blustealer | fd962f72de43438e9d5d9c104deffb4c66ff599a670eabddc9ce47c3ace31e4e

General

Target

AMC-C1702-2022-TRADING.exe
Size

823KB
MD5

7cb6bad3520dfe8cf6f6c430eb822230
SHA1

79c40a60a489e81e0984e3fd5977086b82d4da7e
SHA256

5acba03de2ea77f11d0ad772a6141ca9e6f3305c00a468ebcb10c2608722a474
SHA512

eeda9a5473768cc80f3f2e6229cea0049932d239cf6762395647b52cfeb4dde75980425889ebb0002e260ed8015cb812c7265cc7c6455acb35a9c4df5e5c2634

Score

10^/10

blustealer stealer

Malware Config

Extracted

Family

blustealer

Credentials

Protocol: smtp
Host:
smtp.ionos.es
Port:
587
Username:
[email protected]
Password:
barkoner

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Loads dropped DLL 2 IoCs

pid	Process
1980	vbc.exe
1980	vbc.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1824 set thread context of 1980	1824	AMC-C1702-2022-TRADING.exe	26
PID 1980 set thread context of 1836	1980	vbc.exe	28

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1980	vbc.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 1980	1824	AMC-C1702-2022-TRADING.exe	26
PID 1824 wrote to memory of 1980	1824	AMC-C1702-2022-TRADING.exe	26
PID 1824 wrote to memory of 1980	1824	AMC-C1702-2022-TRADING.exe	26
PID 1824 wrote to memory of 1980	1824	AMC-C1702-2022-TRADING.exe	26
PID 1824 wrote to memory of 1980	1824	AMC-C1702-2022-TRADING.exe	26
PID 1824 wrote to memory of 1980	1824	AMC-C1702-2022-TRADING.exe	26
PID 1824 wrote to memory of 1980	1824	AMC-C1702-2022-TRADING.exe	26
PID 1824 wrote to memory of 1980	1824	AMC-C1702-2022-TRADING.exe	26
PID 1824 wrote to memory of 1980	1824	AMC-C1702-2022-TRADING.exe	26
PID 1980 wrote to memory of 1836	1980	vbc.exe	28
PID 1980 wrote to memory of 1836	1980	vbc.exe	28
PID 1980 wrote to memory of 1836	1980	vbc.exe	28
PID 1980 wrote to memory of 1836	1980	vbc.exe	28
PID 1980 wrote to memory of 1836	1980	vbc.exe	28
PID 1980 wrote to memory of 1836	1980	vbc.exe	28
PID 1980 wrote to memory of 1836	1980	vbc.exe	28
PID 1980 wrote to memory of 1836	1980	vbc.exe	28
PID 1980 wrote to memory of 1836	1980	vbc.exe	28

C:\Users\Admin\AppData\Local\Temp\AMC-C1702-2022-TRADING.exe
"C:\Users\Admin\AppData\Local\Temp\AMC-C1702-2022-TRADING.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
    3⤵
    PID:1836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Public\3037384246424646303030333036443242464246463030303330\SQLite3_StdCall.dll

Filesize
59KB

MD5
d77b227a28a78627c2323cac75948390

SHA1
e228c3951f2a9fd0febfe07390633ab4f35727f4

SHA256
527ec201dcd7695bd9830eb82ab35a3986121de9ea156193834aed9d79223b82

SHA512
5627fbc8bbb98f644e21f101a68f0e0b07b87c264d00ea227286bed8ab6dd4ebf5114f03b632604f775ff93666a409a1a179a81ebfc9246956ba8150ff5b0587

Download Submit
\Users\Public\3037384246424646303030333036443242464246463030303330\sqlite3.dll

Filesize
585KB

MD5
5405413fff79b8d9c747aa900f60f082

SHA1
71caf8907ddd9a3a25d71356bd2ce09bd293bd78

SHA256
3e5a28ffde07ac661c26b6ccf94e64c1c90b1f25b3b24c90605aa922b87642eb

SHA512
2f09a30fc4da5166bd665210fefa1d44ce344f0ec6a37f127d677aeb3ca4fc0d09b7c9c1540f57da1e3449b7f588a1c61115395e965fa153d4baa5033266ed66

Download Submit
memory/1824-55-0x0000000000600000-0x000000000069A000-memory.dmp

Filesize
616KB

Download
memory/1824-56-0x0000000000350000-0x00000000003EC000-memory.dmp

Filesize
624KB

Download
memory/1824-54-0x0000000000900000-0x00000000009D4000-memory.dmp

Filesize
848KB

Download
memory/1836-72-0x0000000000090000-0x000000000009E000-memory.dmp

Filesize
56KB

Download
memory/1836-81-0x0000000073DB0000-0x000000007435B000-memory.dmp

Filesize
5.7MB

Download
memory/1836-77-0x0000000000090000-0x000000000009E000-memory.dmp

Filesize
56KB

Download
memory/1836-75-0x0000000000090000-0x000000000009E000-memory.dmp

Filesize
56KB

Download
memory/1836-70-0x0000000000090000-0x000000000009E000-memory.dmp

Filesize
56KB

Download
memory/1980-58-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1980-69-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1980-68-0x0000000075511000-0x0000000075513000-memory.dmp

Filesize
8KB

Download
memory/1980-62-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1980-60-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1980-57-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1980-82-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing