blustealer | 0fabbda008ee7544a4f2d1bdaf5621f19bc41e82740f293dfe1644fc0af9230b

General

Target

SecuriteInfo.com.W32.AIDetectNet.01.19566.exe
Size

2.3MB
MD5

7278f8490937cab29d3dd5bc75cb52ab
SHA1

69a0419c995fc139ea27e731a44205cb1b686f1d
SHA256

0fabbda008ee7544a4f2d1bdaf5621f19bc41e82740f293dfe1644fc0af9230b
SHA512

71f6b363327b6ef6d5204cbfd31e2cb71d456ef54c24d53cd504bed6eec5b14079605f60cf47bc7ec9fbffe8b89ca37766b418ab236801193838417b4587deb7

Score

10^/10

blustealer collection stealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5446953292:AAFkDq-HVam91vjV2SXkAWjbhfkBnxaPoa4/sendMessage?chat_id=1269002131

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1904 set thread context of 276	1904	SecuriteInfo.com.W32.AIDetectNet.01.19566.exe	27
PID 276 set thread context of 1156	276	MSBuild.exe	28

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1904	SecuriteInfo.com.W32.AIDetectNet.01.19566.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1904	SecuriteInfo.com.W32.AIDetectNet.01.19566.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
276	MSBuild.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 276	1904	SecuriteInfo.com.W32.AIDetectNet.01.19566.exe	27
PID 1904 wrote to memory of 276	1904	SecuriteInfo.com.W32.AIDetectNet.01.19566.exe	27
PID 1904 wrote to memory of 276	1904	SecuriteInfo.com.W32.AIDetectNet.01.19566.exe	27
PID 1904 wrote to memory of 276	1904	SecuriteInfo.com.W32.AIDetectNet.01.19566.exe	27
PID 1904 wrote to memory of 276	1904	SecuriteInfo.com.W32.AIDetectNet.01.19566.exe	27
PID 1904 wrote to memory of 276	1904	SecuriteInfo.com.W32.AIDetectNet.01.19566.exe	27
PID 1904 wrote to memory of 276	1904	SecuriteInfo.com.W32.AIDetectNet.01.19566.exe	27
PID 1904 wrote to memory of 276	1904	SecuriteInfo.com.W32.AIDetectNet.01.19566.exe	27
PID 1904 wrote to memory of 276	1904	SecuriteInfo.com.W32.AIDetectNet.01.19566.exe	27
PID 276 wrote to memory of 1156	276	MSBuild.exe	28
PID 276 wrote to memory of 1156	276	MSBuild.exe	28
PID 276 wrote to memory of 1156	276	MSBuild.exe	28
PID 276 wrote to memory of 1156	276	MSBuild.exe	28
PID 276 wrote to memory of 1156	276	MSBuild.exe	28
PID 276 wrote to memory of 1156	276	MSBuild.exe	28
PID 276 wrote to memory of 1156	276	MSBuild.exe	28
PID 276 wrote to memory of 1156	276	MSBuild.exe	28
PID 276 wrote to memory of 1156	276	MSBuild.exe	28

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:276
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:1156

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/276-67-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download
memory/276-68-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/276-56-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/276-57-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/276-59-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/276-61-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/276-64-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/276-79-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1156-69-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1156-71-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1156-74-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1156-76-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1156-78-0x0000000002450000-0x000000000250C000-memory.dmp

Filesize
752KB

Download
memory/1904-54-0x00000000009F0000-0x0000000000C4C000-memory.dmp

Filesize
2.4MB

Download
memory/1904-55-0x0000000004DB0000-0x0000000004FFC000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing