blustealer | 3322b19106784923e2ddca902b4dbcb5b45724df974cccfd943c435b778c1cc0 | Triage

Submit
Reports

Overview

overview

Static

static

IMG50063065.pif.exe

windows7-x64

IMG50063065.pif.exe

windows10-2004-x64

Sharing

General

Target

IMG50063065.pif.exe
Size

1.2MB
Sample

220827-ayhasscfg3
MD5

b1ebf9a17fd043323203f7b7ce7b5723
SHA1

6b8111febaa3376fa44e6ed415dc947884e57b34
SHA256

3322b19106784923e2ddca902b4dbcb5b45724df974cccfd943c435b778c1cc0
SHA512

f1151a2888b0841d981f9a540a4863ccc54de24039a9bcdfc439986722a57e020f8d0b559d713d5ab3e836ed8a93651d83dc8fe7f1420e497444f490e36bc30a
SSDEEP

24576:HmeNfdhdkhFXFQRUDcgvhdaMPe858oN357XOf3z3woEY:HPfKHFQCDZnag58ohxXo3zw

Score

10^/10

blustealer netwire botnet persistence rat stealer upx

Static task

static1

Behavioral task

behavioral1

Sample

IMG50063065.pif.exe

Resource

win7-20220812-en

blustealer netwire botnet persistence rat stealer upx

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

IMG50063065.pif.exe

Resource

win10v2004-20220812-en

blustealer netwire botnet persistence rat stealer

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

netwire

C2

augtolife.serveftp.com:500

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
sep
install_path
%AppData%\Install\Host.exe
lock_executable
false
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
false

Targets

- Target
  
  IMG50063065.pif.exe
- Size
  
  1.2MB
- MD5
  
  b1ebf9a17fd043323203f7b7ce7b5723
- SHA1
  
  6b8111febaa3376fa44e6ed415dc947884e57b34
- SHA256
  
  3322b19106784923e2ddca902b4dbcb5b45724df974cccfd943c435b778c1cc0
- SHA512
  
  f1151a2888b0841d981f9a540a4863ccc54de24039a9bcdfc439986722a57e020f8d0b559d713d5ab3e836ed8a93651d83dc8fe7f1420e497444f490e36bc30a
- SSDEEP
  
  24576:HmeNfdhdkhFXFQRUDcgvhdaMPe858oN357XOf3z3woEY:HPfKHFQCDZnag58ohxXo3zw
Score

10^/10

blustealer netwire botnet persistence rat stealer upx
- BluStealer
  A Modular information stealer written in Visual Basic.
  stealer blustealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

blustealernetwirebotnetpersistenceratstealerupx

behavioral2

blustealernetwirebotnetpersistenceratstealer

© 2018-2024

Terms | Privacy