blustealer | 9012008489104071ccbb3ba77891c6f6a6a30225001ae0c28b556eebe036788f

General

Target

INVOICE INV-20220000002008 EUR.pdf.exe
Size

1.8MB
MD5

b248b43bd8be6232f8e77cfc52858c00
SHA1

0c4e8493f3adcf8524526053d23d418cd1ca3497
SHA256

2ada6d9b9dee67c44eddfe99c9a558828165c090ff0fd8583195110b4415b480
SHA512

ae2665fa0497d5002a2cd0fbca0b82b22a7c670557d6e2798e5608300b6a4bde7265e0a968aab709454f562c40166a7c65110c5aafb0326ac857ef7a12ad6fc7
SSDEEP

24576:GAOcZDiI8Yj7+zblMSqZo6AIna1HA3kdfzFvJLhGmEcJasRPGQFV0aBTjWFqwAzF:sSiI7qOSqWIna63kd9NEcNtGQFV9jWM

Score

10^/10

blustealer collection persistence stealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5310184325:AAFI3fSQ6VcGu_NSTmv7d-qK2WCVhYY_qfg/sendMessage?chat_id=1293496579

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 3 IoCs

pid	Process
2888	epepgacokv.pif
868	RegSvcs.exe
4088	RegSvcs.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	INVOICE INV-20220000002008 EUR.pdf.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1_29\\EPEPGA~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\1_29\\VEPIGU~1.FJI"	epepgacokv.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	epepgacokv.pif

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2888 set thread context of 868	2888	epepgacokv.pif	93
PID 2888 set thread context of 4088	2888	epepgacokv.pif	92
PID 4088 set thread context of 392	4088	RegSvcs.exe	100

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
824	868	WerFault.exe	93

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	52	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4088	RegSvcs.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 2888	1660	INVOICE INV-20220000002008 EUR.pdf.exe	84
PID 1660 wrote to memory of 2888	1660	INVOICE INV-20220000002008 EUR.pdf.exe	84
PID 1660 wrote to memory of 2888	1660	INVOICE INV-20220000002008 EUR.pdf.exe	84
PID 2888 wrote to memory of 4088	2888	epepgacokv.pif	92
PID 2888 wrote to memory of 4088	2888	epepgacokv.pif	92
PID 2888 wrote to memory of 4088	2888	epepgacokv.pif	92
PID 2888 wrote to memory of 868	2888	epepgacokv.pif	93
PID 2888 wrote to memory of 868	2888	epepgacokv.pif	93
PID 2888 wrote to memory of 868	2888	epepgacokv.pif	93
PID 2888 wrote to memory of 868	2888	epepgacokv.pif	93
PID 2888 wrote to memory of 868	2888	epepgacokv.pif	93
PID 2888 wrote to memory of 868	2888	epepgacokv.pif	93
PID 2888 wrote to memory of 4088	2888	epepgacokv.pif	92
PID 2888 wrote to memory of 4088	2888	epepgacokv.pif	92
PID 4088 wrote to memory of 392	4088	RegSvcs.exe	100
PID 4088 wrote to memory of 392	4088	RegSvcs.exe	100
PID 4088 wrote to memory of 392	4088	RegSvcs.exe	100
PID 4088 wrote to memory of 392	4088	RegSvcs.exe	100
PID 4088 wrote to memory of 392	4088	RegSvcs.exe	100

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\INVOICE INV-20220000002008 EUR.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE INV-20220000002008 EUR.pdf.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Users\Admin\AppData\Local\Temp\1_29\epepgacokv.pif
  "C:\Users\Admin\AppData\Local\Temp\1_29\epepgacokv.pif" vepiguxkl.fji
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4088
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      4⤵
      Accesses Microsoft Outlook profiles
      outlook_office_path
      outlook_win_path
      PID:392
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - Executes dropped EXE
    PID:868
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 80
      4⤵
      Program crash
      PID:824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 868 -ip 868
1⤵
PID:804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1_29\epepgacokv.pif

Filesize
906KB

MD5
f28aa08788132e64db4b8918ee2430b1

SHA1
ef32b1023a89dc36d7c5e98e22845fe87c5efef2

SHA256
f99b9fc041c177f0bee2c82d09f451ef0833696111b1b37cbfff8c975232ece2

SHA512
689cf6118061aa9e7d4b78118db99338aa767433df511610d471a989825a84a53119310248ed3870b10e48e77b47c429ef5a276dbc9c4ec53a7588e16093b50f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1_29\epepgacokv.pif

Filesize
906KB

MD5
f28aa08788132e64db4b8918ee2430b1

SHA1
ef32b1023a89dc36d7c5e98e22845fe87c5efef2

SHA256
f99b9fc041c177f0bee2c82d09f451ef0833696111b1b37cbfff8c975232ece2

SHA512
689cf6118061aa9e7d4b78118db99338aa767433df511610d471a989825a84a53119310248ed3870b10e48e77b47c429ef5a276dbc9c4ec53a7588e16093b50f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1_29\ndpko.qeh

Filesize
880KB

MD5
2b240fae952e8dc109549f5352db0011

SHA1
543508058ad9573dc34e9ddd4d5198d15f6b0086

SHA256
98dd494fbf33a5b4f1f1f3c326c0d1d9933e98685c1171641222377426d56df0

SHA512
1e2c81a6e073d995b8d1dd5a916e4476916ee55673b7448d590896f9ffc5fa6ff4cefe50c2a5bffb9dd83e1ceab97c20042b95354ecd2e7cafdb5bd8ea25c42b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1_29\ovaledafms.pdf

Filesize
47KB

MD5
cbecf64c2befe2b1dafe648538691cdc

SHA1
c724aa06e3218597284b4b01e5bc8c727f9301eb

SHA256
2e8c8439e3916923f6df37b3036653776870ce671781dfabefe21e9fd7cc67b0

SHA512
5fcbca0d69bbef84097bb50ef434f9b5be1b79d6d167503323a4b4e7b0bc6af2e8e469cc41f417b4fc1c1a9204ddf033ccc3e6b499474dd2313cb751ff836a16

Download Submit
C:\Users\Admin\AppData\Local\Temp\1_29\vepiguxkl.fji

Filesize
140.1MB

MD5
2b83e9fb3c7b62b51c6cae5c051925c5

SHA1
51239db54c1d8484a144475305549248e45752c8

SHA256
ff0e8e0b43d14e5957f6e3046ae95c5271991f4c0a0f91e23401362d01126f74

SHA512
d1d7fd9f75b57d4de8ec71dd420f85e73788072c2a4fc7cec7e2ec2785c24ae9e1a867a3352880a73c5a34961d521d02cd1fe58de7d13ba3f607ef4a624ffb9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
memory/392-151-0x0000000005710000-0x00000000057AC000-memory.dmp

Filesize
624KB

Download
memory/392-150-0x0000000000E10000-0x0000000000E76000-memory.dmp

Filesize
408KB

Download
memory/4088-141-0x0000000000400000-0x00000000009AD000-memory.dmp

Filesize
5.7MB

Download
memory/4088-148-0x0000000000400000-0x00000000009AD000-memory.dmp

Filesize
5.7MB

Download
memory/4088-145-0x0000000000400000-0x00000000009AD000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing