blustealer | b44fca03a737dabed36acbe2a42cac044fb33e5571a919c669926b1aba3f4150

Analysis

max time kernel
187s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-08-2022 15:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e-dekont.exe
Size

1.9MB
MD5

ada986026c468dd80925e205aa84a0ac
SHA1

d3e9594b6532a9c1aeb1790d51d4f4d11e6e62a9
SHA256

b44fca03a737dabed36acbe2a42cac044fb33e5571a919c669926b1aba3f4150
SHA512

8ccc8538ae07bef283cbf7ff0bfeecba552aa057330215f3f2533ada449c205ced2e1066be340a6df85d98327ff14a6242ffa5ec21ce9b4a2fa56ba67d05d4e3
SSDEEP

12288:tsK9j7OYmHvTvOJeA6iUitUG1dtKI67jEhuCqgpxAebAQGOYRqP2lU+5IwVK8vwo:/y6JeXGVvZhZYRqOl5Iu0FDRa5+7VO

Score

10^/10

blustealer stealer

Malware Config

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FcYbRRNH.lnk	e-dekont.exe

Loads dropped DLL 2 IoCs

pid	Process
4740	e-dekont.exe
4740	e-dekont.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4740 set thread context of 3824	4740	e-dekont.exe	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4740	e-dekont.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 3824	4740	e-dekont.exe	85
PID 4740 wrote to memory of 3824	4740	e-dekont.exe	85
PID 4740 wrote to memory of 3824	4740	e-dekont.exe	85
PID 4740 wrote to memory of 3824	4740	e-dekont.exe	85
PID 4740 wrote to memory of 3824	4740	e-dekont.exe	85
PID 4740 wrote to memory of 3824	4740	e-dekont.exe	85
PID 4740 wrote to memory of 3824	4740	e-dekont.exe	85
PID 4740 wrote to memory of 3824	4740	e-dekont.exe	85

C:\Users\Admin\AppData\Local\Temp\e-dekont.exe
"C:\Users\Admin\AppData\Local\Temp\e-dekont.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Users\Admin\AppData\Local\Temp\e-dekont.exe
  "C:\Users\Admin\AppData\Local\Temp\e-dekont.exe"
  2⤵
  PID:3824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\InternalApplicationIdentit.dll

Filesize
670KB

MD5
c9652b395870659636dc088900ff4a1f

SHA1
8e13f8c8d79a2a895522ce849f330e48cf60b047

SHA256
4e1e636d7daf18d321aba24c57564b901affc12ddfe458622f93dc63740f1487

SHA512
2cc0d8eba90b80fac73a5bd375506a016ab731e110a1d07ad2fdce071b9d32c36769d8253fb217fa2a6e4da425e47e3d54c517b67880c11c2cfec3488320b53d

Download Submit
C:\Users\Admin\AppData\Roaming\InternalApplicationIdentit.dll

Filesize
670KB

MD5
c9652b395870659636dc088900ff4a1f

SHA1
8e13f8c8d79a2a895522ce849f330e48cf60b047

SHA256
4e1e636d7daf18d321aba24c57564b901affc12ddfe458622f93dc63740f1487

SHA512
2cc0d8eba90b80fac73a5bd375506a016ab731e110a1d07ad2fdce071b9d32c36769d8253fb217fa2a6e4da425e47e3d54c517b67880c11c2cfec3488320b53d

Download Submit
memory/3824-140-0x00000000005D0000-0x00000000005F2000-memory.dmp

Filesize
136KB

Download
memory/4740-132-0x0000000000AC0000-0x0000000000CB0000-memory.dmp

Filesize
1.9MB

Download
memory/4740-133-0x00000000056E0000-0x000000000577C000-memory.dmp

Filesize
624KB

Download
memory/4740-134-0x0000000005D30000-0x00000000062D4000-memory.dmp

Filesize
5.6MB

Download
memory/4740-137-0x0000000006AD0000-0x0000000006B7E000-memory.dmp

Filesize
696KB

Download