blustealer | dfb02aea4ef548939b2aad3dae07655f55649dcd81ef0d36ed7d9307b4aafea8

Analysis

max time kernel
143s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20220722-en
resource tags

arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system
submitted
27-07-2022 13:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Swift Remittance (M-103)-USD-565.exe
Size

678KB
MD5

acce170c053656447b94bf4f1b47b272
SHA1

2203b6a8201c47b505fc2f65831ecbbcc7f3d65a
SHA256

15f15c2249333a073c8ba95ebd2e8c23d0778ecc0c83fe9bc80d36513037ad2b
SHA512

fafb1564a47cfbf4ae011129c2b52f3db78d4250d59068381d71423df221d23b0e9ef29f9ea5efcd159bcb161d678cdf1a0fb987de6a708f2d83aa13c45c4c8e

Score

10^/10

blustealer stealer

Malware Config

Extracted

Family

blustealer

Credentials

Protocol: smtp
Host:
smtp.ionos.es
Port:
587
Username:
[email protected]
Password:
barkoner

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Loads dropped DLL 2 IoCs

pid	Process
3400	vbc.exe
3400	vbc.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4840 set thread context of 3400	4840	Swift Remittance (M-103)-USD-565.exe	82
PID 3400 set thread context of 2944	3400	vbc.exe	84

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4840	Swift Remittance (M-103)-USD-565.exe
4840	Swift Remittance (M-103)-USD-565.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4840	Swift Remittance (M-103)-USD-565.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3400	vbc.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4840 wrote to memory of 1944	4840	Swift Remittance (M-103)-USD-565.exe	81
PID 4840 wrote to memory of 1944	4840	Swift Remittance (M-103)-USD-565.exe	81
PID 4840 wrote to memory of 1944	4840	Swift Remittance (M-103)-USD-565.exe	81
PID 4840 wrote to memory of 3400	4840	Swift Remittance (M-103)-USD-565.exe	82
PID 4840 wrote to memory of 3400	4840	Swift Remittance (M-103)-USD-565.exe	82
PID 4840 wrote to memory of 3400	4840	Swift Remittance (M-103)-USD-565.exe	82
PID 4840 wrote to memory of 3400	4840	Swift Remittance (M-103)-USD-565.exe	82
PID 4840 wrote to memory of 3400	4840	Swift Remittance (M-103)-USD-565.exe	82
PID 4840 wrote to memory of 3400	4840	Swift Remittance (M-103)-USD-565.exe	82
PID 4840 wrote to memory of 3400	4840	Swift Remittance (M-103)-USD-565.exe	82
PID 4840 wrote to memory of 3400	4840	Swift Remittance (M-103)-USD-565.exe	82
PID 3400 wrote to memory of 2944	3400	vbc.exe	84
PID 3400 wrote to memory of 2944	3400	vbc.exe	84
PID 3400 wrote to memory of 2944	3400	vbc.exe	84
PID 3400 wrote to memory of 2944	3400	vbc.exe	84
PID 3400 wrote to memory of 2944	3400	vbc.exe	84

C:\Users\Admin\AppData\Local\Temp\Swift Remittance (M-103)-USD-565.exe
"C:\Users\Admin\AppData\Local\Temp\Swift Remittance (M-103)-USD-565.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:1944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3400
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
    3⤵
    PID:2944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\3037384246424646303030333036443242464246463030303330\SQLite3_StdCall.dll

Filesize
59KB

MD5
d77b227a28a78627c2323cac75948390

SHA1
e228c3951f2a9fd0febfe07390633ab4f35727f4

SHA256
527ec201dcd7695bd9830eb82ab35a3986121de9ea156193834aed9d79223b82

SHA512
5627fbc8bbb98f644e21f101a68f0e0b07b87c264d00ea227286bed8ab6dd4ebf5114f03b632604f775ff93666a409a1a179a81ebfc9246956ba8150ff5b0587

Download Submit
C:\Users\Public\3037384246424646303030333036443242464246463030303330\sqlite3.dll

Filesize
585KB

MD5
5405413fff79b8d9c747aa900f60f082

SHA1
71caf8907ddd9a3a25d71356bd2ce09bd293bd78

SHA256
3e5a28ffde07ac661c26b6ccf94e64c1c90b1f25b3b24c90605aa922b87642eb

SHA512
2f09a30fc4da5166bd665210fefa1d44ce344f0ec6a37f127d677aeb3ca4fc0d09b7c9c1540f57da1e3449b7f588a1c61115395e965fa153d4baa5033266ed66

Download Submit
memory/2944-147-0x0000000073A20000-0x0000000073FD1000-memory.dmp

Filesize
5.7MB

Download
memory/2944-146-0x0000000073A20000-0x0000000073FD1000-memory.dmp

Filesize
5.7MB

Download
memory/2944-143-0x0000000001140000-0x000000000114E000-memory.dmp

Filesize
56KB

Download
memory/3400-135-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3400-141-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3400-140-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3400-137-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4840-132-0x00000000004B0000-0x000000000055C000-memory.dmp

Filesize
688KB

Download