Resubmissions
19-04-2024 11:12
240419-naxmgaab94
Score: 10
Analysis
max time kernel: 161s
max time network: 212s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-04-2024 11:12
Behavioral task
behavioral1
Sample
BLTools_v2.9__PRO_.zip
Resource
win10v2004-20240412-en
General
Target: BLTools_v2.9__PRO_.zip
Size: 9.9MB
MD5: da3006d8df49741a9f9927149df44aa9
SHA1: b1aff2369d9555a796945f614521a43d0a526a5b
SHA256: af2069fa9c086d6001a8950398afecb4759eba47bb61bcf8a76d3c6230217467
SHA512: 56eec45706aa4be9386e94d0b1f72dfac83252a7fc421fe9bcb73d29e984ab6de2d2aefb0f2e3eba1f6adce0d055904f0717f64e5110ca7284f9bb9be9d33d05
SSDEEP: 196608:KcbRU9MniZdA3D0yBI6t+tnZRUQdNFX6KlAUGkG3GlluFWccrVkm:KcViZ6LBVt+FFDmvGlQFW3um
Malware Config
Signatures
Luca Stealer
Info stealer written in Rust first seen in July 2022.

Executes dropped EXE (1 IoC)
pid 3296: BLTools v2.9 [PRO].exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

resource / yara_rule
behavioral1/files/0x0008000000023414-395.dat: vmprotect
behavioral1/memory/3296-396-0x00007FF680610000-0x00007FF6814E2000-memory.dmp: vmprotect
behavioral1/memory/3296-399-0x00007FF680610000-0x00007FF6814E2000-memory.dmp: vmprotect
behavioral1/memory/3296-450-0x00007FF680610000-0x00007FF6814E2000-memory.dmp: vmprotect

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Enumerates connected drives (3 TTPs, 1 IoC)
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only); ioc: \??\F:; process: BLTools v2.9 [PRO].exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 66; ioc: ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
pid 3296: BLTools v2.9 [PRO].exe

Opens file in notepad (likely ransom note) (1 IoC)
pid 2928: NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid 3296: BLTools v2.9 [PRO].exe (8 occurrences)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description: Token: SeRestorePrivilege; pid 980: 7zG.exe
description: Token: 35; pid 980: 7zG.exe
description: Token: SeSecurityPrivilege; pid 980: 7zG.exe
description: Token: SeSecurityPrivilege; pid 980: 7zG.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid 2928: NOTEPAD.EXE
pid 980: 7zG.exe
Processes
C:\Windows\Explorer.exe
  Command line: C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\BLTools_v2.9__PRO_.zip
  PID: 1932

C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\joker.txt
  PID: 2928
  - Opens file in notepad (likely ransom note)
  - Suspicious use of FindShellTrayWindow

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 1504

C:\Program Files\7-Zip\7zG.exe
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\" -an -ai#7zMap15706:116:7zEvent14382
  PID: 980
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Users\Admin\AppData\Local\Temp\BLTools_v2.9__PRO_\BLTools v2.9 [PRO]\BLTools v2.9 [PRO].exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\BLTools_v2.9__PRO_\BLTools v2.9 [PRO]\BLTools v2.9 [PRO].exe"
  PID: 3296
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 7.1MB
MD5: bef86c9792f7f8bc658ca1d1bce63c60
SHA1: d7d3fe3ae1e950cd4192d46a0bf6505ec3858689
SHA256: 2ebfc2838c33ff2fc3547369bf0e8bcdfe41c245ede9241602f44afbf7c3cfdb
SHA512: 6ec05fa9bd6ab5c8f1aaa323c81d9f8ae5905a9dba4c511a57c473f568fa551115442ac325547beaecb5c9813446689be37e0485a8fa78f03bf9e82386a93de7

C:\Users\Admin\AppData\Local\Temp\BLTools_v2.9__PRO_\BLTools v2.9 [PRO]\[Results] Cookies Checker\[16.04.2024] [12.42.58]LOGI 2\YouTube\NoSubscribers\[0 sub] [0 videos] [0 views] [monetize false] [brand false] [1 channels] [Se unió el 20 ene 2021].txt
Filesize: 5KB
MD5: b8c0fb06925ca1677e8bdf8386b3cc9a
SHA1: 62aeea0028c76df3989e6f81cc02d42327d64ef5
SHA256: a43dba6ae6d2ec01b7ae8452584e255ff854dde38fd407bb1aabad0f29af61ee
SHA512: 279f30d1a6188c02714efd0ebe0e6992e415c556504d8eee4393a7797e1a34e46a6b4eefb39ffeb69f0c2368fecca1762d64d50b3e7065f93e20a6c3c3cf7015

C:\Users\Admin\AppData\Local\Temp\BLTools_v2.9__PRO_\BLTools v2.9 [PRO]\[Results] Cookies Checker\[16.04.2024] [12.42.58]LOGI 2\YouTube\Sorted by Year\2023\[0 sub] [0 videos] [0 views] [monetize false] [brand false] [1 channels] [Дата регистрации 20 нояб. 2023 г.].txt
Filesize: 2KB
MD5: bef31f66287ccd0f96bc48f105538573
SHA1: 05fa574f3a934b69bf4ba3a07626d408ae5ee2e5
SHA256: fcd18d5be13b029daa30f1045c25c15c180642e514de3a84a11620cde73fd279
SHA512: bf23aa02241549a04abd0d6832e637a672b241e873d9eec58b22f4841d6d8cf6086053ec1501496f32943e328462c69843d13f951eb0eed719d3e2ba0c07f0d9

C:\Users\Admin\AppData\Local\Temp\BLTools_v2.9__PRO_\BLTools v2.9 [PRO]\[Results] Cookies Checker\[16.04.2024] [12.42.58]LOGI 2\YouTube\Subscribers.txt
Filesize: 3KB
MD5: 01e104c694b1a15a6eda3c381f424e12
SHA1: 9b960d2573b71f60605e10e6113c92aedf21c89e
SHA256: 89c11a75bbf7fcc2010309b687e47a11b73d5c6ea3933f942cacca573b8164e0
SHA512: 5376068d78c10cc6b6bc5315893ec66938bf68a90be029f4c9a7907c71d9569f34ec420fb58b3c567eed60d236c6092debc5c83d608049b524419e2946ad9f9c

Filesize: 162B
MD5: dcf8460736b44df4d74df47f0542c3e1
SHA1: 3455fed6e6b178ca7739ae662b3d759002ff6560
SHA256: 85ca60defb5631cb5f68ae8a17770e7a7473f98d3de8debac398ad9057a7ff28
SHA512: 27773d48d06f095675ad0d178504b560af1ca70652f911b88ca38bdaff6ad72cd7e717d90357d77e279d030f4f1a519b5c4826a5605103f489a7ebd270a8c458