blustealer | 70fc011e55904f455a12e19e82e3a25fa05a37993bb79f023a5655aabae4b057

General

Target

70fc011e55904f455a12e19e82e3a25fa05a37993bb79f023a5655aabae4b057.exe
Size

1.3MB
MD5

20cf6b947841f6ed3546f82ed68c1b7f
SHA1

d65463fd21602d678f23678565d1169b3a4a8333
SHA256

70fc011e55904f455a12e19e82e3a25fa05a37993bb79f023a5655aabae4b057
SHA512

e225529b0e191aa3e5ef6ecc362f6f44b3e81d084a6f0fc2240613af9d15f11fb4ca6291ae3b2815ca6c791a9fd25c5ab0bea835441db92bfe65c223eac6cec5
SSDEEP

24576:USeAC7aqFZpthlSTLp6tRgF/3QTJq8vOGxgiNdaeEntTI2IOw:MARqFHthlQp6DIfQfvr5Nct

Score

10^/10

blustealer spyware stealer

Malware Config

Extracted

Family

blustealer

Credentials

Protocol: smtp
Host:
mail.jdaroil.com
Port:
587
Username:
[email protected]
Password:
JDAR-iraq#@

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Loads dropped DLL 2 IoCs

pid	Process
5032	70fc011e55904f455a12e19e82e3a25fa05a37993bb79f023a5655aabae4b057.exe
5032	70fc011e55904f455a12e19e82e3a25fa05a37993bb79f023a5655aabae4b057.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4928 set thread context of 5032	4928	70fc011e55904f455a12e19e82e3a25fa05a37993bb79f023a5655aabae4b057.exe	98
PID 5032 set thread context of 3996	5032	70fc011e55904f455a12e19e82e3a25fa05a37993bb79f023a5655aabae4b057.exe	100

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5032	70fc011e55904f455a12e19e82e3a25fa05a37993bb79f023a5655aabae4b057.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 5032	4928	70fc011e55904f455a12e19e82e3a25fa05a37993bb79f023a5655aabae4b057.exe	98
PID 4928 wrote to memory of 5032	4928	70fc011e55904f455a12e19e82e3a25fa05a37993bb79f023a5655aabae4b057.exe	98
PID 4928 wrote to memory of 5032	4928	70fc011e55904f455a12e19e82e3a25fa05a37993bb79f023a5655aabae4b057.exe	98
PID 4928 wrote to memory of 5032	4928	70fc011e55904f455a12e19e82e3a25fa05a37993bb79f023a5655aabae4b057.exe	98
PID 4928 wrote to memory of 5032	4928	70fc011e55904f455a12e19e82e3a25fa05a37993bb79f023a5655aabae4b057.exe	98
PID 4928 wrote to memory of 5032	4928	70fc011e55904f455a12e19e82e3a25fa05a37993bb79f023a5655aabae4b057.exe	98
PID 4928 wrote to memory of 5032	4928	70fc011e55904f455a12e19e82e3a25fa05a37993bb79f023a5655aabae4b057.exe	98
PID 4928 wrote to memory of 5032	4928	70fc011e55904f455a12e19e82e3a25fa05a37993bb79f023a5655aabae4b057.exe	98
PID 5032 wrote to memory of 3996	5032	70fc011e55904f455a12e19e82e3a25fa05a37993bb79f023a5655aabae4b057.exe	100
PID 5032 wrote to memory of 3996	5032	70fc011e55904f455a12e19e82e3a25fa05a37993bb79f023a5655aabae4b057.exe	100
PID 5032 wrote to memory of 3996	5032	70fc011e55904f455a12e19e82e3a25fa05a37993bb79f023a5655aabae4b057.exe	100
PID 5032 wrote to memory of 3996	5032	70fc011e55904f455a12e19e82e3a25fa05a37993bb79f023a5655aabae4b057.exe	100
PID 5032 wrote to memory of 3996	5032	70fc011e55904f455a12e19e82e3a25fa05a37993bb79f023a5655aabae4b057.exe	100

C:\Users\Admin\AppData\Local\Temp\70fc011e55904f455a12e19e82e3a25fa05a37993bb79f023a5655aabae4b057.exe
"C:\Users\Admin\AppData\Local\Temp\70fc011e55904f455a12e19e82e3a25fa05a37993bb79f023a5655aabae4b057.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Users\Admin\AppData\Local\Temp\70fc011e55904f455a12e19e82e3a25fa05a37993bb79f023a5655aabae4b057.exe
  "C:\Users\Admin\AppData\Local\Temp\70fc011e55904f455a12e19e82e3a25fa05a37993bb79f023a5655aabae4b057.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
    3⤵
    PID:3996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\3037384246424646303030333036443242464246463030303330\SQLite3_StdCall.dll

Filesize
59KB

MD5
d77b227a28a78627c2323cac75948390

SHA1
e228c3951f2a9fd0febfe07390633ab4f35727f4

SHA256
527ec201dcd7695bd9830eb82ab35a3986121de9ea156193834aed9d79223b82

SHA512
5627fbc8bbb98f644e21f101a68f0e0b07b87c264d00ea227286bed8ab6dd4ebf5114f03b632604f775ff93666a409a1a179a81ebfc9246956ba8150ff5b0587

Download Submit
C:\Users\Public\3037384246424646303030333036443242464246463030303330\sqlite3.dll

Filesize
585KB

MD5
5405413fff79b8d9c747aa900f60f082

SHA1
71caf8907ddd9a3a25d71356bd2ce09bd293bd78

SHA256
3e5a28ffde07ac661c26b6ccf94e64c1c90b1f25b3b24c90605aa922b87642eb

SHA512
2f09a30fc4da5166bd665210fefa1d44ce344f0ec6a37f127d677aeb3ca4fc0d09b7c9c1540f57da1e3449b7f588a1c61115395e965fa153d4baa5033266ed66

Download Submit
memory/3996-151-0x0000000074280000-0x0000000074831000-memory.dmp

Filesize
5.7MB

Download
memory/3996-150-0x0000000074280000-0x0000000074831000-memory.dmp

Filesize
5.7MB

Download
memory/3996-147-0x0000000000540000-0x000000000054E000-memory.dmp

Filesize
56KB

Download
memory/4928-136-0x0000000009670000-0x000000000970C000-memory.dmp

Filesize
624KB

Download
memory/4928-137-0x0000000009710000-0x0000000009776000-memory.dmp

Filesize
408KB

Download
memory/4928-132-0x0000000000F50000-0x0000000001096000-memory.dmp

Filesize
1.3MB

Download
memory/4928-135-0x0000000005B00000-0x0000000005B0A000-memory.dmp

Filesize
40KB

Download
memory/4928-134-0x0000000005A40000-0x0000000005AD2000-memory.dmp

Filesize
584KB

Download
memory/4928-133-0x0000000006190000-0x0000000006734000-memory.dmp

Filesize
5.6MB

Download
memory/5032-139-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/5032-141-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/5032-144-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/5032-145-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing