blustealer | c29f0634bb2b57b4bc461099e76a01682a7132a5b679e22e3235453e02fc14ce

Analysis

max time kernel
142s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
22-02-2023 14:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Request For Quotation.exe
Size

502KB
MD5

e6759016429ab2d38c9a9497325c5746
SHA1

8d4a9bd427e937d523968d57f8bced231189624e
SHA256

20919ab5a667f7a8ef3d7d1e614f3e448bf875a066ac56c257e2e07878f6e336
SHA512

f266a3958d48efc6a9b105c62eb0cfd8d30e810b3f247e065b9b62a0f62f70642b1964a7d570f22f16a64cd1430cfa25c3de53201282773b1bd0b5ef352485b1
SSDEEP

12288:vYqsd1RU0HAn7av42cnY/jVFIegYLTvEOLhPMuOBmO:vYqsd1DZ42ci7lLTsOBMucmO

Score

10^/10

blustealer collection stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 2 IoCs

pid	Process
2024	kxlbzxzqy.exe
748	kxlbzxzqy.exe

Loads dropped DLL 3 IoCs

pid	Process
1048	Request For Quotation.exe
1048	Request For Quotation.exe
2024	kxlbzxzqy.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2024 set thread context of 748	2024	kxlbzxzqy.exe	29
PID 748 set thread context of 1860	748	kxlbzxzqy.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2024	kxlbzxzqy.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
748	kxlbzxzqy.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 2024	1048	Request For Quotation.exe	27
PID 1048 wrote to memory of 2024	1048	Request For Quotation.exe	27
PID 1048 wrote to memory of 2024	1048	Request For Quotation.exe	27
PID 1048 wrote to memory of 2024	1048	Request For Quotation.exe	27
PID 2024 wrote to memory of 748	2024	kxlbzxzqy.exe	29
PID 2024 wrote to memory of 748	2024	kxlbzxzqy.exe	29
PID 2024 wrote to memory of 748	2024	kxlbzxzqy.exe	29
PID 2024 wrote to memory of 748	2024	kxlbzxzqy.exe	29
PID 2024 wrote to memory of 748	2024	kxlbzxzqy.exe	29
PID 748 wrote to memory of 1860	748	kxlbzxzqy.exe	30
PID 748 wrote to memory of 1860	748	kxlbzxzqy.exe	30
PID 748 wrote to memory of 1860	748	kxlbzxzqy.exe	30
PID 748 wrote to memory of 1860	748	kxlbzxzqy.exe	30
PID 748 wrote to memory of 1860	748	kxlbzxzqy.exe	30
PID 748 wrote to memory of 1860	748	kxlbzxzqy.exe	30
PID 748 wrote to memory of 1860	748	kxlbzxzqy.exe	30
PID 748 wrote to memory of 1860	748	kxlbzxzqy.exe	30
PID 748 wrote to memory of 1860	748	kxlbzxzqy.exe	30

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Request For Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Request For Quotation.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Users\Admin\AppData\Local\Temp\kxlbzxzqy.exe
  "C:\Users\Admin\AppData\Local\Temp\kxlbzxzqy.exe" C:\Users\Admin\AppData\Local\Temp\mwxvofu.ner
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Users\Admin\AppData\Local\Temp\kxlbzxzqy.exe
    "C:\Users\Admin\AppData\Local\Temp\kxlbzxzqy.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:748
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      4⤵
      Accesses Microsoft Outlook profiles
      outlook_office_path
      outlook_win_path
      PID:1860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hejrhbntlry.l

Filesize
460KB

MD5
561fea480390545e3b30dc7825feb4eb

SHA1
a14aecc241e739b0cbc29f1fe33efa5dd743c009

SHA256
623769af74fd75af0a5ee02f4421fe9284644d537ad8ede8f590876978748bfd

SHA512
79a2c1b8bf51bf8dfa794f58c70b307afbf830dce9d4578b7d7be91b4732055c2afd503bbb67fa14ec30a8c3b68b5811f5e84e116a0d958ade2450dd34f880cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\kxlbzxzqy.exe

Filesize
57KB

MD5
198a54e108c86535030a7d6cd8710ab3

SHA1
39ec3083766e950fdac8637b83794f92a6df189e

SHA256
29a410e657b881f84fe2d0cf61e5fbb1ba0c308ec614e4d20984840327a41a29

SHA512
9ddc70aeb144958276944b46c5215e7ac52763fd4f76c7db58c8a634532044dbf6359b5833d9a3dd5d8ef6ab5f36dc19cd9671fc19dc2d2d9850931580219539

Download Submit
C:\Users\Admin\AppData\Local\Temp\kxlbzxzqy.exe

Filesize
57KB

MD5
198a54e108c86535030a7d6cd8710ab3

SHA1
39ec3083766e950fdac8637b83794f92a6df189e

SHA256
29a410e657b881f84fe2d0cf61e5fbb1ba0c308ec614e4d20984840327a41a29

SHA512
9ddc70aeb144958276944b46c5215e7ac52763fd4f76c7db58c8a634532044dbf6359b5833d9a3dd5d8ef6ab5f36dc19cd9671fc19dc2d2d9850931580219539

Download Submit
C:\Users\Admin\AppData\Local\Temp\kxlbzxzqy.exe

Filesize
57KB

MD5
198a54e108c86535030a7d6cd8710ab3

SHA1
39ec3083766e950fdac8637b83794f92a6df189e

SHA256
29a410e657b881f84fe2d0cf61e5fbb1ba0c308ec614e4d20984840327a41a29

SHA512
9ddc70aeb144958276944b46c5215e7ac52763fd4f76c7db58c8a634532044dbf6359b5833d9a3dd5d8ef6ab5f36dc19cd9671fc19dc2d2d9850931580219539

Download Submit
C:\Users\Admin\AppData\Local\Temp\kxlbzxzqy.exe

Filesize
57KB

MD5
198a54e108c86535030a7d6cd8710ab3

SHA1
39ec3083766e950fdac8637b83794f92a6df189e

SHA256
29a410e657b881f84fe2d0cf61e5fbb1ba0c308ec614e4d20984840327a41a29

SHA512
9ddc70aeb144958276944b46c5215e7ac52763fd4f76c7db58c8a634532044dbf6359b5833d9a3dd5d8ef6ab5f36dc19cd9671fc19dc2d2d9850931580219539

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwxvofu.ner

Filesize
5KB

MD5
f89ec267e9fe8ef34e14ed2c3b23bf91

SHA1
d5dae45ea626ce7e951feb4c28d0c904864b1116

SHA256
9e33d6fca153afccda3b06f40d46c7885efccc02cd73a4f651d755d7e2c1ff59

SHA512
da96363bc51b344ebd07c8e3c739b2b41382f56e4efeb030a1f01f572ca74bc7dd703f7157482df39167a5d6a90f47473c9b6365110aa997a1d53d47e6b5d312

Download Submit
\Users\Admin\AppData\Local\Temp\kxlbzxzqy.exe

Filesize
57KB

MD5
198a54e108c86535030a7d6cd8710ab3

SHA1
39ec3083766e950fdac8637b83794f92a6df189e

SHA256
29a410e657b881f84fe2d0cf61e5fbb1ba0c308ec614e4d20984840327a41a29

SHA512
9ddc70aeb144958276944b46c5215e7ac52763fd4f76c7db58c8a634532044dbf6359b5833d9a3dd5d8ef6ab5f36dc19cd9671fc19dc2d2d9850931580219539

Download Submit
\Users\Admin\AppData\Local\Temp\kxlbzxzqy.exe

Filesize
57KB

MD5
198a54e108c86535030a7d6cd8710ab3

SHA1
39ec3083766e950fdac8637b83794f92a6df189e

SHA256
29a410e657b881f84fe2d0cf61e5fbb1ba0c308ec614e4d20984840327a41a29

SHA512
9ddc70aeb144958276944b46c5215e7ac52763fd4f76c7db58c8a634532044dbf6359b5833d9a3dd5d8ef6ab5f36dc19cd9671fc19dc2d2d9850931580219539

Download Submit
\Users\Admin\AppData\Local\Temp\kxlbzxzqy.exe

Filesize
57KB

MD5
198a54e108c86535030a7d6cd8710ab3

SHA1
39ec3083766e950fdac8637b83794f92a6df189e

SHA256
29a410e657b881f84fe2d0cf61e5fbb1ba0c308ec614e4d20984840327a41a29

SHA512
9ddc70aeb144958276944b46c5215e7ac52763fd4f76c7db58c8a634532044dbf6359b5833d9a3dd5d8ef6ab5f36dc19cd9671fc19dc2d2d9850931580219539

Download Submit
memory/748-90-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/748-91-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/748-97-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/748-96-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/748-95-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/748-94-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/748-93-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/748-92-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/748-83-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/748-84-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/748-85-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/748-86-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/748-87-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/748-88-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/748-89-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/748-68-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/748-72-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1860-82-0x00000000043F0000-0x00000000044AC000-memory.dmp

Filesize
752KB

Download
memory/1860-81-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1860-79-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1860-77-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1860-76-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1860-75-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download