blustealer | 02e0e775684e9c702ea3467fb12c7ac5c819c5baf7b3a4c0aedb53d24336da23

General

Target

PO_NOD361640407.exe
Size

507KB
MD5

36ee10e6a66f23f15c8f22f3a446facb
SHA1

9ec9c892f375abc10508b5db565ab959d48bd127
SHA256

d6ae7fc8b53cc5e38e27e5c364806ddab33fb6a2b3339ecb8e79cce57839c21d
SHA512

85db305b945f2f6a14c04d0b30e59643ccce5f8b0f214614c6b58d032f47f181a6a45498ea6e1fec23a24fbc7e8cbc7ea9cec7d402d894fc9e3b088bfa8d4e09
SSDEEP

12288:/YyvATUqd2XlTTuFa0uJ1iku0efT1l4gsz26VXPSjzRaWsVLwsJP:/Yyv5I2X4FiJu0al4gsz26wzYt91

Score

10^/10

blustealer collection stealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5450700540:AAEJyEEV8BKgYUKmnCPZxp19kD9GVSRup5M/sendMessage?chat_id=5422342474

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 2 IoCs

pid	Process
1944	sdymllnxzv.exe
736	sdymllnxzv.exe

Loads dropped DLL 2 IoCs

pid	Process
2040	PO_NOD361640407.exe
1944	sdymllnxzv.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1944 set thread context of 736	1944	sdymllnxzv.exe	30
PID 736 set thread context of 692	736	sdymllnxzv.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1944	sdymllnxzv.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
736	sdymllnxzv.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 1944	2040	PO_NOD361640407.exe	28
PID 2040 wrote to memory of 1944	2040	PO_NOD361640407.exe	28
PID 2040 wrote to memory of 1944	2040	PO_NOD361640407.exe	28
PID 2040 wrote to memory of 1944	2040	PO_NOD361640407.exe	28
PID 1944 wrote to memory of 736	1944	sdymllnxzv.exe	30
PID 1944 wrote to memory of 736	1944	sdymllnxzv.exe	30
PID 1944 wrote to memory of 736	1944	sdymllnxzv.exe	30
PID 1944 wrote to memory of 736	1944	sdymllnxzv.exe	30
PID 1944 wrote to memory of 736	1944	sdymllnxzv.exe	30
PID 736 wrote to memory of 692	736	sdymllnxzv.exe	31
PID 736 wrote to memory of 692	736	sdymllnxzv.exe	31
PID 736 wrote to memory of 692	736	sdymllnxzv.exe	31
PID 736 wrote to memory of 692	736	sdymllnxzv.exe	31
PID 736 wrote to memory of 692	736	sdymllnxzv.exe	31
PID 736 wrote to memory of 692	736	sdymllnxzv.exe	31
PID 736 wrote to memory of 692	736	sdymllnxzv.exe	31
PID 736 wrote to memory of 692	736	sdymllnxzv.exe	31
PID 736 wrote to memory of 692	736	sdymllnxzv.exe	31

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\PO_NOD361640407.exe
"C:\Users\Admin\AppData\Local\Temp\PO_NOD361640407.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\sdymllnxzv.exe
  "C:\Users\Admin\AppData\Local\Temp\sdymllnxzv.exe" C:\Users\Admin\AppData\Local\Temp\kbwxt.nub
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Users\Admin\AppData\Local\Temp\sdymllnxzv.exe
    "C:\Users\Admin\AppData\Local\Temp\sdymllnxzv.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:736
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      4⤵
      Accesses Microsoft Outlook profiles
      outlook_office_path
      outlook_win_path
      PID:692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kbwxt.nub

Filesize
5KB

MD5
798fa71d9de653cad7e62856687cb823

SHA1
fe71de33abed9ba908a7cc1086e3fdfabecd4509

SHA256
557c5524818d8cb3e6dd21b21fd82a2d0b7ab2495c83b39617cbed58e3c78089

SHA512
50a821dfc8d1c3ded252188c7b0ed98a658d6aa8a44902a3595a3808c315b67a48104b9b464998cad1592cee7d07a8c081d283ee800b39638b18dfea1b5e1b08

