Overview

overview

10

Static

static

3

74ccfbabd5...c5.exe

windows7-x64

10

74ccfbabd5...c5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    136s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    25-01-2024 13:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    74ccfbabd5376167c9e52c89c0478ec5.exe

  • Size

    1016KB

  • MD5

    74ccfbabd5376167c9e52c89c0478ec5

  • SHA1

    f054d3de07ec041a53e6566ad654fbd6f2a04098

  • SHA256

    24631515535420a7600ac6e1191f49b8162c7c3d1ca82a163b66451e448fab2f

  • SHA512

    dbf6a2395f3c56f074c750723a9b5568f035ab409fb502d0d068f2efc8d558978d00c282c51d6fbc64b1985071dde6ee26240e58b6e12dd0c2ff127de4b29f87

  • SSDEEP

    24576:Zg0sM873s6inVKDdbHUCB80yET0QMTS+YLY3qwhs:ZV9ms6cY9uoaVAs4

Score
10/10
a310loggerblustealercollectionspywarestealer

Malware Config

Extracted

Family

blustealer

Credentials

  • Protocol:     smtp
  • Host:
    mail.enche.com
  • Port:
    587
  • Username:
    merchandise@enche.com
  • Password:
    Merchandise08012021

Signatures

  • A310logger

    A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    stealerspywarea310logger
  • BluStealer

    A Modular information stealer written in Visual Basic.

    stealerblustealer
  • A310logger Executable 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\74ccfbabd5376167c9e52c89c0478ec5.exe
    "C:\Users\Admin\AppData\Local\Temp\74ccfbabd5376167c9e52c89c0478ec5.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2212
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\74ccfbabd5376167c9e52c89c0478ec5.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2756
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\zFdYmdUOJ.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2600
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zFdYmdUOJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDFF3.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2708
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2884
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • outlook_office_path
        • outlook_win_path
        PID:2564
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\zFdYmdUOJ.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2836

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Credential Access

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpDFF3.tmp
    Filesize

    1KB

    MD5

    cdb8a143293a5e0599c2a7c820d1d5e7

    SHA1

    c050904992447774a1c67abe6445446d53d783ae

    SHA256

    8668b912545d51e38b4230c93e3da808368a7846176127c9c9ad6e4717dc6a07

    SHA512

    0adf975578901192927c7a45b34ce1dc0cab5f1790e4bd94b7571bfeaf0acfc6cfc58a342e6f4de348e13f22ce9e9eae14798d91c554fe852ba6fe619ed5614b

    Download Submit
  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\TEMPLA~1\0I8SIC~1.ZIP
    Filesize

    233KB

    MD5

    cd959135edb5995f9ea68a41edebddec

    SHA1

    0ee56f042af3f073f1df7c3bff94191b38ba0518

    SHA256

    ad7fdb5e4901c6430dab6a768f1997835feb8273a4d8cb5f53144b559e4cbe38

    SHA512

    58850223f80d2f7b89266117b576a415e339a5b0126964cda7bbca6bfd8ed9da8d17d6cf916304fac84f9aa1277cc14f541d329cc09c9500266546a1d1452ffe

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\H4P08BFNIRG26EIY99DV.temp
    Filesize

    7KB

    MD5

    194d9990edd15f10b242c8e62fc8c9fc

    SHA1

    61b64a7b519fc5bdaeb05889e5abf5e32f941763

    SHA256

    935ff80ba7325cc59be13ace0376470b9d7d7109fecb329428c0b7050decb6f7

    SHA512

    88e604d22c7d545ba787376bb6ebf2f3fb10c605736d085d1b8f9e333775558450edfcda7ba85b682fc845040b32079f092fb6d620f6275d07633623ee00065d

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
    Filesize

    173KB

    MD5

    8e33c8033ebcbc02088cca4e5f2c6dd7

    SHA1

    feb3bf4e7e83f24eda2dca77c289ab92aede9cc4

    SHA256

    60c8a42cc80481d057714b5d32bbaa3937c38c70303422d6d2993d2f9fae032d

    SHA512

    0e9673b68ef181fbb3c9d31362ec01b86ab54c5a5a50a415da42576845e1c33d2f44c11ab90eb05cf37d9c0431fb5a0e0ff3f4989a905a356e6df64eb81252fa

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
    Filesize

    165KB

    MD5

    59ddb0f36868aa91d2f9d32a654c7e87

    SHA1

    e64bc8d5f6a80081566da214a46bbfb897276f56

    SHA256

    b99fd59bea78d231bdf24bb62e976e868012b2d663fe03a8585c43df91eb93ff

    SHA512

    61b585309f7cb075b843af75cc6474a4605f3eaeac4bfabe12e127b8bb6f228acdf57e4b0887d24b0298781cb658c152dbbf7e5768f92ded419af27b1ccd3656

    Download Submit
  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
    Filesize

    190KB

    MD5

    0aefa051e98f26e3a1ad1e1c77c9ab0e

    SHA1

    4aa660ca2fe2a3b94d5f20a48e26aa53eef2ad73

    SHA256

    44ee3f4edfe1166579d539cc541c3ec8ef54dba029264eb76cc6e8ce4a73359b

    SHA512

    529c28b5ae6efc0989886d1f45c085dc4ef39459d941e00ce60761cf8b2041f7453becfd6deab83da2cfb33524836c8b84f9c002c50e28e5cf5856ced1f23dc5

    Download Submit
  • memory/2212-3-0x0000000000550000-0x0000000000568000-memory.dmp
    Filesize

    96KB

    Download
  • memory/2212-7-0x0000000005270000-0x00000000052D8000-memory.dmp
    Filesize

    416KB

    Download
  • memory/2212-6-0x0000000005840000-0x0000000005914000-memory.dmp
    Filesize

    848KB

    Download
  • memory/2212-5-0x0000000004CD0000-0x0000000004D10000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2212-39-0x0000000074B10000-0x00000000751FE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2212-1-0x0000000074B10000-0x00000000751FE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2212-4-0x0000000074B10000-0x00000000751FE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2212-2-0x0000000004CD0000-0x0000000004D10000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2212-0-0x0000000000060000-0x0000000000164000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/2564-87-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/2564-86-0x00000000011D0000-0x0000000001282000-memory.dmp
    Filesize

    712KB

    Download
  • memory/2564-88-0x000000001B2A0000-0x000000001B320000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2564-90-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/2600-36-0x000000006F610000-0x000000006FBBB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2600-51-0x0000000000510000-0x0000000000550000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2600-40-0x0000000000510000-0x0000000000550000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2600-79-0x000000006F610000-0x000000006FBBB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2600-43-0x0000000000510000-0x0000000000550000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2600-30-0x000000006F610000-0x000000006FBBB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2756-78-0x000000006F610000-0x000000006FBBB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2756-34-0x0000000002C10000-0x0000000002C50000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2756-32-0x000000006F610000-0x000000006FBBB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2756-42-0x0000000002C10000-0x0000000002C50000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2756-38-0x0000000002C10000-0x0000000002C50000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2756-37-0x000000006F610000-0x000000006FBBB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2836-49-0x0000000002820000-0x0000000002860000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2836-45-0x000000006F610000-0x000000006FBBB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2836-46-0x0000000002820000-0x0000000002860000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2836-85-0x000000006F610000-0x000000006FBBB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2836-48-0x000000006F610000-0x000000006FBBB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2836-50-0x0000000002820000-0x0000000002860000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2884-33-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize

    364KB

    Download
  • memory/2884-41-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize

    364KB

    Download
  • memory/2884-20-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize

    364KB

    Download
  • memory/2884-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2884-27-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize

    364KB

    Download
  • memory/2884-60-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize

    364KB

    Download
  • memory/2884-22-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize

    364KB

    Download
  • memory/2884-91-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize

    364KB

    Download