blustealer | f2bf8ee81960e00ff117376675a5b662b18ca10d58164de0f5fbb560aa4199fd

General

Target

f2bf8ee81960e00ff117376675a5b662b18ca10d58164de0f5fbb560aa4199fd.exe
Size

523KB
MD5

cac4348fb51dea6158f27b0f8b7a79bb
SHA1

402740d268dde6b07e9855b85e9cefd1abd712d1
SHA256

f2bf8ee81960e00ff117376675a5b662b18ca10d58164de0f5fbb560aa4199fd
SHA512

f13bcf56612fff85b2dee304fa622aeacfca2dd745fab79ddc0acd80352cc43f228df22fa6e74bf3840f7d1d88a3c7ddaa3c7ffa5f95f84e27ef8b33d11853c7
SSDEEP

12288:/YFYF0yZC++1vwE721swz90NsT6JIR/sXOcYQK6EqxapW:/YFOC5IP0+T6yRkXJKfOp

Score

10^/10

blustealer collection stealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5450700540:AAEJyEEV8BKgYUKmnCPZxp19kD9GVSRup5M/sendMessage?chat_id=5422342474

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 2 IoCs

pid	Process
2024	zxqfgpaz.exe
884	zxqfgpaz.exe

Loads dropped DLL 2 IoCs

pid	Process
1048	f2bf8ee81960e00ff117376675a5b662b18ca10d58164de0f5fbb560aa4199fd.exe
2024	zxqfgpaz.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2024 set thread context of 884	2024	zxqfgpaz.exe	27
PID 884 set thread context of 1692	884	zxqfgpaz.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2024	zxqfgpaz.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
884	zxqfgpaz.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 2024	1048	f2bf8ee81960e00ff117376675a5b662b18ca10d58164de0f5fbb560aa4199fd.exe	26
PID 1048 wrote to memory of 2024	1048	f2bf8ee81960e00ff117376675a5b662b18ca10d58164de0f5fbb560aa4199fd.exe	26
PID 1048 wrote to memory of 2024	1048	f2bf8ee81960e00ff117376675a5b662b18ca10d58164de0f5fbb560aa4199fd.exe	26
PID 1048 wrote to memory of 2024	1048	f2bf8ee81960e00ff117376675a5b662b18ca10d58164de0f5fbb560aa4199fd.exe	26
PID 2024 wrote to memory of 884	2024	zxqfgpaz.exe	27
PID 2024 wrote to memory of 884	2024	zxqfgpaz.exe	27
PID 2024 wrote to memory of 884	2024	zxqfgpaz.exe	27
PID 2024 wrote to memory of 884	2024	zxqfgpaz.exe	27
PID 2024 wrote to memory of 884	2024	zxqfgpaz.exe	27
PID 884 wrote to memory of 1692	884	zxqfgpaz.exe	28
PID 884 wrote to memory of 1692	884	zxqfgpaz.exe	28
PID 884 wrote to memory of 1692	884	zxqfgpaz.exe	28
PID 884 wrote to memory of 1692	884	zxqfgpaz.exe	28
PID 884 wrote to memory of 1692	884	zxqfgpaz.exe	28
PID 884 wrote to memory of 1692	884	zxqfgpaz.exe	28
PID 884 wrote to memory of 1692	884	zxqfgpaz.exe	28
PID 884 wrote to memory of 1692	884	zxqfgpaz.exe	28
PID 884 wrote to memory of 1692	884	zxqfgpaz.exe	28

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\f2bf8ee81960e00ff117376675a5b662b18ca10d58164de0f5fbb560aa4199fd.exe
"C:\Users\Admin\AppData\Local\Temp\f2bf8ee81960e00ff117376675a5b662b18ca10d58164de0f5fbb560aa4199fd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Users\Admin\AppData\Local\Temp\zxqfgpaz.exe
  "C:\Users\Admin\AppData\Local\Temp\zxqfgpaz.exe" C:\Users\Admin\AppData\Local\Temp\odawqbyia.ahw
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Users\Admin\AppData\Local\Temp\zxqfgpaz.exe
    "C:\Users\Admin\AppData\Local\Temp\zxqfgpaz.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:884
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      4⤵
      Accesses Microsoft Outlook profiles
      outlook_office_path
      outlook_win_path
      PID:1692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\odawqbyia.ahw

Filesize
5KB

MD5
21761e60350efbe540e06efe70e5a778

SHA1
2bcbfe31f98cde18eae54354bd4c7c0214f72fc7

SHA256
aa2a8cbd219071ae0f6c1ac89ffa17bda1ba46e7118c54b7fd944c693d50355e

SHA512
1eecd2a151ab1d52b70bf152f35a97d0af05d223d46a127d9257ab6057fef70954db200098ff5aa34bc702653446cf01f3d6e3e5ddffe8d7805ffad7361b931e

Download Submit
C:\Users\Admin\AppData\Local\Temp\phusgmfylug.z

Filesize
460KB

MD5
551b36d99045bd8dd1b2024e9cb29196

SHA1
80a4a057df9ba3baa237555089df124ec9b4f332

SHA256
09815be9c7d57ebfb580f871986f0a84e1b0a306e1a9c6728b952cc9b845534a

SHA512
87c6a4ce8112598cc67e3aa99e80ef6bf713100ab16c9dda739ed5ac402b50d3d411b7f49c17ed3e975fbc1b07e5a8c69f34df0638b18b65fa7f718ef492e5d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zxqfgpaz.exe

Filesize
98KB

MD5
ebeae598ab6a10ddca67dee57a71a7bd

SHA1
16f3d99b6d822130bd59fc1d7cdfb772ec0d0314

SHA256
6d0677f44b72d41fedbf3b766023378951fc1a21aba3cf32be57596e74feee9d

SHA512
d029c4817f996f6f3f4aaa6628e5733546ea2bd40950dbf5e7f4393a1d1d0ca01394167eab2c6521866a52144a74e40d514203c74dbed9152eb32e96a16dd5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zxqfgpaz.exe

Filesize
98KB

MD5
ebeae598ab6a10ddca67dee57a71a7bd

SHA1
16f3d99b6d822130bd59fc1d7cdfb772ec0d0314

SHA256
6d0677f44b72d41fedbf3b766023378951fc1a21aba3cf32be57596e74feee9d

SHA512
d029c4817f996f6f3f4aaa6628e5733546ea2bd40950dbf5e7f4393a1d1d0ca01394167eab2c6521866a52144a74e40d514203c74dbed9152eb32e96a16dd5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zxqfgpaz.exe

Filesize
98KB

MD5
ebeae598ab6a10ddca67dee57a71a7bd

SHA1
16f3d99b6d822130bd59fc1d7cdfb772ec0d0314

SHA256
6d0677f44b72d41fedbf3b766023378951fc1a21aba3cf32be57596e74feee9d

SHA512
d029c4817f996f6f3f4aaa6628e5733546ea2bd40950dbf5e7f4393a1d1d0ca01394167eab2c6521866a52144a74e40d514203c74dbed9152eb32e96a16dd5b3

Download Submit
\Users\Admin\AppData\Local\Temp\zxqfgpaz.exe

Filesize
98KB

MD5
ebeae598ab6a10ddca67dee57a71a7bd

SHA1
16f3d99b6d822130bd59fc1d7cdfb772ec0d0314

SHA256
6d0677f44b72d41fedbf3b766023378951fc1a21aba3cf32be57596e74feee9d

SHA512
d029c4817f996f6f3f4aaa6628e5733546ea2bd40950dbf5e7f4393a1d1d0ca01394167eab2c6521866a52144a74e40d514203c74dbed9152eb32e96a16dd5b3

Download Submit
\Users\Admin\AppData\Local\Temp\zxqfgpaz.exe

Filesize
98KB

MD5
ebeae598ab6a10ddca67dee57a71a7bd

SHA1
16f3d99b6d822130bd59fc1d7cdfb772ec0d0314

SHA256
6d0677f44b72d41fedbf3b766023378951fc1a21aba3cf32be57596e74feee9d

SHA512
d029c4817f996f6f3f4aaa6628e5733546ea2bd40950dbf5e7f4393a1d1d0ca01394167eab2c6521866a52144a74e40d514203c74dbed9152eb32e96a16dd5b3

Download Submit
memory/884-69-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/884-65-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/884-75-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/884-81-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1692-74-0x0000000000210000-0x0000000000276000-memory.dmp

Filesize
408KB

Download
memory/1692-73-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1692-72-0x0000000000210000-0x0000000000276000-memory.dmp

Filesize
408KB

Download
memory/1692-77-0x0000000000210000-0x0000000000276000-memory.dmp

Filesize
408KB

Download
memory/1692-79-0x0000000000210000-0x0000000000276000-memory.dmp

Filesize
408KB

Download
memory/1692-80-0x00000000009F0000-0x0000000000AAC000-memory.dmp

Filesize
752KB

Download

Analysis

Sharing