blustealer | 5460a91a459c049de389e20ce484875a26ce10a391701d2545f9fbed739bf3e5

General

Target

price quote.exe
Size

574KB
MD5

985c89ebdec3c29ea7d3c37bc98984cf
SHA1

5bd5fcc00bce44d3276625f0683aafdfdf2c6a3a
SHA256

5460a91a459c049de389e20ce484875a26ce10a391701d2545f9fbed739bf3e5
SHA512

fcc617119e84a2616829b399daf2158dc0d9d07a60c741b27346296873b93f7edb717a6ec66bd44d919279bc396dfc645d8433c2fa6d2d4e0a920c0e2059f1cb
SSDEEP

12288:orp5mVfyKi7SymriIp6i2OFOeCNYj93778lZ/CKtxH3pOxbS:jVf5oSymriIpH2o5L7cZ6K7H3qS

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5806519032:AAFXvpc6Ywo24erqs91HjOs76SIn9mEqx8I/sendMessage?chat_id=5798400850

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 2 IoCs

pid	Process
4936	acksbden.exe
5004	acksbden.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4936 set thread context of 5004	4936	acksbden.exe	80
PID 5004 set thread context of 3504	5004	acksbden.exe	81

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	44	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4936	acksbden.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5004	acksbden.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3912 wrote to memory of 4936	3912	price quote.exe	79
PID 3912 wrote to memory of 4936	3912	price quote.exe	79
PID 3912 wrote to memory of 4936	3912	price quote.exe	79
PID 4936 wrote to memory of 5004	4936	acksbden.exe	80
PID 4936 wrote to memory of 5004	4936	acksbden.exe	80
PID 4936 wrote to memory of 5004	4936	acksbden.exe	80
PID 4936 wrote to memory of 5004	4936	acksbden.exe	80
PID 5004 wrote to memory of 3504	5004	acksbden.exe	81
PID 5004 wrote to memory of 3504	5004	acksbden.exe	81
PID 5004 wrote to memory of 3504	5004	acksbden.exe	81
PID 5004 wrote to memory of 3504	5004	acksbden.exe	81
PID 5004 wrote to memory of 3504	5004	acksbden.exe	81

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\price quote.exe
"C:\Users\Admin\AppData\Local\Temp\price quote.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3912
- C:\Users\Admin\AppData\Local\Temp\acksbden.exe
  "C:\Users\Admin\AppData\Local\Temp\acksbden.exe" C:\Users\Admin\AppData\Local\Temp\rzexvqaxlkk.l
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Users\Admin\AppData\Local\Temp\acksbden.exe
    "C:\Users\Admin\AppData\Local\Temp\acksbden.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5004
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      4⤵
      Accesses Microsoft Outlook profiles
      outlook_office_path
      outlook_win_path
      PID:3504

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\acksbden.exe

Filesize
277KB

MD5
2e77164240e4e8a7eda940732e4fadc7

SHA1
a277ebd8c377f4700600d88f9c6f88e279943a48

SHA256
db574e25485aee48748cb789facedd0cb3080a7d5f376fccb60395238a5b9991

SHA512
2e6dde8a64fbe10a340f10b8dbc57285cd6011e630a4e5e835cec8b130bf3c80c6ce6a03d54bfd2d5cf8071e01987f5115ff7d97d0c9e0f432ca8246be51dca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\acksbden.exe

Filesize
277KB

MD5
2e77164240e4e8a7eda940732e4fadc7

SHA1
a277ebd8c377f4700600d88f9c6f88e279943a48

SHA256
db574e25485aee48748cb789facedd0cb3080a7d5f376fccb60395238a5b9991

SHA512
2e6dde8a64fbe10a340f10b8dbc57285cd6011e630a4e5e835cec8b130bf3c80c6ce6a03d54bfd2d5cf8071e01987f5115ff7d97d0c9e0f432ca8246be51dca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\acksbden.exe

Filesize
277KB

MD5
2e77164240e4e8a7eda940732e4fadc7

SHA1
a277ebd8c377f4700600d88f9c6f88e279943a48

SHA256
db574e25485aee48748cb789facedd0cb3080a7d5f376fccb60395238a5b9991

SHA512
2e6dde8a64fbe10a340f10b8dbc57285cd6011e630a4e5e835cec8b130bf3c80c6ce6a03d54bfd2d5cf8071e01987f5115ff7d97d0c9e0f432ca8246be51dca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\rzexvqaxlkk.l

Filesize
5KB

MD5
a0cb93c5f07c907fad45b12e0cb465a7

SHA1
190d6b0d00a5d782252fac5148ff0d60ea5407ea

SHA256
9448c35ab44d0aadc349446e494b03e9640b56161e5d44574613d2cb8536c4d3

SHA512
0cf46b9bb6e1febc3b172f4c8293b8da92a24dd97fe9275de8192f178d2726dcc12a844b95cb3977889c190ecc22a33b2ae71c6fc789dd388f6e67ea0385c5b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcjygzi.auo

Filesize
456KB

MD5
f2b03e28713ce90f459111f736dd0886

SHA1
300ff5137a1453fbe799ac5ed80680de3f589bf1

SHA256
f06e1b71b2469c69d65db560370de82a7dcd002d24b717d868548f612e3cf6bb

SHA512
4c695dbd068746f905cbbc49fe2b850209d9402c9e8b57f40cad103c71b8fed267f6fb774835f5c69e9e54458ed0792044e46628cdb044fcdc80e9c183001139

Download Submit
memory/3504-143-0x0000000000900000-0x0000000000966000-memory.dmp

Filesize
408KB

Download
memory/3504-144-0x0000000005090000-0x000000000512C000-memory.dmp

Filesize
624KB

Download
memory/5004-141-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5004-145-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download

Analysis

Sharing