blustealer | 61660da7d55fa8074c7d4ed0a26f3ae021321dee8bf5d7651c394bccde2748c7

General

Target

Invoice and packing list.exe
Size

512KB
MD5

7c6e72138a75a71d10bcb10eab3e17fc
SHA1

2846f854795ead06fc2f551c101c6047e02c279a
SHA256

61660da7d55fa8074c7d4ed0a26f3ae021321dee8bf5d7651c394bccde2748c7
SHA512

b7d046ce70c4d4e8f044659162baf19656ca82c7585c8028322075912ea86b4e43043aead2d02c54d9d2a7c7004f10ea4e822851d297ac7ee0b741d6a8873820
SSDEEP

12288:qDqx3btvdiCWUJUKsqvIwuycqABZ7jGZZFR3+J+Ei:qWx3ldRWUawbABZOzFZw+Ei

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5982631795:AAFe1A7BEPv_6ExMz851LxdOAjr_9gqH8zY/sendMessage?chat_id=5968311109

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 2 IoCs

pid	Process
1160	fkjqvzwtc.exe
880	fkjqvzwtc.exe

Loads dropped DLL 2 IoCs

pid	Process
1576	Invoice and packing list.exe
1160	fkjqvzwtc.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1160 set thread context of 880	1160	fkjqvzwtc.exe	29
PID 880 set thread context of 856	880	fkjqvzwtc.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1160	fkjqvzwtc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
880	fkjqvzwtc.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 1160	1576	Invoice and packing list.exe	28
PID 1576 wrote to memory of 1160	1576	Invoice and packing list.exe	28
PID 1576 wrote to memory of 1160	1576	Invoice and packing list.exe	28
PID 1576 wrote to memory of 1160	1576	Invoice and packing list.exe	28
PID 1160 wrote to memory of 880	1160	fkjqvzwtc.exe	29
PID 1160 wrote to memory of 880	1160	fkjqvzwtc.exe	29
PID 1160 wrote to memory of 880	1160	fkjqvzwtc.exe	29
PID 1160 wrote to memory of 880	1160	fkjqvzwtc.exe	29
PID 1160 wrote to memory of 880	1160	fkjqvzwtc.exe	29
PID 880 wrote to memory of 856	880	fkjqvzwtc.exe	30
PID 880 wrote to memory of 856	880	fkjqvzwtc.exe	30
PID 880 wrote to memory of 856	880	fkjqvzwtc.exe	30
PID 880 wrote to memory of 856	880	fkjqvzwtc.exe	30
PID 880 wrote to memory of 856	880	fkjqvzwtc.exe	30
PID 880 wrote to memory of 856	880	fkjqvzwtc.exe	30
PID 880 wrote to memory of 856	880	fkjqvzwtc.exe	30
PID 880 wrote to memory of 856	880	fkjqvzwtc.exe	30
PID 880 wrote to memory of 856	880	fkjqvzwtc.exe	30

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Invoice and packing list.exe
"C:\Users\Admin\AppData\Local\Temp\Invoice and packing list.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Users\Admin\AppData\Local\Temp\fkjqvzwtc.exe
  "C:\Users\Admin\AppData\Local\Temp\fkjqvzwtc.exe" C:\Users\Admin\AppData\Local\Temp\aomwuxjay.t
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1160
- - C:\Users\Admin\AppData\Local\Temp\fkjqvzwtc.exe
    "C:\Users\Admin\AppData\Local\Temp\fkjqvzwtc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:880
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      4⤵
      Accesses Microsoft Outlook profiles
      outlook_office_path
      outlook_win_path
      PID:856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aomwuxjay.t

Filesize
5KB

MD5
22f4864b905e28e8e55f8b829216afe5

SHA1
9984a7ba317032c49d229ff39206ceec1e3bacc9

SHA256
58f1f591728775f3c167ed6955edd7074a679020db5331c9b609620597555bd0

SHA512
06bac7e75e6bde8368e133237eaa4ef3147c9c2b5dc1117ea95d7a1f073f39dfa0979810074d65f728e4d8b4b446d96f551b8f2929c817807a5304ec94e0d280

