d242793c886ed1bcdd910b

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe
    Filesize: 156KB
    MD5: 0c3c728a9b4376e014bc97f7b1da74f0
    SHA1: de2253d0c3e02ea9d27ae6f46082cec9d0164a02
    SHA256: 05f0ac30ce02bc3608d957b40896240ae750da01393f4e26a8951fc7987959ca
    SHA512: f610ae81854bc99086f139833b7d16b7e7634f53ef1125dc97d01611ec46c262e1f87dde31aa47a19e17a81334c4f25b4096d8e255460e3446bf45d656f5f81c

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\credentials.txt
    Filesize: 1KB
    MD5: 7e6d4218f4d91de72684dfcbf95d308c
    SHA1: d159e72cca5a9b128ce4a4fb3420111222cf3e70
    SHA256: 3710b77ce021b8add8c01948a90c93654d7d46ff93785a64d2acaf4beaf6e089
    SHA512: 05192bbd6af7f2360ebac042beddba308c78804078838eeade1f0a544b73357e4cad32170d032954fd23ed2131599d672730208a9db360c8461f8791c1081d1f

  • memory/1648-5-0x0000000000140000-0x0000000000159000-memory.dmp
    Filesize: 100KB

  • memory/1648-0-0x0000000000140000-0x0000000000159000-memory.dmp
    Filesize: 100KB

  • memory/1648-1-0x0000000001040000-0x0000000001042000-memory.dmp
    Filesize: 8KB

  • memory/3772-4-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize: 184KB

  • memory/3772-91-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize: 184KB

  • memory/3772-2-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize: 184KB

  • memory/4956-79-0x00000000009D0000-0x00000000009FE000-memory.dmp
    Filesize: 184KB

  • memory/4956-80-0x00007FFB51470000-0x00007FFB51F31000-memory.dmp
    Filesize: 10.8MB

  • memory/4956-82-0x000000001B940000-0x000000001B950000-memory.dmp
    Filesize: 64KB

  • memory/4956-90-0x00007FFB51470000-0x00007FFB51F31000-memory.dmp
    Filesize: 10.8MB