blustealer | 705a5f8f4299ced58dcbd2498becd1d5c53a9fa4ee6b84a457eef9f4113f5463

General

Target

RFQ# 437179.exe
Size

562KB
MD5

dded803ba4269da1756fc43235dfbcf0
SHA1

b33cbfc5cce9a52c20cb92521c13b0b2140d6ad8
SHA256

705a5f8f4299ced58dcbd2498becd1d5c53a9fa4ee6b84a457eef9f4113f5463
SHA512

37792b21f4d112286e38f7b17699d28f815c8c60c7b3ed2c3b366f2d6cfa8736d751be1a26ea8f367fc393b5ecf4f6653914b28c270017f322854aa21e2dd667
SSDEEP

12288:guarcBuv8Q7MHctIHPwvnZMoy12nyDNzazm5WANPRvYZJzmZLjm7cY:gfg9EMHhHQFyDR0EWCPVYZJzUPxY

Score

10^/10

blustealer collection stealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 2 IoCs

pid	Process
4816	fnpqojeedf.exe
3884	fnpqojeedf.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4816 set thread context of 3884	4816	fnpqojeedf.exe	82
PID 3884 set thread context of 1140	3884	fnpqojeedf.exe	83

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	14	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4816	fnpqojeedf.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3884	fnpqojeedf.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 4816	1848	RFQ# 437179.exe	80
PID 1848 wrote to memory of 4816	1848	RFQ# 437179.exe	80
PID 1848 wrote to memory of 4816	1848	RFQ# 437179.exe	80
PID 4816 wrote to memory of 3884	4816	fnpqojeedf.exe	82
PID 4816 wrote to memory of 3884	4816	fnpqojeedf.exe	82
PID 4816 wrote to memory of 3884	4816	fnpqojeedf.exe	82
PID 4816 wrote to memory of 3884	4816	fnpqojeedf.exe	82
PID 3884 wrote to memory of 1140	3884	fnpqojeedf.exe	83
PID 3884 wrote to memory of 1140	3884	fnpqojeedf.exe	83
PID 3884 wrote to memory of 1140	3884	fnpqojeedf.exe	83
PID 3884 wrote to memory of 1140	3884	fnpqojeedf.exe	83
PID 3884 wrote to memory of 1140	3884	fnpqojeedf.exe	83

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\RFQ# 437179.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ# 437179.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Users\Admin\AppData\Local\Temp\fnpqojeedf.exe
  "C:\Users\Admin\AppData\Local\Temp\fnpqojeedf.exe" C:\Users\Admin\AppData\Local\Temp\tltkja.o
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Users\Admin\AppData\Local\Temp\fnpqojeedf.exe
    "C:\Users\Admin\AppData\Local\Temp\fnpqojeedf.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3884
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      4⤵
      Accesses Microsoft Outlook profiles
      outlook_office_path
      outlook_win_path
      PID:1140

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fnpqojeedf.exe

Filesize
267KB

MD5
d3358b13e7fb7c125f3940df2d445ef5

SHA1
d63264abfcc366467aee71c6771e6bd0e79258bb

SHA256
411b14ca48d7bc96e76ad74b25aef8d35ce69cab385ee9d49cde0f9333ee9f2e

SHA512
c5ecac1e91518fd2d3d088899289ea7832ba5484f8372f02e41c059124ea6f9207d11fd522e303b00ea2a78c3529c90696f7dbd4f37ed42cbdd79c9070cea742

Download Submit
C:\Users\Admin\AppData\Local\Temp\fnpqojeedf.exe

Filesize
267KB

MD5
d3358b13e7fb7c125f3940df2d445ef5

SHA1
d63264abfcc366467aee71c6771e6bd0e79258bb

SHA256
411b14ca48d7bc96e76ad74b25aef8d35ce69cab385ee9d49cde0f9333ee9f2e

SHA512
c5ecac1e91518fd2d3d088899289ea7832ba5484f8372f02e41c059124ea6f9207d11fd522e303b00ea2a78c3529c90696f7dbd4f37ed42cbdd79c9070cea742

Download Submit
C:\Users\Admin\AppData\Local\Temp\fnpqojeedf.exe

Filesize
267KB

MD5
d3358b13e7fb7c125f3940df2d445ef5

SHA1
d63264abfcc366467aee71c6771e6bd0e79258bb

SHA256
411b14ca48d7bc96e76ad74b25aef8d35ce69cab385ee9d49cde0f9333ee9f2e

SHA512
c5ecac1e91518fd2d3d088899289ea7832ba5484f8372f02e41c059124ea6f9207d11fd522e303b00ea2a78c3529c90696f7dbd4f37ed42cbdd79c9070cea742

Download Submit
C:\Users\Admin\AppData\Local\Temp\hyoyc.ocz

Filesize
440KB

MD5
ff1de85f4db373268a5cb25f636519a7

SHA1
00d253041f045e76d2d59b32818c0f3b240f56e4

SHA256
da1b8039807e1766de8c4c4de00f6d44a1058e768654eef3a37cc44fa1b357bc

SHA512
731f0506148d4108727da059f35ecc85920fdbdf0a961e61f7545b5701507cb816aa83733b28a802ebb81fcff9473e5405247f912572074ec6e466d6f86ee162

Download Submit
C:\Users\Admin\AppData\Local\Temp\tltkja.o

Filesize
5KB

MD5
45b85d88d4e24f0b8a9438b119dc0362

SHA1
a5a47e35ef9f3ad813ad0b079af14285b29b787a

SHA256
0c870ba371b3c285211631c2868db4fe06759b091de2dae16b698e95b91e2856

SHA512
2da30edbfa26ad2c18e54eacbb51a4128ea9c2dbfda34bd905218da8de570ef7c53cff3947c573965b85f04e9a3eb6522bcea623a799f03a28d70b1f13bf7cb1

Download Submit
memory/1140-143-0x0000000001300000-0x0000000001366000-memory.dmp

Filesize
408KB

Download
memory/1140-144-0x0000000005AA0000-0x0000000005B3C000-memory.dmp

Filesize
624KB

Download
memory/3884-141-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing