blustealer | 54ccc28b6adc020ce06f485e2e8d300b1871b52d55a280f2a06ec405dd9b5184

General

Target

Request for quotation.exe
Size

504KB
MD5

3db74116bfd3320ecf106e9143260cea
SHA1

fa3b311a33b9f903f570494561c5c5a679d14808
SHA256

54ccc28b6adc020ce06f485e2e8d300b1871b52d55a280f2a06ec405dd9b5184
SHA512

a9210243e6679cffaf296f6e11a49ee75d80fe1b5400a38a2a18e5b17fc5b13680c4b00b9942130d281353b9c7265b96c3d22216eb1c21635ca22357018dfa05
SSDEEP

12288:3+Mp3mHUy1aI4LIvYfk9bADwcYHcSTWy3mE7v:/EHahfwADXS6y17v

Score

10^/10

blustealer collection stealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 2 IoCs

pid	Process
1360	knzhddpp.exe
3036	knzhddpp.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1360 set thread context of 3036	1360	knzhddpp.exe	80
PID 3036 set thread context of 4196	3036	knzhddpp.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	29	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1360	knzhddpp.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3036	knzhddpp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 904 wrote to memory of 1360	904	Request for quotation.exe	79
PID 904 wrote to memory of 1360	904	Request for quotation.exe	79
PID 904 wrote to memory of 1360	904	Request for quotation.exe	79
PID 1360 wrote to memory of 3036	1360	knzhddpp.exe	80
PID 1360 wrote to memory of 3036	1360	knzhddpp.exe	80
PID 1360 wrote to memory of 3036	1360	knzhddpp.exe	80
PID 1360 wrote to memory of 3036	1360	knzhddpp.exe	80
PID 3036 wrote to memory of 4196	3036	knzhddpp.exe	86
PID 3036 wrote to memory of 4196	3036	knzhddpp.exe	86
PID 3036 wrote to memory of 4196	3036	knzhddpp.exe	86
PID 3036 wrote to memory of 4196	3036	knzhddpp.exe	86
PID 3036 wrote to memory of 4196	3036	knzhddpp.exe	86

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Request for quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Request for quotation.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:904
- C:\Users\Admin\AppData\Local\Temp\knzhddpp.exe
  "C:\Users\Admin\AppData\Local\Temp\knzhddpp.exe" C:\Users\Admin\AppData\Local\Temp\epodusdsv.w
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1360
- - C:\Users\Admin\AppData\Local\Temp\knzhddpp.exe
    "C:\Users\Admin\AppData\Local\Temp\knzhddpp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3036
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      4⤵
      Accesses Microsoft Outlook profiles
      outlook_office_path
      outlook_win_path
      PID:4196

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\epodusdsv.w

Filesize
5KB

MD5
63db17335228e9957674a96386aaf594

SHA1
d5b80eaea459296d826f51da66224a1a71245ebf

SHA256
5115219c17e22472e7beabcec42473f6664d298861392e8c9ade2bb4a5c993ad

SHA512
c143ad2aac1e87d4af16adeebeda6621c02993040dcb027720e34ec68c565c804278a8c88f94a800d7254f0566a072a8c4124c5b1555fa226a7ec9b46011c01b

Download Submit
C:\Users\Admin\AppData\Local\Temp\knzhddpp.exe

Filesize
140KB

MD5
f4e41bb1555cac3a0e50c767bb33e3f4

SHA1
d3fc5838cbfd19b0a87c4cf0d97e996f2f4bbb1f

SHA256
a775f89f0096915619274272f644de6589ce4078fa965c3ed5a6bef2ca7fca99

SHA512
0c4f28e1298307ab5c4b09445458760d95fc700c556e06eab9d3bab33036c93d57c46d97e66652f685ec6db198e7f7a87d3350632c34197644a990fe9838248f

Download Submit
C:\Users\Admin\AppData\Local\Temp\knzhddpp.exe

Filesize
140KB

MD5
f4e41bb1555cac3a0e50c767bb33e3f4

SHA1
d3fc5838cbfd19b0a87c4cf0d97e996f2f4bbb1f

SHA256
a775f89f0096915619274272f644de6589ce4078fa965c3ed5a6bef2ca7fca99

SHA512
0c4f28e1298307ab5c4b09445458760d95fc700c556e06eab9d3bab33036c93d57c46d97e66652f685ec6db198e7f7a87d3350632c34197644a990fe9838248f

Download Submit
C:\Users\Admin\AppData\Local\Temp\knzhddpp.exe

Filesize
140KB

MD5
f4e41bb1555cac3a0e50c767bb33e3f4

SHA1
d3fc5838cbfd19b0a87c4cf0d97e996f2f4bbb1f

SHA256
a775f89f0096915619274272f644de6589ce4078fa965c3ed5a6bef2ca7fca99

SHA512
0c4f28e1298307ab5c4b09445458760d95fc700c556e06eab9d3bab33036c93d57c46d97e66652f685ec6db198e7f7a87d3350632c34197644a990fe9838248f

Download Submit
C:\Users\Admin\AppData\Local\Temp\rsthnkx.mkj

Filesize
440KB

MD5
3c604d47b665956372a9c26cffb191a4

SHA1
c0df794dbc2598fbb3653a3d9a266a320f1eb47e

SHA256
074979ac8c77e9982622819203b25682a87df748323c5b9f50ce53fd59ba8ced

SHA512
40fa74db61abb51db868563f9aa316fd0d04c4c5f18d1cefd11b155d74f50070faff3328ba911d159fb4603be4abe46456e414729f63e7b20938bf9ba4ea7771

Download Submit
memory/3036-141-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4196-143-0x0000000001120000-0x0000000001186000-memory.dmp

Filesize
408KB

Download
memory/4196-144-0x0000000005870000-0x000000000590C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing