blustealer | aae211073286323b13bb03ad59c97ad540a46b7f89eb68f172d3358b5f055350

General

Target

doc3723636638837373344.exe
Size

546KB
MD5

bb0f727180c9b29e51c9ab2a9b4c539c
SHA1

ccd4d7a83603d2471aabb0caf2e1196b9193b586
SHA256

2b6b5926ec7e5d6acea355bbd8f43a89850ed85e0c3739edfad2608ead9f1573
SHA512

ce0670de14582f900b89149cb63fdfe171d188a1a7752d72ed068e57775c54557817acd09148d93725bd52456ed901de8e6b6d0fec0d064b24b46fa8dab7e5d5

Score

10^/10

blustealer stealer

Malware Config

Extracted

Family

blustealer

Credentials

Protocol: smtp
Host:
mail.yekamuhendislik.com
Port:
587
Username:
[email protected]
Password:
MuhasebE123*

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer
Suspicious use of SetThreadContext 1 IoCs

Processes:

doc3723636638837373344.exe

description pid process target process

PID 3484 set thread context of 1536 3484 doc3723636638837373344.exe doc3723636638837373344.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3320 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

doc3723636638837373344.exe

pid process

3484 doc3723636638837373344.exe
3484 doc3723636638837373344.exe
3484 doc3723636638837373344.exe
3484 doc3723636638837373344.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

doc3723636638837373344.exe

description pid process

Token: SeDebugPrivilege 3484 doc3723636638837373344.exe

description	pid	process	target process
PID 3484 set thread context of 1536	3484	doc3723636638837373344.exe	doc3723636638837373344.exe

pid	process
3320	schtasks.exe

pid	process
3484	doc3723636638837373344.exe
3484	doc3723636638837373344.exe
3484	doc3723636638837373344.exe
3484	doc3723636638837373344.exe

description	pid	process
Token: SeDebugPrivilege	3484	doc3723636638837373344.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

doc3723636638837373344.exe

description	pid	process	target process
PID 3484 wrote to memory of 3320	3484	doc3723636638837373344.exe	schtasks.exe
PID 3484 wrote to memory of 3320	3484	doc3723636638837373344.exe	schtasks.exe
PID 3484 wrote to memory of 3320	3484	doc3723636638837373344.exe	schtasks.exe
PID 3484 wrote to memory of 1536	3484	doc3723636638837373344.exe	doc3723636638837373344.exe
PID 3484 wrote to memory of 1536	3484	doc3723636638837373344.exe	doc3723636638837373344.exe
PID 3484 wrote to memory of 1536	3484	doc3723636638837373344.exe	doc3723636638837373344.exe
PID 3484 wrote to memory of 1536	3484	doc3723636638837373344.exe	doc3723636638837373344.exe
PID 3484 wrote to memory of 1536	3484	doc3723636638837373344.exe	doc3723636638837373344.exe
PID 3484 wrote to memory of 1536	3484	doc3723636638837373344.exe	doc3723636638837373344.exe
PID 3484 wrote to memory of 1536	3484	doc3723636638837373344.exe	doc3723636638837373344.exe
PID 3484 wrote to memory of 1536	3484	doc3723636638837373344.exe	doc3723636638837373344.exe

C:\Users\Admin\AppData\Local\Temp\doc3723636638837373344.exe
"C:\Users\Admin\AppData\Local\Temp\doc3723636638837373344.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3484
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ARXXSy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7309.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:3320
- C:\Users\Admin\AppData\Local\Temp\doc3723636638837373344.exe
  "C:\Users\Admin\AppData\Local\Temp\doc3723636638837373344.exe"
  2⤵
  PID:1536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1536-125-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1536-126-0x0000000000401B9C-mapping.dmp

Download
memory/3320-124-0x0000000000000000-mapping.dmp

Download
memory/3484-115-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/3484-117-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download
memory/3484-118-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/3484-119-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

Filesize
4KB

Download
memory/3484-120-0x0000000004F10000-0x000000000540E000-memory.dmp

Filesize
5.0MB

Download
memory/3484-121-0x0000000005010000-0x0000000005016000-memory.dmp

Filesize
24KB

Download
memory/3484-122-0x0000000005BB0000-0x0000000005BB1000-memory.dmp

Filesize
4KB

Download
memory/3484-123-0x0000000005D50000-0x0000000005DC9000-memory.dmp

Filesize
484KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads