blustealer | 2a63a204abf0c8437b694e8b31e048a1c25bdebfae0cfda7e6e2bf469f74be1c

General

Target

Request for quotation.exe
Size

561KB
MD5

99bbaa54e597de53a3db66bb29fdbbc9
SHA1

ba9bf171acc6c2d7e897dc0a14515ff8e410d14a
SHA256

2a63a204abf0c8437b694e8b31e048a1c25bdebfae0cfda7e6e2bf469f74be1c
SHA512

7fd6b89ecda676aa7f664d6ec0ebb447ab5de5d95f30de247216355a37d16f6d8c1d68077876690da3df2fd9ea5803f5e6e64715da211e5f7d7a0bae3bfaaee2
SSDEEP

12288:2i3ArxsUjZytOBwImCTSuXz5S/FoDrXcGVf8kC9+Q1:2wArxsUZcORVpX9SMXPVf83

Score

10^/10

blustealer collection stealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 2 IoCs

pid	Process
4560	zkijohgosn.exe
4968	zkijohgosn.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4560 set thread context of 4968	4560	zkijohgosn.exe	82
PID 4968 set thread context of 4860	4968	zkijohgosn.exe	83

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4560	zkijohgosn.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4968	zkijohgosn.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3892 wrote to memory of 4560	3892	Request for quotation.exe	81
PID 3892 wrote to memory of 4560	3892	Request for quotation.exe	81
PID 3892 wrote to memory of 4560	3892	Request for quotation.exe	81
PID 4560 wrote to memory of 4968	4560	zkijohgosn.exe	82
PID 4560 wrote to memory of 4968	4560	zkijohgosn.exe	82
PID 4560 wrote to memory of 4968	4560	zkijohgosn.exe	82
PID 4560 wrote to memory of 4968	4560	zkijohgosn.exe	82
PID 4968 wrote to memory of 4860	4968	zkijohgosn.exe	83
PID 4968 wrote to memory of 4860	4968	zkijohgosn.exe	83
PID 4968 wrote to memory of 4860	4968	zkijohgosn.exe	83
PID 4968 wrote to memory of 4860	4968	zkijohgosn.exe	83
PID 4968 wrote to memory of 4860	4968	zkijohgosn.exe	83

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Request for quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Request for quotation.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3892
- C:\Users\Admin\AppData\Local\Temp\zkijohgosn.exe
  "C:\Users\Admin\AppData\Local\Temp\zkijohgosn.exe" C:\Users\Admin\AppData\Local\Temp\jrevgxst.ioj
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Users\Admin\AppData\Local\Temp\zkijohgosn.exe
    "C:\Users\Admin\AppData\Local\Temp\zkijohgosn.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4968
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      4⤵
      Accesses Microsoft Outlook profiles
      outlook_office_path
      outlook_win_path
      PID:4860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cpnqhbhmy.a

Filesize
440KB

MD5
80d01a7c918b10d10ae268e29c45588e

SHA1
5272b365e8593946a5b5d81cd61361198821aaef

SHA256
2b6ebef92ad1872663f4096146d4bd03ebc048fa2d354173810247dfd1148f9a

SHA512
67ea7893826261a14a248c1fbf6b89d6bfb570aed058f0958b2adda9ce09da97efd7a35ac757072817a33f837e7f2dff154c9d02000db2ad221eef00db44587b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jrevgxst.ioj

Filesize
5KB

MD5
5b83826c5ebd10f449c49916b527d74c

SHA1
671086f501b5b2d6daafc88e5d3c54aea875ba1a

SHA256
a4d7b8b6278c40d53f6b0fae44512e84447eb4cb918d719c26084bc53c5e1471

SHA512
f0fd17435f853dbc4cb2d1eccc98038ab9c4725eaf138d5e2a6f3c75a1870fa5d0af38c6dd28444cc59229930f0aaed308bde33e1670c9e7c48a88371ae8735f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zkijohgosn.exe

Filesize
277KB

MD5
dda34f4113e26505c51dd8ba718c92c9

SHA1
3cd29431be36fab6f96d4c264b15134840d2e7ef

SHA256
fe21e115f63870ab636b98e30b7149bb7c1af3cb34fc20090d4fdd86c4d748e5

SHA512
f20ade7e45ac833b7ace3208f6c0bf145d6fafd8a488c62760655bda2fc7ebe1007db02f01a66ad2295004274a4847643bec6cb7f8462df6b3604c1d095c69aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\zkijohgosn.exe

Filesize
277KB

MD5
dda34f4113e26505c51dd8ba718c92c9

SHA1
3cd29431be36fab6f96d4c264b15134840d2e7ef

SHA256
fe21e115f63870ab636b98e30b7149bb7c1af3cb34fc20090d4fdd86c4d748e5

SHA512
f20ade7e45ac833b7ace3208f6c0bf145d6fafd8a488c62760655bda2fc7ebe1007db02f01a66ad2295004274a4847643bec6cb7f8462df6b3604c1d095c69aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\zkijohgosn.exe

Filesize
277KB

MD5
dda34f4113e26505c51dd8ba718c92c9

SHA1
3cd29431be36fab6f96d4c264b15134840d2e7ef

SHA256
fe21e115f63870ab636b98e30b7149bb7c1af3cb34fc20090d4fdd86c4d748e5

SHA512
f20ade7e45ac833b7ace3208f6c0bf145d6fafd8a488c62760655bda2fc7ebe1007db02f01a66ad2295004274a4847643bec6cb7f8462df6b3604c1d095c69aa

Download Submit
memory/4860-143-0x0000000000500000-0x0000000000566000-memory.dmp

Filesize
408KB

Download
memory/4860-144-0x0000000004CD0000-0x0000000004D6C000-memory.dmp

Filesize
624KB

Download
memory/4968-141-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4968-145-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing