blustealer | 35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0

Analysis

max time kernel
91s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01-02-2023 10:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe
Size

727KB
MD5

6f8bb2ff11646a8e47c1b2a27d475010
SHA1

a300b7be64343ce6ab88edb0c71f3052663674d4
SHA256

35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0
SHA512

97eb09ab5e244d1e367104efd1a17267390589121a58a1840e282f7ef15ceea933432168dae8caf31d6ca35af3fa9341c9f604b9e944aea86983484ace961e36
SSDEEP

12288:csyxZCYQneRW88If1cmRBPA0nV2sb+xUVWcyN:cjZCr7gf1cIA0nos6Cn

Score

10^/10

blustealer stealer

Malware Config

Extracted

Family

blustealer

Credentials

Protocol: smtp
Host:
budgetn.shop
Port:
587
Username:
[email protected]
Password:
X&Y=[g89L4D/**

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2040 set thread context of 1704	2040	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	39

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1828	powershell.exe
1524	powershell.exe
1516	powershell.exe
1520	powershell.exe
1348	powershell.exe
2040	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe
2040	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1828	powershell.exe
Token: SeIncreaseQuotaPrivilege	1828	powershell.exe
Token: SeSecurityPrivilege	1828	powershell.exe
Token: SeTakeOwnershipPrivilege	1828	powershell.exe
Token: SeLoadDriverPrivilege	1828	powershell.exe
Token: SeSystemProfilePrivilege	1828	powershell.exe
Token: SeSystemtimePrivilege	1828	powershell.exe
Token: SeProfSingleProcessPrivilege	1828	powershell.exe
Token: SeIncBasePriorityPrivilege	1828	powershell.exe
Token: SeCreatePagefilePrivilege	1828	powershell.exe
Token: SeBackupPrivilege	1828	powershell.exe
Token: SeRestorePrivilege	1828	powershell.exe
Token: SeShutdownPrivilege	1828	powershell.exe
Token: SeDebugPrivilege	1828	powershell.exe
Token: SeSystemEnvironmentPrivilege	1828	powershell.exe
Token: SeRemoteShutdownPrivilege	1828	powershell.exe
Token: SeUndockPrivilege	1828	powershell.exe
Token: SeManageVolumePrivilege	1828	powershell.exe
Token: 33	1828	powershell.exe
Token: 34	1828	powershell.exe
Token: 35	1828	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeIncreaseQuotaPrivilege	1524	powershell.exe
Token: SeSecurityPrivilege	1524	powershell.exe
Token: SeTakeOwnershipPrivilege	1524	powershell.exe
Token: SeLoadDriverPrivilege	1524	powershell.exe
Token: SeSystemProfilePrivilege	1524	powershell.exe
Token: SeSystemtimePrivilege	1524	powershell.exe
Token: SeProfSingleProcessPrivilege	1524	powershell.exe
Token: SeIncBasePriorityPrivilege	1524	powershell.exe
Token: SeCreatePagefilePrivilege	1524	powershell.exe
Token: SeBackupPrivilege	1524	powershell.exe
Token: SeRestorePrivilege	1524	powershell.exe
Token: SeShutdownPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeSystemEnvironmentPrivilege	1524	powershell.exe
Token: SeRemoteShutdownPrivilege	1524	powershell.exe
Token: SeUndockPrivilege	1524	powershell.exe
Token: SeManageVolumePrivilege	1524	powershell.exe
Token: 33	1524	powershell.exe
Token: 34	1524	powershell.exe
Token: 35	1524	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeIncreaseQuotaPrivilege	1516	powershell.exe
Token: SeSecurityPrivilege	1516	powershell.exe
Token: SeTakeOwnershipPrivilege	1516	powershell.exe
Token: SeLoadDriverPrivilege	1516	powershell.exe
Token: SeSystemProfilePrivilege	1516	powershell.exe
Token: SeSystemtimePrivilege	1516	powershell.exe
Token: SeProfSingleProcessPrivilege	1516	powershell.exe
Token: SeIncBasePriorityPrivilege	1516	powershell.exe
Token: SeCreatePagefilePrivilege	1516	powershell.exe
Token: SeBackupPrivilege	1516	powershell.exe
Token: SeRestorePrivilege	1516	powershell.exe
Token: SeShutdownPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeSystemEnvironmentPrivilege	1516	powershell.exe
Token: SeRemoteShutdownPrivilege	1516	powershell.exe
Token: SeUndockPrivilege	1516	powershell.exe
Token: SeManageVolumePrivilege	1516	powershell.exe
Token: 33	1516	powershell.exe
Token: 34	1516	powershell.exe
Token: 35	1516	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1704	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 1828	2040	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	28
PID 2040 wrote to memory of 1828	2040	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	28
PID 2040 wrote to memory of 1828	2040	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	28
PID 2040 wrote to memory of 1828	2040	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	28
PID 2040 wrote to memory of 1524	2040	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	31
PID 2040 wrote to memory of 1524	2040	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	31
PID 2040 wrote to memory of 1524	2040	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	31
PID 2040 wrote to memory of 1524	2040	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	31
PID 2040 wrote to memory of 1516	2040	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	33
PID 2040 wrote to memory of 1516	2040	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	33
PID 2040 wrote to memory of 1516	2040	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	33
PID 2040 wrote to memory of 1516	2040	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	33
PID 2040 wrote to memory of 1520	2040	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	35
PID 2040 wrote to memory of 1520	2040	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	35
PID 2040 wrote to memory of 1520	2040	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	35
PID 2040 wrote to memory of 1520	2040	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	35
PID 2040 wrote to memory of 1348	2040	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	37
PID 2040 wrote to memory of 1348	2040	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	37
PID 2040 wrote to memory of 1348	2040	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	37
PID 2040 wrote to memory of 1348	2040	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	37
PID 2040 wrote to memory of 1704	2040	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	39
PID 2040 wrote to memory of 1704	2040	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	39
PID 2040 wrote to memory of 1704	2040	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	39
PID 2040 wrote to memory of 1704	2040	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	39
PID 2040 wrote to memory of 1704	2040	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	39
PID 2040 wrote to memory of 1704	2040	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	39
PID 2040 wrote to memory of 1704	2040	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	39
PID 2040 wrote to memory of 1704	2040	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	39
PID 2040 wrote to memory of 1704	2040	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	39

