Analysis
-
max time kernel
181s -
max time network
193s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
06-01-2024 19:36
General
-
Target
470621f5aef9787e21b629735c1a5f9f.exe
-
Size
1.3MB
-
MD5
470621f5aef9787e21b629735c1a5f9f
-
SHA1
be32079fc5d6662582685689c644322642073778
-
SHA256
d0b801a4ea3be10c3cf2dfff06e2437c9d96e4cbe5be96483c00a4c10b27d2c5
-
SHA512
9e321a30ae8d88c13f96033fd63a7a5bb78a35c2bb1edbe02c30109df518c07c54a72f29c3f11c9573943483ac2fb5e273d8ad2054e30458396b5de6f78c534c
-
SSDEEP
24576:P4S/d3rKzksfks2y8jIGReCFlolhhNxuNeG5Gm+8MN6ZNBZ:TKqYGRzlWoejmcN6ZNB
Malware Config
Extracted
blustealer
Protocol: smtp- Host:
mail.sabaint.me - Port:
587 - Username:
[email protected] - Password:
regina1983-
Signatures
-
BluStealer
A Modular information stealer written in Visual Basic.
-
CustAttr .NET packer 1 IoCs
Detects CustAttr .NET packer in memory.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\470621f5aef9787e21b629735c1a5f9f.exe"C:\Users\Admin\AppData\Local\Temp\470621f5aef9787e21b629735c1a5f9f.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eVSwXOCV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC5FB.tmp"2⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\470621f5aef9787e21b629735c1a5f9f.exe"C:\Users\Admin\AppData\Local\Temp\470621f5aef9787e21b629735c1a5f9f.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\470621f5aef9787e21b629735c1a5f9f.exe"C:\Users\Admin\AppData\Local\Temp\470621f5aef9787e21b629735c1a5f9f.exe"2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- outlook_office_path
- outlook_win_path
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5e1d49eb6937b39086110d96861a23a68
SHA119cdff79626b0268f147f2fd853bb9592d2961a8
SHA256678f6ab49ec5dc731e010d8377d2a68b2fbb6fc806017a74d432fd832e1f4494
SHA5126171a218121956fd196bb357de3f520ab2cc097ce2f73e1f5f7a1929be0d9d4046e7d20af531937e009492afc9bcf5edcf8a6cb98ecc2d6df82f3952d2fa4db6
-
Filesize
122KB
MD537ac88bc53abcc353b3a93f68fb30871
SHA1f5165c03b5de33db3704d502227bac35eae1c6c5
SHA2567bc03158a3c0bcb001093d9d40eaf6b9a7adf14e685db68fbd9d0f135d447ebe
SHA51201c65cbf90c2db90d0563d4a45650d4abd19e1a90bb8467f0e5a57ff1c6c377e3be8216f3324b81af58822b75a22b52f7317df985c11f3a7a45b72843134fc38
-
Filesize
24B
MD598a833e15d18697e8e56cdafb0642647
SHA1e5f94d969899646a3d4635f28a7cd9dd69705887
SHA256ff006c86b5ec033fe3cafd759bf75be00e50c375c75157e99c0c5d39c96a2a6c
SHA512c6f9a09d9707b770dbc10d47c4d9b949f4ebf5f030b5ef8c511b635c32d418ad25d72eee5d7ed02a96aeb8bf2c85491ca1aa0e4336d242793c886ed1bcdd910b
-
Filesize
156KB
MD50c3c728a9b4376e014bc97f7b1da74f0
SHA1de2253d0c3e02ea9d27ae6f46082cec9d0164a02
SHA25605f0ac30ce02bc3608d957b40896240ae750da01393f4e26a8951fc7987959ca
SHA512f610ae81854bc99086f139833b7d16b7e7634f53ef1125dc97d01611ec46c262e1f87dde31aa47a19e17a81334c4f25b4096d8e255460e3446bf45d656f5f81c
-
Filesize
1KB
MD538f6dfadf6091c7c24ff3ad4845ad8fb
SHA1ae319aec40873a8c6a4423e73515db426c620ecb
SHA2567afcbd3937672ecb06e3b239cf402464c275af9a4bab8fc814f945c46c7bf061
SHA51260c237583c6d7d650d81cd17bb84cf0aa109f79240a5f52b4659f445004a9249725475f2f1196acf5bbb807ebba3cd392f702b73286ec815301b1c0673edc067
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
624KB
-
Filesize
64KB
-
Filesize
656KB
-
Filesize
224KB
-
Filesize
7.7MB
-
Filesize
72KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
1.3MB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
184KB