blustealer | 5e26cb68b7cd24df50916757dd43c5357bcee359d05d8d8649749fdce26d540c

General

Target

SecuriteInfo.com.W32.AIDetectNet.01.22897.exe
Size

825KB
MD5

f10789db721c1dfdf2e74554508f23e7
SHA1

12a2fb70d4e7358fc53e5f19ddfc91ae0f2ea018
SHA256

5e26cb68b7cd24df50916757dd43c5357bcee359d05d8d8649749fdce26d540c
SHA512

72a4cf5ca2d2fe08ee4b1b667e215801d750d1d8580d1fad90e06f0caf579b23969cda58a3534c1777a9617470aac784ba13ce4587ea3e856e7d2858480b7e49

Score

10^/10

blustealer persistence spyware stealer

Malware Config

Extracted

Family

blustealer

Credentials

Protocol: smtp
Host:
smtp.yandex.ru
Port:
587
Username:
[email protected]
Password:
*LQ.2{zR5.5z4aXnk*

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	SecuriteInfo.com.W32.AIDetectNet.01.22897.exe

Loads dropped DLL 2 IoCs

pid	Process
4276	SecuriteInfo.com.W32.AIDetectNet.01.22897.exe
4276	SecuriteInfo.com.W32.AIDetectNet.01.22897.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Uarexqz = "\"C:\\Users\\Admin\\AppData\\Roaming\\Lwsbz\\Uarexqz.exe\""	SecuriteInfo.com.W32.AIDetectNet.01.22897.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4448 set thread context of 4276	4448	SecuriteInfo.com.W32.AIDetectNet.01.22897.exe	84
PID 4276 set thread context of 4952	4276	SecuriteInfo.com.W32.AIDetectNet.01.22897.exe	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
5112	powershell.exe
5112	powershell.exe
4448	SecuriteInfo.com.W32.AIDetectNet.01.22897.exe
4448	SecuriteInfo.com.W32.AIDetectNet.01.22897.exe
4448	SecuriteInfo.com.W32.AIDetectNet.01.22897.exe
4448	SecuriteInfo.com.W32.AIDetectNet.01.22897.exe
4448	SecuriteInfo.com.W32.AIDetectNet.01.22897.exe
4448	SecuriteInfo.com.W32.AIDetectNet.01.22897.exe
4448	SecuriteInfo.com.W32.AIDetectNet.01.22897.exe
4448	SecuriteInfo.com.W32.AIDetectNet.01.22897.exe
4448	SecuriteInfo.com.W32.AIDetectNet.01.22897.exe
4448	SecuriteInfo.com.W32.AIDetectNet.01.22897.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5112	powershell.exe
Token: SeDebugPrivilege	4448	SecuriteInfo.com.W32.AIDetectNet.01.22897.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4276	SecuriteInfo.com.W32.AIDetectNet.01.22897.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4448 wrote to memory of 5112	4448	SecuriteInfo.com.W32.AIDetectNet.01.22897.exe	80
PID 4448 wrote to memory of 5112	4448	SecuriteInfo.com.W32.AIDetectNet.01.22897.exe	80
PID 4448 wrote to memory of 5112	4448	SecuriteInfo.com.W32.AIDetectNet.01.22897.exe	80
PID 4448 wrote to memory of 1252	4448	SecuriteInfo.com.W32.AIDetectNet.01.22897.exe	82
PID 4448 wrote to memory of 1252	4448	SecuriteInfo.com.W32.AIDetectNet.01.22897.exe	82
PID 4448 wrote to memory of 1252	4448	SecuriteInfo.com.W32.AIDetectNet.01.22897.exe	82
PID 4448 wrote to memory of 2336	4448	SecuriteInfo.com.W32.AIDetectNet.01.22897.exe	83
PID 4448 wrote to memory of 2336	4448	SecuriteInfo.com.W32.AIDetectNet.01.22897.exe	83
PID 4448 wrote to memory of 2336	4448	SecuriteInfo.com.W32.AIDetectNet.01.22897.exe	83
PID 4448 wrote to memory of 4276	4448	SecuriteInfo.com.W32.AIDetectNet.01.22897.exe	84
PID 4448 wrote to memory of 4276	4448	SecuriteInfo.com.W32.AIDetectNet.01.22897.exe	84
PID 4448 wrote to memory of 4276	4448	SecuriteInfo.com.W32.AIDetectNet.01.22897.exe	84
PID 4448 wrote to memory of 4276	4448	SecuriteInfo.com.W32.AIDetectNet.01.22897.exe	84
PID 4448 wrote to memory of 4276	4448	SecuriteInfo.com.W32.AIDetectNet.01.22897.exe	84
PID 4448 wrote to memory of 4276	4448	SecuriteInfo.com.W32.AIDetectNet.01.22897.exe	84
PID 4448 wrote to memory of 4276	4448	SecuriteInfo.com.W32.AIDetectNet.01.22897.exe	84
PID 4448 wrote to memory of 4276	4448	SecuriteInfo.com.W32.AIDetectNet.01.22897.exe	84
PID 4276 wrote to memory of 4952	4276	SecuriteInfo.com.W32.AIDetectNet.01.22897.exe	85
PID 4276 wrote to memory of 4952	4276	SecuriteInfo.com.W32.AIDetectNet.01.22897.exe	85
PID 4276 wrote to memory of 4952	4276	SecuriteInfo.com.W32.AIDetectNet.01.22897.exe	85
PID 4276 wrote to memory of 4952	4276	SecuriteInfo.com.W32.AIDetectNet.01.22897.exe	85
PID 4276 wrote to memory of 4952	4276	SecuriteInfo.com.W32.AIDetectNet.01.22897.exe	85

