blustealer | 792621a22b3db912726e2b70b953bd948b86ef6970f380e3f5151d87cd9a8cab

Analysis

max time kernel
145s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20220722-en
resource tags

arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system
submitted
04-08-2022 13:48

Target

792621a22b3db912726e2b70b953bd948b86ef6970f380e3f5151d87cd9a8cab.exe
Size

714KB
MD5

e565160ae6aa45409dd8c2963f802700
SHA1

54b3f0e549b36e2a8bb91fae7c8e697174655382
SHA256

792621a22b3db912726e2b70b953bd948b86ef6970f380e3f5151d87cd9a8cab
SHA512

0e1e9a7784b914271acee6613a0ff6a0674ac4229e46f8974f643cdb00bb58f9e3d1eb73f6b14806e68b2d18297e3224cdff7e16b35058acb9d684623775c1e2

Score

10^/10

Family

blustealer

https://api.telegram.org/bot5424772161:AAH6VQSqwjXeoEOdtG4956oBr1sLrNy1vkE/sendMessage?chat_id=2053442539

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Loads dropped DLL 2 IoCs

pid	Process
4256	cvtres.exe
4256	cvtres.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5032 set thread context of 4256	5032	792621a22b3db912726e2b70b953bd948b86ef6970f380e3f5151d87cd9a8cab.exe	88
PID 4256 set thread context of 328	4256	cvtres.exe	90

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4256	cvtres.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4256	cvtres.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 5032 wrote to memory of 4256	5032	792621a22b3db912726e2b70b953bd948b86ef6970f380e3f5151d87cd9a8cab.exe	88
PID 5032 wrote to memory of 4256	5032	792621a22b3db912726e2b70b953bd948b86ef6970f380e3f5151d87cd9a8cab.exe	88
PID 5032 wrote to memory of 4256	5032	792621a22b3db912726e2b70b953bd948b86ef6970f380e3f5151d87cd9a8cab.exe	88
PID 5032 wrote to memory of 4256	5032	792621a22b3db912726e2b70b953bd948b86ef6970f380e3f5151d87cd9a8cab.exe	88
PID 5032 wrote to memory of 4256	5032	792621a22b3db912726e2b70b953bd948b86ef6970f380e3f5151d87cd9a8cab.exe	88
PID 5032 wrote to memory of 4256	5032	792621a22b3db912726e2b70b953bd948b86ef6970f380e3f5151d87cd9a8cab.exe	88
PID 5032 wrote to memory of 4256	5032	792621a22b3db912726e2b70b953bd948b86ef6970f380e3f5151d87cd9a8cab.exe	88
PID 5032 wrote to memory of 4256	5032	792621a22b3db912726e2b70b953bd948b86ef6970f380e3f5151d87cd9a8cab.exe	88
PID 4256 wrote to memory of 328	4256	cvtres.exe	90
PID 4256 wrote to memory of 328	4256	cvtres.exe	90
PID 4256 wrote to memory of 328	4256	cvtres.exe	90
PID 4256 wrote to memory of 328	4256	cvtres.exe	90
PID 4256 wrote to memory of 328	4256	cvtres.exe	90

C:\Users\Public\3037384246424646303030333036443242464246463030303330\SQLite3_StdCall.dll

Filesize
59KB

MD5
d77b227a28a78627c2323cac75948390

SHA1
e228c3951f2a9fd0febfe07390633ab4f35727f4

SHA256
527ec201dcd7695bd9830eb82ab35a3986121de9ea156193834aed9d79223b82

SHA512
5627fbc8bbb98f644e21f101a68f0e0b07b87c264d00ea227286bed8ab6dd4ebf5114f03b632604f775ff93666a409a1a179a81ebfc9246956ba8150ff5b0587

Download Submit
C:\Users\Public\3037384246424646303030333036443242464246463030303330\sqlite3.dll

Filesize
585KB

MD5
5405413fff79b8d9c747aa900f60f082

SHA1
71caf8907ddd9a3a25d71356bd2ce09bd293bd78

SHA256
3e5a28ffde07ac661c26b6ccf94e64c1c90b1f25b3b24c90605aa922b87642eb

SHA512
2f09a30fc4da5166bd665210fefa1d44ce344f0ec6a37f127d677aeb3ca4fc0d09b7c9c1540f57da1e3449b7f588a1c61115395e965fa153d4baa5033266ed66

Download Submit
memory/328-142-0x0000000000C20000-0x0000000000C2E000-memory.dmp

Filesize
56KB

Download
memory/328-145-0x0000000073480000-0x0000000073A31000-memory.dmp

Filesize
5.7MB

Download
memory/4256-134-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/4256-136-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/4256-139-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/4256-140-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/5032-132-0x00000000004D0000-0x0000000000580000-memory.dmp

Filesize
704KB

Download