Analysis
-
max time kernel
137s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
20-01-2024 10:05
General
-
Target
6a239782a002f49be71a6dfca139864c.exe
-
Size
792KB
-
MD5
6a239782a002f49be71a6dfca139864c
-
SHA1
6609a8974b80600598a64149340bad3989ecf780
-
SHA256
722a5ea9b20e3a0b77f4f1628f763e46ccd4e87d284ac28997cec9874c479064
-
SHA512
700385b2854878c8897a9733ac1288a67dfaa33bfeeef4a18286acfaf46e65a08cb2daec606edaee5421565e4f93508d254ae0834d466328174404db340b3b4a
-
SSDEEP
12288:N9PUs72U6RTSRX8ALpieAmx4D9IumDgcVZObrC0Svr6bIXU7jxf62pI9G6DMzu:N9T729YMycQz5Babervr6koy2pgGLy
Malware Config
Extracted
blustealer
https://api.telegram.org/bot1959368257:AAG0IlwChPBIRiANxaRyW1iZU_vU7xxDdgs/sendMessage?chat_id=691917680
Signatures
-
A310logger
A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
BluStealer
A Modular information stealer written in Visual Basic.
-
Detect ZGRat V1 7 IoCs
-
ZGRat
ZGRat is remote access trojan written in C#.
-
A310logger Executable 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6a239782a002f49be71a6dfca139864c.exe"C:\Users\Admin\AppData\Local\Temp\6a239782a002f49be71a6dfca139864c.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exeC:\Users\Admin\AppData\Local\Temp\InstallUtil.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\TEMPLA~1\I45YJU~1.ZIPFilesize
285KB
MD540a9752d59f2883e40d928f85a749008
SHA1c60fb58eff64a7969b46f3934766f991352eeb47
SHA256ef95540ec8dae3d255439fb847d26397c265b5cccda5ed0d6b9ed3dda14a2820
SHA512ce33985f91103315accb1039635488d7e144df264bab8e164c1f9844ce6923e1c9c76349f14542901887ffcbbbca40b92cf474126f0b94893e8af1f608464b3c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files.zipFilesize
24B
MD598a833e15d18697e8e56cdafb0642647
SHA1e5f94d969899646a3d4635f28a7cd9dd69705887
SHA256ff006c86b5ec033fe3cafd759bf75be00e50c375c75157e99c0c5d39c96a2a6c
SHA512c6f9a09d9707b770dbc10d47c4d9b949f4ebf5f030b5ef8c511b635c32d418ad25d72eee5d7ed02a96aeb8bf2c85491ca1aa0e4336d242793c886ed1bcdd910b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files.zipFilesize
5.4MB
MD5c2730a34b8872a0cceab43a350888efe
SHA16b1174235e7c26bd88cb3a982664372912c40c56
SHA2566ed67032b1d0a4ad0128d076c33a6678ca1e880f7ad5ca6d4e55a1fe9bbbae5b
SHA5129bc5466e30e313e5c6e71fdfa5de4b8c0b96e763e4bbfde4998f9a5fcc1df06b186828451aac112bc9093235b672ed86a96e249520f017eb897df5a97747ff01
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\Are.docxFilesize
11KB
MD5a33e5b189842c5867f46566bdbf7a095
SHA1e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA2565abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\AssertUndo.xlsbFilesize
332KB
MD578d0aef7d29687af047b146828b973da
SHA1839398a8e77357f5a1de1ebbb7370ff9ea4a9282
SHA256e0d2806b40938a57e2d602024447a2ef5505363dea5dbc0ba1c627a072fee9e3
SHA5127a5422cf5fa03b0c19c0b589148fbc52e8dc94617bca6ad76cdea7dbb74569e5e0da9901f6a43c88b2e8e1b1c543ca8da15a0e3eacde584e45b68cd44b81acd3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\BackupRequest.docxFilesize
1.0MB
MD56779656f854992edbee2ad1846017fd1
SHA15cab4691f8030c646548f4a3dbfeb35081a20424
SHA256edb2f7694e733edec0f6837041cda5caf26ac79d870137a51a5af029031e436c
SHA512225f0e89e2042e3398686fc43b46b8f3d19b3febac31988f322b74cf8da29e1705ac57c6a4da7443d901b3cabfaf9cb07940d46e5307780aa3a1fe9060de814c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\DenySplit.docmFilesize
431KB
MD54c365f6af861710e13b9db42cc9e8645
SHA15201f433bbe7bbc3a524e077336826d5c5a3de2b
SHA256d146a045d83dac6d9b00bbb487932452cef797543071426497df171ff8a762a8
SHA512a49fb2a9186bd94ca4ab1e7aa19ebd1bbf2f181f2d4651b844717395bcb9139d8da3bf44aea88a8b03ef6d67095c614323de9c8a59ee6f76d489fb7b896af4f4
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\EditGet.xlsxFilesize
488KB
MD575743f01eedd378792518b054f1cf993
SHA17eada6051ebefd6f0e844b06e0cd4f53e80089d6
SHA256cab0eb04bcec8f1c871203fd3226160e3ba65e61e136670ffea076f335e9a234
SHA5122046b1ab697dc733989d631459647f3dc9be97ff439218188e3b0dec9a6b553fc4d7bfddda72619900ef6033d2b5196a32ef51a5e9acb7021a436d825e5ddbf7
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\EnterBlock.xlsxFilesize
890KB
MD586cf7fc65a8c52e204ec73de209af5fd
SHA14740affab24610f399ed0df295042e06157814ee
SHA2560a89e43e694d74ab0e4d6ff80ea7f234cf54bce9888d0085586525fc1f6225bc
SHA512e0c56a7f7950678915a036bf9a19287bece3aee1a573fe30771569c63dbca6697a2681f8db510912ea77b9352fb9b9de0cc2b025379f0b7250ae428bed35fe7f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\Files.docxFilesize
11KB
MD54a8fbd593a733fc669169d614021185b
SHA1166e66575715d4c52bcb471c09bdbc5a9bb2f615
SHA256714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42
SHA5126b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\InitializeConvertTo.txtFilesize
639KB
MD52b39e954b2c28ab3d5c45966b3044c26
SHA172a51b8a7164a2ea739f7bf8615e2cd44bfa2ef2
SHA256564e834763d60164deac8fce4c543a67d6d5e30dd497e02483718cd018df9ada
SHA51293be2e9497ccd9c1822f8670f5e30d0612a39a55e104864a944f270f8817bd1f88c4291561a6595866f574488ade5d110b896a7f8af70e07d52f2d6b2bd99dbc
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\Opened.docxFilesize
11KB
MD5bfbc1a403197ac8cfc95638c2da2cf0e
SHA1634658f4dd9747e87fa540f5ba47e218acfc8af2
SHA256272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6
SHA512b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\Recently.docxFilesize
11KB
MD53b068f508d40eb8258ff0b0592ca1f9c
SHA159ac025c3256e9c6c86165082974fe791ff9833a
SHA25607db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7
SHA512e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\StopSave.xlsbFilesize
574KB
MD585e8225f4364102695a08fd4abb0574b
SHA17f216f1ad168cebb44a2fac149d0090c040f4ddb
SHA25605b86ca97a07c57c951c69f86a8a704bea840e8c7cd873e71a194263ae441b3c
SHA512ad64e826171c678b0ff3008175058cd940cc44d4a268fa3dcefa6cce567032deb08df0829dbdf41947c104986e5fde9677049f02bb3a884caeb4b523dc7dc9f3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\SuspendCompare.xlsbFilesize
545KB
MD512b6ff3c33d82f769c111279d950ff0f
SHA12691aab499061323ffd3fbc800f574cd4c3ac21f
SHA256e670a68c7554e2a51629b148c942d78fd4d347cea57a358504264784e09538d3
SHA5124194abc3cb9a78e311337a1ff8a88013766b77befbbd49313632e6769e37e904a3c819983c8cc629590966c77d0b730dc236e7526b6d49cd90f4be6ededb585c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\These.docxFilesize
11KB
MD587cbab2a743fb7e0625cc332c9aac537
SHA150f858caa7f4ac3a93cf141a5d15b4edeb447ee7
SHA25657e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023
SHA5126b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\UnregisterEnter.docFilesize
517KB
MD568668233aabb6f438ee7e89815020eb9
SHA117b2ef00429853919a5d5b2ee9eea1fd23cc33b8
SHA256fcbb24b1e74db2efa0eb300691715b38f64f57a732f3d00ac04cb804604dea95
SHA512bdc57aefa40abc07651944ba33f92886c85251399d43d96fa8a331a97fb13d520cc0d13273254d40fd8d451caa7d6f313c7098a75eca5d3b53c679fa39bcfc4c
-
\Users\Admin\AppData\Local\Temp\InstallUtil.exeFilesize
40KB
MD591c9ae9c9a17a9db5e08b120e668c74c
SHA150770954c1ceb0bb6f1d5d3f2de2a0a065773723
SHA256e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f
SHA512ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e
-
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exeFilesize
689KB
MD591b41651e6e9ab352805c6d35a297d08
SHA111b8eaa7b7941461bc952b11ec3f07d25dcd1c2e
SHA2560872abe29cc9231cdded3a44e02a7ea17f09cf2ac2bdbd7077065858829c3723
SHA512b0b0d73f6ac7b6e9b39db0fa58931873143f6559c3b8d3db2d82d453045f75da94f3236b6c6c5200b52af6cacc038565eb2e9c6a834608dac0b0e8bb45b1e892
-
memory/1700-2556-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmpFilesize
9.9MB
-
memory/1700-2554-0x000000001B390000-0x000000001B410000-memory.dmpFilesize
512KB
-
memory/1700-2553-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmpFilesize
9.9MB
-
memory/1700-2552-0x0000000001310000-0x00000000013C2000-memory.dmpFilesize
712KB
-
memory/2108-2644-0x0000000000400000-0x0000000000460000-memory.dmpFilesize
384KB
-
memory/2108-2606-0x00000000027E0000-0x00000000027E1000-memory.dmpFilesize
4KB
-
memory/2108-2674-0x00000000027E0000-0x00000000027E1000-memory.dmpFilesize
4KB
-
memory/2108-2519-0x0000000000400000-0x0000000000460000-memory.dmpFilesize
384KB
-
memory/2960-29-0x0000000007E30000-0x0000000007ED7000-memory.dmpFilesize
668KB
-
memory/2960-35-0x0000000007E30000-0x0000000007ED7000-memory.dmpFilesize
668KB
-
memory/2960-55-0x0000000007E30000-0x0000000007ED7000-memory.dmpFilesize
668KB
-
memory/2960-57-0x0000000007E30000-0x0000000007ED7000-memory.dmpFilesize
668KB
-
memory/2960-53-0x0000000007E30000-0x0000000007ED7000-memory.dmpFilesize
668KB
-
memory/2960-61-0x0000000007E30000-0x0000000007ED7000-memory.dmpFilesize
668KB
-
memory/2960-59-0x0000000007E30000-0x0000000007ED7000-memory.dmpFilesize
668KB
-
memory/2960-51-0x0000000007E30000-0x0000000007ED7000-memory.dmpFilesize
668KB
-
memory/2960-49-0x0000000007E30000-0x0000000007ED7000-memory.dmpFilesize
668KB
-
