blustealer | 9012008489104071ccbb3ba77891c6f6a6a30225001ae0c28b556eebe036788f

Analysis

max time kernel
43s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-09-2022 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

INVOICE INV-20220000002008 EUR.pdf.exe
Size

1.8MB
MD5

b248b43bd8be6232f8e77cfc52858c00
SHA1

0c4e8493f3adcf8524526053d23d418cd1ca3497
SHA256

2ada6d9b9dee67c44eddfe99c9a558828165c090ff0fd8583195110b4415b480
SHA512

ae2665fa0497d5002a2cd0fbca0b82b22a7c670557d6e2798e5608300b6a4bde7265e0a968aab709454f562c40166a7c65110c5aafb0326ac857ef7a12ad6fc7
SSDEEP

24576:GAOcZDiI8Yj7+zblMSqZo6AIna1HA3kdfzFvJLhGmEcJasRPGQFV0aBTjWFqwAzF:sSiI7qOSqWIna63kd9NEcNtGQFV9jWM

Score

10^/10

blustealer collection persistence stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5310184325:AAFI3fSQ6VcGu_NSTmv7d-qK2WCVhYY_qfg/sendMessage?chat_id=1293496579

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 3 IoCs

pid	Process
888	epepgacokv.pif
1484	RegSvcs.exe
2044	RegSvcs.exe

Loads dropped DLL 6 IoCs

pid	Process
1480	INVOICE INV-20220000002008 EUR.pdf.exe
1480	INVOICE INV-20220000002008 EUR.pdf.exe
1480	INVOICE INV-20220000002008 EUR.pdf.exe
1480	INVOICE INV-20220000002008 EUR.pdf.exe
888	epepgacokv.pif
888	epepgacokv.pif

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	epepgacokv.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1_29\\EPEPGA~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\1_29\\VEPIGU~1.FJI"	epepgacokv.pif

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 888 set thread context of 1484	888	epepgacokv.pif	29
PID 1484 set thread context of 1224	1484	RegSvcs.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1484	RegSvcs.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 888	1480	INVOICE INV-20220000002008 EUR.pdf.exe	27
PID 1480 wrote to memory of 888	1480	INVOICE INV-20220000002008 EUR.pdf.exe	27
PID 1480 wrote to memory of 888	1480	INVOICE INV-20220000002008 EUR.pdf.exe	27
PID 1480 wrote to memory of 888	1480	INVOICE INV-20220000002008 EUR.pdf.exe	27
PID 1480 wrote to memory of 888	1480	INVOICE INV-20220000002008 EUR.pdf.exe	27
PID 1480 wrote to memory of 888	1480	INVOICE INV-20220000002008 EUR.pdf.exe	27
PID 1480 wrote to memory of 888	1480	INVOICE INV-20220000002008 EUR.pdf.exe	27
PID 888 wrote to memory of 2044	888	epepgacokv.pif	28
PID 888 wrote to memory of 2044	888	epepgacokv.pif	28
PID 888 wrote to memory of 2044	888	epepgacokv.pif	28
PID 888 wrote to memory of 2044	888	epepgacokv.pif	28
PID 888 wrote to memory of 2044	888	epepgacokv.pif	28
PID 888 wrote to memory of 2044	888	epepgacokv.pif	28
PID 888 wrote to memory of 2044	888	epepgacokv.pif	28
PID 888 wrote to memory of 1484	888	epepgacokv.pif	29
PID 888 wrote to memory of 1484	888	epepgacokv.pif	29
PID 888 wrote to memory of 1484	888	epepgacokv.pif	29
PID 888 wrote to memory of 1484	888	epepgacokv.pif	29
PID 888 wrote to memory of 1484	888	epepgacokv.pif	29
PID 888 wrote to memory of 1484	888	epepgacokv.pif	29
PID 888 wrote to memory of 1484	888	epepgacokv.pif	29
PID 888 wrote to memory of 1484	888	epepgacokv.pif	29
PID 888 wrote to memory of 1484	888	epepgacokv.pif	29
PID 888 wrote to memory of 1484	888	epepgacokv.pif	29
PID 888 wrote to memory of 1484	888	epepgacokv.pif	29
PID 888 wrote to memory of 1484	888	epepgacokv.pif	29
PID 1484 wrote to memory of 1224	1484	RegSvcs.exe	30
PID 1484 wrote to memory of 1224	1484	RegSvcs.exe	30
PID 1484 wrote to memory of 1224	1484	RegSvcs.exe	30
PID 1484 wrote to memory of 1224	1484	RegSvcs.exe	30
PID 1484 wrote to memory of 1224	1484	RegSvcs.exe	30
PID 1484 wrote to memory of 1224	1484	RegSvcs.exe	30
PID 1484 wrote to memory of 1224	1484	RegSvcs.exe	30
PID 1484 wrote to memory of 1224	1484	RegSvcs.exe	30
PID 1484 wrote to memory of 1224	1484	RegSvcs.exe	30

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\INVOICE INV-20220000002008 EUR.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE INV-20220000002008 EUR.pdf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Users\Admin\AppData\Local\Temp\1_29\epepgacokv.pif
  "C:\Users\Admin\AppData\Local\Temp\1_29\epepgacokv.pif" vepiguxkl.fji
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:888
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - Executes dropped EXE
    PID:2044
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1484
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      4⤵
      Accesses Microsoft Outlook profiles
      outlook_office_path
      outlook_win_path
      PID:1224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1_29\epepgacokv.pif

Filesize
906KB

MD5
f28aa08788132e64db4b8918ee2430b1

SHA1
ef32b1023a89dc36d7c5e98e22845fe87c5efef2

SHA256
f99b9fc041c177f0bee2c82d09f451ef0833696111b1b37cbfff8c975232ece2

SHA512
689cf6118061aa9e7d4b78118db99338aa767433df511610d471a989825a84a53119310248ed3870b10e48e77b47c429ef5a276dbc9c4ec53a7588e16093b50f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1_29\ndpko.qeh

Filesize
880KB

MD5
2b240fae952e8dc109549f5352db0011

SHA1
543508058ad9573dc34e9ddd4d5198d15f6b0086

SHA256
98dd494fbf33a5b4f1f1f3c326c0d1d9933e98685c1171641222377426d56df0

SHA512
1e2c81a6e073d995b8d1dd5a916e4476916ee55673b7448d590896f9ffc5fa6ff4cefe50c2a5bffb9dd83e1ceab97c20042b95354ecd2e7cafdb5bd8ea25c42b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1_29\ovaledafms.pdf

Filesize
47KB

MD5
cbecf64c2befe2b1dafe648538691cdc

SHA1
c724aa06e3218597284b4b01e5bc8c727f9301eb

SHA256
2e8c8439e3916923f6df37b3036653776870ce671781dfabefe21e9fd7cc67b0

SHA512
5fcbca0d69bbef84097bb50ef434f9b5be1b79d6d167503323a4b4e7b0bc6af2e8e469cc41f417b4fc1c1a9204ddf033ccc3e6b499474dd2313cb751ff836a16

Download Submit
C:\Users\Admin\AppData\Local\Temp\1_29\vepiguxkl.fji

Filesize
140.1MB

MD5
2b83e9fb3c7b62b51c6cae5c051925c5

SHA1
51239db54c1d8484a144475305549248e45752c8

SHA256
ff0e8e0b43d14e5957f6e3046ae95c5271991f4c0a0f91e23401362d01126f74

SHA512
d1d7fd9f75b57d4de8ec71dd420f85e73788072c2a4fc7cec7e2ec2785c24ae9e1a867a3352880a73c5a34961d521d02cd1fe58de7d13ba3f607ef4a624ffb9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
\Users\Admin\AppData\Local\Temp\1_29\epepgacokv.pif

Filesize
906KB

MD5
f28aa08788132e64db4b8918ee2430b1

SHA1
ef32b1023a89dc36d7c5e98e22845fe87c5efef2

SHA256
f99b9fc041c177f0bee2c82d09f451ef0833696111b1b37cbfff8c975232ece2

SHA512
689cf6118061aa9e7d4b78118db99338aa767433df511610d471a989825a84a53119310248ed3870b10e48e77b47c429ef5a276dbc9c4ec53a7588e16093b50f

Download Submit
\Users\Admin\AppData\Local\Temp\1_29\epepgacokv.pif

Filesize
906KB

MD5
f28aa08788132e64db4b8918ee2430b1

SHA1
ef32b1023a89dc36d7c5e98e22845fe87c5efef2

SHA256
f99b9fc041c177f0bee2c82d09f451ef0833696111b1b37cbfff8c975232ece2

SHA512
689cf6118061aa9e7d4b78118db99338aa767433df511610d471a989825a84a53119310248ed3870b10e48e77b47c429ef5a276dbc9c4ec53a7588e16093b50f

Download Submit
\Users\Admin\AppData\Local\Temp\1_29\epepgacokv.pif

Filesize
906KB

MD5
f28aa08788132e64db4b8918ee2430b1

SHA1
ef32b1023a89dc36d7c5e98e22845fe87c5efef2

SHA256
f99b9fc041c177f0bee2c82d09f451ef0833696111b1b37cbfff8c975232ece2

SHA512
689cf6118061aa9e7d4b78118db99338aa767433df511610d471a989825a84a53119310248ed3870b10e48e77b47c429ef5a276dbc9c4ec53a7588e16093b50f

Download Submit
\Users\Admin\AppData\Local\Temp\1_29\epepgacokv.pif

Filesize
906KB

MD5
f28aa08788132e64db4b8918ee2430b1

SHA1
ef32b1023a89dc36d7c5e98e22845fe87c5efef2

SHA256
f99b9fc041c177f0bee2c82d09f451ef0833696111b1b37cbfff8c975232ece2

SHA512
689cf6118061aa9e7d4b78118db99338aa767433df511610d471a989825a84a53119310248ed3870b10e48e77b47c429ef5a276dbc9c4ec53a7588e16093b50f

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
memory/1224-82-0x0000000000120000-0x0000000000186000-memory.dmp

Filesize
408KB

Download
memory/1224-91-0x0000000004920000-0x00000000049DC000-memory.dmp

Filesize
752KB

Download
memory/1224-89-0x0000000000120000-0x0000000000186000-memory.dmp

Filesize
408KB

Download
memory/1224-87-0x0000000000120000-0x0000000000186000-memory.dmp

Filesize
408KB

Download
memory/1224-84-0x0000000000120000-0x0000000000186000-memory.dmp

Filesize
408KB

Download
memory/1480-54-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/1484-67-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1484-81-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1484-77-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1484-72-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1484-68-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1484-70-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1484-92-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download