Analysis
max time kernel: 137s
max time network: 128s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 20-01-2024 10:05
Static task: static1
Behavioral task: behavioral1
  Sample: 6a239782a002f49be71a6dfca139864c.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 6a239782a002f49be71a6dfca139864c.exe
  Resource: win10v2004-20231215-en
General
Target: 6a239782a002f49be71a6dfca139864c.exe
Size: 792KB
MD5: 6a239782a002f49be71a6dfca139864c
SHA1: 6609a8974b80600598a64149340bad3989ecf780
SHA256: 722a5ea9b20e3a0b77f4f1628f763e46ccd4e87d284ac28997cec9874c479064
SHA512: 700385b2854878c8897a9733ac1288a67dfaa33bfeeef4a18286acfaf46e65a08cb2daec606edaee5421565e4f93508d254ae0834d466328174404db340b3b4a
SSDEEP: 12288:N9PUs72U6RTSRX8ALpieAmx4D9IumDgcVZObrC0Svr6bIXU7jxf62pI9G6DMzu:N9T729YMycQz5Babervr6koy2pgGLy
Malware Config
Extracted
blustealer
https://api.telegram.org/bot1959368257:AAG0IlwChPBIRiANxaRyW1iZU_vU7xxDdgs/sendMessage?chat_id=691917680
Signatures
- A310logger
  A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
- BluStealer
  A modular information stealer written in Visual Basic.
- Detect ZGRat V1 (7 IoCs)
  resource | yara_rule
  behavioral1/memory/2960-64-0x0000000005120000-0x0000000005196000-memory.dmp | family_zgrat_v1
  behavioral1/memory/2960-68-0x0000000005120000-0x0000000005190000-memory.dmp | family_zgrat_v1
  behavioral1/memory/2960-72-0x0000000005120000-0x0000000005190000-memory.dmp | family_zgrat_v1
  behavioral1/memory/2960-74-0x0000000005120000-0x0000000005190000-memory.dmp | family_zgrat_v1
  behavioral1/memory/2960-70-0x0000000005120000-0x0000000005190000-memory.dmp | family_zgrat_v1
  behavioral1/memory/2960-66-0x0000000005120000-0x0000000005190000-memory.dmp | family_zgrat_v1
  behavioral1/memory/2960-65-0x0000000005120000-0x0000000005190000-memory.dmp | family_zgrat_v1
- A310logger Executable (2 IoCs)
  resource | yara_rule
  behavioral1/files/0x0007000000016c14-2548.dat | a310logger
  behavioral1/memory/1700-2552-0x0000000001310000-0x00000000013C2000-memory.dmp | a310logger
- Executes dropped EXE (2 IoCs)
  pid | Process
  2108 | InstallUtil.exe
  1700 | Fox.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  2960 | 6a239782a002f49be71a6dfca139864c.exe
  2108 | InstallUtil.exe
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Fox.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Fox.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Fox.exe
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\KPrrSC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallUtil.exe" | InstallUtil.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 2960 set thread context of 2108 | 2960 | 6a239782a002f49be71a6dfca139864c.exe | 30
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid | Process
  2960 | 6a239782a002f49be71a6dfca139864c.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  2108 | InstallUtil.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 2960 | 6a239782a002f49be71a6dfca139864c.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid | Process
  2108 | InstallUtil.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  2108 | InstallUtil.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  description | pid | Process | procid_target
  PID 2960 wrote to memory of 2108 | 2960 | 6a239782a002f49be71a6dfca139864c.exe | 30
  PID 2960 wrote to memory of 2108 | 2960 | 6a239782a002f49be71a6dfca139864c.exe | 30
  PID 2960 wrote to memory of 2108 | 2960 | 6a239782a002f49be71a6dfca139864c.exe | 30
  PID 2960 wrote to memory of 2108 | 2960 | 6a239782a002f49be71a6dfca139864c.exe | 30
  PID 2960 wrote to memory of 2108 | 2960 | 6a239782a002f49be71a6dfca139864c.exe | 30
  PID 2960 wrote to memory of 2108 | 2960 | 6a239782a002f49be71a6dfca139864c.exe | 30
  PID 2960 wrote to memory of 2108 | 2960 | 6a239782a002f49be71a6dfca139864c.exe | 30
  PID 2960 wrote to memory of 2108 | 2960 | 6a239782a002f49be71a6dfca139864c.exe | 30
  PID 2960 wrote to memory of 2108 | 2960 | 6a239782a002f49be71a6dfca139864c.exe | 30
  PID 2960 wrote to memory of 2108 | 2960 | 6a239782a002f49be71a6dfca139864c.exe | 30
  PID 2960 wrote to memory of 2108 | 2960 | 6a239782a002f49be71a6dfca139864c.exe | 30
  PID 2960 wrote to memory of 2108 | 2960 | 6a239782a002f49be71a6dfca139864c.exe | 30
  PID 2108 wrote to memory of 1700 | 2108 | InstallUtil.exe | 31
  PID 2108 wrote to memory of 1700 | 2108 | InstallUtil.exe | 31
  PID 2108 wrote to memory of 1700 | 2108 | InstallUtil.exe | 31
  PID 2108 wrote to memory of 1700 | 2108 | InstallUtil.exe | 31
- outlook_office_path (1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Fox.exe
- outlook_win_path (1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Fox.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\6a239782a002f49be71a6dfca139864c.exe (PID 2960)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6a239782a002f49be71a6dfca139864c.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe (PID 2108)
    Command line: C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe (PID 1700)
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Downloads