blustealer | 2506cbaa56d9893a48a39a5d991f34da06122deb55efb3979a7629684d24ce78 | Triage

Sharing

General

Target

2506cbaa56d9893a48a39a5d991f34da06122deb55efb3979a7629684d24ce78
Size

2.4MB
Sample

220816-mns1rsfhbn
MD5

2bd43ab6044247edd65f2d29f3540be7
SHA1

892e34e6cabdeea13258d7e7e7e098a6820afbe2
SHA256

2506cbaa56d9893a48a39a5d991f34da06122deb55efb3979a7629684d24ce78
SHA512

3da26f98e66a15cdea0f223134eef790fe6ef6d8a602e5e6e169b347c056a660f7eb18e1adc85c5d269ae148b3722b179ce1cd00edf1b90b8ed989d723485dd3

Score

10^/10

blustealer persistence stealer

Malware Config

Extracted

Family

blustealer

Credentials

Protocol: smtp
Host:
lotexh.shop
Port:
587
Username:
[email protected]
Password:
AmWcR;&S@thk

Targets

- Target
  
  2506cbaa56d9893a48a39a5d991f34da06122deb55efb3979a7629684d24ce78
- Size
  
  2.4MB
- MD5
  
  2bd43ab6044247edd65f2d29f3540be7
- SHA1
  
  892e34e6cabdeea13258d7e7e7e098a6820afbe2
- SHA256
  
  2506cbaa56d9893a48a39a5d991f34da06122deb55efb3979a7629684d24ce78
- SHA512
  
  3da26f98e66a15cdea0f223134eef790fe6ef6d8a602e5e6e169b347c056a660f7eb18e1adc85c5d269ae148b3722b179ce1cd00edf1b90b8ed989d723485dd3
Score

10^/10

blustealer persistence stealer
- BluStealer
  A Modular information stealer written in Visual Basic.
  stealer blustealer
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

blustealerpersistencestealer

behavioral2

blustealerpersistencestealer