Overview

overview

10

Static

static

7

BLTools v2...O].exe

windows10-2004-x64

10

Analysis

  • max time kernel
    40s
  • max time network
    35s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-05-2024 12:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    BLTools v2.9 [PRO].exe

  • Size

    7.1MB

  • MD5

    bef86c9792f7f8bc658ca1d1bce63c60

  • SHA1

    d7d3fe3ae1e950cd4192d46a0bf6505ec3858689

  • SHA256

    2ebfc2838c33ff2fc3547369bf0e8bcdfe41c245ede9241602f44afbf7c3cfdb

  • SHA512

    6ec05fa9bd6ab5c8f1aaa323c81d9f8ae5905a9dba4c511a57c473f568fa551115442ac325547beaecb5c9813446689be37e0485a8fa78f03bf9e82386a93de7

  • SSDEEP

    98304:LinmCgeyQbyt5fTQ7lN7jGb5XQueha05FK7Km53t/VXCRjwsRMJnq2ISUMRlEGy:L0/UVQ7D+b56ha07K7KettcVFcIG

Score
10/10
lucastealerspywarestealervmprotect

Malware Config

Signatures

  • Luca Stealer

    Info stealer written in Rust first seen in July 2022.

    stealerlucastealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • VMProtect packed file 2 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\BLTools v2.9 [PRO].exe
    "C:\Users\Admin\AppData\Local\Temp\BLTools v2.9 [PRO].exe"
    1⤵
    • Enumerates connected drives
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:988
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x4f4 0x4ec
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:968
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:2544

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\sensfiles.zip
      Filesize

      1.1MB

      MD5

      7b3579220043b695d6fb78ac07b58c98

      SHA1

      dc6bca6c1ed95bd54e59128165ec3a53b227d0fd

      SHA256

      2a88d713e253a1cd9ac0f8c78873dcf0fe378a0b2cfda0ad225c5127fb614053

      SHA512

      8ac3e8b36de395e28601a8f3ec3d688619695b6028dedd7e965a11fd0f02cce95a6570e4378d3221e4f3e0aad08f6ab21cabd05d4fbff2ecd58ddcff5444ad7b

      Download Submit

    • memory/988-0-0x00007FF6DB140000-0x00007FF6DB4B4000-memory.dmp

      Filesize

      3.5MB

      Download

    • memory/988-1-0x00007FFD5C8B0000-0x00007FFD5C8B2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/988-2-0x00007FFD5C8C0000-0x00007FFD5C8C2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/988-3-0x00007FF6DAD00000-0x00007FF6DBBD2000-memory.dmp

      Filesize

      14.8MB

      Download

    • memory/988-54-0x00007FF6DB140000-0x00007FF6DB4B4000-memory.dmp

      Filesize

      3.5MB

      Download

    • memory/988-55-0x00007FF6DAD00000-0x00007FF6DBBD2000-memory.dmp

      Filesize

      14.8MB

      Download