Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-01-2024 10:05
Static task: static1
Behavioral task: behavioral1
  Sample: 6a239782a002f49be71a6dfca139864c.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 6a239782a002f49be71a6dfca139864c.exe
  Resource: win10v2004-20231215-en
General
Target: 6a239782a002f49be71a6dfca139864c.exe
Size: 792KB
MD5: 6a239782a002f49be71a6dfca139864c
SHA1: 6609a8974b80600598a64149340bad3989ecf780
SHA256: 722a5ea9b20e3a0b77f4f1628f763e46ccd4e87d284ac28997cec9874c479064
SHA512: 700385b2854878c8897a9733ac1288a67dfaa33bfeeef4a18286acfaf46e65a08cb2daec606edaee5421565e4f93508d254ae0834d466328174404db340b3b4a
SSDEEP: 12288:N9PUs72U6RTSRX8ALpieAmx4D9IumDgcVZObrC0Svr6bIXU7jxf62pI9G6DMzu:N9T729YMycQz5Babervr6koy2pgGLy
Malware Config
Extracted
Family: blustealer
URL: https://api.telegram.org/bot1959368257:AAG0IlwChPBIRiANxaRyW1iZU_vU7xxDdgs/sendMessage?chat_id=691917680
Signatures
A310logger
  A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
BluStealer
  A modular information stealer written in Visual Basic.
Detect ZGRat V1 (7 IoCs)
  resource / yara_rule
  behavioral2/memory/4920-65-0x00000000076F0000-0x0000000007766000-memory.dmp  family_zgrat_v1
  behavioral2/memory/4920-75-0x00000000076F0000-0x0000000007760000-memory.dmp  family_zgrat_v1
  behavioral2/memory/4920-73-0x00000000076F0000-0x0000000007760000-memory.dmp  family_zgrat_v1
  behavioral2/memory/4920-71-0x00000000076F0000-0x0000000007760000-memory.dmp  family_zgrat_v1
  behavioral2/memory/4920-69-0x00000000076F0000-0x0000000007760000-memory.dmp  family_zgrat_v1
  behavioral2/memory/4920-67-0x00000000076F0000-0x0000000007760000-memory.dmp  family_zgrat_v1
  behavioral2/memory/4920-66-0x00000000076F0000-0x0000000007760000-memory.dmp  family_zgrat_v1
A310logger Executable (2 IoCs)
  resource / yara_rule
  behavioral2/files/0x0006000000023227-2542.dat  a310logger
  behavioral2/memory/1992-2543-0x0000000000040000-0x00000000000F2000-memory.dmp  a310logger
Executes dropped EXE (2 IoCs)
  pid / Process
  3180  InstallUtil.exe
  1992  Fox.exe
Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  description / ioc / Process
  Key opened  \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Fox.exe
  Key opened  \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Fox.exe
  Key opened  \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Fox.exe
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Adds Run key to start application (2 TTPs, 1 IoC)
  description / ioc / Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KPrrSC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallUtil.exe"  InstallUtil.exe
Suspicious use of SetThreadContext (1 IoC)
  description / pid / Process / procid_target
  PID 4920 set thread context of 3180  4920  6a239782a002f49be71a6dfca139864c.exe  96
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Script User-Agent (1 IoC)
  Uses user-agent string associated with script host/environment.
  description / flow / ioc
  HTTP User-Agent header  48  Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid / Process
  4920  6a239782a002f49be71a6dfca139864c.exe
  4920  6a239782a002f49be71a6dfca139864c.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid / Process
  3180  InstallUtil.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description / pid / Process
  Token: SeDebugPrivilege  4920  6a239782a002f49be71a6dfca139864c.exe
Suspicious use of FindShellTrayWindow (1 IoC)
  pid / Process
  3180  InstallUtil.exe
Suspicious use of SetWindowsHookEx (1 IoC)
  pid / Process
  3180  InstallUtil.exe
Suspicious use of WriteProcessMemory (10 IoCs)
  description / pid / Process / procid_target
  PID 4920 wrote to memory of 3180  4920  6a239782a002f49be71a6dfca139864c.exe  96
  PID 4920 wrote to memory of 3180  4920  6a239782a002f49be71a6dfca139864c.exe  96
  PID 4920 wrote to memory of 3180  4920  6a239782a002f49be71a6dfca139864c.exe  96
  PID 4920 wrote to memory of 3180  4920  6a239782a002f49be71a6dfca139864c.exe  96
  PID 4920 wrote to memory of 3180  4920  6a239782a002f49be71a6dfca139864c.exe  96
  PID 4920 wrote to memory of 3180  4920  6a239782a002f49be71a6dfca139864c.exe  96
  PID 4920 wrote to memory of 3180  4920  6a239782a002f49be71a6dfca139864c.exe  96
  PID 4920 wrote to memory of 3180  4920  6a239782a002f49be71a6dfca139864c.exe  96
  PID 3180 wrote to memory of 1992  3180  InstallUtil.exe  97
  PID 3180 wrote to memory of 1992  3180  InstallUtil.exe  97
outlook_office_path (1 IoC)
  description / ioc / Process
  Key opened  \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Fox.exe
outlook_win_path (1 IoC)
  description / ioc / Process
  Key opened  \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Fox.exe
Processes
C:\Users\Admin\AppData\Local\Temp\6a239782a002f49be71a6dfca139864c.exe  (PID 4920)
  command line: "C:\Users\Admin\AppData\Local\Temp\6a239782a002f49be71a6dfca139864c.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe  (PID 3180)
    command line: C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe  (PID 1992)
      command line: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Downloads