blustealer | ea5a8a4d5e3180f4958be147f31947948eb8f1fd1c5f2a841988acc8d05d3a4c

Analysis

max time kernel
43s
max time network
46s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
27-07-2022 06:03

Target

sample.pdf.exe
Size

201KB
MD5

2aa93fb4ec6c724e0cf33e46519600d6
SHA1

ccb75105251231f5c30ced69d08a6fd9d8a06637
SHA256

ea5a8a4d5e3180f4958be147f31947948eb8f1fd1c5f2a841988acc8d05d3a4c
SHA512

da8dcb7b30fd00ed98b0c6ad6efcd56a1b0b84a6799bf83263da4744b6b8a4cfb35a395bdc9639d3f6e4f94793c02ff4ff9d0f6eb8b5b9890e702a2aa7866e9b

Score

10^/10

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1856 set thread context of 2004	1856	sample.pdf.exe	27

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2004	cvtres.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 2004	1856	sample.pdf.exe	27
PID 1856 wrote to memory of 2004	1856	sample.pdf.exe	27
PID 1856 wrote to memory of 2004	1856	sample.pdf.exe	27
PID 1856 wrote to memory of 2004	1856	sample.pdf.exe	27
PID 1856 wrote to memory of 2004	1856	sample.pdf.exe	27
PID 1856 wrote to memory of 2004	1856	sample.pdf.exe	27
PID 1856 wrote to memory of 2004	1856	sample.pdf.exe	27
PID 1856 wrote to memory of 2004	1856	sample.pdf.exe	27
PID 1856 wrote to memory of 2004	1856	sample.pdf.exe	27

C:\Users\Admin\AppData\Local\Temp\sample.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\sample.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2004

memory/1856-54-0x0000000000210000-0x0000000000246000-memory.dmp

Filesize
216KB

Download
memory/1856-55-0x00000000004B0000-0x00000000004D6000-memory.dmp

Filesize
152KB

Download
memory/1856-56-0x0000000000520000-0x0000000000548000-memory.dmp

Filesize
160KB

Download
memory/2004-57-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2004-58-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2004-60-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2004-62-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2004-65-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2004-68-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download