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.22897.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.22897.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4448
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5112
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.22897.exe
  C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.22897.exe
  2⤵
  PID:1252
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.22897.exe
  C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.22897.exe
  2⤵
  PID:2336
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.22897.exe
  C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.22897.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4276
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
    3⤵
    PID:4952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\3037384246424646303030333036443242464246463030303330\SQLite3_StdCall.dll

Filesize
59KB

MD5
d77b227a28a78627c2323cac75948390

SHA1
e228c3951f2a9fd0febfe07390633ab4f35727f4

SHA256
527ec201dcd7695bd9830eb82ab35a3986121de9ea156193834aed9d79223b82

SHA512
5627fbc8bbb98f644e21f101a68f0e0b07b87c264d00ea227286bed8ab6dd4ebf5114f03b632604f775ff93666a409a1a179a81ebfc9246956ba8150ff5b0587

Download Submit
C:\Users\Public\3037384246424646303030333036443242464246463030303330\sqlite3.dll

Filesize
585KB

MD5
5405413fff79b8d9c747aa900f60f082

SHA1
71caf8907ddd9a3a25d71356bd2ce09bd293bd78

SHA256
3e5a28ffde07ac661c26b6ccf94e64c1c90b1f25b3b24c90605aa922b87642eb

SHA512
2f09a30fc4da5166bd665210fefa1d44ce344f0ec6a37f127d677aeb3ca4fc0d09b7c9c1540f57da1e3449b7f588a1c61115395e965fa153d4baa5033266ed66

Download Submit
memory/4276-148-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/4276-154-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/4276-145-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/4276-143-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/4448-131-0x0000000005000000-0x0000000005022000-memory.dmp

Filesize
136KB

Download
memory/4448-130-0x0000000000440000-0x0000000000514000-memory.dmp

Filesize
848KB

Download
memory/4952-150-0x00000000001A0000-0x00000000001AE000-memory.dmp

Filesize
56KB

Download
memory/4952-153-0x0000000074060000-0x0000000074611000-memory.dmp

Filesize
5.7MB

Download
memory/5112-133-0x0000000000F90000-0x0000000000FC6000-memory.dmp

Filesize
216KB

Download
memory/5112-134-0x0000000004DF0000-0x0000000005418000-memory.dmp

Filesize
6.2MB

Download
memory/5112-139-0x0000000006240000-0x000000000625A000-memory.dmp

Filesize
104KB

Download
memory/5112-138-0x0000000007360000-0x00000000079DA000-memory.dmp

Filesize
6.5MB

Download
memory/5112-135-0x0000000005490000-0x00000000054F6000-memory.dmp

Filesize
408KB

Download
memory/5112-137-0x0000000005D20000-0x0000000005D3E000-memory.dmp

Filesize
120KB

Download
memory/5112-136-0x0000000005500000-0x0000000005566000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing