c838c451a5edbc8ab8bd38a3d8d37623e97fa2f109d60bb7fe7b91d80279dbb5

General

Target

BLTools_v2.9__PRO_.zip
Size

9.9MB
MD5

8586f2582de2dac652004ce8818a7741
SHA1

6c940e8dbe7ddfd23ea0efb79087728651d1aa9f
SHA256

c838c451a5edbc8ab8bd38a3d8d37623e97fa2f109d60bb7fe7b91d80279dbb5
SHA512

ce7cefe5c485316f94ba9034df5839cbaf71f1013b9e78ef313c70427bae9245849a2aa9df05dfd38c47b8719ad00aca5b8f9ce0e8a6d3c7e874b56d003b5e33
SSDEEP

196608:7Zkf5xM9FU495KnWXeWYGLq2uFn440rzX5ub18l3V2aC2/5K5ZD7Reu7ZvTvwqVn:lxvnuWLqR440/pCQ3k4w5Z9ZvzwOSsm2

Score

7^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2608	BLTools v2.9 [PRO].exe
2884	BLTools v2.9 [PRO].exe

Loads dropped DLL 12 IoCs

pid	Process
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
2388	WerFault.exe
2388	WerFault.exe
2388	WerFault.exe
2388	WerFault.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x0007000000016d36-394.dat	vmprotect
behavioral1/memory/2608-414-0x000000013F440000-0x0000000140312000-memory.dmp	vmprotect
behavioral1/memory/2884-433-0x000000013F4D0000-0x00000001403A2000-memory.dmp	vmprotect

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	BLTools v2.9 [PRO].exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2608	BLTools v2.9 [PRO].exe
2884	BLTools v2.9 [PRO].exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2608	BLTools v2.9 [PRO].exe
2608	BLTools v2.9 [PRO].exe
2608	BLTools v2.9 [PRO].exe
2608	BLTools v2.9 [PRO].exe
2608	BLTools v2.9 [PRO].exe
2608	BLTools v2.9 [PRO].exe
2608	BLTools v2.9 [PRO].exe
2884	BLTools v2.9 [PRO].exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2904	7zFM.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	2904	7zFM.exe
Token: 35	2904	7zFM.exe
Token: SeSecurityPrivilege	2904	7zFM.exe
Token: SeShutdownPrivilege	2608	BLTools v2.9 [PRO].exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2904	7zFM.exe
2904	7zFM.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2388	2884	BLTools v2.9 [PRO].exe	33
PID 2884 wrote to memory of 2388	2884	BLTools v2.9 [PRO].exe	33
PID 2884 wrote to memory of 2388	2884	BLTools v2.9 [PRO].exe	33

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\BLTools_v2.9__PRO_.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2904

C:\Users\Admin\Desktop\BLTools v2.9 [PRO]\BLTools v2.9 [PRO].exe
"C:\Users\Admin\Desktop\BLTools v2.9 [PRO]\BLTools v2.9 [PRO].exe"
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\Users\Admin\Desktop\BLTools v2.9 [PRO]\BLTools v2.9 [PRO].exe
"C:\Users\Admin\Desktop\BLTools v2.9 [PRO]\BLTools v2.9 [PRO].exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2884 -s 260
  2⤵
  - Loads dropped DLL
  PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zE85BBEA96\BLTools v2.9 [PRO]\[Results] Cookies Checker\[16.04.2024] [12.42.58]LOGI 2\YouTube\NoSubscribers.txt

Filesize
8KB

MD5
0847bf790b4d7ec5c05bf5ecf911d3b4

SHA1
6740f67e54ca510b34fbc7e959e062cc004d9c4d

SHA256
8777ed29ad8d3c4fcd45d9e55dd6ce072a32227198ff6ce7bcbdaaa7b5d23055

SHA512
c8ad15124e66eb46a39f42c883b8c6d0241affefa2c77957878b39c49533147da0e3be4c1e31fb1579574c6fc98899ab61d46669aaf04a04dacccd81d6f5d998

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE85BBEA96\BLTools v2.9 [PRO]\[Results] Cookies Checker\[16.04.2024] [12.42.58]LOGI 2\YouTube\Sorted by Year\2023\[0 sub] [0 videos] [0 views] [monetize false] [brand false] [1 channels] [Дата регистрации 20 нояб. 2023 г.].txt

Filesize
2KB

MD5
bef31f66287ccd0f96bc48f105538573

SHA1
05fa574f3a934b69bf4ba3a07626d408ae5ee2e5

SHA256
fcd18d5be13b029daa30f1045c25c15c180642e514de3a84a11620cde73fd279

SHA512
bf23aa02241549a04abd0d6832e637a672b241e873d9eec58b22f4841d6d8cf6086053ec1501496f32943e328462c69843d13f951eb0eed719d3e2ba0c07f0d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE85BBEA96\BLTools v2.9 [PRO]\[Results] Cookies Checker\[16.04.2024] [12.42.58]LOGI 2\YouTube\Subscribers\[11 sub] [4 videos] [47 views] [monetize false] [brand false] [1 channels] [Joined Jan 24, 2015].txt

Filesize
3KB

MD5
01e104c694b1a15a6eda3c381f424e12

SHA1
9b960d2573b71f60605e10e6113c92aedf21c89e

SHA256
89c11a75bbf7fcc2010309b687e47a11b73d5c6ea3933f942cacca573b8164e0

SHA512
5376068d78c10cc6b6bc5315893ec66938bf68a90be029f4c9a7907c71d9569f34ec420fb58b3c567eed60d236c6092debc5c83d608049b524419e2946ad9f9c

Download Submit
\Users\Admin\Desktop\BLTools v2.9 [PRO]\BLTools v2.9 [PRO].exe

Filesize
7.1MB

MD5
bef86c9792f7f8bc658ca1d1bce63c60

SHA1
d7d3fe3ae1e950cd4192d46a0bf6505ec3858689

SHA256
2ebfc2838c33ff2fc3547369bf0e8bcdfe41c245ede9241602f44afbf7c3cfdb

SHA512
6ec05fa9bd6ab5c8f1aaa323c81d9f8ae5905a9dba4c511a57c473f568fa551115442ac325547beaecb5c9813446689be37e0485a8fa78f03bf9e82386a93de7

Download Submit
memory/2608-405-0x00000000774F0000-0x00000000774F2000-memory.dmp

Filesize
8KB

Download
memory/2608-403-0x00000000774F0000-0x00000000774F2000-memory.dmp

Filesize
8KB

Download
memory/2608-407-0x00000000774F0000-0x00000000774F2000-memory.dmp

Filesize
8KB

Download
memory/2608-408-0x0000000077500000-0x0000000077502000-memory.dmp

Filesize
8KB

Download
memory/2608-410-0x0000000077500000-0x0000000077502000-memory.dmp

Filesize
8KB

Download
memory/2608-412-0x0000000077500000-0x0000000077502000-memory.dmp

Filesize
8KB

Download
memory/2608-414-0x000000013F440000-0x0000000140312000-memory.dmp

Filesize
14.8MB

Download
memory/2884-426-0x00000000774F0000-0x00000000774F2000-memory.dmp

Filesize
8KB

Download
memory/2884-431-0x0000000077500000-0x0000000077502000-memory.dmp

Filesize
8KB

Download
memory/2884-433-0x000000013F4D0000-0x00000001403A2000-memory.dmp

Filesize
14.8MB

Download

Analysis

Sharing