blustealer | 0e184b1b8ebe69d4e06a8a71c53054b3713ec9f2a0a9f8988ce235d130ac549c

Analysis

max time kernel
52s
max time network
43s
platform
windows7_x64
resource
win7-20220715-en
resource tags

arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
submitted
06-08-2022 07:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a661148c26dc8bd4992bbd23b350f062.exe
Size

928KB
MD5

a661148c26dc8bd4992bbd23b350f062
SHA1

35af577d4c5c0d94585fc41b2f1834f463727c20
SHA256

0e184b1b8ebe69d4e06a8a71c53054b3713ec9f2a0a9f8988ce235d130ac549c
SHA512

adb8d4c0a859acbb8c5cd7114d9a1f9233dce045be42e3224f62a08b4e000513788263a9ccd6c27919a0449437d843072f2c8d81e876ecc2220b695b5eebfafe

Score

10^/10

blustealer stealer

Malware Config

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2032 set thread context of 1768	2032	a661148c26dc8bd4992bbd23b350f062.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1720	powershell.exe
2032	a661148c26dc8bd4992bbd23b350f062.exe
2032	a661148c26dc8bd4992bbd23b350f062.exe
2032	a661148c26dc8bd4992bbd23b350f062.exe
2032	a661148c26dc8bd4992bbd23b350f062.exe
2032	a661148c26dc8bd4992bbd23b350f062.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2032	a661148c26dc8bd4992bbd23b350f062.exe
Token: SeDebugPrivilege	1720	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1768	InstallUtil.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 1720	2032	a661148c26dc8bd4992bbd23b350f062.exe	27
PID 2032 wrote to memory of 1720	2032	a661148c26dc8bd4992bbd23b350f062.exe	27
PID 2032 wrote to memory of 1720	2032	a661148c26dc8bd4992bbd23b350f062.exe	27
PID 2032 wrote to memory of 1720	2032	a661148c26dc8bd4992bbd23b350f062.exe	27
PID 2032 wrote to memory of 900	2032	a661148c26dc8bd4992bbd23b350f062.exe	29
PID 2032 wrote to memory of 900	2032	a661148c26dc8bd4992bbd23b350f062.exe	29
PID 2032 wrote to memory of 900	2032	a661148c26dc8bd4992bbd23b350f062.exe	29
PID 2032 wrote to memory of 900	2032	a661148c26dc8bd4992bbd23b350f062.exe	29
PID 2032 wrote to memory of 900	2032	a661148c26dc8bd4992bbd23b350f062.exe	29
PID 2032 wrote to memory of 900	2032	a661148c26dc8bd4992bbd23b350f062.exe	29
PID 2032 wrote to memory of 900	2032	a661148c26dc8bd4992bbd23b350f062.exe	29
PID 2032 wrote to memory of 564	2032	a661148c26dc8bd4992bbd23b350f062.exe	30
PID 2032 wrote to memory of 564	2032	a661148c26dc8bd4992bbd23b350f062.exe	30
PID 2032 wrote to memory of 564	2032	a661148c26dc8bd4992bbd23b350f062.exe	30
PID 2032 wrote to memory of 564	2032	a661148c26dc8bd4992bbd23b350f062.exe	30
PID 2032 wrote to memory of 564	2032	a661148c26dc8bd4992bbd23b350f062.exe	30
PID 2032 wrote to memory of 564	2032	a661148c26dc8bd4992bbd23b350f062.exe	30
PID 2032 wrote to memory of 564	2032	a661148c26dc8bd4992bbd23b350f062.exe	30
PID 2032 wrote to memory of 1768	2032	a661148c26dc8bd4992bbd23b350f062.exe	31
PID 2032 wrote to memory of 1768	2032	a661148c26dc8bd4992bbd23b350f062.exe	31
PID 2032 wrote to memory of 1768	2032	a661148c26dc8bd4992bbd23b350f062.exe	31
PID 2032 wrote to memory of 1768	2032	a661148c26dc8bd4992bbd23b350f062.exe	31
PID 2032 wrote to memory of 1768	2032	a661148c26dc8bd4992bbd23b350f062.exe	31
PID 2032 wrote to memory of 1768	2032	a661148c26dc8bd4992bbd23b350f062.exe	31
PID 2032 wrote to memory of 1768	2032	a661148c26dc8bd4992bbd23b350f062.exe	31
PID 2032 wrote to memory of 1768	2032	a661148c26dc8bd4992bbd23b350f062.exe	31
PID 2032 wrote to memory of 1768	2032	a661148c26dc8bd4992bbd23b350f062.exe	31
PID 2032 wrote to memory of 1768	2032	a661148c26dc8bd4992bbd23b350f062.exe	31
PID 2032 wrote to memory of 1768	2032	a661148c26dc8bd4992bbd23b350f062.exe	31
PID 2032 wrote to memory of 1768	2032	a661148c26dc8bd4992bbd23b350f062.exe	31

C:\Users\Admin\AppData\Local\Temp\a661148c26dc8bd4992bbd23b350f062.exe
"C:\Users\Admin\AppData\Local\Temp\a661148c26dc8bd4992bbd23b350f062.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQA=
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  2⤵
  PID:900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  2⤵
  PID:564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1720-61-0x000000006F2E0000-0x000000006F88B000-memory.dmp

Filesize
5.7MB

Download
memory/1720-60-0x000000006F2E0000-0x000000006F88B000-memory.dmp

Filesize
5.7MB

Download
memory/1768-65-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1768-62-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1768-63-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1768-67-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1768-73-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1768-74-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2032-57-0x0000000075E41000-0x0000000075E43000-memory.dmp

Filesize
8KB

Download
memory/2032-56-0x0000000000B30000-0x0000000000BC2000-memory.dmp

Filesize
584KB

Download
memory/2032-55-0x0000000004AD0000-0x0000000004BAC000-memory.dmp

Filesize
880KB

Download
memory/2032-54-0x0000000001310000-0x00000000013FE000-memory.dmp

Filesize
952KB

Download