blustealer | 0783b26e505f18dcdba2894411cfd4eae3a39123e62f7a4e55d34a7d90a90a81

General

Target

new order 152421.exe
Size

501KB
MD5

460bdbbe5a6b8bd3f887c8b6fd4128a2
SHA1

891099bcbf82de10e1b197d2c42b2044dc0bed46
SHA256

58d5286e5694f883d2452a81e5f6e77413292ba388300a6e44dd0f91e217aff1
SHA512

b741e4bc33762adc9dee71f7a348ec9e7615bd4631bb73c39e4d69a01e8d469a3eb1aa303c691e2671aa939c223c6fc4a5bc05b2dea23b40f3e5422e2b4b3c6c
SSDEEP

12288:/YFfpyLOuydXBmm+vie9mUX1NqRBchWc6P0vMLxJRg0ExsOPn7jhPhl9iqo+/:/YFhyCuCoie9nFNqgL6P0vlLxVP7FT93

Score

10^/10

blustealer collection stealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5450700540:AAEJyEEV8BKgYUKmnCPZxp19kD9GVSRup5M/sendMessage?chat_id=5422342474

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 2 IoCs

pid	Process
764	zabwn.exe
268	zabwn.exe

Loads dropped DLL 2 IoCs

pid	Process
1724	new order 152421.exe
764	zabwn.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 764 set thread context of 268	764	zabwn.exe	30
PID 268 set thread context of 520	268	zabwn.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
764	zabwn.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
268	zabwn.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 764	1724	new order 152421.exe	28
PID 1724 wrote to memory of 764	1724	new order 152421.exe	28
PID 1724 wrote to memory of 764	1724	new order 152421.exe	28
PID 1724 wrote to memory of 764	1724	new order 152421.exe	28
PID 764 wrote to memory of 268	764	zabwn.exe	30
PID 764 wrote to memory of 268	764	zabwn.exe	30
PID 764 wrote to memory of 268	764	zabwn.exe	30
PID 764 wrote to memory of 268	764	zabwn.exe	30
PID 764 wrote to memory of 268	764	zabwn.exe	30
PID 268 wrote to memory of 520	268	zabwn.exe	31
PID 268 wrote to memory of 520	268	zabwn.exe	31
PID 268 wrote to memory of 520	268	zabwn.exe	31
PID 268 wrote to memory of 520	268	zabwn.exe	31
PID 268 wrote to memory of 520	268	zabwn.exe	31
PID 268 wrote to memory of 520	268	zabwn.exe	31
PID 268 wrote to memory of 520	268	zabwn.exe	31
PID 268 wrote to memory of 520	268	zabwn.exe	31
PID 268 wrote to memory of 520	268	zabwn.exe	31

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\new order 152421.exe
"C:\Users\Admin\AppData\Local\Temp\new order 152421.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Users\Admin\AppData\Local\Temp\zabwn.exe
  "C:\Users\Admin\AppData\Local\Temp\zabwn.exe" C:\Users\Admin\AppData\Local\Temp\mcyherebmfy.ki
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\Users\Admin\AppData\Local\Temp\zabwn.exe
    "C:\Users\Admin\AppData\Local\Temp\zabwn.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:268
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      4⤵
      Accesses Microsoft Outlook profiles
      outlook_office_path
      outlook_win_path
      PID:520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dvdgluqjpl.lu

Filesize
460KB

MD5
8a6178215aecfc693a8c1ed6b603c9ed

SHA1
48c3dcdd96aaf16f6b23678730659ecffb608800

SHA256
79e70faf30babd56571cb125d18aeeb004cd672e7564f982cd266635921a8540

SHA512
4615144dd37bcb20e3668ac317d3ef49495fe3d83d237ff85297b638c7231c0021d75ed50bfc195406d886ebd4098efb5a2b4847eceaa8dc1370834657fcc36c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcyherebmfy.ki

