blustealer | ee2dcb13a7dfaeaa3aea32272b9ea2b54afee47edf4234b299e8e8c89c631bf2 | Triage

Sharing

General

Target

SecuriteInfo.com.W32.AIDetectNet.01.9499.14648
Size

781KB
Sample

220727-feh1wadha5
MD5

2363b71b194a80c4ee951a41e2c5b645
SHA1

02c724cdcbb3b7569deb2e1cb8211d5dc31b3532
SHA256

ee2dcb13a7dfaeaa3aea32272b9ea2b54afee47edf4234b299e8e8c89c631bf2
SHA512

d72efbfaa04df1dc400e958128dc875eb6cb856292ea9275e478b0a9a2b60ef342514d61652f96e20437ea90a14680f9dd3b852f45707345c5d078f25e018104

Score

10^/10

blustealer persistence stealer

Malware Config

Extracted

Family

blustealer

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
B9@jPT5115

Targets

- Target
  
  SecuriteInfo.com.W32.AIDetectNet.01.9499.14648
- Size
  
  781KB
- MD5
  
  2363b71b194a80c4ee951a41e2c5b645
- SHA1
  
  02c724cdcbb3b7569deb2e1cb8211d5dc31b3532
- SHA256
  
  ee2dcb13a7dfaeaa3aea32272b9ea2b54afee47edf4234b299e8e8c89c631bf2
- SHA512
  
  d72efbfaa04df1dc400e958128dc875eb6cb856292ea9275e478b0a9a2b60ef342514d61652f96e20437ea90a14680f9dd3b852f45707345c5d078f25e018104
Score

10^/10

blustealer persistence stealer
- BluStealer
  A Modular information stealer written in Visual Basic.
  stealer blustealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

blustealerpersistencestealer

behavioral2

blustealerpersistencestealer