Download Submit
C:\Users\Admin\AppData\Local\Temp\fkjqvzwtc.exe

Filesize
101KB

MD5
04b559383d304def354e6092f35220ac

SHA1
0c89ecc9550e8b015c25a4201b1b86a9ed1d1e85

SHA256
7c34ef3edfec5377d08f899545100836b71c2d303dcfe0efcfbf4e328819f0cf

SHA512
48ab647bbc94e150f0922e14b20f4022c706a455944018b82c4bbe2f69d35360b9864a299123a7e4c55417176de46a1dcf6273faedbffc4345af68b3282f8ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\fkjqvzwtc.exe

Filesize
101KB

MD5
04b559383d304def354e6092f35220ac

SHA1
0c89ecc9550e8b015c25a4201b1b86a9ed1d1e85

SHA256
7c34ef3edfec5377d08f899545100836b71c2d303dcfe0efcfbf4e328819f0cf

SHA512
48ab647bbc94e150f0922e14b20f4022c706a455944018b82c4bbe2f69d35360b9864a299123a7e4c55417176de46a1dcf6273faedbffc4345af68b3282f8ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\fkjqvzwtc.exe

Filesize
101KB

MD5
04b559383d304def354e6092f35220ac

SHA1
0c89ecc9550e8b015c25a4201b1b86a9ed1d1e85

SHA256
7c34ef3edfec5377d08f899545100836b71c2d303dcfe0efcfbf4e328819f0cf

SHA512
48ab647bbc94e150f0922e14b20f4022c706a455944018b82c4bbe2f69d35360b9864a299123a7e4c55417176de46a1dcf6273faedbffc4345af68b3282f8ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsyjoilbdtf.wyt

Filesize
456KB

MD5
9b3501063583bed6e9b13955b10c9d60

SHA1
a4a0aefb36323199f47c729a0573d245d5e79633

SHA256
81b1884c6a9d199ce2e561c78327a98caa05b68b7c2de5e700502cf405600d11

SHA512
e15317a6c416f775b99bae42a38ebeb8907b4ef48700e0d700176ac55c2a130928ab135fd4fb545d462e1fc0662d0dbba1396cf57f0e921fd7ce703d82202950

Download Submit
\Users\Admin\AppData\Local\Temp\fkjqvzwtc.exe

Filesize
101KB

MD5
04b559383d304def354e6092f35220ac

SHA1
0c89ecc9550e8b015c25a4201b1b86a9ed1d1e85

SHA256
7c34ef3edfec5377d08f899545100836b71c2d303dcfe0efcfbf4e328819f0cf

SHA512
48ab647bbc94e150f0922e14b20f4022c706a455944018b82c4bbe2f69d35360b9864a299123a7e4c55417176de46a1dcf6273faedbffc4345af68b3282f8ca9

Download Submit
\Users\Admin\AppData\Local\Temp\fkjqvzwtc.exe

Filesize
101KB

MD5
04b559383d304def354e6092f35220ac

SHA1
0c89ecc9550e8b015c25a4201b1b86a9ed1d1e85

SHA256
7c34ef3edfec5377d08f899545100836b71c2d303dcfe0efcfbf4e328819f0cf

SHA512
48ab647bbc94e150f0922e14b20f4022c706a455944018b82c4bbe2f69d35360b9864a299123a7e4c55417176de46a1dcf6273faedbffc4345af68b3282f8ca9

Download Submit
memory/856-71-0x0000000000250000-0x00000000002B6000-memory.dmp

Filesize
408KB

Download
memory/856-69-0x0000000000250000-0x00000000002B6000-memory.dmp

Filesize
408KB

Download
memory/856-74-0x0000000000250000-0x00000000002B6000-memory.dmp

Filesize
408KB

Download
memory/856-76-0x0000000000250000-0x00000000002B6000-memory.dmp

Filesize
408KB

Download
memory/856-78-0x0000000000D30000-0x0000000000DEC000-memory.dmp

Filesize
752KB

Download
memory/880-68-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/880-79-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1576-54-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing