blustealer | 20919ab5a667f7a8ef3d7d1e614f3e448bf875a066ac56c257e2e07878f6e336

General

Target

tmp1rfyr84t.exe
Size

502KB
MD5

e6759016429ab2d38c9a9497325c5746
SHA1

8d4a9bd427e937d523968d57f8bced231189624e
SHA256

20919ab5a667f7a8ef3d7d1e614f3e448bf875a066ac56c257e2e07878f6e336
SHA512

f266a3958d48efc6a9b105c62eb0cfd8d30e810b3f247e065b9b62a0f62f70642b1964a7d570f22f16a64cd1430cfa25c3de53201282773b1bd0b5ef352485b1
SSDEEP

12288:vYqsd1RU0HAn7av42cnY/jVFIegYLTvEOLhPMuOBmO:vYqsd1DZ42ci7lLTsOBMucmO

Score

10^/10

blustealer collection stealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 2 IoCs

pid	Process
4448	kxlbzxzqy.exe
4296	kxlbzxzqy.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4448 set thread context of 4296	4448	kxlbzxzqy.exe	77
PID 4296 set thread context of 5068	4296	kxlbzxzqy.exe	78

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4448	kxlbzxzqy.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4296	kxlbzxzqy.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5096 wrote to memory of 4448	5096	tmp1rfyr84t.exe	75
PID 5096 wrote to memory of 4448	5096	tmp1rfyr84t.exe	75
PID 5096 wrote to memory of 4448	5096	tmp1rfyr84t.exe	75
PID 4448 wrote to memory of 4296	4448	kxlbzxzqy.exe	77
PID 4448 wrote to memory of 4296	4448	kxlbzxzqy.exe	77
PID 4448 wrote to memory of 4296	4448	kxlbzxzqy.exe	77
PID 4448 wrote to memory of 4296	4448	kxlbzxzqy.exe	77
PID 4296 wrote to memory of 5068	4296	kxlbzxzqy.exe	78
PID 4296 wrote to memory of 5068	4296	kxlbzxzqy.exe	78
PID 4296 wrote to memory of 5068	4296	kxlbzxzqy.exe	78
PID 4296 wrote to memory of 5068	4296	kxlbzxzqy.exe	78
PID 4296 wrote to memory of 5068	4296	kxlbzxzqy.exe	78

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\tmp1rfyr84t.exe
"C:\Users\Admin\AppData\Local\Temp\tmp1rfyr84t.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Users\Admin\AppData\Local\Temp\kxlbzxzqy.exe
  "C:\Users\Admin\AppData\Local\Temp\kxlbzxzqy.exe" C:\Users\Admin\AppData\Local\Temp\mwxvofu.ner
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4448
- - C:\Users\Admin\AppData\Local\Temp\kxlbzxzqy.exe
    "C:\Users\Admin\AppData\Local\Temp\kxlbzxzqy.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4296
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      4⤵
      Accesses Microsoft Outlook profiles
      outlook_office_path
      outlook_win_path
      PID:5068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hejrhbntlry.l

Filesize
460KB

MD5
561fea480390545e3b30dc7825feb4eb

SHA1
a14aecc241e739b0cbc29f1fe33efa5dd743c009

SHA256
623769af74fd75af0a5ee02f4421fe9284644d537ad8ede8f590876978748bfd

SHA512
79a2c1b8bf51bf8dfa794f58c70b307afbf830dce9d4578b7d7be91b4732055c2afd503bbb67fa14ec30a8c3b68b5811f5e84e116a0d958ade2450dd34f880cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\kxlbzxzqy.exe

Filesize
57KB

MD5
198a54e108c86535030a7d6cd8710ab3

SHA1
39ec3083766e950fdac8637b83794f92a6df189e

SHA256
29a410e657b881f84fe2d0cf61e5fbb1ba0c308ec614e4d20984840327a41a29

SHA512
9ddc70aeb144958276944b46c5215e7ac52763fd4f76c7db58c8a634532044dbf6359b5833d9a3dd5d8ef6ab5f36dc19cd9671fc19dc2d2d9850931580219539

Download Submit
C:\Users\Admin\AppData\Local\Temp\kxlbzxzqy.exe

Filesize
57KB

MD5
198a54e108c86535030a7d6cd8710ab3

SHA1
39ec3083766e950fdac8637b83794f92a6df189e

SHA256
29a410e657b881f84fe2d0cf61e5fbb1ba0c308ec614e4d20984840327a41a29

SHA512
9ddc70aeb144958276944b46c5215e7ac52763fd4f76c7db58c8a634532044dbf6359b5833d9a3dd5d8ef6ab5f36dc19cd9671fc19dc2d2d9850931580219539

Download Submit
C:\Users\Admin\AppData\Local\Temp\kxlbzxzqy.exe

Filesize
57KB

MD5
198a54e108c86535030a7d6cd8710ab3

SHA1
39ec3083766e950fdac8637b83794f92a6df189e

SHA256
29a410e657b881f84fe2d0cf61e5fbb1ba0c308ec614e4d20984840327a41a29

SHA512
9ddc70aeb144958276944b46c5215e7ac52763fd4f76c7db58c8a634532044dbf6359b5833d9a3dd5d8ef6ab5f36dc19cd9671fc19dc2d2d9850931580219539

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwxvofu.ner

Filesize
5KB

MD5
f89ec267e9fe8ef34e14ed2c3b23bf91

SHA1
d5dae45ea626ce7e951feb4c28d0c904864b1116

SHA256
9e33d6fca153afccda3b06f40d46c7885efccc02cd73a4f651d755d7e2c1ff59

SHA512
da96363bc51b344ebd07c8e3c739b2b41382f56e4efeb030a1f01f572ca74bc7dd703f7157482df39167a5d6a90f47473c9b6365110aa997a1d53d47e6b5d312

Download Submit
memory/4296-154-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4296-167-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4296-148-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4296-176-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4296-175-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4296-174-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4296-153-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4296-141-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4296-164-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4296-165-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4296-166-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4296-144-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4296-168-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4296-169-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4296-170-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4296-171-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4296-172-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4296-173-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/5068-151-0x0000000004CE0000-0x0000000004D7C000-memory.dmp

Filesize
624KB

Download
memory/5068-150-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/5068-149-0x0000000000500000-0x0000000000566000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing