Overview

overview

10

Static

static

1

6a239782a0...4c.exe

windows7-x64

10

6a239782a0...4c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    137s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    20-01-2024 10:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6a239782a002f49be71a6dfca139864c.exe

  • Size

    792KB

  • MD5

    6a239782a002f49be71a6dfca139864c

  • SHA1

    6609a8974b80600598a64149340bad3989ecf780

  • SHA256

    722a5ea9b20e3a0b77f4f1628f763e46ccd4e87d284ac28997cec9874c479064

  • SHA512

    700385b2854878c8897a9733ac1288a67dfaa33bfeeef4a18286acfaf46e65a08cb2daec606edaee5421565e4f93508d254ae0834d466328174404db340b3b4a

  • SSDEEP

    12288:N9PUs72U6RTSRX8ALpieAmx4D9IumDgcVZObrC0Svr6bIXU7jxf62pI9G6DMzu:N9T729YMycQz5Babervr6koy2pgGLy

Score
10/10
a310loggerblustealerzgratcollectionpersistenceratspywarestealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot1959368257:AAG0IlwChPBIRiANxaRyW1iZU_vU7xxDdgs/sendMessage?chat_id=691917680

Signatures

  • A310logger

    A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    stealerspywarea310logger
  • BluStealer

    A Modular information stealer written in Visual Basic.

    stealerblustealer
  • Detect ZGRat V1 7 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • A310logger Executable 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6a239782a002f49be71a6dfca139864c.exe
    "C:\Users\Admin\AppData\Local\Temp\6a239782a002f49be71a6dfca139864c.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2960
    • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2108
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • outlook_office_path
        • outlook_win_path
        PID:1700

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\TEMPLA~1\I45YJU~1.ZIP
    Filesize

    285KB

    MD5

    40a9752d59f2883e40d928f85a749008

    SHA1

    c60fb58eff64a7969b46f3934766f991352eeb47

    SHA256

    ef95540ec8dae3d255439fb847d26397c265b5cccda5ed0d6b9ed3dda14a2820

    SHA512

    ce33985f91103315accb1039635488d7e144df264bab8e164c1f9844ce6923e1c9c76349f14542901887ffcbbbca40b92cf474126f0b94893e8af1f608464b3c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files.zip
    Filesize

    24B

    MD5

    98a833e15d18697e8e56cdafb0642647

    SHA1

    e5f94d969899646a3d4635f28a7cd9dd69705887

    SHA256

    ff006c86b5ec033fe3cafd759bf75be00e50c375c75157e99c0c5d39c96a2a6c

    SHA512

    c6f9a09d9707b770dbc10d47c4d9b949f4ebf5f030b5ef8c511b635c32d418ad25d72eee5d7ed02a96aeb8bf2c85491ca1aa0e4336d242793c886ed1bcdd910b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files.zip
    Filesize

    5.4MB

    MD5

    c2730a34b8872a0cceab43a350888efe

    SHA1

    6b1174235e7c26bd88cb3a982664372912c40c56

    SHA256

    6ed67032b1d0a4ad0128d076c33a6678ca1e880f7ad5ca6d4e55a1fe9bbbae5b

    SHA512

    9bc5466e30e313e5c6e71fdfa5de4b8c0b96e763e4bbfde4998f9a5fcc1df06b186828451aac112bc9093235b672ed86a96e249520f017eb897df5a97747ff01

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\Are.docx
    Filesize

    11KB

    MD5

    a33e5b189842c5867f46566bdbf7a095

    SHA1

    e1c06359f6a76da90d19e8fd95e79c832edb3196

    SHA256

    5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

    SHA512

    f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\AssertUndo.xlsb
    Filesize

    332KB

    MD5

    78d0aef7d29687af047b146828b973da

    SHA1

    839398a8e77357f5a1de1ebbb7370ff9ea4a9282

    SHA256

    e0d2806b40938a57e2d602024447a2ef5505363dea5dbc0ba1c627a072fee9e3

    SHA512

    7a5422cf5fa03b0c19c0b589148fbc52e8dc94617bca6ad76cdea7dbb74569e5e0da9901f6a43c88b2e8e1b1c543ca8da15a0e3eacde584e45b68cd44b81acd3

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\BackupRequest.docx
    Filesize

    1.0MB

    MD5

    6779656f854992edbee2ad1846017fd1

    SHA1

    5cab4691f8030c646548f4a3dbfeb35081a20424

    SHA256

    edb2f7694e733edec0f6837041cda5caf26ac79d870137a51a5af029031e436c

    SHA512

    225f0e89e2042e3398686fc43b46b8f3d19b3febac31988f322b74cf8da29e1705ac57c6a4da7443d901b3cabfaf9cb07940d46e5307780aa3a1fe9060de814c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\DenySplit.docm
    Filesize

    431KB

    MD5

    4c365f6af861710e13b9db42cc9e8645

    SHA1

    5201f433bbe7bbc3a524e077336826d5c5a3de2b

    SHA256

    d146a045d83dac6d9b00bbb487932452cef797543071426497df171ff8a762a8

    SHA512

    a49fb2a9186bd94ca4ab1e7aa19ebd1bbf2f181f2d4651b844717395bcb9139d8da3bf44aea88a8b03ef6d67095c614323de9c8a59ee6f76d489fb7b896af4f4

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\EditGet.xlsx
    Filesize

    488KB

    MD5

    75743f01eedd378792518b054f1cf993

    SHA1

    7eada6051ebefd6f0e844b06e0cd4f53e80089d6

    SHA256

    cab0eb04bcec8f1c871203fd3226160e3ba65e61e136670ffea076f335e9a234

    SHA512

    2046b1ab697dc733989d631459647f3dc9be97ff439218188e3b0dec9a6b553fc4d7bfddda72619900ef6033d2b5196a32ef51a5e9acb7021a436d825e5ddbf7

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\EnterBlock.xlsx
    Filesize

    890KB

    MD5

    86cf7fc65a8c52e204ec73de209af5fd

    SHA1

    4740affab24610f399ed0df295042e06157814ee

    SHA256

    0a89e43e694d74ab0e4d6ff80ea7f234cf54bce9888d0085586525fc1f6225bc

    SHA512

    e0c56a7f7950678915a036bf9a19287bece3aee1a573fe30771569c63dbca6697a2681f8db510912ea77b9352fb9b9de0cc2b025379f0b7250ae428bed35fe7f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\Files.docx
    Filesize

    11KB

    MD5

    4a8fbd593a733fc669169d614021185b

    SHA1

    166e66575715d4c52bcb471c09bdbc5a9bb2f615

    SHA256

    714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42

    SHA512

    6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\InitializeConvertTo.txt
    Filesize

    639KB

    MD5

    2b39e954b2c28ab3d5c45966b3044c26

    SHA1

    72a51b8a7164a2ea739f7bf8615e2cd44bfa2ef2

    SHA256

    564e834763d60164deac8fce4c543a67d6d5e30dd497e02483718cd018df9ada

    SHA512

    93be2e9497ccd9c1822f8670f5e30d0612a39a55e104864a944f270f8817bd1f88c4291561a6595866f574488ade5d110b896a7f8af70e07d52f2d6b2bd99dbc

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\Opened.docx
    Filesize

    11KB

    MD5

    bfbc1a403197ac8cfc95638c2da2cf0e

    SHA1

    634658f4dd9747e87fa540f5ba47e218acfc8af2

    SHA256

    272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6

    SHA512

    b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\Recently.docx
    Filesize

    11KB

    MD5

    3b068f508d40eb8258ff0b0592ca1f9c

    SHA1

    59ac025c3256e9c6c86165082974fe791ff9833a

    SHA256

    07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7

    SHA512

    e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\StopSave.xlsb
    Filesize

    574KB

    MD5

    85e8225f4364102695a08fd4abb0574b

    SHA1

    7f216f1ad168cebb44a2fac149d0090c040f4ddb

    SHA256

    05b86ca97a07c57c951c69f86a8a704bea840e8c7cd873e71a194263ae441b3c

    SHA512

    ad64e826171c678b0ff3008175058cd940cc44d4a268fa3dcefa6cce567032deb08df0829dbdf41947c104986e5fde9677049f02bb3a884caeb4b523dc7dc9f3

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\SuspendCompare.xlsb
    Filesize

    545KB

    MD5

    12b6ff3c33d82f769c111279d950ff0f

    SHA1

    2691aab499061323ffd3fbc800f574cd4c3ac21f

    SHA256

    e670a68c7554e2a51629b148c942d78fd4d347cea57a358504264784e09538d3

    SHA512

    4194abc3cb9a78e311337a1ff8a88013766b77befbbd49313632e6769e37e904a3c819983c8cc629590966c77d0b730dc236e7526b6d49cd90f4be6ededb585c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\These.docx
    Filesize

    11KB

    MD5

    87cbab2a743fb7e0625cc332c9aac537

    SHA1

    50f858caa7f4ac3a93cf141a5d15b4edeb447ee7

    SHA256

    57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023

    SHA512

    6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\UnregisterEnter.doc
    Filesize

    517KB

    MD5

    68668233aabb6f438ee7e89815020eb9

    SHA1

    17b2ef00429853919a5d5b2ee9eea1fd23cc33b8

    SHA256

    fcbb24b1e74db2efa0eb300691715b38f64f57a732f3d00ac04cb804604dea95

    SHA512

    bdc57aefa40abc07651944ba33f92886c85251399d43d96fa8a331a97fb13d520cc0d13273254d40fd8d451caa7d6f313c7098a75eca5d3b53c679fa39bcfc4c

    Download Submit

  • \Users\Admin\AppData\Local\Temp\InstallUtil.exe
    Filesize

    40KB

    MD5

    91c9ae9c9a17a9db5e08b120e668c74c

    SHA1

    50770954c1ceb0bb6f1d5d3f2de2a0a065773723

    SHA256

    e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

    SHA512

    ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

    Download Submit

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
    Filesize

    689KB

    MD5

    91b41651e6e9ab352805c6d35a297d08

    SHA1

    11b8eaa7b7941461bc952b11ec3f07d25dcd1c2e

    SHA256

    0872abe29cc9231cdded3a44e02a7ea17f09cf2ac2bdbd7077065858829c3723

    SHA512

    b0b0d73f6ac7b6e9b39db0fa58931873143f6559c3b8d3db2d82d453045f75da94f3236b6c6c5200b52af6cacc038565eb2e9c6a834608dac0b0e8bb45b1e892

    Download Submit

  • memory/1700-2556-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1700-2554-0x000000001B390000-0x000000001B410000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1700-2553-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1700-2552-0x0000000001310000-0x00000000013C2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/2108-2644-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

    Download

  • memory/2108-2606-0x00000000027E0000-0x00000000027E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2108-2674-0x00000000027E0000-0x00000000027E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2108-2519-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

    Download

  • memory/2960-29-0x0000000007E30000-0x0000000007ED7000-memory.dmp

    Filesize

    668KB

    Download

  • memory/2960-35-0x0000000007E30000-0x0000000007ED7000-memory.dmp

    Filesize

    668KB

    Download

  • memory/2960-55-0x0000000007E30000-0x0000000007ED7000-memory.dmp

    Filesize

    668KB

    Download

  • memory/2960-57-0x0000000007E30000-0x0000000007ED7000-memory.dmp

    Filesize

    668KB

    Download

  • memory/2960-53-0x0000000007E30000-0x0000000007ED7000-memory.dmp

    Filesize

    668KB

    Download

  • memory/2960-61-0x0000000007E30000-0x0000000007ED7000-memory.dmp

    Filesize

    668KB

    Download

  • memory/2960-59-0x0000000007E30000-0x0000000007ED7000-memory.dmp

    Filesize

    668KB

    Download

  • memory/2960-51-0x0000000007E30000-0x0000000007ED7000-memory.dmp

    Filesize

    668KB

    Download

  • memory/2960-49-0x0000000007E30000-0x0000000007ED7000-memory.dmp

    Filesize

    668KB

    Download

  • memory/2960-47-0x0000000007E30000-0x0000000007ED7000-memory.dmp

    Filesize

    668KB

    Download

  • memory/2960-63-0x0000000007E30000-0x0000000007ED7000-memory.dmp

    Filesize

    668KB

    Download

  • memory/2960-64-0x0000000005120000-0x0000000005196000-memory.dmp

    Filesize

    472KB

    Download

  • memory/2960-68-0x0000000005120000-0x0000000005190000-memory.dmp

    Filesize

    448KB

    Download

  • memory/2960-72-0x0000000005120000-0x0000000005190000-memory.dmp

    Filesize

    448KB

    Download

  • memory/2960-74-0x0000000005120000-0x0000000005190000-memory.dmp

    Filesize

    448KB

    Download

  • memory/2960-70-0x0000000005120000-0x0000000005190000-memory.dmp

    Filesize

    448KB

    Download

  • memory/2960-66-0x0000000005120000-0x0000000005190000-memory.dmp

    Filesize

    448KB

    Download

  • memory/2960-65-0x0000000005120000-0x0000000005190000-memory.dmp

    Filesize

    448KB

    Download

  • memory/2960-43-0x0000000007E30000-0x0000000007ED7000-memory.dmp

    Filesize

    668KB

    Download

  • memory/2960-2517-0x0000000074170000-0x000000007485E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2960-41-0x0000000007E30000-0x0000000007ED7000-memory.dmp

    Filesize

    668KB

    Download

  • memory/2960-39-0x0000000007E30000-0x0000000007ED7000-memory.dmp

    Filesize

    668KB

    Download

  • memory/2960-37-0x0000000007E30000-0x0000000007ED7000-memory.dmp

    Filesize

    668KB

    Download

  • memory/2960-45-0x0000000007E30000-0x0000000007ED7000-memory.dmp

    Filesize

    668KB

    Download

  • memory/2960-24-0x0000000007E30000-0x0000000007ED7000-memory.dmp

    Filesize

    668KB

    Download

  • memory/2960-33-0x0000000007E30000-0x0000000007ED7000-memory.dmp

    Filesize

    668KB

    Download

  • memory/2960-27-0x0000000007E30000-0x0000000007ED7000-memory.dmp

    Filesize

    668KB

    Download

  • memory/2960-31-0x0000000007E30000-0x0000000007ED7000-memory.dmp

    Filesize

    668KB

    Download

  • memory/2960-0-0x0000000000E50000-0x0000000000F18000-memory.dmp

    Filesize

    800KB

    Download

  • memory/2960-25-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2960-23-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2960-21-0x0000000007E30000-0x0000000007ED7000-memory.dmp

    Filesize

    668KB

    Download

  • memory/2960-19-0x0000000007E30000-0x0000000007ED7000-memory.dmp

    Filesize

    668KB

    Download

  • memory/2960-17-0x0000000007E30000-0x0000000007ED7000-memory.dmp

    Filesize

    668KB

    Download

  • memory/2960-15-0x0000000007E30000-0x0000000007ED7000-memory.dmp

    Filesize

    668KB

    Download

  • memory/2960-13-0x0000000007E30000-0x0000000007ED7000-memory.dmp

    Filesize

    668KB

    Download

  • memory/2960-11-0x0000000007E30000-0x0000000007ED7000-memory.dmp

    Filesize

    668KB

    Download

  • memory/2960-9-0x0000000007E30000-0x0000000007ED7000-memory.dmp

    Filesize

    668KB

    Download

  • memory/2960-8-0x0000000007E30000-0x0000000007ED7000-memory.dmp

    Filesize

    668KB

    Download

  • memory/2960-7-0x0000000007E30000-0x0000000007EDC000-memory.dmp

    Filesize

    688KB

    Download

  • memory/2960-6-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2960-5-0x0000000074170000-0x000000007485E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2960-4-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2960-3-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2960-2-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2960-1-0x0000000074170000-0x000000007485E000-memory.dmp

    Filesize

    6.9MB

    Download