blustealer | ab6fe5e7101c50804c400d96dca43a6083c7df4e90b4997c05864773405f34c1

General

Target

Purchase-Order-7313 2023-02.exe
Size

597KB
MD5

ce8d75a492249b0aff8b6f54e618bc5b
SHA1

50957aa6adc9258523375e69d20dd48b8e56c44e
SHA256

ab6fe5e7101c50804c400d96dca43a6083c7df4e90b4997c05864773405f34c1
SHA512

f92faca2a8cab563d54386ead54f64387302db7788e0b03be7ca4886e3dc20029d9f70c17ff71a0b7e0e8a64970bda6f29f007dcf7d22bf65bc9843ff0bf6377
SSDEEP

12288:/Y6WFJdOlrIy2FwYxV5cVLPP2E+pugVnmsa1u/0AtJ6NX8NVYAau5e:/Y6WhOywYZcVLX2vppnEeJ+XFAaf

Score

10^/10

blustealer collection stealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 2 IoCs

pid	Process
1420	rzagxfxsku.exe
1948	rzagxfxsku.exe

Loads dropped DLL 2 IoCs

pid	Process
1932	Purchase-Order-7313 2023-02.exe
1420	rzagxfxsku.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1420 set thread context of 1948	1420	rzagxfxsku.exe	30
PID 1948 set thread context of 1216	1948	rzagxfxsku.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1420	rzagxfxsku.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1948	rzagxfxsku.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 1420	1932	Purchase-Order-7313 2023-02.exe	28
PID 1932 wrote to memory of 1420	1932	Purchase-Order-7313 2023-02.exe	28
PID 1932 wrote to memory of 1420	1932	Purchase-Order-7313 2023-02.exe	28
PID 1932 wrote to memory of 1420	1932	Purchase-Order-7313 2023-02.exe	28
PID 1420 wrote to memory of 1948	1420	rzagxfxsku.exe	30
PID 1420 wrote to memory of 1948	1420	rzagxfxsku.exe	30
PID 1420 wrote to memory of 1948	1420	rzagxfxsku.exe	30
PID 1420 wrote to memory of 1948	1420	rzagxfxsku.exe	30
PID 1420 wrote to memory of 1948	1420	rzagxfxsku.exe	30
PID 1948 wrote to memory of 1216	1948	rzagxfxsku.exe	31
PID 1948 wrote to memory of 1216	1948	rzagxfxsku.exe	31
PID 1948 wrote to memory of 1216	1948	rzagxfxsku.exe	31
PID 1948 wrote to memory of 1216	1948	rzagxfxsku.exe	31
PID 1948 wrote to memory of 1216	1948	rzagxfxsku.exe	31
PID 1948 wrote to memory of 1216	1948	rzagxfxsku.exe	31
PID 1948 wrote to memory of 1216	1948	rzagxfxsku.exe	31
PID 1948 wrote to memory of 1216	1948	rzagxfxsku.exe	31
PID 1948 wrote to memory of 1216	1948	rzagxfxsku.exe	31

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Purchase-Order-7313 2023-02.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase-Order-7313 2023-02.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Users\Admin\AppData\Local\Temp\rzagxfxsku.exe
  "C:\Users\Admin\AppData\Local\Temp\rzagxfxsku.exe" C:\Users\Admin\AppData\Local\Temp\snvvmklm.r
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1420
- - C:\Users\Admin\AppData\Local\Temp\rzagxfxsku.exe
    "C:\Users\Admin\AppData\Local\Temp\rzagxfxsku.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1948
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      4⤵
      Accesses Microsoft Outlook profiles
      outlook_office_path
      outlook_win_path
      PID:1216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bspbgeeg.e

Filesize
460KB

MD5
4f8041e2005c4e6c561d9e0a219f266f

SHA1
89bb26a89d6f91b05cbbeca4f133fc41206be48e

SHA256
924186e69031c49e994c015957440eb8201601b31be68cbbb14edfa563355030

SHA512
bb578b4b4201f9819f0686d0ad66cd62a482771e7856f89074e2b4868e4d50925b06ba50aec8f473180c42b708017633bacd2e2f84178d02dd7c9eb4894f18ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\rzagxfxsku.exe

Filesize
296KB

MD5
759d318a050b6c76fde3263640604559

SHA1
1b4eef994aeb3aa0cffb7ede3a4a521a705c036e

SHA256
21f969b6030a00e4a0cd7bfceb3b4cd79f151d5927a63d3504b1bde980838a4d

SHA512
344552f5dded8e67a0d3ee52652fbc93f34fc125a9e10e9cd263b101f7e2646df38219ea6ca96740d894cce4003b5b8ce5638501b651717c5385099890466833

Download Submit
C:\Users\Admin\AppData\Local\Temp\rzagxfxsku.exe

Filesize
296KB

MD5
759d318a050b6c76fde3263640604559

SHA1
1b4eef994aeb3aa0cffb7ede3a4a521a705c036e

SHA256
21f969b6030a00e4a0cd7bfceb3b4cd79f151d5927a63d3504b1bde980838a4d

SHA512
344552f5dded8e67a0d3ee52652fbc93f34fc125a9e10e9cd263b101f7e2646df38219ea6ca96740d894cce4003b5b8ce5638501b651717c5385099890466833

Download Submit
C:\Users\Admin\AppData\Local\Temp\rzagxfxsku.exe

Filesize
296KB

MD5
759d318a050b6c76fde3263640604559

SHA1
1b4eef994aeb3aa0cffb7ede3a4a521a705c036e

SHA256
21f969b6030a00e4a0cd7bfceb3b4cd79f151d5927a63d3504b1bde980838a4d

SHA512
344552f5dded8e67a0d3ee52652fbc93f34fc125a9e10e9cd263b101f7e2646df38219ea6ca96740d894cce4003b5b8ce5638501b651717c5385099890466833

Download Submit
C:\Users\Admin\AppData\Local\Temp\snvvmklm.r

Filesize
5KB

MD5
ee619fde530b225d204a2ea7d445cdf5

SHA1
01b26e6d8bcbd6fa753da60f397c7692ffb5fba7

SHA256
0896ce722346e25794be5f5e6516377346bdb1d70e363200d19879d1e19ec90e

SHA512
a53c1f317b87f9cfdd389d66a2b7813f097c14d805ab366643da0c57ccf2164c88e9c464c87f6f7507674d06b70bf1fabc0ff2c085b4a881890b93504f63f701

Download Submit
\Users\Admin\AppData\Local\Temp\rzagxfxsku.exe

Filesize
296KB

MD5
759d318a050b6c76fde3263640604559

SHA1
1b4eef994aeb3aa0cffb7ede3a4a521a705c036e

SHA256
21f969b6030a00e4a0cd7bfceb3b4cd79f151d5927a63d3504b1bde980838a4d

SHA512
344552f5dded8e67a0d3ee52652fbc93f34fc125a9e10e9cd263b101f7e2646df38219ea6ca96740d894cce4003b5b8ce5638501b651717c5385099890466833

Download Submit
\Users\Admin\AppData\Local\Temp\rzagxfxsku.exe

Filesize
296KB

MD5
759d318a050b6c76fde3263640604559

SHA1
1b4eef994aeb3aa0cffb7ede3a4a521a705c036e

SHA256
21f969b6030a00e4a0cd7bfceb3b4cd79f151d5927a63d3504b1bde980838a4d

SHA512
344552f5dded8e67a0d3ee52652fbc93f34fc125a9e10e9cd263b101f7e2646df38219ea6ca96740d894cce4003b5b8ce5638501b651717c5385099890466833

Download Submit
memory/1216-79-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1216-77-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1216-80-0x00000000049C0000-0x0000000004A7C000-memory.dmp

Filesize
752KB

Download
memory/1216-73-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1216-74-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1216-75-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/1948-83-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1948-87-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1948-72-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1948-81-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1948-82-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1948-69-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1948-84-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1948-85-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1948-86-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1948-65-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1948-88-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1948-89-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1948-90-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1948-91-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1948-92-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1948-93-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1948-94-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1948-95-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing