Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-02-2024 11:46
Static task static1: 1 signatures
Behavioral task behavioral1: sample a64609feb0d9955ae617f71141225cba.exe, resource win7-20240221-en (windows7-x64), 6 signatures, 150 seconds
Behavioral task behavioral2: sample a64609feb0d9955ae617f71141225cba.exe, resource win10v2004-20240221-en (windows10-2004-x64), 9 signatures, 150 seconds
General
Target: a64609feb0d9955ae617f71141225cba.exe
Size: 818KB
MD5: a64609feb0d9955ae617f71141225cba
SHA1: b4a16cda26aad808b1206b683ebce9ec82005a07
SHA256: 5dabf8a97f60ebb9c51e86fc57888989511adf92cfb478c9f7a85cb152c232b2
SHA512: 471c68d7a9789e35255cb09dd4a407642bf655d5543d2991ff4ae8721ec97495907f71bb3fc7692368984246b372ab7ee4a5ba12304e3c259959301a3e60141a
SSDEEP: 12288:KfZFuKzFV3ahKIQGraTQBBZepucskf1GcdB1U03Fl89dHu:Ug63ahdqa7Qf1G4U03G0
Score: 10/10
Malware Config
Extracted
Family: blustealer
Credentials
Protocol: smtp
Host: budgetn.xyz
Port: 587
Username: [email protected]
Password: E6uOyau@R_(Q
Signatures
- BluStealer: a modular information stealer written in Visual Basic.
- Detect ZGRat V1 (34 IoCs)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\suh = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\chrsg\\suh.exe\"" (process: a64609feb0d9955ae617f71141225cba.exe)
- Suspicious use of SetThreadContext (1 IoC)
  PID 1664 (a64609feb0d9955ae617f71141225cba.exe) set thread context of PID 4964 (procid_target 98)
- Suspicious behavior: EnumeratesProcesses (18 IoCs, all from PID 1664 a64609feb0d9955ae617f71141225cba.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 1664 (a64609feb0d9955ae617f71141225cba.exe)
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 4964 (a64609feb0d9955ae617f71141225cba.exe)
- Suspicious use of WriteProcessMemory (20 IoCs, all from PID 1664 a64609feb0d9955ae617f71141225cba.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\a64609feb0d9955ae617f71141225cba.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a64609feb0d9955ae617f71141225cba.exe"
  PID: 1664
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\AppData\Local\Temp\a64609feb0d9955ae617f71141225cba.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\a64609feb0d9955ae617f71141225cba.exe
    PID: 5096
  - C:\Users\Admin\AppData\Local\Temp\a64609feb0d9955ae617f71141225cba.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\a64609feb0d9955ae617f71141225cba.exe
    PID: 2464
  - C:\Users\Admin\AppData\Local\Temp\a64609feb0d9955ae617f71141225cba.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\a64609feb0d9955ae617f71141225cba.exe
    PID: 2028
  - C:\Users\Admin\AppData\Local\Temp\a64609feb0d9955ae617f71141225cba.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\a64609feb0d9955ae617f71141225cba.exe
    PID: 4864
  - C:\Users\Admin\AppData\Local\Temp\a64609feb0d9955ae617f71141225cba.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\a64609feb0d9955ae617f71141225cba.exe
    PID: 4964
    - Suspicious use of SetWindowsHookEx