C:\Users\Admin\AppData\Local\Temp\35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe
"C:\Users\Admin\AppData\Local\Temp\35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1828
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1524
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1516
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1520
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1348
- C:\Users\Admin\AppData\Local\Temp\35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe
  C:\Users\Admin\AppData\Local\Temp\35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e4ffcaf3d2ffff9289b2da0e0a046663

SHA1
bf15483d5090b2e3f4c6c6fa5de5f0ae1134f7ff

SHA256
86638d6be8902dc0b69ee77be9335c53a2b0d65c082759b4de8269ddc12d3fb3

SHA512
cee627e8a592992a4548928803de2a9289d0923229959e70c7eacbe67a7db3a5d81eabc170fdd5b9fb39f3ebab86b6a5e05fb41104d7717b87fb5b8a80a53d8d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e4ffcaf3d2ffff9289b2da0e0a046663

SHA1
bf15483d5090b2e3f4c6c6fa5de5f0ae1134f7ff

SHA256
86638d6be8902dc0b69ee77be9335c53a2b0d65c082759b4de8269ddc12d3fb3

SHA512
cee627e8a592992a4548928803de2a9289d0923229959e70c7eacbe67a7db3a5d81eabc170fdd5b9fb39f3ebab86b6a5e05fb41104d7717b87fb5b8a80a53d8d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e4ffcaf3d2ffff9289b2da0e0a046663

SHA1
bf15483d5090b2e3f4c6c6fa5de5f0ae1134f7ff

SHA256
86638d6be8902dc0b69ee77be9335c53a2b0d65c082759b4de8269ddc12d3fb3

SHA512
cee627e8a592992a4548928803de2a9289d0923229959e70c7eacbe67a7db3a5d81eabc170fdd5b9fb39f3ebab86b6a5e05fb41104d7717b87fb5b8a80a53d8d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e4ffcaf3d2ffff9289b2da0e0a046663

SHA1
bf15483d5090b2e3f4c6c6fa5de5f0ae1134f7ff

SHA256
86638d6be8902dc0b69ee77be9335c53a2b0d65c082759b4de8269ddc12d3fb3

SHA512
cee627e8a592992a4548928803de2a9289d0923229959e70c7eacbe67a7db3a5d81eabc170fdd5b9fb39f3ebab86b6a5e05fb41104d7717b87fb5b8a80a53d8d

Download Submit
memory/1348-86-0x000000006F5F0000-0x000000006FB9B000-memory.dmp

Filesize
5.7MB

Download
memory/1348-85-0x000000006F5F0000-0x000000006FB9B000-memory.dmp

Filesize
5.7MB

Download
memory/1348-77-0x000000006F5F0000-0x000000006FB9B000-memory.dmp

Filesize
5.7MB

Download
memory/1516-79-0x000000006F5F0000-0x000000006FB9B000-memory.dmp

Filesize
5.7MB

Download
memory/1516-66-0x000000006F5F0000-0x000000006FB9B000-memory.dmp

Filesize
5.7MB

Download
memory/1516-80-0x000000006F5F0000-0x000000006FB9B000-memory.dmp

Filesize
5.7MB

Download
memory/1520-83-0x000000006F5F0000-0x000000006FB9B000-memory.dmp

Filesize
5.7MB

Download
memory/1520-71-0x000000006F5F0000-0x000000006FB9B000-memory.dmp

Filesize
5.7MB

Download
memory/1520-84-0x000000006F5F0000-0x000000006FB9B000-memory.dmp

Filesize
5.7MB

Download
memory/1524-78-0x000000006F5F0000-0x000000006FB9B000-memory.dmp

Filesize
5.7MB

Download
memory/1524-76-0x000000006F5F0000-0x000000006FB9B000-memory.dmp

Filesize
5.7MB

Download
memory/1524-62-0x000000006F5F0000-0x000000006FB9B000-memory.dmp

Filesize
5.7MB

Download
memory/1704-99-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1704-88-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1704-96-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1704-93-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1704-90-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1704-87-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1828-72-0x000000006F5F0000-0x000000006FB9B000-memory.dmp

Filesize
5.7MB

Download
memory/1828-58-0x000000006F5F0000-0x000000006FB9B000-memory.dmp

Filesize
5.7MB

Download
memory/1828-70-0x000000006F5F0000-0x000000006FB9B000-memory.dmp

Filesize
5.7MB

Download
memory/2040-55-0x0000000074E61000-0x0000000074E63000-memory.dmp

Filesize
8KB

Download
memory/2040-54-0x0000000000A80000-0x0000000000B3C000-memory.dmp

Filesize
752KB

Download
memory/2040-82-0x0000000004180000-0x00000000041A6000-memory.dmp

Filesize
152KB

Download
memory/2040-81-0x0000000005DA0000-0x0000000005E36000-memory.dmp

Filesize
600KB

Download