blustealer | 28e9d45ee2450876329e4aeb4004aa51b80ccc6cebc8a3cf8163c44e7efb386a

General

Target

410f7baad41c5c770e27ed8f786ef161a389509fe505b97a8c618ad73ab147ba.exe
Size

500KB
MD5

f01662cbdec43cea4bcea75645069dd2
SHA1

90999d548a998292b572ed0830809be1e53a6f25
SHA256

410f7baad41c5c770e27ed8f786ef161a389509fe505b97a8c618ad73ab147ba
SHA512

136c5f9ac49d81c286faa8fb008ddf985d9614909161521c75bd78b9ed93dd982ad7cb7e16f756c0d5cf2a0aceca2349b3ae8f4069e52b291941d024424c05ff
SSDEEP

12288:r0I5u1XkZGYzabbkgbOPixn3BJ7RFZw4XIHdFyJbXl5EnQG3:rP5u1XkUiCfgOnb7RE4AdFu4QO

Score

10^/10

blustealer collection stealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5450700540:AAEJyEEV8BKgYUKmnCPZxp19kD9GVSRup5M/sendMessage?chat_id=5422342474

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 2 IoCs

pid	Process
1312	dfcnynaz.exe
388	dfcnynaz.exe

Loads dropped DLL 2 IoCs

pid	Process
1436	410f7baad41c5c770e27ed8f786ef161a389509fe505b97a8c618ad73ab147ba.exe
1312	dfcnynaz.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1312 set thread context of 388	1312	dfcnynaz.exe	28
PID 388 set thread context of 660	388	dfcnynaz.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1312	dfcnynaz.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
388	dfcnynaz.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1436 wrote to memory of 1312	1436	410f7baad41c5c770e27ed8f786ef161a389509fe505b97a8c618ad73ab147ba.exe	27
PID 1436 wrote to memory of 1312	1436	410f7baad41c5c770e27ed8f786ef161a389509fe505b97a8c618ad73ab147ba.exe	27
PID 1436 wrote to memory of 1312	1436	410f7baad41c5c770e27ed8f786ef161a389509fe505b97a8c618ad73ab147ba.exe	27
PID 1436 wrote to memory of 1312	1436	410f7baad41c5c770e27ed8f786ef161a389509fe505b97a8c618ad73ab147ba.exe	27
PID 1312 wrote to memory of 388	1312	dfcnynaz.exe	28
PID 1312 wrote to memory of 388	1312	dfcnynaz.exe	28
PID 1312 wrote to memory of 388	1312	dfcnynaz.exe	28
PID 1312 wrote to memory of 388	1312	dfcnynaz.exe	28
PID 1312 wrote to memory of 388	1312	dfcnynaz.exe	28
PID 388 wrote to memory of 660	388	dfcnynaz.exe	29
PID 388 wrote to memory of 660	388	dfcnynaz.exe	29
PID 388 wrote to memory of 660	388	dfcnynaz.exe	29
PID 388 wrote to memory of 660	388	dfcnynaz.exe	29
PID 388 wrote to memory of 660	388	dfcnynaz.exe	29
PID 388 wrote to memory of 660	388	dfcnynaz.exe	29
PID 388 wrote to memory of 660	388	dfcnynaz.exe	29
PID 388 wrote to memory of 660	388	dfcnynaz.exe	29
PID 388 wrote to memory of 660	388	dfcnynaz.exe	29

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\410f7baad41c5c770e27ed8f786ef161a389509fe505b97a8c618ad73ab147ba.exe
"C:\Users\Admin\AppData\Local\Temp\410f7baad41c5c770e27ed8f786ef161a389509fe505b97a8c618ad73ab147ba.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Users\Admin\AppData\Local\Temp\dfcnynaz.exe
  "C:\Users\Admin\AppData\Local\Temp\dfcnynaz.exe" C:\Users\Admin\AppData\Local\Temp\sqmvvbgx.fvf
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Users\Admin\AppData\Local\Temp\dfcnynaz.exe
    "C:\Users\Admin\AppData\Local\Temp\dfcnynaz.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:388
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      4⤵
      Accesses Microsoft Outlook profiles
      outlook_office_path
      outlook_win_path
      PID:660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dfcnynaz.exe

Filesize
140KB

MD5
e4e4098ef1cb747baeb9794442225177

SHA1
7aaa12bd5167e08c1c3fa350b8e418efb231961c

SHA256
ee85282c43a4d2a3a6ed42ca82c137332a0b3fcc3c33590768857a1ee3ab53aa

SHA512
c27e48b0bff0b8b177d4ee52040458698dd84963a33430f8b77ea749c9099b8d771cac033720f7bd3543534140063f64392db7b0307e8a1810cb19ec86e72d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfcnynaz.exe

Filesize
140KB

MD5
e4e4098ef1cb747baeb9794442225177

SHA1
7aaa12bd5167e08c1c3fa350b8e418efb231961c

SHA256
ee85282c43a4d2a3a6ed42ca82c137332a0b3fcc3c33590768857a1ee3ab53aa

SHA512
c27e48b0bff0b8b177d4ee52040458698dd84963a33430f8b77ea749c9099b8d771cac033720f7bd3543534140063f64392db7b0307e8a1810cb19ec86e72d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfcnynaz.exe

Filesize
140KB

MD5
e4e4098ef1cb747baeb9794442225177

SHA1
7aaa12bd5167e08c1c3fa350b8e418efb231961c

SHA256
ee85282c43a4d2a3a6ed42ca82c137332a0b3fcc3c33590768857a1ee3ab53aa

SHA512
c27e48b0bff0b8b177d4ee52040458698dd84963a33430f8b77ea749c9099b8d771cac033720f7bd3543534140063f64392db7b0307e8a1810cb19ec86e72d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqmvvbgx.fvf

Filesize
5KB

MD5
8d47dafcdb4d03626dd4cb337764e3c9

SHA1
a6f45bca5897f809f184faa315e81ded1db6b171

SHA256
fa5198390b5d7c0e46e44dfb7d172218123e1c11b9d696cf6cf745636380d8d9

SHA512
2a2ccd9b4d8154db786065a2be984b8ec0e50c22b9cef1eb5c606e20da12727cdd81824f72d773ad322c98df1904f0db213f4d35368051ac1381e70bdcb0c7cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vmdrrsvg.noa

Filesize
440KB

MD5
a9ec842e0558bb89621a7c750ed6225f

SHA1
9689b641c5a71de6c6e88dc0a300349717ec02ff

SHA256
3830e00d61be253e05d3aa809ddf28ca1f860f458e828adc4b6f875b6a116c84

SHA512
c03379aa4b3551015c1fe4113ab8b996d089a7f6412193b69d06f849fa78944aaa9d16bc5d85828b6971d0bec3f703cdcd4abb4c2fa28d95332d0e75df50f806

Download Submit
\Users\Admin\AppData\Local\Temp\dfcnynaz.exe

Filesize
140KB

MD5
e4e4098ef1cb747baeb9794442225177

SHA1
7aaa12bd5167e08c1c3fa350b8e418efb231961c

SHA256
ee85282c43a4d2a3a6ed42ca82c137332a0b3fcc3c33590768857a1ee3ab53aa

SHA512
c27e48b0bff0b8b177d4ee52040458698dd84963a33430f8b77ea749c9099b8d771cac033720f7bd3543534140063f64392db7b0307e8a1810cb19ec86e72d57

Download Submit
\Users\Admin\AppData\Local\Temp\dfcnynaz.exe

Filesize
140KB

MD5
e4e4098ef1cb747baeb9794442225177

SHA1
7aaa12bd5167e08c1c3fa350b8e418efb231961c

SHA256
ee85282c43a4d2a3a6ed42ca82c137332a0b3fcc3c33590768857a1ee3ab53aa

SHA512
c27e48b0bff0b8b177d4ee52040458698dd84963a33430f8b77ea749c9099b8d771cac033720f7bd3543534140063f64392db7b0307e8a1810cb19ec86e72d57

Download Submit
memory/388-68-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/388-79-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/660-69-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/660-71-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/660-74-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/660-76-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/660-78-0x0000000000AD0000-0x0000000000B8C000-memory.dmp

Filesize
752KB

Download
memory/1436-54-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing