blustealer | 709b07ef6d3a105e4f17eb92f6978c9b8597c8297f6391303670e2adaed90592

Analysis

max time kernel
30s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
08-04-2023 07:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

709b07ef6d3a105e4f17eb92f6978c9b8597c8297f6391303670e2adaed90592.exe
Size

504KB
MD5

76ef6dcc228516addb85969c619845f8
SHA1

ec42d448daf3645b980588f03e4a1d50a068e302
SHA256

709b07ef6d3a105e4f17eb92f6978c9b8597c8297f6391303670e2adaed90592
SHA512

4b37f2b3b5977a9d55021c02654095d79125838df1759684a93d08732777fe411841395179198a7c121b1f3ffd59d7c7d31b2ed9387d4e0765265c09716d1f0e
SSDEEP

12288:/YuffiNQGwOEphdUyTd7RqcNEb2SqH4y8jw:/YuffiQGwOERlucuqbv

Score

10^/10

blustealer collection stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5450700540:AAEJyEEV8BKgYUKmnCPZxp19kD9GVSRup5M/sendMessage?chat_id=5422342474

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 3 IoCs

pid	Process
924	nbagek.exe
552	nbagek.exe
1496	nbagek.exe

Loads dropped DLL 4 IoCs

pid	Process
1532	709b07ef6d3a105e4f17eb92f6978c9b8597c8297f6391303670e2adaed90592.exe
1532	709b07ef6d3a105e4f17eb92f6978c9b8597c8297f6391303670e2adaed90592.exe
924	nbagek.exe
924	nbagek.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 924 set thread context of 1496	924	nbagek.exe	30
PID 1496 set thread context of 616	1496	nbagek.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
924	nbagek.exe
924	nbagek.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1496	nbagek.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 924	1532	709b07ef6d3a105e4f17eb92f6978c9b8597c8297f6391303670e2adaed90592.exe	28
PID 1532 wrote to memory of 924	1532	709b07ef6d3a105e4f17eb92f6978c9b8597c8297f6391303670e2adaed90592.exe	28
PID 1532 wrote to memory of 924	1532	709b07ef6d3a105e4f17eb92f6978c9b8597c8297f6391303670e2adaed90592.exe	28
PID 1532 wrote to memory of 924	1532	709b07ef6d3a105e4f17eb92f6978c9b8597c8297f6391303670e2adaed90592.exe	28
PID 924 wrote to memory of 552	924	nbagek.exe	29
PID 924 wrote to memory of 552	924	nbagek.exe	29
PID 924 wrote to memory of 552	924	nbagek.exe	29
PID 924 wrote to memory of 552	924	nbagek.exe	29
PID 924 wrote to memory of 1496	924	nbagek.exe	30
PID 924 wrote to memory of 1496	924	nbagek.exe	30
PID 924 wrote to memory of 1496	924	nbagek.exe	30
PID 924 wrote to memory of 1496	924	nbagek.exe	30
PID 924 wrote to memory of 1496	924	nbagek.exe	30
PID 1496 wrote to memory of 616	1496	nbagek.exe	31
PID 1496 wrote to memory of 616	1496	nbagek.exe	31
PID 1496 wrote to memory of 616	1496	nbagek.exe	31
PID 1496 wrote to memory of 616	1496	nbagek.exe	31
PID 1496 wrote to memory of 616	1496	nbagek.exe	31
PID 1496 wrote to memory of 616	1496	nbagek.exe	31
PID 1496 wrote to memory of 616	1496	nbagek.exe	31
PID 1496 wrote to memory of 616	1496	nbagek.exe	31
PID 1496 wrote to memory of 616	1496	nbagek.exe	31

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\709b07ef6d3a105e4f17eb92f6978c9b8597c8297f6391303670e2adaed90592.exe
"C:\Users\Admin\AppData\Local\Temp\709b07ef6d3a105e4f17eb92f6978c9b8597c8297f6391303670e2adaed90592.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Users\Admin\AppData\Local\Temp\nbagek.exe
  "C:\Users\Admin\AppData\Local\Temp\nbagek.exe" C:\Users\Admin\AppData\Local\Temp\usjvx.r
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:924
- - C:\Users\Admin\AppData\Local\Temp\nbagek.exe
    "C:\Users\Admin\AppData\Local\Temp\nbagek.exe"
    3⤵
    - Executes dropped EXE
    PID:552
- - C:\Users\Admin\AppData\Local\Temp\nbagek.exe
    "C:\Users\Admin\AppData\Local\Temp\nbagek.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      4⤵
      Accesses Microsoft Outlook profiles
      outlook_office_path
      outlook_win_path
      PID:616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\geytosefgdo.zh

Filesize
460KB

MD5
9d5bd78f657d9ccef877c3beef82759c

SHA1
539ae458cd7a065d0284223f665a6e8f0ee578a0

SHA256
6de95df699cfe0c0b66493b584345c1c3f469dc9394c3d0405bba8eafdd21ba8

SHA512
7edebc7d46b64253704c95cbce13e1debba75625f17ff370526c8ae78cba000e2badf346cae00d9acbccb4fb1b50974ef10498f995d8f3319f95947eb182ab03

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbagek.exe

Filesize
58KB

MD5
7b2dababe7304999f68211fdaa1148ce

SHA1
3a053a885695db89f28c797ac3c8f69c39246385

SHA256
2885c4d23594a128e1b7fe02b2ea18adf29a5f2ac5db0b304c35285cd14dad31

SHA512
366f118fe9bb594d5f2c38309aa58babd0be6da675a764c5f939e7ae6889cad64873c550d79c3f2fdb17dbe97e609b2a24bb7207f7bb78434edefd83f30fe1ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbagek.exe

Filesize
58KB

MD5
7b2dababe7304999f68211fdaa1148ce

SHA1
3a053a885695db89f28c797ac3c8f69c39246385

SHA256
2885c4d23594a128e1b7fe02b2ea18adf29a5f2ac5db0b304c35285cd14dad31

SHA512
366f118fe9bb594d5f2c38309aa58babd0be6da675a764c5f939e7ae6889cad64873c550d79c3f2fdb17dbe97e609b2a24bb7207f7bb78434edefd83f30fe1ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbagek.exe

Filesize
58KB

MD5
7b2dababe7304999f68211fdaa1148ce

SHA1
3a053a885695db89f28c797ac3c8f69c39246385

SHA256
2885c4d23594a128e1b7fe02b2ea18adf29a5f2ac5db0b304c35285cd14dad31

SHA512
366f118fe9bb594d5f2c38309aa58babd0be6da675a764c5f939e7ae6889cad64873c550d79c3f2fdb17dbe97e609b2a24bb7207f7bb78434edefd83f30fe1ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbagek.exe

Filesize
58KB

MD5
7b2dababe7304999f68211fdaa1148ce

SHA1
3a053a885695db89f28c797ac3c8f69c39246385

SHA256
2885c4d23594a128e1b7fe02b2ea18adf29a5f2ac5db0b304c35285cd14dad31

SHA512
366f118fe9bb594d5f2c38309aa58babd0be6da675a764c5f939e7ae6889cad64873c550d79c3f2fdb17dbe97e609b2a24bb7207f7bb78434edefd83f30fe1ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbagek.exe

Filesize
58KB

MD5
7b2dababe7304999f68211fdaa1148ce

SHA1
3a053a885695db89f28c797ac3c8f69c39246385

SHA256
2885c4d23594a128e1b7fe02b2ea18adf29a5f2ac5db0b304c35285cd14dad31

SHA512
366f118fe9bb594d5f2c38309aa58babd0be6da675a764c5f939e7ae6889cad64873c550d79c3f2fdb17dbe97e609b2a24bb7207f7bb78434edefd83f30fe1ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\usjvx.r

Filesize
5KB

MD5
6bc43682a311227742e5a6dfff67160b

SHA1
36054c3b086af268f3f1274eb66b167fe66712d3

SHA256
882d92f276cfc9c196fe2bf27dd3fbb24b0e5b473791d2d4ac716ec0da17cac8

SHA512
f3b153d2c73662dddf5d8c1bfd342409edfbac6931c6d867928aedef61d7c3ee4511a9da5721843bd78f394be9008f71829cbc16e9f106dadd5f5615faf1b9c2

Download Submit
\Users\Admin\AppData\Local\Temp\nbagek.exe

Filesize
58KB

MD5
7b2dababe7304999f68211fdaa1148ce

SHA1
3a053a885695db89f28c797ac3c8f69c39246385

SHA256
2885c4d23594a128e1b7fe02b2ea18adf29a5f2ac5db0b304c35285cd14dad31

SHA512
366f118fe9bb594d5f2c38309aa58babd0be6da675a764c5f939e7ae6889cad64873c550d79c3f2fdb17dbe97e609b2a24bb7207f7bb78434edefd83f30fe1ef

Download Submit
\Users\Admin\AppData\Local\Temp\nbagek.exe

Filesize
58KB

MD5
7b2dababe7304999f68211fdaa1148ce

SHA1
3a053a885695db89f28c797ac3c8f69c39246385

SHA256
2885c4d23594a128e1b7fe02b2ea18adf29a5f2ac5db0b304c35285cd14dad31

SHA512
366f118fe9bb594d5f2c38309aa58babd0be6da675a764c5f939e7ae6889cad64873c550d79c3f2fdb17dbe97e609b2a24bb7207f7bb78434edefd83f30fe1ef

Download Submit
\Users\Admin\AppData\Local\Temp\nbagek.exe

Filesize
58KB

MD5
7b2dababe7304999f68211fdaa1148ce

SHA1
3a053a885695db89f28c797ac3c8f69c39246385

SHA256
2885c4d23594a128e1b7fe02b2ea18adf29a5f2ac5db0b304c35285cd14dad31

SHA512
366f118fe9bb594d5f2c38309aa58babd0be6da675a764c5f939e7ae6889cad64873c550d79c3f2fdb17dbe97e609b2a24bb7207f7bb78434edefd83f30fe1ef

Download Submit
\Users\Admin\AppData\Local\Temp\nbagek.exe

Filesize
58KB

MD5
7b2dababe7304999f68211fdaa1148ce

SHA1
3a053a885695db89f28c797ac3c8f69c39246385

SHA256
2885c4d23594a128e1b7fe02b2ea18adf29a5f2ac5db0b304c35285cd14dad31

SHA512
366f118fe9bb594d5f2c38309aa58babd0be6da675a764c5f939e7ae6889cad64873c550d79c3f2fdb17dbe97e609b2a24bb7207f7bb78434edefd83f30fe1ef

Download Submit
memory/616-81-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/616-80-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/616-79-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/616-83-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/616-85-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/616-86-0x0000000004B90000-0x0000000004BD0000-memory.dmp

Filesize
256KB

Download
memory/616-87-0x0000000004BD0000-0x0000000004C8C000-memory.dmp

Filesize
752KB

Download
memory/1496-75-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1496-78-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1496-71-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1496-88-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download