blustealer | 5ff833d3f79aaec098d8b25ac40b1c42963dd83daddea1c48c129e9a84491c68

Analysis

max time kernel
296s
max time network
212s
platform
windows10-2004_x64
resource
win10v2004-20220722-en
resource tags

arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system
submitted
04-08-2022 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

commercial proposal for tender.exe
Size

673KB
MD5

ad50e25e4bd6ebfd000bd752f4460659
SHA1

47d00be456692150792e4c0f0c604a8c82d06866
SHA256

5ff833d3f79aaec098d8b25ac40b1c42963dd83daddea1c48c129e9a84491c68
SHA512

e796da95447c102428ae008e680bacfc25ea0e51f0bd104e194f82a9bca7cefb0299c3b7fdef2ad4b4eb67875c8880219ae54c7605df399ec10038b9a589df71

Score

10^/10

blustealer stealer

Malware Config

Extracted

Family

blustealer

Credentials

Protocol: smtp
Host:
smtp.ionos.es
Port:
587
Username:
[email protected]
Password:
barkoner

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Loads dropped DLL 2 IoCs

pid	Process
2856	cvtres.exe
2856	cvtres.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4852 set thread context of 2856	4852	commercial proposal for tender.exe	89
PID 2856 set thread context of 4140	2856	cvtres.exe	90

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2856	cvtres.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4852 wrote to memory of 2856	4852	commercial proposal for tender.exe	89
PID 4852 wrote to memory of 2856	4852	commercial proposal for tender.exe	89
PID 4852 wrote to memory of 2856	4852	commercial proposal for tender.exe	89
PID 4852 wrote to memory of 2856	4852	commercial proposal for tender.exe	89
PID 4852 wrote to memory of 2856	4852	commercial proposal for tender.exe	89
PID 4852 wrote to memory of 2856	4852	commercial proposal for tender.exe	89
PID 4852 wrote to memory of 2856	4852	commercial proposal for tender.exe	89
PID 4852 wrote to memory of 2856	4852	commercial proposal for tender.exe	89
PID 2856 wrote to memory of 4140	2856	cvtres.exe	90
PID 2856 wrote to memory of 4140	2856	cvtres.exe	90
PID 2856 wrote to memory of 4140	2856	cvtres.exe	90
PID 2856 wrote to memory of 4140	2856	cvtres.exe	90
PID 2856 wrote to memory of 4140	2856	cvtres.exe	90

C:\Users\Admin\AppData\Local\Temp\commercial proposal for tender.exe
"C:\Users\Admin\AppData\Local\Temp\commercial proposal for tender.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
    3⤵
    PID:4140

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\3037384246424646303030333036443242464246463030303330\SQLite3_StdCall.dll

Filesize
59KB

MD5
d77b227a28a78627c2323cac75948390

SHA1
e228c3951f2a9fd0febfe07390633ab4f35727f4

SHA256
527ec201dcd7695bd9830eb82ab35a3986121de9ea156193834aed9d79223b82

SHA512
5627fbc8bbb98f644e21f101a68f0e0b07b87c264d00ea227286bed8ab6dd4ebf5114f03b632604f775ff93666a409a1a179a81ebfc9246956ba8150ff5b0587

Download Submit
C:\Users\Public\3037384246424646303030333036443242464246463030303330\sqlite3.dll

Filesize
585KB

MD5
5405413fff79b8d9c747aa900f60f082

SHA1
71caf8907ddd9a3a25d71356bd2ce09bd293bd78

SHA256
3e5a28ffde07ac661c26b6ccf94e64c1c90b1f25b3b24c90605aa922b87642eb

SHA512
2f09a30fc4da5166bd665210fefa1d44ce344f0ec6a37f127d677aeb3ca4fc0d09b7c9c1540f57da1e3449b7f588a1c61115395e965fa153d4baa5033266ed66

Download Submit
memory/2856-134-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2856-136-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2856-139-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2856-140-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4140-142-0x0000000000F30000-0x0000000000F3E000-memory.dmp

Filesize
56KB

Download
memory/4140-145-0x0000000073970000-0x0000000073F21000-memory.dmp

Filesize
5.7MB

Download
memory/4140-146-0x0000000073970000-0x0000000073F21000-memory.dmp

Filesize
5.7MB

Download
memory/4852-132-0x0000000000A40000-0x0000000000AEA000-memory.dmp

Filesize
680KB

Download