blustealer | c29f0634bb2b57b4bc461099e76a01682a7132a5b679e22e3235453e02fc14ce

General

Target

Request For Quotation.exe
Size

502KB
MD5

e6759016429ab2d38c9a9497325c5746
SHA1

8d4a9bd427e937d523968d57f8bced231189624e
SHA256

20919ab5a667f7a8ef3d7d1e614f3e448bf875a066ac56c257e2e07878f6e336
SHA512

f266a3958d48efc6a9b105c62eb0cfd8d30e810b3f247e065b9b62a0f62f70642b1964a7d570f22f16a64cd1430cfa25c3de53201282773b1bd0b5ef352485b1
SSDEEP

12288:vYqsd1RU0HAn7av42cnY/jVFIegYLTvEOLhPMuOBmO:vYqsd1DZ42ci7lLTsOBMucmO

Score

10^/10

blustealer collection stealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 2 IoCs

pid	Process
4392	kxlbzxzqy.exe
452	kxlbzxzqy.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4392 set thread context of 452	4392	kxlbzxzqy.exe	83
PID 452 set thread context of 684	452	kxlbzxzqy.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4392	kxlbzxzqy.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
452	kxlbzxzqy.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4960 wrote to memory of 4392	4960	Request For Quotation.exe	81
PID 4960 wrote to memory of 4392	4960	Request For Quotation.exe	81
PID 4960 wrote to memory of 4392	4960	Request For Quotation.exe	81
PID 4392 wrote to memory of 452	4392	kxlbzxzqy.exe	83
PID 4392 wrote to memory of 452	4392	kxlbzxzqy.exe	83
PID 4392 wrote to memory of 452	4392	kxlbzxzqy.exe	83
PID 4392 wrote to memory of 452	4392	kxlbzxzqy.exe	83
PID 452 wrote to memory of 684	452	kxlbzxzqy.exe	84
PID 452 wrote to memory of 684	452	kxlbzxzqy.exe	84
PID 452 wrote to memory of 684	452	kxlbzxzqy.exe	84
PID 452 wrote to memory of 684	452	kxlbzxzqy.exe	84
PID 452 wrote to memory of 684	452	kxlbzxzqy.exe	84

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Request For Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Request For Quotation.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Users\Admin\AppData\Local\Temp\kxlbzxzqy.exe
  "C:\Users\Admin\AppData\Local\Temp\kxlbzxzqy.exe" C:\Users\Admin\AppData\Local\Temp\mwxvofu.ner
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4392
- - C:\Users\Admin\AppData\Local\Temp\kxlbzxzqy.exe
    "C:\Users\Admin\AppData\Local\Temp\kxlbzxzqy.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:452
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      4⤵
      Accesses Microsoft Outlook profiles
      outlook_office_path
      outlook_win_path
      PID:684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hejrhbntlry.l

Filesize
460KB

MD5
561fea480390545e3b30dc7825feb4eb

SHA1
a14aecc241e739b0cbc29f1fe33efa5dd743c009

SHA256
623769af74fd75af0a5ee02f4421fe9284644d537ad8ede8f590876978748bfd

SHA512
79a2c1b8bf51bf8dfa794f58c70b307afbf830dce9d4578b7d7be91b4732055c2afd503bbb67fa14ec30a8c3b68b5811f5e84e116a0d958ade2450dd34f880cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\kxlbzxzqy.exe

Filesize
57KB

MD5
198a54e108c86535030a7d6cd8710ab3

SHA1
39ec3083766e950fdac8637b83794f92a6df189e

SHA256
29a410e657b881f84fe2d0cf61e5fbb1ba0c308ec614e4d20984840327a41a29

SHA512
9ddc70aeb144958276944b46c5215e7ac52763fd4f76c7db58c8a634532044dbf6359b5833d9a3dd5d8ef6ab5f36dc19cd9671fc19dc2d2d9850931580219539

Download Submit
C:\Users\Admin\AppData\Local\Temp\kxlbzxzqy.exe

Filesize
57KB

MD5
198a54e108c86535030a7d6cd8710ab3

SHA1
39ec3083766e950fdac8637b83794f92a6df189e

SHA256
29a410e657b881f84fe2d0cf61e5fbb1ba0c308ec614e4d20984840327a41a29

SHA512
9ddc70aeb144958276944b46c5215e7ac52763fd4f76c7db58c8a634532044dbf6359b5833d9a3dd5d8ef6ab5f36dc19cd9671fc19dc2d2d9850931580219539

Download Submit
C:\Users\Admin\AppData\Local\Temp\kxlbzxzqy.exe

Filesize
57KB

MD5
198a54e108c86535030a7d6cd8710ab3

SHA1
39ec3083766e950fdac8637b83794f92a6df189e

SHA256
29a410e657b881f84fe2d0cf61e5fbb1ba0c308ec614e4d20984840327a41a29

SHA512
9ddc70aeb144958276944b46c5215e7ac52763fd4f76c7db58c8a634532044dbf6359b5833d9a3dd5d8ef6ab5f36dc19cd9671fc19dc2d2d9850931580219539

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwxvofu.ner

Filesize
5KB

MD5
f89ec267e9fe8ef34e14ed2c3b23bf91

SHA1
d5dae45ea626ce7e951feb4c28d0c904864b1116

SHA256
9e33d6fca153afccda3b06f40d46c7885efccc02cd73a4f651d755d7e2c1ff59

SHA512
da96363bc51b344ebd07c8e3c739b2b41382f56e4efeb030a1f01f572ca74bc7dd703f7157482df39167a5d6a90f47473c9b6365110aa997a1d53d47e6b5d312

Download Submit
memory/452-166-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/452-172-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/452-145-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/452-149-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/452-178-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/452-177-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/452-176-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/452-141-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/452-167-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/452-168-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/452-169-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/452-170-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/452-171-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/452-175-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/452-173-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/452-174-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/684-153-0x0000000005680000-0x000000000571C000-memory.dmp

Filesize
624KB

Download
memory/684-152-0x0000000005740000-0x0000000005750000-memory.dmp

Filesize
64KB

Download
memory/684-151-0x0000000000F00000-0x0000000000F66000-memory.dmp

Filesize
408KB

Download
memory/4392-142-0x0000000000880000-0x0000000000882000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing