blustealer | d794c27fbcf5de096750f2be32587d19cab1364b6fdd86318685574dedeb5af4

General

Target

New Enquiry.exe
Size

1.2MB
MD5

db8113681e395345f71223c1d18e40c4
SHA1

617ab388348ce4fa1bd203caa5558e570467db11
SHA256

d794c27fbcf5de096750f2be32587d19cab1364b6fdd86318685574dedeb5af4
SHA512

70302b571a40585a2776b8686fc9ac507456a317d1ab22dd6c43eba028d15ce2bef9bde0bf694d007869cb474c78b2706fc203f3608816819e9034ef76465b92
SSDEEP

24576:JxqZRqOIRqOMub30RfQVipC2mdQSDGSDFBi/txagaLNAJ4iTiwAAgEEY4:J3z0aiplJSDji1xawiiTQp

Score

10^/10

blustealer collection stealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1168 set thread context of 596	1168	New Enquiry.exe	27
PID 596 set thread context of 1292	596	New Enquiry.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
596	New Enquiry.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 596	1168	New Enquiry.exe	27
PID 1168 wrote to memory of 596	1168	New Enquiry.exe	27
PID 1168 wrote to memory of 596	1168	New Enquiry.exe	27
PID 1168 wrote to memory of 596	1168	New Enquiry.exe	27
PID 1168 wrote to memory of 596	1168	New Enquiry.exe	27
PID 1168 wrote to memory of 596	1168	New Enquiry.exe	27
PID 1168 wrote to memory of 596	1168	New Enquiry.exe	27
PID 1168 wrote to memory of 596	1168	New Enquiry.exe	27
PID 1168 wrote to memory of 596	1168	New Enquiry.exe	27
PID 596 wrote to memory of 1292	596	New Enquiry.exe	28
PID 596 wrote to memory of 1292	596	New Enquiry.exe	28
PID 596 wrote to memory of 1292	596	New Enquiry.exe	28
PID 596 wrote to memory of 1292	596	New Enquiry.exe	28
PID 596 wrote to memory of 1292	596	New Enquiry.exe	28
PID 596 wrote to memory of 1292	596	New Enquiry.exe	28
PID 596 wrote to memory of 1292	596	New Enquiry.exe	28
PID 596 wrote to memory of 1292	596	New Enquiry.exe	28
PID 596 wrote to memory of 1292	596	New Enquiry.exe	28

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\New Enquiry.exe
"C:\Users\Admin\AppData\Local\Temp\New Enquiry.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Users\Admin\AppData\Local\Temp\New Enquiry.exe
  "C:\Users\Admin\AppData\Local\Temp\New Enquiry.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:596
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:1292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/596-61-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/596-82-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/596-68-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/596-65-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/596-63-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/596-60-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1168-58-0x0000000008040000-0x000000000810C000-memory.dmp

Filesize
816KB

Download
memory/1168-59-0x0000000008110000-0x00000000081A6000-memory.dmp

Filesize
600KB

Download
memory/1168-54-0x0000000000DF0000-0x0000000000F32000-memory.dmp

Filesize
1.3MB

Download
memory/1168-57-0x00000000003E0000-0x00000000003EE000-memory.dmp

Filesize
56KB

Download
memory/1168-56-0x00000000002C0000-0x00000000002D6000-memory.dmp

Filesize
88KB

Download
memory/1168-55-0x00000000760E1000-0x00000000760E3000-memory.dmp

Filesize
8KB

Download
memory/1292-72-0x0000000000290000-0x00000000002F6000-memory.dmp

Filesize
408KB

Download
memory/1292-74-0x0000000000290000-0x00000000002F6000-memory.dmp

Filesize
408KB

Download
memory/1292-77-0x0000000000290000-0x00000000002F6000-memory.dmp

Filesize
408KB

Download
memory/1292-79-0x0000000000290000-0x00000000002F6000-memory.dmp

Filesize
408KB

Download
memory/1292-81-0x0000000004880000-0x000000000493C000-memory.dmp

Filesize
752KB

Download

Analysis

Sharing