blustealer | 6d22dfb53e173bdd14f24a6e08bd334596c89bd18519bfd5d9e1371991934ae9

General

Target

104bfff4e7a7f04efd06e865cce96c4d.exe
Size

87KB
MD5

104bfff4e7a7f04efd06e865cce96c4d
SHA1

f05c8e92b0cc671aa27606347026383cfe179309
SHA256

6d22dfb53e173bdd14f24a6e08bd334596c89bd18519bfd5d9e1371991934ae9
SHA512

9be13b498850a8223119afa3d8e26b1e1cf15a4dc60a3130120944868c1ab531a7d274bd95caf98594fda249364f02cbc971355358bac1cb08c9423c0980cec4

Score

10^/10

Family

blustealer

Credentials

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer
Suspicious use of SetThreadContext 1 IoCs

Processes:

104bfff4e7a7f04efd06e865cce96c4d.exe

description pid process target process

PID 2192 set thread context of 3800 2192 104bfff4e7a7f04efd06e865cce96c4d.exe 104bfff4e7a7f04efd06e865cce96c4d.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

104bfff4e7a7f04efd06e865cce96c4d.exe

pid process

2192 104bfff4e7a7f04efd06e865cce96c4d.exe
2192 104bfff4e7a7f04efd06e865cce96c4d.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

104bfff4e7a7f04efd06e865cce96c4d.exe

description pid process

Token: SeDebugPrivilege 2192 104bfff4e7a7f04efd06e865cce96c4d.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

104bfff4e7a7f04efd06e865cce96c4d.exe

pid process

3800 104bfff4e7a7f04efd06e865cce96c4d.exe

description	pid	process	target process
PID 2192 set thread context of 3800	2192	104bfff4e7a7f04efd06e865cce96c4d.exe	104bfff4e7a7f04efd06e865cce96c4d.exe

pid	process
2192	104bfff4e7a7f04efd06e865cce96c4d.exe
2192	104bfff4e7a7f04efd06e865cce96c4d.exe

description	pid	process
Token: SeDebugPrivilege	2192	104bfff4e7a7f04efd06e865cce96c4d.exe

pid	process
3800	104bfff4e7a7f04efd06e865cce96c4d.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

104bfff4e7a7f04efd06e865cce96c4d.exe

description	pid	process	target process
PID 2192 wrote to memory of 3800	2192	104bfff4e7a7f04efd06e865cce96c4d.exe	104bfff4e7a7f04efd06e865cce96c4d.exe
PID 2192 wrote to memory of 3800	2192	104bfff4e7a7f04efd06e865cce96c4d.exe	104bfff4e7a7f04efd06e865cce96c4d.exe
PID 2192 wrote to memory of 3800	2192	104bfff4e7a7f04efd06e865cce96c4d.exe	104bfff4e7a7f04efd06e865cce96c4d.exe
PID 2192 wrote to memory of 3800	2192	104bfff4e7a7f04efd06e865cce96c4d.exe	104bfff4e7a7f04efd06e865cce96c4d.exe
PID 2192 wrote to memory of 3800	2192	104bfff4e7a7f04efd06e865cce96c4d.exe	104bfff4e7a7f04efd06e865cce96c4d.exe
PID 2192 wrote to memory of 3800	2192	104bfff4e7a7f04efd06e865cce96c4d.exe	104bfff4e7a7f04efd06e865cce96c4d.exe
PID 2192 wrote to memory of 3800	2192	104bfff4e7a7f04efd06e865cce96c4d.exe	104bfff4e7a7f04efd06e865cce96c4d.exe
PID 2192 wrote to memory of 3800	2192	104bfff4e7a7f04efd06e865cce96c4d.exe	104bfff4e7a7f04efd06e865cce96c4d.exe

C:\Users\Admin\AppData\Local\Temp\104bfff4e7a7f04efd06e865cce96c4d.exe
"C:\Users\Admin\AppData\Local\Temp\104bfff4e7a7f04efd06e865cce96c4d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Users\Admin\AppData\Local\Temp\104bfff4e7a7f04efd06e865cce96c4d.exe
  C:\Users\Admin\AppData\Local\Temp\104bfff4e7a7f04efd06e865cce96c4d.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3800

memory/2192-115-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/2192-117-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/2192-118-0x0000000005AF0000-0x0000000005C13000-memory.dmp

Filesize
1.1MB

Download
memory/2192-119-0x0000000005EE0000-0x0000000005FDE000-memory.dmp

Filesize
1016KB

Download
memory/3800-120-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/3800-121-0x00000000004027A8-mapping.dmp

Download
memory/3800-122-0x0000000002B30000-0x0000000002B36000-memory.dmp

Filesize
24KB

Download
memory/3800-123-0x0000000002B30000-0x0000000002B3A000-memory.dmp

Filesize
40KB

Download