memory/2960-47-0x0000000007E30000-0x0000000007ED7000-memory.dmpFilesize
668KB
-
memory/2960-63-0x0000000007E30000-0x0000000007ED7000-memory.dmpFilesize
668KB
-
memory/2960-64-0x0000000005120000-0x0000000005196000-memory.dmpFilesize
472KB
-
memory/2960-68-0x0000000005120000-0x0000000005190000-memory.dmpFilesize
448KB
-
memory/2960-72-0x0000000005120000-0x0000000005190000-memory.dmpFilesize
448KB
-
memory/2960-74-0x0000000005120000-0x0000000005190000-memory.dmpFilesize
448KB
-
memory/2960-70-0x0000000005120000-0x0000000005190000-memory.dmpFilesize
448KB
-
memory/2960-66-0x0000000005120000-0x0000000005190000-memory.dmpFilesize
448KB
-
memory/2960-65-0x0000000005120000-0x0000000005190000-memory.dmpFilesize
448KB
-
memory/2960-43-0x0000000007E30000-0x0000000007ED7000-memory.dmpFilesize
668KB
-
memory/2960-2517-0x0000000074170000-0x000000007485E000-memory.dmpFilesize
6.9MB
-
memory/2960-41-0x0000000007E30000-0x0000000007ED7000-memory.dmpFilesize
668KB
-
memory/2960-39-0x0000000007E30000-0x0000000007ED7000-memory.dmpFilesize
668KB
-
memory/2960-37-0x0000000007E30000-0x0000000007ED7000-memory.dmpFilesize
668KB
-
memory/2960-45-0x0000000007E30000-0x0000000007ED7000-memory.dmpFilesize
668KB
-
memory/2960-24-0x0000000007E30000-0x0000000007ED7000-memory.dmpFilesize
668KB
-
memory/2960-33-0x0000000007E30000-0x0000000007ED7000-memory.dmpFilesize
668KB
-
memory/2960-27-0x0000000007E30000-0x0000000007ED7000-memory.dmpFilesize
668KB
-
memory/2960-31-0x0000000007E30000-0x0000000007ED7000-memory.dmpFilesize
668KB
-
memory/2960-0-0x0000000000E50000-0x0000000000F18000-memory.dmpFilesize
800KB
-
memory/2960-25-0x0000000004CA0000-0x0000000004CE0000-memory.dmpFilesize
256KB
-
memory/2960-23-0x0000000004CA0000-0x0000000004CE0000-memory.dmpFilesize
256KB
-
memory/2960-21-0x0000000007E30000-0x0000000007ED7000-memory.dmpFilesize
668KB
-
memory/2960-19-0x0000000007E30000-0x0000000007ED7000-memory.dmpFilesize
668KB
-
memory/2960-17-0x0000000007E30000-0x0000000007ED7000-memory.dmpFilesize
668KB
-
memory/2960-15-0x0000000007E30000-0x0000000007ED7000-memory.dmpFilesize
668KB
-
memory/2960-13-0x0000000007E30000-0x0000000007ED7000-memory.dmpFilesize
668KB
-
memory/2960-11-0x0000000007E30000-0x0000000007ED7000-memory.dmpFilesize
668KB
-
memory/2960-9-0x0000000007E30000-0x0000000007ED7000-memory.dmpFilesize
668KB
-
memory/2960-8-0x0000000007E30000-0x0000000007ED7000-memory.dmpFilesize
668KB
-
memory/2960-7-0x0000000007E30000-0x0000000007EDC000-memory.dmpFilesize
688KB
-
memory/2960-6-0x0000000004CA0000-0x0000000004CE0000-memory.dmpFilesize
256KB
-
memory/2960-5-0x0000000074170000-0x000000007485E000-memory.dmpFilesize
6.9MB
-
memory/2960-4-0x0000000004CA0000-0x0000000004CE0000-memory.dmpFilesize
256KB
-
memory/2960-3-0x0000000004CA0000-0x0000000004CE0000-memory.dmpFilesize
256KB
-
memory/2960-2-0x0000000004CA0000-0x0000000004CE0000-memory.dmpFilesize
256KB
-
memory/2960-1-0x0000000074170000-0x000000007485E000-memory.dmpFilesize
6.9MB