blustealer | 5820d2d9198e0f6ac65879bf61d8e3d3018ddfef8c6d8ae62ac32b4b8e3201c8

General

Target

Request for quotation.exe
Size

561KB
MD5

e3572363055d9070ca4fd376822e6c7d
SHA1

9ea70096aa52e63a4c9a8cbf9ac762cd5bab4e3c
SHA256

5820d2d9198e0f6ac65879bf61d8e3d3018ddfef8c6d8ae62ac32b4b8e3201c8
SHA512

2129d7c8ea635f06e1ef420c07a6875d081ebbd9cc41fe025ebb041ee5f3608fb54fe4b8ea7cc841f6afc3c41512f6cc55bbb1504350e4d96df11ad01889c1a8
SSDEEP

12288:QWk9HkeZxrHKJOG23BSDLjy9wtLFaWuehkvTh0l5:BGkKxzKJOd3BSHjXFv010P

Score

10^/10

blustealer collection stealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 2 IoCs

pid	Process
1684	fqdyg.exe
388	fqdyg.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1684 set thread context of 388	1684	fqdyg.exe	83
PID 388 set thread context of 4408	388	fqdyg.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	16	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1684	fqdyg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
388	fqdyg.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3640 wrote to memory of 1684	3640	Request for quotation.exe	82
PID 3640 wrote to memory of 1684	3640	Request for quotation.exe	82
PID 3640 wrote to memory of 1684	3640	Request for quotation.exe	82
PID 1684 wrote to memory of 388	1684	fqdyg.exe	83
PID 1684 wrote to memory of 388	1684	fqdyg.exe	83
PID 1684 wrote to memory of 388	1684	fqdyg.exe	83
PID 1684 wrote to memory of 388	1684	fqdyg.exe	83
PID 388 wrote to memory of 4408	388	fqdyg.exe	86
PID 388 wrote to memory of 4408	388	fqdyg.exe	86
PID 388 wrote to memory of 4408	388	fqdyg.exe	86
PID 388 wrote to memory of 4408	388	fqdyg.exe	86
PID 388 wrote to memory of 4408	388	fqdyg.exe	86

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Request for quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Request for quotation.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3640
- C:\Users\Admin\AppData\Local\Temp\fqdyg.exe
  "C:\Users\Admin\AppData\Local\Temp\fqdyg.exe" C:\Users\Admin\AppData\Local\Temp\crhikvp.g
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Users\Admin\AppData\Local\Temp\fqdyg.exe
    "C:\Users\Admin\AppData\Local\Temp\fqdyg.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:388
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      4⤵
      Accesses Microsoft Outlook profiles
      outlook_office_path
      outlook_win_path
      PID:4408

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\crhikvp.g

Filesize
5KB

MD5
95d4a83ee6fdc841e52ca7cc7282b346

SHA1
ee78821f676035ae07a6d42505e2215fa9ad48e3

SHA256
57af54fdd277f0895b194290e360e3ddf5dfd868737715e2ead51776d1a7c72e

SHA512
1a0532bd80503110c3dfe2bf8ada9a2b58f9b657e9358dada6026743c76fa668426c82cee5c4a49262ec0646cc3da5235aee52056820ed5a23b078497355c982

Download Submit
C:\Users\Admin\AppData\Local\Temp\fqdyg.exe

Filesize
276KB

MD5
2db6841da65384789a619009aa217a2e

SHA1
14376e587cb259ada5e6a631890d959d82679546

SHA256
ef06d0fc4dbe45f70381e4068d6cf12323af71fccf9b15eec3910af3bfe2a11e

SHA512
96c858b3424ba806fe8e78f6e5f815123a3e320cd630572a79c6a3f117a509f7c6141e08f6800408b0198ca0b5de277937e51d7b8102fc54f3547e54a989c7d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\fqdyg.exe

Filesize
276KB

MD5
2db6841da65384789a619009aa217a2e

SHA1
14376e587cb259ada5e6a631890d959d82679546

SHA256
ef06d0fc4dbe45f70381e4068d6cf12323af71fccf9b15eec3910af3bfe2a11e

SHA512
96c858b3424ba806fe8e78f6e5f815123a3e320cd630572a79c6a3f117a509f7c6141e08f6800408b0198ca0b5de277937e51d7b8102fc54f3547e54a989c7d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\fqdyg.exe

Filesize
276KB

MD5
2db6841da65384789a619009aa217a2e

SHA1
14376e587cb259ada5e6a631890d959d82679546

SHA256
ef06d0fc4dbe45f70381e4068d6cf12323af71fccf9b15eec3910af3bfe2a11e

SHA512
96c858b3424ba806fe8e78f6e5f815123a3e320cd630572a79c6a3f117a509f7c6141e08f6800408b0198ca0b5de277937e51d7b8102fc54f3547e54a989c7d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\srcwndbrfh.szp

Filesize
440KB

MD5
0afddcba0c5fca89ce610775331426bb

SHA1
c74680857ec6ab3695fbefbe3efb899f0af91781

SHA256
2d71a51146bd9aae481aa0108c44b1337380bacab0f4d38a8efd4ba6e71bfe29

SHA512
1b6a1732b1f045598553c6eff50f849955bb9e0302d7f81e311196862ff74081396866d0378c8febd95640d041827569c9214f0d8fc88764542920090a182bf9

Download Submit
memory/388-141-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/388-145-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4408-143-0x00000000004B0000-0x0000000000516000-memory.dmp

Filesize
408KB

Download
memory/4408-144-0x0000000004E80000-0x0000000004F1C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing