c838c451a5edbc8ab8bd38a3d8d37623e97fa2f109d60bb7fe7b91d80279dbb5

General

Target

BLTools_v2.9__PRO_.zip
Size

9.9MB
MD5

8586f2582de2dac652004ce8818a7741
SHA1

6c940e8dbe7ddfd23ea0efb79087728651d1aa9f
SHA256

c838c451a5edbc8ab8bd38a3d8d37623e97fa2f109d60bb7fe7b91d80279dbb5
SHA512

ce7cefe5c485316f94ba9034df5839cbaf71f1013b9e78ef313c70427bae9245849a2aa9df05dfd38c47b8719ad00aca5b8f9ce0e8a6d3c7e874b56d003b5e33
SSDEEP

196608:7Zkf5xM9FU495KnWXeWYGLq2uFn440rzX5ub18l3V2aC2/5K5ZD7Reu7ZvTvwqVn:lxvnuWLqR440/pCQ3k4w5Z9ZvzwOSsm2

Score

7^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

BLTools v2.9 [PRO].exeBLTools v2.9 [PRO].exe

pid process

2608 BLTools v2.9 [PRO].exe
2884 BLTools v2.9 [PRO].exe
Loads dropped DLL 12 IoCs

Processes:

WerFault.exe

pid process

1184
1184
1184
1184
1184
1184
1184
1184
2388 WerFault.exe
2388 WerFault.exe
2388 WerFault.exe
2388 WerFault.exe

pid	process
1184
1184
1184
1184
1184
1184
1184
1184
2388	WerFault.exe
2388	WerFault.exe
2388	WerFault.exe
2388	WerFault.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
\Users\Admin\Desktop\BLTools v2.9 [PRO]\BLTools v2.9 [PRO].exe	vmprotect
behavioral1/memory/2608-414-0x000000013F440000-0x0000000140312000-memory.dmp	vmprotect
behavioral1/memory/2884-433-0x000000013F4D0000-0x00000001403A2000-memory.dmp	vmprotect

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

BLTools v2.9 [PRO].exe

description ioc process

File opened (read-only) \??\F: BLTools v2.9 [PRO].exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

BLTools v2.9 [PRO].exeBLTools v2.9 [PRO].exe

pid process

2608 BLTools v2.9 [PRO].exe
2884 BLTools v2.9 [PRO].exe

description	ioc	process
File opened (read-only)	\??\F:	BLTools v2.9 [PRO].exe

flow	ioc
5	ip-api.com

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

BLTools v2.9 [PRO].exeBLTools v2.9 [PRO].exe

pid	process
2608	BLTools v2.9 [PRO].exe
2608	BLTools v2.9 [PRO].exe
2608	BLTools v2.9 [PRO].exe
2608	BLTools v2.9 [PRO].exe
2608	BLTools v2.9 [PRO].exe
2608	BLTools v2.9 [PRO].exe
2608	BLTools v2.9 [PRO].exe
2884	BLTools v2.9 [PRO].exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

2904 7zFM.exe

pid	process
2904	7zFM.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7zFM.exeBLTools v2.9 [PRO].exe

description	pid	process
Token: SeRestorePrivilege	2904	7zFM.exe
Token: 35	2904	7zFM.exe
Token: SeSecurityPrivilege	2904	7zFM.exe
Token: SeShutdownPrivilege	2608	BLTools v2.9 [PRO].exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

7zFM.exe

pid process

2904 7zFM.exe
2904 7zFM.exe

pid	process
2904	7zFM.exe
2904	7zFM.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

BLTools v2.9 [PRO].exe

description	pid	process	target process
PID 2884 wrote to memory of 2388	2884	BLTools v2.9 [PRO].exe	WerFault.exe
PID 2884 wrote to memory of 2388	2884	BLTools v2.9 [PRO].exe	WerFault.exe
PID 2884 wrote to memory of 2388	2884	BLTools v2.9 [PRO].exe	WerFault.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\BLTools_v2.9__PRO_.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2904

C:\Users\Admin\Desktop\BLTools v2.9 [PRO]\BLTools v2.9 [PRO].exe
"C:\Users\Admin\Desktop\BLTools v2.9 [PRO]\BLTools v2.9 [PRO].exe"
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\Users\Admin\Desktop\BLTools v2.9 [PRO]\BLTools v2.9 [PRO].exe
"C:\Users\Admin\Desktop\BLTools v2.9 [PRO]\BLTools v2.9 [PRO].exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2884 -s 260
  2⤵
  - Loads dropped DLL
  PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zE85BBEA96\BLTools v2.9 [PRO]\[Results] Cookies Checker\[16.04.2024] [12.42.58]LOGI 2\YouTube\NoSubscribers.txt

Filesize
8KB

MD5
0847bf790b4d7ec5c05bf5ecf911d3b4

SHA1
6740f67e54ca510b34fbc7e959e062cc004d9c4d

SHA256
8777ed29ad8d3c4fcd45d9e55dd6ce072a32227198ff6ce7bcbdaaa7b5d23055

SHA512
c8ad15124e66eb46a39f42c883b8c6d0241affefa2c77957878b39c49533147da0e3be4c1e31fb1579574c6fc98899ab61d46669aaf04a04dacccd81d6f5d998

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE85BBEA96\BLTools v2.9 [PRO]\[Results] Cookies Checker\[16.04.2024] [12.42.58]LOGI 2\YouTube\Sorted by Year\2023\[0 sub] [0 videos] [0 views] [monetize false] [brand false] [1 channels] [Дата регистрации 20 нояб. 2023 г.].txt

Filesize
2KB

MD5
bef31f66287ccd0f96bc48f105538573

SHA1
05fa574f3a934b69bf4ba3a07626d408ae5ee2e5

SHA256
fcd18d5be13b029daa30f1045c25c15c180642e514de3a84a11620cde73fd279

SHA512
bf23aa02241549a04abd0d6832e637a672b241e873d9eec58b22f4841d6d8cf6086053ec1501496f32943e328462c69843d13f951eb0eed719d3e2ba0c07f0d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE85BBEA96\BLTools v2.9 [PRO]\[Results] Cookies Checker\[16.04.2024] [12.42.58]LOGI 2\YouTube\Subscribers\[11 sub] [4 videos] [47 views] [monetize false] [brand false] [1 channels] [Joined Jan 24, 2015].txt

Filesize
3KB

MD5
01e104c694b1a15a6eda3c381f424e12

SHA1
9b960d2573b71f60605e10e6113c92aedf21c89e

SHA256
89c11a75bbf7fcc2010309b687e47a11b73d5c6ea3933f942cacca573b8164e0

SHA512
5376068d78c10cc6b6bc5315893ec66938bf68a90be029f4c9a7907c71d9569f34ec420fb58b3c567eed60d236c6092debc5c83d608049b524419e2946ad9f9c

Download Submit
\Users\Admin\Desktop\BLTools v2.9 [PRO]\BLTools v2.9 [PRO].exe

Filesize
7.1MB

MD5
bef86c9792f7f8bc658ca1d1bce63c60

SHA1
d7d3fe3ae1e950cd4192d46a0bf6505ec3858689

SHA256
2ebfc2838c33ff2fc3547369bf0e8bcdfe41c245ede9241602f44afbf7c3cfdb

SHA512
6ec05fa9bd6ab5c8f1aaa323c81d9f8ae5905a9dba4c511a57c473f568fa551115442ac325547beaecb5c9813446689be37e0485a8fa78f03bf9e82386a93de7

Download Submit
memory/2608-405-0x00000000774F0000-0x00000000774F2000-memory.dmp

Filesize
8KB

Download
memory/2608-403-0x00000000774F0000-0x00000000774F2000-memory.dmp

Filesize
8KB

Download
memory/2608-407-0x00000000774F0000-0x00000000774F2000-memory.dmp

Filesize
8KB

Download
memory/2608-408-0x0000000077500000-0x0000000077502000-memory.dmp

Filesize
8KB

Download
memory/2608-410-0x0000000077500000-0x0000000077502000-memory.dmp

Filesize
8KB

Download
memory/2608-412-0x0000000077500000-0x0000000077502000-memory.dmp

Filesize
8KB

Download
memory/2608-414-0x000000013F440000-0x0000000140312000-memory.dmp

Filesize
14.8MB

Download
memory/2884-426-0x00000000774F0000-0x00000000774F2000-memory.dmp

Filesize
8KB

Download
memory/2884-431-0x0000000077500000-0x0000000077502000-memory.dmp

Filesize
8KB

Download
memory/2884-433-0x000000013F4D0000-0x00000001403A2000-memory.dmp

Filesize
14.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads