blustealer | 0204039959ecb84f761dfee54a234bd5a899daefd2769b0093e01517affe2c23

General

Target

369f328fcd9ea57d880cbf4d770290b2134fe68a7091fdc27d5da7ec313198e6.exe
Size

602KB
MD5

f6462aa84dcd781e3ef0398d565d6f7b
SHA1

6b455aa36033be84072c6a353d39ee1fae4e6d41
SHA256

369f328fcd9ea57d880cbf4d770290b2134fe68a7091fdc27d5da7ec313198e6
SHA512

29420eeb155d40a0d86a1f5d2bd27bb708dd0f55d6c64cd79d0f6812744c8ab2b7d9493f32884cbe5a5fa960a90479a7c530dbbc01029e7af458ce3977bc0180
SSDEEP

12288:XfpX2ycT2qM5DF6OLMwSwC8TL5JPGgkd6RZ3HlhV1ygZ5F5RTz6o:sPM5EcM/kLb1O6R9lv4y58o

Score

10^/10

blustealer collection stealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5450700540:AAEJyEEV8BKgYUKmnCPZxp19kD9GVSRup5M/sendMessage?chat_id=5422342474

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 3 IoCs

pid	Process
4316	ddodzyr.exe
1268	ddodzyr.exe
2356	ddodzyr.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4316 set thread context of 2356	4316	ddodzyr.exe	84
PID 2356 set thread context of 2072	2356	ddodzyr.exe	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4316	ddodzyr.exe
4316	ddodzyr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2356	ddodzyr.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 4316	2276	369f328fcd9ea57d880cbf4d770290b2134fe68a7091fdc27d5da7ec313198e6.exe	82
PID 2276 wrote to memory of 4316	2276	369f328fcd9ea57d880cbf4d770290b2134fe68a7091fdc27d5da7ec313198e6.exe	82
PID 2276 wrote to memory of 4316	2276	369f328fcd9ea57d880cbf4d770290b2134fe68a7091fdc27d5da7ec313198e6.exe	82
PID 4316 wrote to memory of 1268	4316	ddodzyr.exe	83
PID 4316 wrote to memory of 1268	4316	ddodzyr.exe	83
PID 4316 wrote to memory of 1268	4316	ddodzyr.exe	83
PID 4316 wrote to memory of 2356	4316	ddodzyr.exe	84
PID 4316 wrote to memory of 2356	4316	ddodzyr.exe	84
PID 4316 wrote to memory of 2356	4316	ddodzyr.exe	84
PID 4316 wrote to memory of 2356	4316	ddodzyr.exe	84
PID 2356 wrote to memory of 2072	2356	ddodzyr.exe	85
PID 2356 wrote to memory of 2072	2356	ddodzyr.exe	85
PID 2356 wrote to memory of 2072	2356	ddodzyr.exe	85
PID 2356 wrote to memory of 2072	2356	ddodzyr.exe	85
PID 2356 wrote to memory of 2072	2356	ddodzyr.exe	85

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\369f328fcd9ea57d880cbf4d770290b2134fe68a7091fdc27d5da7ec313198e6.exe
"C:\Users\Admin\AppData\Local\Temp\369f328fcd9ea57d880cbf4d770290b2134fe68a7091fdc27d5da7ec313198e6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Users\Admin\AppData\Local\Temp\ddodzyr.exe
  "C:\Users\Admin\AppData\Local\Temp\ddodzyr.exe" C:\Users\Admin\AppData\Local\Temp\rlqcdznzw.mgb
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4316
- - C:\Users\Admin\AppData\Local\Temp\ddodzyr.exe
    "C:\Users\Admin\AppData\Local\Temp\ddodzyr.exe"
    3⤵
    - Executes dropped EXE
    PID:1268
- - C:\Users\Admin\AppData\Local\Temp\ddodzyr.exe
    "C:\Users\Admin\AppData\Local\Temp\ddodzyr.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      4⤵
      Accesses Microsoft Outlook profiles
      outlook_office_path
      outlook_win_path
      PID:2072

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bjoqg.o

Filesize
440KB

MD5
16409cdbea87104a3d86627f79415b85

SHA1
b998ce71b0c692e7510e830c599c15220fd8d887

SHA256
92d0994004ead032d9452921e384e60bbd7ac760080735fab5e1bfa9263029ec

SHA512
9f4ff6b3d589165be2b96408e2d68b3f1aa03fcafbb7205b9ca25818db31e533d78c6f2bdb75ee26246e2ed42a816cae2063db46039982564d983186de7c42c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddodzyr.exe

Filesize
301KB

MD5
40dbd118d6e4cf278a5dc43da80d4c15

SHA1
94090deb3113f79fcda0595b1eadea9626b89997

SHA256
e059008867b855322e0b0d7abc72dc2c491004d3abb7c21c86fc5ef94d3262a0

SHA512
2b3e232392fab18d24ac5e1a4e2affaee410abd4d39da258790b82d43e60b01142dd82e931d517912440768a3f6840048e80d77d7bc3a936f00eb3bc4218114e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddodzyr.exe

Filesize
301KB

MD5
40dbd118d6e4cf278a5dc43da80d4c15

SHA1
94090deb3113f79fcda0595b1eadea9626b89997

SHA256
e059008867b855322e0b0d7abc72dc2c491004d3abb7c21c86fc5ef94d3262a0

SHA512
2b3e232392fab18d24ac5e1a4e2affaee410abd4d39da258790b82d43e60b01142dd82e931d517912440768a3f6840048e80d77d7bc3a936f00eb3bc4218114e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddodzyr.exe

Filesize
301KB

MD5
40dbd118d6e4cf278a5dc43da80d4c15

SHA1
94090deb3113f79fcda0595b1eadea9626b89997

SHA256
e059008867b855322e0b0d7abc72dc2c491004d3abb7c21c86fc5ef94d3262a0

SHA512
2b3e232392fab18d24ac5e1a4e2affaee410abd4d39da258790b82d43e60b01142dd82e931d517912440768a3f6840048e80d77d7bc3a936f00eb3bc4218114e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddodzyr.exe

Filesize
301KB

MD5
40dbd118d6e4cf278a5dc43da80d4c15

SHA1
94090deb3113f79fcda0595b1eadea9626b89997

SHA256
e059008867b855322e0b0d7abc72dc2c491004d3abb7c21c86fc5ef94d3262a0

SHA512
2b3e232392fab18d24ac5e1a4e2affaee410abd4d39da258790b82d43e60b01142dd82e931d517912440768a3f6840048e80d77d7bc3a936f00eb3bc4218114e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rlqcdznzw.mgb

Filesize
5KB

MD5
3c7c968d021bc8382be39f8904214601

SHA1
622969de48f54dcd71bc859c3174c1e5bfbd8d61

SHA256
5f44022d88a213f3d3b863a0fc8761e5e135b50b0727a5b1782c5909f3426386

SHA512
5357e4ad479f4402b8e4505863308c4574e5aab026a9d22933bb15319f203a2daa1a780da7e0e474c53e4a44fdd7a161b0db82d79189b512a258fbc5f6f6cdc1

Download Submit
memory/2072-145-0x0000000000910000-0x0000000000976000-memory.dmp

Filesize
408KB

Download
memory/2072-146-0x0000000005140000-0x00000000051DC000-memory.dmp

Filesize
624KB

Download
memory/2356-143-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2356-147-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing