blustealer | 35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0

Analysis

max time kernel
72s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2023 10:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe
Size

727KB
MD5

6f8bb2ff11646a8e47c1b2a27d475010
SHA1

a300b7be64343ce6ab88edb0c71f3052663674d4
SHA256

35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0
SHA512

97eb09ab5e244d1e367104efd1a17267390589121a58a1840e282f7ef15ceea933432168dae8caf31d6ca35af3fa9341c9f604b9e944aea86983484ace961e36
SSDEEP

12288:csyxZCYQneRW88If1cmRBPA0nV2sb+xUVWcyN:cjZCr7gf1cIA0nos6Cn

Score

10^/10

blustealer stealer

Malware Config

Extracted

Family

blustealer

Credentials

Protocol: smtp
Host:
budgetn.shop
Port:
587
Username:
[email protected]
Password:
X&Y=[g89L4D/**

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 900 set thread context of 320	900	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	101

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1612	powershell.exe
1612	powershell.exe
2704	powershell.exe
2704	powershell.exe
1976	powershell.exe
1976	powershell.exe
2552	powershell.exe
2552	powershell.exe
3796	powershell.exe
3796	powershell.exe
900	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe
900	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe
900	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe
900	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe
900	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe
900	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeIncreaseQuotaPrivilege	1612	powershell.exe
Token: SeSecurityPrivilege	1612	powershell.exe
Token: SeTakeOwnershipPrivilege	1612	powershell.exe
Token: SeLoadDriverPrivilege	1612	powershell.exe
Token: SeSystemProfilePrivilege	1612	powershell.exe
Token: SeSystemtimePrivilege	1612	powershell.exe
Token: SeProfSingleProcessPrivilege	1612	powershell.exe
Token: SeIncBasePriorityPrivilege	1612	powershell.exe
Token: SeCreatePagefilePrivilege	1612	powershell.exe
Token: SeBackupPrivilege	1612	powershell.exe
Token: SeRestorePrivilege	1612	powershell.exe
Token: SeShutdownPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeSystemEnvironmentPrivilege	1612	powershell.exe
Token: SeRemoteShutdownPrivilege	1612	powershell.exe
Token: SeUndockPrivilege	1612	powershell.exe
Token: SeManageVolumePrivilege	1612	powershell.exe
Token: 33	1612	powershell.exe
Token: 34	1612	powershell.exe
Token: 35	1612	powershell.exe
Token: 36	1612	powershell.exe
Token: SeIncreaseQuotaPrivilege	1612	powershell.exe
Token: SeSecurityPrivilege	1612	powershell.exe
Token: SeTakeOwnershipPrivilege	1612	powershell.exe
Token: SeLoadDriverPrivilege	1612	powershell.exe
Token: SeSystemProfilePrivilege	1612	powershell.exe
Token: SeSystemtimePrivilege	1612	powershell.exe
Token: SeProfSingleProcessPrivilege	1612	powershell.exe
Token: SeIncBasePriorityPrivilege	1612	powershell.exe
Token: SeCreatePagefilePrivilege	1612	powershell.exe
Token: SeBackupPrivilege	1612	powershell.exe
Token: SeRestorePrivilege	1612	powershell.exe
Token: SeShutdownPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeSystemEnvironmentPrivilege	1612	powershell.exe
Token: SeRemoteShutdownPrivilege	1612	powershell.exe
Token: SeUndockPrivilege	1612	powershell.exe
Token: SeManageVolumePrivilege	1612	powershell.exe
Token: 33	1612	powershell.exe
Token: 34	1612	powershell.exe
Token: 35	1612	powershell.exe
Token: 36	1612	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeIncreaseQuotaPrivilege	2704	powershell.exe
Token: SeSecurityPrivilege	2704	powershell.exe
Token: SeTakeOwnershipPrivilege	2704	powershell.exe
Token: SeLoadDriverPrivilege	2704	powershell.exe
Token: SeSystemProfilePrivilege	2704	powershell.exe
Token: SeSystemtimePrivilege	2704	powershell.exe
Token: SeProfSingleProcessPrivilege	2704	powershell.exe
Token: SeIncBasePriorityPrivilege	2704	powershell.exe
Token: SeCreatePagefilePrivilege	2704	powershell.exe
Token: SeBackupPrivilege	2704	powershell.exe
Token: SeRestorePrivilege	2704	powershell.exe
Token: SeShutdownPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeSystemEnvironmentPrivilege	2704	powershell.exe
Token: SeRemoteShutdownPrivilege	2704	powershell.exe
Token: SeUndockPrivilege	2704	powershell.exe
Token: SeManageVolumePrivilege	2704	powershell.exe
Token: 33	2704	powershell.exe
Token: 34	2704	powershell.exe
Token: 35	2704	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
320	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 1612	900	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	83
PID 900 wrote to memory of 1612	900	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	83
PID 900 wrote to memory of 1612	900	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	83
PID 900 wrote to memory of 2704	900	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	87
PID 900 wrote to memory of 2704	900	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	87
PID 900 wrote to memory of 2704	900	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	87
PID 900 wrote to memory of 1976	900	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	91
PID 900 wrote to memory of 1976	900	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	91
PID 900 wrote to memory of 1976	900	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	91
PID 900 wrote to memory of 2552	900	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	95
PID 900 wrote to memory of 2552	900	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	95
PID 900 wrote to memory of 2552	900	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	95
PID 900 wrote to memory of 3796	900	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	97
PID 900 wrote to memory of 3796	900	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	97
PID 900 wrote to memory of 3796	900	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	97
PID 900 wrote to memory of 1520	900	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	100
PID 900 wrote to memory of 1520	900	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	100
PID 900 wrote to memory of 1520	900	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	100
PID 900 wrote to memory of 320	900	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	101
PID 900 wrote to memory of 320	900	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	101
PID 900 wrote to memory of 320	900	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	101
PID 900 wrote to memory of 320	900	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	101
PID 900 wrote to memory of 320	900	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	101
PID 900 wrote to memory of 320	900	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	101
PID 900 wrote to memory of 320	900	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	101
PID 900 wrote to memory of 320	900	35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe	101

C:\Users\Admin\AppData\Local\Temp\35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe
"C:\Users\Admin\AppData\Local\Temp\35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:900
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1612
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2704
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1976
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2552
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3796
- C:\Users\Admin\AppData\Local\Temp\35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe
  C:\Users\Admin\AppData\Local\Temp\35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe
  2⤵
  PID:1520
- C:\Users\Admin\AppData\Local\Temp\35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe
  C:\Users\Admin\AppData\Local\Temp\35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
0774a05ce5ee4c1af7097353c9296c62

SHA1
658ff96b111c21c39d7ad5f510fb72f9762114bb

SHA256
d9c5347ed06755feeb0615f1671f6b91e2718703da0dbc4b0bd205cbd2896dd4

SHA512
104d69fc4f4aaa5070b78ada130228939c7e01436351166fe51fe2da8a02f9948e6d92dd676f62820da1813872b91411e2f863c9a98a760581ec34d4aa354994

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
dbfbab667656e080302e39cc2bb800ed

SHA1
8d5a52eb71636bc710a76b915e15f7f6eef01004

SHA256
9c99798fa1882e22477f65800c91cc590787fbf60191f5fdb278201aa7dbab7f

SHA512
785e2279731ced39f4f9034f0e8a0d60ddb396be5cc65d3499ca0c3c72267bd400d06983d54709987b91aed54e34ba1f157819960d55b74fedd56677c2b34f2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
dbfbab667656e080302e39cc2bb800ed

SHA1
8d5a52eb71636bc710a76b915e15f7f6eef01004

SHA256
9c99798fa1882e22477f65800c91cc590787fbf60191f5fdb278201aa7dbab7f

SHA512
785e2279731ced39f4f9034f0e8a0d60ddb396be5cc65d3499ca0c3c72267bd400d06983d54709987b91aed54e34ba1f157819960d55b74fedd56677c2b34f2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
6ec64eca4cf70db4fd83f2e6809e723b

SHA1
fe924716bdc8c358b9926f03fd1dff0d9ea62e20

SHA256
c4d20a14ddc6344cdd78c03046782f3a6220089cf22df0c3e5b67dbaeed246a6

SHA512
544adde6aabea87ecfacc796e0567eda4fa781f9499c1050a548880f116a3b9559bf00a0f684867b688012a64d1878ca26a8f5b35b8ef8d467530e56b06f57e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
10fabe82611b3afc9123bbb1826a1f5c

SHA1
37753a1e0f95c1e4882b8a27297c203e4eb601c2

SHA256
280dd8db6234f07d634586f9f65eb9206f9521140a999d610b0730459e700341

SHA512
f75f215448a63e24a7583491dd7da05585e3bd0105f46cf45b4b9e694a990bb8869f71a396309bf37eaba03abb2ace69f66352bb77cb4abbb49af1eea58c6735

Download Submit
memory/320-167-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/320-164-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/320-162-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/900-132-0x00000000001A0000-0x000000000025C000-memory.dmp

Filesize
752KB

Download
memory/900-157-0x0000000006CB0000-0x0000000006CCE000-memory.dmp

Filesize
120KB

Download
memory/900-156-0x0000000006CD0000-0x0000000006D46000-memory.dmp

Filesize
472KB

Download
memory/900-135-0x0000000004AD0000-0x0000000004ADA000-memory.dmp

Filesize
40KB

Download
memory/900-134-0x0000000004BE0000-0x0000000004C72000-memory.dmp

Filesize
584KB

Download
memory/900-133-0x0000000005190000-0x0000000005734000-memory.dmp

Filesize
5.6MB

Download
memory/1612-140-0x00000000059B0000-0x0000000005A16000-memory.dmp

Filesize
408KB

Download
memory/1612-141-0x0000000005B50000-0x0000000005BB6000-memory.dmp

Filesize
408KB

Download
memory/1612-137-0x00000000028E0000-0x0000000002916000-memory.dmp

Filesize
216KB

Download
memory/1612-138-0x00000000052A0000-0x00000000058C8000-memory.dmp

Filesize
6.2MB

Download
memory/1612-146-0x0000000008620000-0x0000000008C9A000-memory.dmp

Filesize
6.5MB

Download
memory/1612-145-0x00000000066D0000-0x00000000066F2000-memory.dmp

Filesize
136KB

Download
memory/1612-144-0x0000000006680000-0x000000000669A000-memory.dmp

Filesize
104KB

Download
memory/1612-143-0x00000000073A0000-0x0000000007436000-memory.dmp

Filesize
600KB

Download
memory/1612-142-0x00000000061B0000-0x00000000061CE000-memory.dmp

Filesize
120KB

Download
memory/1612-139-0x0000000005910000-0x0000000005932000-memory.dmp

Filesize
136KB

Download