blustealer | a441f7a3089ad5ceeb0692fcfee7a22a3f0a6a1791c4acaab1de71db23cfb7ee

General

Target

Request For Quotation.exe
Size

520KB
MD5

ac92da6c3c72d2ffd2bcfd2069e2a5ec
SHA1

c0fe0ad6c500e8c147c538491d92f790f4b7852a
SHA256

e0042984cd831b02a7c2b7cb18915c2198302406aabe5c1c3d2decf7c6b252e1
SHA512

0cd6151ce7a17da1843115d8607bc9e0b8102b6a0fda49ba7721d0c3b8a37263096a19a75c774b49bf88d56e391de56893b05bbd501b1424c590de1a2627ded2
SSDEEP

12288:vY7tZQcyX/AYo2cYQxWXn4L0WXOs5R0TybkSffYp99Z4NY4hMg+:vY7t+VXBtQghq7JfYpB4K4hMX

Score

10^/10

blustealer collection stealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 2 IoCs

pid	Process
1944	crvkmc.exe
588	crvkmc.exe

Loads dropped DLL 2 IoCs

pid	Process
1992	Request For Quotation.exe
1944	crvkmc.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1944 set thread context of 588	1944	crvkmc.exe	29
PID 588 set thread context of 2040	588	crvkmc.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1944	crvkmc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
588	crvkmc.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 1944	1992	Request For Quotation.exe	27
PID 1992 wrote to memory of 1944	1992	Request For Quotation.exe	27
PID 1992 wrote to memory of 1944	1992	Request For Quotation.exe	27
PID 1992 wrote to memory of 1944	1992	Request For Quotation.exe	27
PID 1944 wrote to memory of 588	1944	crvkmc.exe	29
PID 1944 wrote to memory of 588	1944	crvkmc.exe	29
PID 1944 wrote to memory of 588	1944	crvkmc.exe	29
PID 1944 wrote to memory of 588	1944	crvkmc.exe	29
PID 1944 wrote to memory of 588	1944	crvkmc.exe	29
PID 588 wrote to memory of 2040	588	crvkmc.exe	30
PID 588 wrote to memory of 2040	588	crvkmc.exe	30
PID 588 wrote to memory of 2040	588	crvkmc.exe	30
PID 588 wrote to memory of 2040	588	crvkmc.exe	30
PID 588 wrote to memory of 2040	588	crvkmc.exe	30
PID 588 wrote to memory of 2040	588	crvkmc.exe	30
PID 588 wrote to memory of 2040	588	crvkmc.exe	30
PID 588 wrote to memory of 2040	588	crvkmc.exe	30
PID 588 wrote to memory of 2040	588	crvkmc.exe	30

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Request For Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Request For Quotation.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Local\Temp\crvkmc.exe
  "C:\Users\Admin\AppData\Local\Temp\crvkmc.exe" C:\Users\Admin\AppData\Local\Temp\zuelngxpgz.mts
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Users\Admin\AppData\Local\Temp\crvkmc.exe
    "C:\Users\Admin\AppData\Local\Temp\crvkmc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:588
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      4⤵
      Accesses Microsoft Outlook profiles
      outlook_office_path
      outlook_win_path
      PID:2040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\crvkmc.exe

Filesize
91KB

MD5
fa3f85e115ed69c2d518d5deaa790216

SHA1
ab409d96d10f11df4b1093df159eff0c29aba6cd

SHA256
5698598964222a80225a459bd1cc353d0c3d9ecc9689a547e4d180518c454c1e

SHA512
2cb74cf3f9a3527a081b1de470261c8b273f4357aa708bc446618aeddc55273bf2f1657b515e1462b59498e462015f9264daa3badec2e0eda7a66db5ae9afaf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\crvkmc.exe

Filesize
91KB

MD5
fa3f85e115ed69c2d518d5deaa790216

SHA1
ab409d96d10f11df4b1093df159eff0c29aba6cd

SHA256
5698598964222a80225a459bd1cc353d0c3d9ecc9689a547e4d180518c454c1e

SHA512
2cb74cf3f9a3527a081b1de470261c8b273f4357aa708bc446618aeddc55273bf2f1657b515e1462b59498e462015f9264daa3badec2e0eda7a66db5ae9afaf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\crvkmc.exe

Filesize
91KB

MD5
fa3f85e115ed69c2d518d5deaa790216

SHA1
ab409d96d10f11df4b1093df159eff0c29aba6cd

SHA256
5698598964222a80225a459bd1cc353d0c3d9ecc9689a547e4d180518c454c1e

SHA512
2cb74cf3f9a3527a081b1de470261c8b273f4357aa708bc446618aeddc55273bf2f1657b515e1462b59498e462015f9264daa3badec2e0eda7a66db5ae9afaf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\rkivp.h

Filesize
460KB

MD5
f6fd8bce9b4240f6a996fb136f9d53a9

SHA1
11b0aaf887de4db05a3d08f5de53abd2fa39f662

SHA256
a116d773246917fae18eec33f1accb7bfa1cfb94c91dad14517b0cee0b84e804

SHA512
980a810661119888a4d083b4daa197d619f787cba4d873e77b47bcf2bccdd197252f724237e760b689ed41dc9a984adc9c0fd8be15c96756795b419295146c0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zuelngxpgz.mts

Filesize
5KB

MD5
5f73297aa5e05f81b19023e058502420

SHA1
ddcb039e12921c8f5a3039c36bfa3d49a3d33ef5

SHA256
3aaa7dad63af6103a34dc4478e233de3e72e9dcb5a4a623ea4248f957bedabf0

SHA512
19784449b792fd2575639c48b3fa75e7b08bed44755a8701a4fca7465752d86706f5a866fc977c52c1f30c8229bd96603efcc7fc4ee9e04fbc3dcaf0b002d8c3

Download Submit
\Users\Admin\AppData\Local\Temp\crvkmc.exe

Filesize
91KB

MD5
fa3f85e115ed69c2d518d5deaa790216

SHA1
ab409d96d10f11df4b1093df159eff0c29aba6cd

SHA256
5698598964222a80225a459bd1cc353d0c3d9ecc9689a547e4d180518c454c1e

SHA512
2cb74cf3f9a3527a081b1de470261c8b273f4357aa708bc446618aeddc55273bf2f1657b515e1462b59498e462015f9264daa3badec2e0eda7a66db5ae9afaf2

Download Submit
\Users\Admin\AppData\Local\Temp\crvkmc.exe

Filesize
91KB

MD5
fa3f85e115ed69c2d518d5deaa790216

SHA1
ab409d96d10f11df4b1093df159eff0c29aba6cd

SHA256
5698598964222a80225a459bd1cc353d0c3d9ecc9689a547e4d180518c454c1e

SHA512
2cb74cf3f9a3527a081b1de470261c8b273f4357aa708bc446618aeddc55273bf2f1657b515e1462b59498e462015f9264daa3badec2e0eda7a66db5ae9afaf2

Download Submit
memory/588-69-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/588-65-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/588-72-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/588-82-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2040-73-0x00000000001F0000-0x0000000000256000-memory.dmp

Filesize
408KB

Download
memory/2040-74-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2040-75-0x00000000001F0000-0x0000000000256000-memory.dmp

Filesize
408KB

Download
memory/2040-77-0x00000000001F0000-0x0000000000256000-memory.dmp

Filesize
408KB

Download
memory/2040-79-0x00000000001F0000-0x0000000000256000-memory.dmp

Filesize
408KB

Download
memory/2040-80-0x0000000004D60000-0x0000000004DA0000-memory.dmp

Filesize
256KB

Download
memory/2040-81-0x0000000004BF0000-0x0000000004CAC000-memory.dmp

Filesize
752KB

Download

Analysis

Sharing