Resubmissions

19-04-2024 11:12

240419-naxmgaab94 10

Analysis

  • max time kernel
    161s
  • max time network
    212s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-04-2024 11:12

General

  • Target

    BLTools_v2.9__PRO_.zip

  • Size

    9.9MB

  • MD5

    da3006d8df49741a9f9927149df44aa9

  • SHA1

    b1aff2369d9555a796945f614521a43d0a526a5b

  • SHA256

    af2069fa9c086d6001a8950398afecb4759eba47bb61bcf8a76d3c6230217467

  • SHA512

    56eec45706aa4be9386e94d0b1f72dfac83252a7fc421fe9bcb73d29e984ab6de2d2aefb0f2e3eba1f6adce0d055904f0717f64e5110ca7284f9bb9be9d33d05

  • SSDEEP

    196608:KcbRU9MniZdA3D0yBI6t+tnZRUQdNFX6KlAUGkG3GlluFWccrVkm:KcViZ6LBVt+FFDmvGlQFW3um

Malware Config

Signatures

  • Luca Stealer

    Info stealer written in Rust first seen in July 2022.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • VMProtect packed file 4 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\BLTools_v2.9__PRO_.zip
    1⤵
      PID:1932
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\joker.txt
      1⤵
      • Opens file in notepad (likely ransom note)
      • Suspicious use of FindShellTrayWindow
      PID:2928
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:1504
      • C:\Program Files\7-Zip\7zG.exe
        "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\" -an -ai#7zMap15706:116:7zEvent14382
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:980
      • C:\Users\Admin\AppData\Local\Temp\BLTools_v2.9__PRO_\BLTools v2.9 [PRO]\BLTools v2.9 [PRO].exe
        "C:\Users\Admin\AppData\Local\Temp\BLTools_v2.9__PRO_\BLTools v2.9 [PRO]\BLTools v2.9 [PRO].exe"
        1⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        PID:3296

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\BLTools_v2.9__PRO_\BLTools v2.9 [PRO]\BLTools v2.9 [PRO].exe

        Filesize

        7.1MB

        MD5

        bef86c9792f7f8bc658ca1d1bce63c60

        SHA1

        d7d3fe3ae1e950cd4192d46a0bf6505ec3858689

        SHA256

        2ebfc2838c33ff2fc3547369bf0e8bcdfe41c245ede9241602f44afbf7c3cfdb

        SHA512

        6ec05fa9bd6ab5c8f1aaa323c81d9f8ae5905a9dba4c511a57c473f568fa551115442ac325547beaecb5c9813446689be37e0485a8fa78f03bf9e82386a93de7

      • C:\Users\Admin\AppData\Local\Temp\BLTools_v2.9__PRO_\BLTools v2.9 [PRO]\[Results] Cookies Checker\[16.04.2024] [12.42.58]LOGI 2\YouTube\NoSubscribers\[0 sub] [0 videos] [0 views] [monetize false] [brand false] [1 channels] [Se uni¿« el 20 ene 2021].txt

        Filesize

        5KB

        MD5

        b8c0fb06925ca1677e8bdf8386b3cc9a

        SHA1

        62aeea0028c76df3989e6f81cc02d42327d64ef5

        SHA256

        a43dba6ae6d2ec01b7ae8452584e255ff854dde38fd407bb1aabad0f29af61ee

        SHA512

        279f30d1a6188c02714efd0ebe0e6992e415c556504d8eee4393a7797e1a34e46a6b4eefb39ffeb69f0c2368fecca1762d64d50b3e7065f93e20a6c3c3cf7015

      • C:\Users\Admin\AppData\Local\Temp\BLTools_v2.9__PRO_\BLTools v2.9 [PRO]\[Results] Cookies Checker\[16.04.2024] [12.42.58]LOGI 2\YouTube\Sorted by Year\2023\[0 sub] [0 videos] [0 views] [monetize false] [brand false] [1 channels] [Дата регистрации 20 нояб. 2023 г.].txt

        Filesize

        2KB

        MD5

        bef31f66287ccd0f96bc48f105538573

        SHA1

        05fa574f3a934b69bf4ba3a07626d408ae5ee2e5

        SHA256

        fcd18d5be13b029daa30f1045c25c15c180642e514de3a84a11620cde73fd279

        SHA512

        bf23aa02241549a04abd0d6832e637a672b241e873d9eec58b22f4841d6d8cf6086053ec1501496f32943e328462c69843d13f951eb0eed719d3e2ba0c07f0d9

      • C:\Users\Admin\AppData\Local\Temp\BLTools_v2.9__PRO_\BLTools v2.9 [PRO]\[Results] Cookies Checker\[16.04.2024] [12.42.58]LOGI 2\YouTube\Subscribers.txt

        Filesize

        3KB

        MD5

        01e104c694b1a15a6eda3c381f424e12

        SHA1

        9b960d2573b71f60605e10e6113c92aedf21c89e

        SHA256

        89c11a75bbf7fcc2010309b687e47a11b73d5c6ea3933f942cacca573b8164e0

        SHA512

        5376068d78c10cc6b6bc5315893ec66938bf68a90be029f4c9a7907c71d9569f34ec420fb58b3c567eed60d236c6092debc5c83d608049b524419e2946ad9f9c

      • C:\Users\Admin\AppData\Local\sensfiles.zip

        Filesize

        162B

        MD5

        dcf8460736b44df4d74df47f0542c3e1

        SHA1

        3455fed6e6b178ca7739ae662b3d759002ff6560

        SHA256

        85ca60defb5631cb5f68ae8a17770e7a7473f98d3de8debac398ad9057a7ff28

        SHA512

        27773d48d06f095675ad0d178504b560af1ca70652f911b88ca38bdaff6ad72cd7e717d90357d77e279d030f4f1a519b5c4826a5605103f489a7ebd270a8c458

      • memory/3296-396-0x00007FF680610000-0x00007FF6814E2000-memory.dmp

        Filesize

        14.8MB

      • memory/3296-398-0x00007FF8A5480000-0x00007FF8A5482000-memory.dmp

        Filesize

        8KB

      • memory/3296-397-0x00007FF8A5470000-0x00007FF8A5472000-memory.dmp

        Filesize

        8KB

      • memory/3296-399-0x00007FF680610000-0x00007FF6814E2000-memory.dmp

        Filesize

        14.8MB

      • memory/3296-450-0x00007FF680610000-0x00007FF6814E2000-memory.dmp

        Filesize

        14.8MB