Filesize
5KB

MD5
4f7e253adbf25df53a7a3f74981cf3c0

SHA1
a4ac4ee5bfa12232dc7e5eaae5bbbd3be42f9831

SHA256
e37eee65e86f850c12436f581065ae185612e30ed4fbe9ae4cf4e9c9d6e65fa0

SHA512
7a0839e7daff273466e7a3e411f2aebe2c57ecb80a10246ea091dacda2dc67e30b0c30c93571a6ea870a057f726de1c10845c2307ee121b2d23c9ecf3ae258c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zabwn.exe

Filesize
54KB

MD5
62b62b17b3e2090607d52c9fb1fd304a

SHA1
9b52577f421ed09935b71b8d4dee2b38276f6b64

SHA256
e331eecc8dd8dc9ef2352e5bf24948f7f763a5785f6f778d292b30ecf1fc695b

SHA512
a51c60a8d5ed4acf96c73000d971e6b8f00ff7021f5263b508dc89d089d71e1a7ab974f23228cb713ced638088021b878891f39cf094ce5f6438b2a416ba2ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zabwn.exe

Filesize
54KB

MD5
62b62b17b3e2090607d52c9fb1fd304a

SHA1
9b52577f421ed09935b71b8d4dee2b38276f6b64

SHA256
e331eecc8dd8dc9ef2352e5bf24948f7f763a5785f6f778d292b30ecf1fc695b

SHA512
a51c60a8d5ed4acf96c73000d971e6b8f00ff7021f5263b508dc89d089d71e1a7ab974f23228cb713ced638088021b878891f39cf094ce5f6438b2a416ba2ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zabwn.exe

Filesize
54KB

MD5
62b62b17b3e2090607d52c9fb1fd304a

SHA1
9b52577f421ed09935b71b8d4dee2b38276f6b64

SHA256
e331eecc8dd8dc9ef2352e5bf24948f7f763a5785f6f778d292b30ecf1fc695b

SHA512
a51c60a8d5ed4acf96c73000d971e6b8f00ff7021f5263b508dc89d089d71e1a7ab974f23228cb713ced638088021b878891f39cf094ce5f6438b2a416ba2ec0

Download Submit
\Users\Admin\AppData\Local\Temp\zabwn.exe

Filesize
54KB

MD5
62b62b17b3e2090607d52c9fb1fd304a

SHA1
9b52577f421ed09935b71b8d4dee2b38276f6b64

SHA256
e331eecc8dd8dc9ef2352e5bf24948f7f763a5785f6f778d292b30ecf1fc695b

SHA512
a51c60a8d5ed4acf96c73000d971e6b8f00ff7021f5263b508dc89d089d71e1a7ab974f23228cb713ced638088021b878891f39cf094ce5f6438b2a416ba2ec0

Download Submit
\Users\Admin\AppData\Local\Temp\zabwn.exe

Filesize
54KB

MD5
62b62b17b3e2090607d52c9fb1fd304a

SHA1
9b52577f421ed09935b71b8d4dee2b38276f6b64

SHA256
e331eecc8dd8dc9ef2352e5bf24948f7f763a5785f6f778d292b30ecf1fc695b

SHA512
a51c60a8d5ed4acf96c73000d971e6b8f00ff7021f5263b508dc89d089d71e1a7ab974f23228cb713ced638088021b878891f39cf094ce5f6438b2a416ba2ec0

Download Submit
memory/268-89-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/268-91-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/268-72-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/268-96-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/268-95-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/268-94-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/268-93-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/268-92-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/268-68-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/268-90-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/268-82-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/268-83-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/268-84-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/268-85-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/268-86-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/268-87-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/268-88-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/268-65-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/520-81-0x00000000043E0000-0x000000000449C000-memory.dmp

Filesize
752KB

Download
memory/520-80-0x00000000044A0000-0x00000000044E0000-memory.dmp

Filesize
256KB

Download
memory/520-79-0x0000000000190000-0x00000000001F6000-memory.dmp

Filesize
408KB

Download
memory/520-77-0x0000000000190000-0x00000000001F6000-memory.dmp

Filesize
408KB

Download
memory/520-75-0x0000000000190000-0x00000000001F6000-memory.dmp

Filesize
408KB

Download
memory/520-74-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/520-73-0x0000000000190000-0x00000000001F6000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing