Overview

overview

10

Static

static

1

6a239782a0...4c.exe

windows7-x64

10

6a239782a0...4c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-01-2024 10:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6a239782a002f49be71a6dfca139864c.exe

  • Size

    792KB

  • MD5

    6a239782a002f49be71a6dfca139864c

  • SHA1

    6609a8974b80600598a64149340bad3989ecf780

  • SHA256

    722a5ea9b20e3a0b77f4f1628f763e46ccd4e87d284ac28997cec9874c479064

  • SHA512

    700385b2854878c8897a9733ac1288a67dfaa33bfeeef4a18286acfaf46e65a08cb2daec606edaee5421565e4f93508d254ae0834d466328174404db340b3b4a

  • SSDEEP

    12288:N9PUs72U6RTSRX8ALpieAmx4D9IumDgcVZObrC0Svr6bIXU7jxf62pI9G6DMzu:N9T729YMycQz5Babervr6koy2pgGLy

Score
10/10
a310loggerblustealerzgratcollectionpersistenceratspywarestealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot1959368257:AAG0IlwChPBIRiANxaRyW1iZU_vU7xxDdgs/sendMessage?chat_id=691917680

Signatures

  • A310logger

    A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    stealerspywarea310logger
  • BluStealer

    A Modular information stealer written in Visual Basic.

    stealerblustealer
  • Detect ZGRat V1 7 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • A310logger Executable 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6a239782a002f49be71a6dfca139864c.exe
    "C:\Users\Admin\AppData\Local\Temp\6a239782a002f49be71a6dfca139864c.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4920
    • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3180
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • outlook_office_path
        • outlook_win_path
        PID:1992

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    Filesize

    41KB

    MD5

    5d4073b2eb6d217c19f2b22f21bf8d57

    SHA1

    f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

    SHA256

    ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

    SHA512

    9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files.zip
    Filesize

    24B

    MD5

    98a833e15d18697e8e56cdafb0642647

    SHA1

    e5f94d969899646a3d4635f28a7cd9dd69705887

    SHA256

    ff006c86b5ec033fe3cafd759bf75be00e50c375c75157e99c0c5d39c96a2a6c

    SHA512

    c6f9a09d9707b770dbc10d47c4d9b949f4ebf5f030b5ef8c511b635c32d418ad25d72eee5d7ed02a96aeb8bf2c85491ca1aa0e4336d242793c886ed1bcdd910b

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files.zip
    Filesize

    1.9MB

    MD5

    83f2757e368f7eab79dbd044af44471a

    SHA1

    8aa4bd1deb977142d0d4e1be8f2c4eacc6aeadb6

    SHA256

    ffa0595854fead244f89a048a1ce2510ad575f39ce4137a94a6bc058aa7d2ac0

    SHA512

    4f74718804bbabffd2f7aab88d5cc0f0825e1dec645458211e82a07aabad79b9c44731516da9c781e58de0aa3d111f9722225e7433f312df1db8830cf0a2bf40

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\Are.docx
    Filesize

    11KB

    MD5

    a33e5b189842c5867f46566bdbf7a095

    SHA1

    e1c06359f6a76da90d19e8fd95e79c832edb3196

    SHA256

    5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

    SHA512

    f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\Files.docx
    Filesize

    11KB

    MD5

    4a8fbd593a733fc669169d614021185b

    SHA1

    166e66575715d4c52bcb471c09bdbc5a9bb2f615

    SHA256

    714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42

    SHA512

    6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\Opened.docx
    Filesize

    11KB

    MD5

    bfbc1a403197ac8cfc95638c2da2cf0e

    SHA1

    634658f4dd9747e87fa540f5ba47e218acfc8af2

    SHA256

    272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6

    SHA512

    b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\Recently.docx
    Filesize

    11KB

    MD5

    3b068f508d40eb8258ff0b0592ca1f9c

    SHA1

    59ac025c3256e9c6c86165082974fe791ff9833a

    SHA256

    07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7

    SHA512

    e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\RedoSplit.txt
    Filesize

    1.9MB

    MD5

    6a85545808def30894aa286bd807a364

    SHA1

    476a6343b6a52fa6c67a7239feb8b63ed36cf02f

    SHA256

    549dd72abbf820801c16f305a5cfba42ee59be5efff55708673e01506f4cb628

    SHA512

    39e603930f53de609215a2e243f4b003c2cd9579085059b20b8d72ff9e8c297150ec0a69abbb8fccb8adc3f67b223c6f77dba4286daf335b24c139768263c4d3

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\These.docx
    Filesize

    11KB

    MD5

    87cbab2a743fb7e0625cc332c9aac537

    SHA1

    50f858caa7f4ac3a93cf141a5d15b4edeb447ee7

    SHA256

    57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023

    SHA512

    6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\HQVZPAOM04.zip
    Filesize

    285KB

    MD5

    40a9752d59f2883e40d928f85a749008

    SHA1

    c60fb58eff64a7969b46f3934766f991352eeb47

    SHA256

    ef95540ec8dae3d255439fb847d26397c265b5cccda5ed0d6b9ed3dda14a2820

    SHA512

    ce33985f91103315accb1039635488d7e144df264bab8e164c1f9844ce6923e1c9c76349f14542901887ffcbbbca40b92cf474126f0b94893e8af1f608464b3c

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
    Filesize

    689KB

    MD5

    91b41651e6e9ab352805c6d35a297d08

    SHA1

    11b8eaa7b7941461bc952b11ec3f07d25dcd1c2e

    SHA256

    0872abe29cc9231cdded3a44e02a7ea17f09cf2ac2bdbd7077065858829c3723

    SHA512

    b0b0d73f6ac7b6e9b39db0fa58931873143f6559c3b8d3db2d82d453045f75da94f3236b6c6c5200b52af6cacc038565eb2e9c6a834608dac0b0e8bb45b1e892

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\credentials.txt
    Filesize

    691B

    MD5

    055c857272026583a61e1b5821c69a24

    SHA1

    ec39d34f16487682801dd2b319554cbed57feca4

    SHA256

    190db16bb64995e3bdea04b9e6fc1994dacfea3253a7559732205b1d41362b84

    SHA512

    d7833c4651683e95959107e05b07b60d2e963b9fbecd0106b329e2087d1dfc9aedb962b334e22b6b462699cbce86097d4d50ce5d1310ad098e3531efaa4e204b

    Download Submit
  • memory/1992-2553-0x00007FF80EAE0000-0x00007FF80F5A1000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/1992-2545-0x000000001ADB0000-0x000000001ADC0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1992-2544-0x00007FF80EAE0000-0x00007FF80F5A1000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/1992-2543-0x0000000000040000-0x00000000000F2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/3180-2618-0x0000000000400000-0x0000000000460000-memory.dmp
    Filesize

    384KB

    Download
  • memory/3180-2510-0x0000000000400000-0x0000000000460000-memory.dmp
    Filesize

    384KB

    Download
  • memory/4920-28-0x0000000007140000-0x00000000071E7000-memory.dmp
    Filesize

    668KB

    Download
  • memory/4920-69-0x00000000076F0000-0x0000000007760000-memory.dmp
    Filesize

    448KB

    Download
  • memory/4920-42-0x0000000007140000-0x00000000071E7000-memory.dmp
    Filesize

    668KB

    Download
  • memory/4920-44-0x0000000007140000-0x00000000071E7000-memory.dmp
    Filesize

    668KB

    Download
  • memory/4920-48-0x0000000007140000-0x00000000071E7000-memory.dmp
    Filesize

    668KB

    Download
  • memory/4920-46-0x0000000007140000-0x00000000071E7000-memory.dmp
    Filesize

    668KB

    Download
  • memory/4920-38-0x0000000007140000-0x00000000071E7000-memory.dmp
    Filesize

    668KB

    Download
  • memory/4920-50-0x0000000007140000-0x00000000071E7000-memory.dmp
    Filesize

    668KB

    Download
  • memory/4920-56-0x0000000007140000-0x00000000071E7000-memory.dmp
    Filesize

    668KB

    Download
  • memory/4920-61-0x0000000007140000-0x00000000071E7000-memory.dmp
    Filesize

    668KB

    Download
  • memory/4920-63-0x0000000007140000-0x00000000071E7000-memory.dmp
    Filesize

    668KB

    Download
  • memory/4920-64-0x0000000007270000-0x00000000072E6000-memory.dmp
    Filesize

    472KB

    Download
  • memory/4920-59-0x0000000005260000-0x0000000005270000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4920-58-0x0000000007140000-0x00000000071E7000-memory.dmp
    Filesize

    668KB

    Download
  • memory/4920-54-0x0000000007140000-0x00000000071E7000-memory.dmp
    Filesize

    668KB

    Download
  • memory/4920-52-0x0000000007140000-0x00000000071E7000-memory.dmp
    Filesize

    668KB

    Download
  • memory/4920-36-0x0000000007140000-0x00000000071E7000-memory.dmp
    Filesize

    668KB

    Download
  • memory/4920-65-0x00000000076F0000-0x0000000007766000-memory.dmp
    Filesize

    472KB

    Download
  • memory/4920-34-0x0000000007140000-0x00000000071E7000-memory.dmp
    Filesize

    668KB

    Download
  • memory/4920-32-0x0000000007140000-0x00000000071E7000-memory.dmp
    Filesize

    668KB

    Download
  • memory/4920-24-0x0000000007140000-0x00000000071E7000-memory.dmp
    Filesize

    668KB

    Download
  • memory/4920-22-0x0000000007140000-0x00000000071E7000-memory.dmp
    Filesize

    668KB

    Download
  • memory/4920-75-0x00000000076F0000-0x0000000007760000-memory.dmp
    Filesize

    448KB

    Download
  • memory/4920-73-0x00000000076F0000-0x0000000007760000-memory.dmp
    Filesize

    448KB

    Download
  • memory/4920-71-0x00000000076F0000-0x0000000007760000-memory.dmp
    Filesize

    448KB

    Download
  • memory/4920-40-0x0000000007140000-0x00000000071E7000-memory.dmp
    Filesize

    668KB

    Download
  • memory/4920-67-0x00000000076F0000-0x0000000007760000-memory.dmp
    Filesize

    448KB

    Download
  • memory/4920-66-0x00000000076F0000-0x0000000007760000-memory.dmp
    Filesize

    448KB

    Download
  • memory/4920-878-0x0000000005260000-0x0000000005270000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4920-2501-0x00000000077A0000-0x00000000077BE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/4920-26-0x0000000007140000-0x00000000071E7000-memory.dmp
    Filesize

    668KB

    Download
  • memory/4920-30-0x0000000007140000-0x00000000071E7000-memory.dmp
    Filesize

    668KB

    Download
  • memory/4920-2512-0x0000000074BB0000-0x0000000075360000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4920-0-0x0000000074BB0000-0x0000000075360000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4920-20-0x0000000007140000-0x00000000071E7000-memory.dmp
    Filesize

    668KB

    Download
  • memory/4920-18-0x0000000007140000-0x00000000071E7000-memory.dmp
    Filesize

    668KB

    Download
  • memory/4920-16-0x0000000007140000-0x00000000071E7000-memory.dmp
    Filesize

    668KB

    Download
  • memory/4920-14-0x0000000007140000-0x00000000071E7000-memory.dmp
    Filesize

    668KB

    Download
  • memory/4920-12-0x0000000007140000-0x00000000071E7000-memory.dmp
    Filesize

    668KB

    Download
  • memory/4920-10-0x0000000007140000-0x00000000071E7000-memory.dmp
    Filesize

    668KB

    Download
  • memory/4920-9-0x0000000007140000-0x00000000071E7000-memory.dmp
    Filesize

    668KB

    Download
  • memory/4920-8-0x0000000007140000-0x00000000071EC000-memory.dmp
    Filesize

    688KB

    Download
  • memory/4920-7-0x0000000074BB0000-0x0000000075360000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4920-6-0x0000000005260000-0x0000000005270000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4920-5-0x0000000005120000-0x000000000512A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4920-4-0x0000000005260000-0x0000000005270000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4920-3-0x0000000005060000-0x00000000050F2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4920-2-0x0000000005530000-0x0000000005AD4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/4920-1-0x00000000005B0000-0x0000000000678000-memory.dmp
    Filesize

    800KB

    Download