blustealer | 3f38e461404e7085d3b0372b10dd26a7fc8397383afd51dc119705d003f3eade

Analysis

max time kernel
144s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
05-08-2022 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.MSIL.FormBook.IZFA.MTB.26806.exe
Size

2.3MB
MD5

c04e99a3f7c169773a1fec0d98be2d5f
SHA1

219b3cf5e69a2aef57f4565ec914652f8d285612
SHA256

3f38e461404e7085d3b0372b10dd26a7fc8397383afd51dc119705d003f3eade
SHA512

63b52ae3d38a6d5e5c6ec89fa5cc77c6924d7593f75c9a7454a5690a6c9b22fd9de8c650cd9a62c5454cf8d1a3abbec2ebe7ebf51b3177cc2e1d808f186f62a3

Score

10^/10

blustealer collection stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5446953292:AAFkDq-HVam91vjV2SXkAWjbhfkBnxaPoa4/sendMessage?chat_id=1269002131

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2868 set thread context of 4988	2868	SecuriteInfo.com.Trojan.MSIL.FormBook.IZFA.MTB.26806.exe	86
PID 4988 set thread context of 4316	4988	MSBuild.exe	92

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	38	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2868	SecuriteInfo.com.Trojan.MSIL.FormBook.IZFA.MTB.26806.exe
2868	SecuriteInfo.com.Trojan.MSIL.FormBook.IZFA.MTB.26806.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2868	SecuriteInfo.com.Trojan.MSIL.FormBook.IZFA.MTB.26806.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4988	MSBuild.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 4988	2868	SecuriteInfo.com.Trojan.MSIL.FormBook.IZFA.MTB.26806.exe	86
PID 2868 wrote to memory of 4988	2868	SecuriteInfo.com.Trojan.MSIL.FormBook.IZFA.MTB.26806.exe	86
PID 2868 wrote to memory of 4988	2868	SecuriteInfo.com.Trojan.MSIL.FormBook.IZFA.MTB.26806.exe	86
PID 2868 wrote to memory of 4988	2868	SecuriteInfo.com.Trojan.MSIL.FormBook.IZFA.MTB.26806.exe	86
PID 2868 wrote to memory of 4988	2868	SecuriteInfo.com.Trojan.MSIL.FormBook.IZFA.MTB.26806.exe	86
PID 2868 wrote to memory of 4988	2868	SecuriteInfo.com.Trojan.MSIL.FormBook.IZFA.MTB.26806.exe	86
PID 2868 wrote to memory of 4988	2868	SecuriteInfo.com.Trojan.MSIL.FormBook.IZFA.MTB.26806.exe	86
PID 2868 wrote to memory of 4988	2868	SecuriteInfo.com.Trojan.MSIL.FormBook.IZFA.MTB.26806.exe	86
PID 4988 wrote to memory of 4316	4988	MSBuild.exe	92
PID 4988 wrote to memory of 4316	4988	MSBuild.exe	92
PID 4988 wrote to memory of 4316	4988	MSBuild.exe	92
PID 4988 wrote to memory of 4316	4988	MSBuild.exe	92
PID 4988 wrote to memory of 4316	4988	MSBuild.exe	92

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MSIL.FormBook.IZFA.MTB.26806.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MSIL.FormBook.IZFA.MTB.26806.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4988
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:4316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2868-166-0x0000000005BE0000-0x0000000005C21000-memory.dmp

