blustealer | 3402c28f8bb37b47cf2868b16ca9fd851f7004458a93c17802c04cf2064909eb

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-08-2022 05:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Offer Request.exe
Size

901KB
MD5

795b1ccc977fe6edbb2e9b1d2c5d6759
SHA1

d9a9dd8d825468d4155051dff9eccfc395b40a02
SHA256

3402c28f8bb37b47cf2868b16ca9fd851f7004458a93c17802c04cf2064909eb
SHA512

78c657b5f4604299728751e9967e50de9411a1c6409e2ddd72d3f103deed585d52a8c85f4fec146356b5e000d35b7c994cfd7e9bc2c9c1710a1f1ac4c583899a
SSDEEP

24576:/7p4L8ggIzMcvCqpB2hhqle3KVLfBU9Cekog6:l4L8gR9Cqn2hhqleKL6i

Score

10^/10

blustealer collection stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5450700540:AAEJyEEV8BKgYUKmnCPZxp19kD9GVSRup5M/sendMessage?chat_id=5422342474

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1520 set thread context of 4604	1520	Offer Request.exe	97
PID 4604 set thread context of 4020	4604	Offer Request.exe	99

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	62	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4604	Offer Request.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 4604	1520	Offer Request.exe	97
PID 1520 wrote to memory of 4604	1520	Offer Request.exe	97
PID 1520 wrote to memory of 4604	1520	Offer Request.exe	97
PID 1520 wrote to memory of 4604	1520	Offer Request.exe	97
PID 1520 wrote to memory of 4604	1520	Offer Request.exe	97
PID 1520 wrote to memory of 4604	1520	Offer Request.exe	97
PID 1520 wrote to memory of 4604	1520	Offer Request.exe	97
PID 1520 wrote to memory of 4604	1520	Offer Request.exe	97
PID 4604 wrote to memory of 4020	4604	Offer Request.exe	99
PID 4604 wrote to memory of 4020	4604	Offer Request.exe	99
PID 4604 wrote to memory of 4020	4604	Offer Request.exe	99
PID 4604 wrote to memory of 4020	4604	Offer Request.exe	99
PID 4604 wrote to memory of 4020	4604	Offer Request.exe	99

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Offer Request.exe
"C:\Users\Admin\AppData\Local\Temp\Offer Request.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Users\Admin\AppData\Local\Temp\Offer Request.exe
  "C:\Users\Admin\AppData\Local\Temp\Offer Request.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4604
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:4020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1520-132-0x00000000006E0000-0x00000000007C8000-memory.dmp

Filesize
928KB

Download
memory/1520-133-0x0000000005730000-0x0000000005CD4000-memory.dmp

Filesize
5.6MB

Download
memory/1520-134-0x0000000005180000-0x0000000005212000-memory.dmp

Filesize
584KB

Download
memory/1520-135-0x0000000005150000-0x000000000515A000-memory.dmp

Filesize
40KB

Download
memory/1520-136-0x0000000008D90000-0x0000000008E2C000-memory.dmp

Filesize
624KB

Download
memory/4020-145-0x0000000000C00000-0x0000000000C66000-memory.dmp

Filesize
408KB

Download
memory/4604-138-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4604-140-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4604-143-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download