Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-01-2024 06:16

General

  • Target

    6c90d471c7fa59b51f1a820b0fada9e3.exe

  • Size

    2.3MB

  • MD5

    6c90d471c7fa59b51f1a820b0fada9e3

  • SHA1

    b3ec13231b0bf2cd938c8edb531f6fc087bdb083

  • SHA256

    fce1e5d65d8375a41cd61ec690febb3ca3d2b6745194cc7b0f54727bf48197a9

  • SHA512

    11da870880f5070a477d9ae76d7ddee310c9e79c164c098a912625c166e7d06af214687b9e1cc4fe9b8345bf7e0b696f790b435467fd5a5a02d9106942cc8197

  • SSDEEP

    12288:e7tckxtGtCP7svhJrXFlrO02jle+qcs2eXNPnrEdrE:e7JxUtAsvhRDZO/qcsxXN/odo

Score
10/10

Malware Config

Extracted

Family

blustealer

Credentials

  • Protocol:
    smtp
  • Host:
    bojtai.xyz
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    (mr.GT^Eg#C6

Signatures

  • BluStealer

    A modular information stealer written in Visual Basic.

  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE (1 IoC)
  • Uses the Visual Basic compiler (vbc.exe) for execution (1 TTP)
  • Suspicious use of SetThreadContext (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) (1 TTP, 1 IoC)

    schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (31 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\6c90d471c7fa59b51f1a820b0fada9e3.exe
    "C:\Users\Admin\AppData\Local\Temp\6c90d471c7fa59b51f1a820b0fada9e3.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3052
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c
      2⤵
        PID:4376
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:3924
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\noot\noot.exe'" /f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2876
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\noot\noot.exe'" /f
          3⤵
          • Creates scheduled task(s)
          PID:1500
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\6c90d471c7fa59b51f1a820b0fada9e3.exe" "C:\Users\Admin\AppData\Roaming\noot\noot.exe"
        2⤵
          PID:4760
      • C:\Users\Admin\AppData\Roaming\noot\noot.exe
        C:\Users\Admin\AppData\Roaming\noot\noot.exe
        1⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4284
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
          2⤵
          • Suspicious use of SetWindowsHookEx
          PID:5060
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c
          2⤵
            PID:4028
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
          1⤵
            PID:3912
          • C:\Windows\System32\svchost.exe
            C:\Windows\System32\svchost.exe -k UnistackSvcGroup
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1472
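The process tree above shows the persistence step in full: the sample copies itself to AppData\Roaming\noot\noot.exe and registers a scheduled task "Nano" that re-launches the copy every minute, forcing overwrite with /f. The following detector, added here as an example and not part of the sandbox report, parses schtasks /create command lines from process-creation records and flags the combination of a short interval and an action in a user-writable directory. The record layout (pid, image, cmdline) and the sample records are constructed to mirror the tree above; the benign record and the directory list are assumptions.

```python
"""Flag schtasks-based persistence in process-creation records (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Directories a non-admin user can write to; a task action living here is a
# common malware tell. This list is an assumption, extend it for your estate.
USER_WRITABLE = re.compile(
    r"\\(AppData\\(Roaming|Local)|Users\\Public|ProgramData|Temp)\\", re.I
)


@dataclass
class Finding:
    pid: int
    task_name: str
    action: str
    schedule: str
    interval: int | None
    reasons: list[str]


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping double-quoted spans whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks_create(cmdline: str) -> dict | None:
    """Return the /option -> value map of a 'schtasks /create' invocation, else None.

    Handles both a bare schtasks.exe line and the 'cmd.exe /c schtasks ...' wrapper
    seen in the report; value-less switches such as /f map to True.
    """
    toks = tokenize(cmdline)
    idx = next((k for k, t in enumerate(toks)
                if t.lower().split("\\")[-1] in ("schtasks", "schtasks.exe")), None)
    if idx is None:
        return None
    args = toks[idx + 1:]
    if not args or args[0].lower() != "/create":
        return None
    opts: dict = {}
    k = 1
    while k < len(args):
        a = args[k].lower()
        if a.startswith("/") and k + 1 < len(args) and not args[k + 1].startswith("/"):
            opts[a] = args[k + 1]
            k += 2
        else:
            opts[a] = True
            k += 1
    return opts


def assess(record: dict) -> Finding | None:
    """Score one process-creation record; None when it is not a suspicious task creation."""
    opts = parse_schtasks_create(record["cmdline"])
    if opts is None:
        return None
    action = str(opts.get("/tr", "")).strip("'\"")   # report quotes the path as "'...'"
    schedule = str(opts.get("/sc", "")).lower()
    mo = opts.get("/mo")
    interval = int(mo) if isinstance(mo, str) and mo.isdigit() else None
    reasons = []
    if schedule == "minute" and (interval or 1) <= 5:
        reasons.append(f"re-runs every {interval or 1} minute(s)")
    if USER_WRITABLE.search(action):
        reasons.append("task action lives in a user-writable directory")
    if not reasons:          # a long-interval task with a Program Files action is normal admin work
        return None
    if opts.get("/f") is True:
        reasons.append("/f silently overwrites an existing task of the same name")
    return Finding(record["pid"], str(opts.get("/tn", "")), action, schedule, interval, reasons)


def scan(records: list[dict]) -> list[Finding]:
    """Run assess() over all records, reporting each (task name, action) pair once."""
    seen: set[tuple[str, str]] = set()
    out = []
    for rec in records:
        f = assess(rec)
        if f and (f.task_name.lower(), f.action.lower()) not in seen:
            seen.add((f.task_name.lower(), f.action.lower()))
            out.append(f)
    return out


# Constructed records: the two persistence processes from the report plus a benign task.
SAMPLE_RECORDS = [
    {"pid": 2876, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'''"C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\noot\noot.exe'" /f'''},
    {"pid": 1500, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'''schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\noot\noot.exe'" /f'''},
    {"pid": 9001, "image": r"C:\Windows\System32\schtasks.exe",   # assumed benign admin task
     "cmdline": r'''schtasks /create /sc daily /st 03:00 /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"'''},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"PID {f.pid}: task '{f.task_name}' -> {f.action}: {'; '.join(f.reasons)}")
```

The cmd.exe wrapper and the child schtasks.exe both carry the same command line, so the scan deduplicates on (task name, action) and reports the pair once; on a live host the same logic applies to Sysmon Event ID 1 or Security Event ID 4688 command lines, and Security Event ID 4698 (task created) gives a second, independent source for the same task name.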

          Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Roaming\noot\noot.exe

            Filesize

            2.2MB

            MD5

            338086ef63fe1e8abdd6962e32ad97c2

            SHA1

            90c2ba21cbbd3d069428fe957b2700962af0944d

            SHA256

            e89a9151f4ca8f5a4299d143c5af61fd4bbaecef40016e7938c4828590c186df

            SHA512

            8adbddfdf2a4bff877423e849b3188ff460a1be4ebc765bc14a71f79737fd10d26f3ea3adda1b8322b6c3d8e0566695322b05f3450f9809224b7dd3ccdd66bb9

          • C:\Users\Admin\AppData\Roaming\noot\noot.exe

            Filesize

            2.3MB

            MD5

            6c90d471c7fa59b51f1a820b0fada9e3

            SHA1

            b3ec13231b0bf2cd938c8edb531f6fc087bdb083

            SHA256

            fce1e5d65d8375a41cd61ec690febb3ca3d2b6745194cc7b0f54727bf48197a9

            SHA512

            11da870880f5070a477d9ae76d7ddee310c9e79c164c098a912625c166e7d06af214687b9e1cc4fe9b8345bf7e0b696f790b435467fd5a5a02d9106942cc8197

          • memory/1472-55-0x000002047BD30000-0x000002047BD31000-memory.dmp

            Filesize

            4KB

          • memory/1472-56-0x000002047BD30000-0x000002047BD31000-memory.dmp

            Filesize

            4KB

          • memory/1472-57-0x000002047BE40000-0x000002047BE41000-memory.dmp

            Filesize

            4KB

          • memory/1472-53-0x000002047BD00000-0x000002047BD01000-memory.dmp

            Filesize

            4KB

          • memory/1472-37-0x0000020473990000-0x00000204739A0000-memory.dmp

            Filesize

            64KB

          • memory/1472-21-0x0000020473890000-0x00000204738A0000-memory.dmp

            Filesize

            64KB

          • memory/3052-13-0x0000000002A60000-0x0000000002A70000-memory.dmp

            Filesize

            64KB

          • memory/3052-5-0x00000000052E0000-0x00000000052EA000-memory.dmp

            Filesize

            40KB

          • memory/3052-1-0x0000000074F60000-0x0000000075710000-memory.dmp

            Filesize

            7.7MB

          • memory/3052-0-0x00000000008F0000-0x0000000000B4A000-memory.dmp

            Filesize

            2.4MB

          • memory/3052-12-0x0000000074F60000-0x0000000075710000-memory.dmp

            Filesize

            7.7MB

          • memory/3052-3-0x0000000004EB0000-0x0000000004F42000-memory.dmp

            Filesize

            584KB

          • memory/3052-2-0x0000000005380000-0x0000000005924000-memory.dmp

            Filesize

            5.6MB

          • memory/3052-4-0x0000000002A60000-0x0000000002A70000-memory.dmp

            Filesize

            64KB

          • memory/3924-6-0x0000000000400000-0x0000000000476000-memory.dmp

            Filesize

            472KB

          • memory/3924-8-0x0000000000400000-0x0000000000476000-memory.dmp

            Filesize

            472KB

          • memory/3924-11-0x0000000000400000-0x0000000000476000-memory.dmp

            Filesize

            472KB

          • memory/4284-20-0x0000000004D20000-0x0000000004D30000-memory.dmp

            Filesize

            64KB

          • memory/4284-19-0x0000000074F60000-0x0000000075710000-memory.dmp

            Filesize

            7.7MB

          • memory/4284-18-0x0000000000AF0000-0x0000000000D4A000-memory.dmp

            Filesize

            2.4MB

          • memory/5060-63-0x0000000000400000-0x0000000000476000-memory.dmp

            Filesize

            472KB