Filesize
260KB

Download
memory/2868-140-0x0000000005BE0000-0x0000000005C21000-memory.dmp

Filesize
260KB

Download
memory/2868-170-0x0000000005BE0000-0x0000000005C21000-memory.dmp

Filesize
260KB

Download
memory/2868-134-0x0000000005BE0000-0x0000000005C21000-memory.dmp

Filesize
260KB

Download
memory/2868-133-0x0000000005BE0000-0x0000000005C21000-memory.dmp

Filesize
260KB

Download
memory/2868-136-0x0000000005BE0000-0x0000000005C21000-memory.dmp

Filesize
260KB

Download
memory/2868-138-0x0000000005BE0000-0x0000000005C21000-memory.dmp

Filesize
260KB

Download
memory/2868-168-0x0000000005BE0000-0x0000000005C21000-memory.dmp

Filesize
260KB

Download
memory/2868-142-0x0000000005BE0000-0x0000000005C21000-memory.dmp

Filesize
260KB

Download
memory/2868-144-0x0000000005BE0000-0x0000000005C21000-memory.dmp

Filesize
260KB

Download
memory/2868-146-0x0000000005BE0000-0x0000000005C21000-memory.dmp

Filesize
260KB

Download
memory/2868-148-0x0000000005BE0000-0x0000000005C21000-memory.dmp

Filesize
260KB

Download
memory/2868-130-0x0000000000E30000-0x0000000001080000-memory.dmp

Filesize
2.3MB

Download
memory/2868-152-0x0000000005BE0000-0x0000000005C21000-memory.dmp

Filesize
260KB

Download
memory/2868-154-0x0000000005BE0000-0x0000000005C21000-memory.dmp

Filesize
260KB

Download
memory/2868-156-0x0000000005BE0000-0x0000000005C21000-memory.dmp

Filesize
260KB

Download
memory/2868-158-0x0000000005BE0000-0x0000000005C21000-memory.dmp

Filesize
260KB

Download
memory/2868-160-0x0000000005BE0000-0x0000000005C21000-memory.dmp

Filesize
260KB

Download
memory/2868-162-0x0000000005BE0000-0x0000000005C21000-memory.dmp

Filesize
260KB

Download
memory/2868-164-0x0000000005BE0000-0x0000000005C21000-memory.dmp

Filesize
260KB

Download
memory/2868-150-0x0000000005BE0000-0x0000000005C21000-memory.dmp

Filesize
260KB

Download
memory/2868-131-0x0000000005ED0000-0x0000000006474000-memory.dmp

Filesize
5.6MB

Download
memory/2868-132-0x0000000005A20000-0x0000000005AB2000-memory.dmp

Filesize
584KB

Download
memory/2868-172-0x0000000005BE0000-0x0000000005C21000-memory.dmp

Filesize
260KB

Download
memory/2868-174-0x0000000005BE0000-0x0000000005C21000-memory.dmp

Filesize
260KB

Download
memory/2868-176-0x0000000005BE0000-0x0000000005C21000-memory.dmp

Filesize
260KB

Download
memory/2868-178-0x0000000005BE0000-0x0000000005C21000-memory.dmp

Filesize
260KB

Download
memory/2868-180-0x0000000005BE0000-0x0000000005C21000-memory.dmp

Filesize
260KB

Download
memory/2868-182-0x0000000005BE0000-0x0000000005C21000-memory.dmp

Filesize
260KB

Download
memory/2868-184-0x0000000005BE0000-0x0000000005C21000-memory.dmp

Filesize
260KB

Download
memory/2868-186-0x0000000005BE0000-0x0000000005C21000-memory.dmp

Filesize
260KB

Download
memory/2868-188-0x0000000005BE0000-0x0000000005C21000-memory.dmp

Filesize
260KB

Download
memory/2868-190-0x0000000005BE0000-0x0000000005C21000-memory.dmp

Filesize
260KB

Download
memory/2868-192-0x0000000005BE0000-0x0000000005C21000-memory.dmp

Filesize
260KB

Download
memory/2868-194-0x0000000005BE0000-0x0000000005C21000-memory.dmp

Filesize
260KB

Download
memory/2868-196-0x0000000005BE0000-0x0000000005C21000-memory.dmp

Filesize
260KB

Download
memory/2868-7281-0x0000000005E00000-0x0000000005E22000-memory.dmp

Filesize
136KB

Download
memory/4316-7291-0x0000000000620000-0x0000000000686000-memory.dmp

Filesize
408KB

Download
memory/4316-7292-0x0000000004ED0000-0x0000000004F6C000-memory.dmp

Filesize
624KB

Download
memory/4988-7288-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download