Download Submit
C:\Users\Admin\AppData\Local\Temp\ngmqnc.mzy

Filesize
460KB

MD5
c4c3a8ff3d816daa20e00ecacaf1d862

SHA1
9b88079891990b8192e45572c4ef05659b9459b3

SHA256
18a0eabfd76f0e73c826c72c302bccc3f94242512f062b039d9c8ab3fc907ad8

SHA512
22c1d3b6c84d4f25a8254178127b8bad5cc6094403a7e81c772571a36d0b181eca408308307bb9ae47dd43ba7df49dd2f33e7fd7a1da24c442acf1411b036a67

Download Submit
C:\Users\Admin\AppData\Local\Temp\sdymllnxzv.exe

Filesize
67KB

MD5
b6d78b022e8043e4317996800c98ed5a

SHA1
cec80af50f8d16a654a56d15566bf9a410e1ce4b

SHA256
d9ba82c00169376684f0cb251bdddba0a0888f6594b7b99ea24a0900ff4d250e

SHA512
e1a8a79b976304eb48cb4063ce7ee34fa3e35e10641d2681d0b26f7c1915cbdd6e7c9106bddbd8656744a5e4fc76a9f242892041bdcdd1845d3dfe0cfcc41c72

Download Submit
C:\Users\Admin\AppData\Local\Temp\sdymllnxzv.exe

Filesize
67KB

MD5
b6d78b022e8043e4317996800c98ed5a

SHA1
cec80af50f8d16a654a56d15566bf9a410e1ce4b

SHA256
d9ba82c00169376684f0cb251bdddba0a0888f6594b7b99ea24a0900ff4d250e

SHA512
e1a8a79b976304eb48cb4063ce7ee34fa3e35e10641d2681d0b26f7c1915cbdd6e7c9106bddbd8656744a5e4fc76a9f242892041bdcdd1845d3dfe0cfcc41c72

Download Submit
C:\Users\Admin\AppData\Local\Temp\sdymllnxzv.exe

Filesize
67KB

MD5
b6d78b022e8043e4317996800c98ed5a

SHA1
cec80af50f8d16a654a56d15566bf9a410e1ce4b

SHA256
d9ba82c00169376684f0cb251bdddba0a0888f6594b7b99ea24a0900ff4d250e

SHA512
e1a8a79b976304eb48cb4063ce7ee34fa3e35e10641d2681d0b26f7c1915cbdd6e7c9106bddbd8656744a5e4fc76a9f242892041bdcdd1845d3dfe0cfcc41c72

Download Submit
\Users\Admin\AppData\Local\Temp\sdymllnxzv.exe

Filesize
67KB

MD5
b6d78b022e8043e4317996800c98ed5a

SHA1
cec80af50f8d16a654a56d15566bf9a410e1ce4b

SHA256
d9ba82c00169376684f0cb251bdddba0a0888f6594b7b99ea24a0900ff4d250e

SHA512
e1a8a79b976304eb48cb4063ce7ee34fa3e35e10641d2681d0b26f7c1915cbdd6e7c9106bddbd8656744a5e4fc76a9f242892041bdcdd1845d3dfe0cfcc41c72

Download Submit
\Users\Admin\AppData\Local\Temp\sdymllnxzv.exe

Filesize
67KB

MD5
b6d78b022e8043e4317996800c98ed5a

SHA1
cec80af50f8d16a654a56d15566bf9a410e1ce4b

SHA256
d9ba82c00169376684f0cb251bdddba0a0888f6594b7b99ea24a0900ff4d250e

SHA512
e1a8a79b976304eb48cb4063ce7ee34fa3e35e10641d2681d0b26f7c1915cbdd6e7c9106bddbd8656744a5e4fc76a9f242892041bdcdd1845d3dfe0cfcc41c72

Download Submit
memory/692-81-0x0000000004F80000-0x0000000004FC0000-memory.dmp

Filesize
256KB

Download
memory/692-79-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/692-80-0x0000000000E50000-0x0000000000F0C000-memory.dmp

Filesize
752KB

Download
memory/692-74-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/692-73-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/692-75-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/692-77-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/736-69-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/736-88-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/736-65-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/736-82-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/736-83-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/736-84-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/736-85-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/736-86-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/736-87-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/736-72-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/736-89-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/736-90-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/736-91-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/736-92-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/736-93-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/736-94-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/736-95-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/736-96-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing