blustealer | 8275d18cde9c9cbf71a4aa7a8dd068d85a7699fcc9f4d49bc285466b1e4f9d49

General

Target

New Order.exe
Size

499KB
MD5

ffa979499187908e3abd52a5eb23ba98
SHA1

313c4451e3e5473732c9b2cef7c943060a91f452
SHA256

1cd904a688c0d0f13f06c5c113ad638649ab10c1ed756dc65933f34bbf22014b
SHA512

1861e3b2593934611181c71c31d2237bb8df839d555f003e8b4110a9d1ab4612180fd59af97349be0cf416a2e7fc455f7f39e62f4785deb2c94bc503985ed31f
SSDEEP

12288:/Ysz65It6fQFY4LvtsnEdCBl5cll3rVLDHqFS:/YszDt6fQnGnGWilt5DHqFS

Score

10^/10

blustealer collection stealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 2 IoCs

pid	Process
2528	mffvxezi.exe
2624	mffvxezi.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2528 set thread context of 2624	2528	mffvxezi.exe	83
PID 2624 set thread context of 2136	2624	mffvxezi.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2528	mffvxezi.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2624	mffvxezi.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4420 wrote to memory of 2528	4420	New Order.exe	81
PID 4420 wrote to memory of 2528	4420	New Order.exe	81
PID 4420 wrote to memory of 2528	4420	New Order.exe	81
PID 2528 wrote to memory of 2624	2528	mffvxezi.exe	83
PID 2528 wrote to memory of 2624	2528	mffvxezi.exe	83
PID 2528 wrote to memory of 2624	2528	mffvxezi.exe	83
PID 2528 wrote to memory of 2624	2528	mffvxezi.exe	83
PID 2624 wrote to memory of 2136	2624	mffvxezi.exe	84
PID 2624 wrote to memory of 2136	2624	mffvxezi.exe	84
PID 2624 wrote to memory of 2136	2624	mffvxezi.exe	84
PID 2624 wrote to memory of 2136	2624	mffvxezi.exe	84
PID 2624 wrote to memory of 2136	2624	mffvxezi.exe	84

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\New Order.exe
"C:\Users\Admin\AppData\Local\Temp\New Order.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Users\Admin\AppData\Local\Temp\mffvxezi.exe
  "C:\Users\Admin\AppData\Local\Temp\mffvxezi.exe" C:\Users\Admin\AppData\Local\Temp\snifuco.iq
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Users\Admin\AppData\Local\Temp\mffvxezi.exe
    "C:\Users\Admin\AppData\Local\Temp\mffvxezi.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      4⤵
      Accesses Microsoft Outlook profiles
      outlook_office_path
      outlook_win_path
      PID:2136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mffvxezi.exe

Filesize
51KB

MD5
2134ed2666a31230c9bd0585df9108c5

SHA1
e2d6f04a2f7a501156039d171811b4040fc61b88

SHA256
3cd705626487ded747739f6198aa83c194a88b39272ee0301cb8c2c1c51cc7c0

SHA512
a64453fedc9cc8ea6c0feb6e0bc1fa5a122fc7c134209a99e0b09f9b39427c12d7adf8e0027e5e77ed09d7e771c4011f47517c46781d7ce1f0c7da3835682eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\mffvxezi.exe

Filesize
51KB

MD5
2134ed2666a31230c9bd0585df9108c5

SHA1
e2d6f04a2f7a501156039d171811b4040fc61b88

SHA256
3cd705626487ded747739f6198aa83c194a88b39272ee0301cb8c2c1c51cc7c0

SHA512
a64453fedc9cc8ea6c0feb6e0bc1fa5a122fc7c134209a99e0b09f9b39427c12d7adf8e0027e5e77ed09d7e771c4011f47517c46781d7ce1f0c7da3835682eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\mffvxezi.exe

Filesize
51KB

MD5
2134ed2666a31230c9bd0585df9108c5

SHA1
e2d6f04a2f7a501156039d171811b4040fc61b88

SHA256
3cd705626487ded747739f6198aa83c194a88b39272ee0301cb8c2c1c51cc7c0

SHA512
a64453fedc9cc8ea6c0feb6e0bc1fa5a122fc7c134209a99e0b09f9b39427c12d7adf8e0027e5e77ed09d7e771c4011f47517c46781d7ce1f0c7da3835682eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\snifuco.iq

Filesize
5KB

MD5
b0ab93399d2027f55cdf6f38c81acc5a

SHA1
f7fccc5c607ab7d7f79c4cc218c25a2220875c23

SHA256
de91d22e23487e5adf49b443ef5bccad801e5d1e76dbb6cf3506dce6bb18f810

SHA512
8c443d4b5bd4c2909bea4a3c975d0fa7c528119ab7ee422d99f4a23c759c747d333dee46d594febcd503774d4c82984ba0ae164470e30e8cc62532dc9f8f96a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zxylzlmbxk.wj

Filesize
460KB

MD5
665d5cd0268ed15a92a888ce3e9e72d3

SHA1
cdb279ae18f5514f568bdb9cd535285094cc0013

SHA256
666bd98e8a6a2fab060d810f0cb81e3e2bdaf1b0c2a8c5c950afa9018ebeaa82

SHA512
cb2d73efab3a14266cb4d7837ad31fbd06e94253546140c1ba92103c7aa7b7e006a6a8e47e80372ad34079f1da960166a760e0b1bd9a7328682aa930ed8a4d79

Download Submit
memory/2136-149-0x0000000000D70000-0x0000000000DD6000-memory.dmp

Filesize
408KB

Download
memory/2136-150-0x0000000005880000-0x000000000591C000-memory.dmp

Filesize
624KB

Download
memory/2624-165-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2624-169-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2624-144-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2624-152-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2624-153-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2624-141-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2624-166-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2624-167-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2624-168-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2624-148-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2624-170-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2624-171-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2624-172-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2624-173-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2624-174-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2624-175-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2624-176-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2624-177-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing