General

  • Target

    Purchase Order.exe

  • Size

    1.3MB

  • Sample

    230416-ntz7psbf9v

  • MD5

    293fdf1a86054e7f7ea5468093a32619

  • SHA1

    556f35a6bc2f99c18eac6efc24772bcaea2c4dc7

  • SHA256

    9966abd2f2239c4ab9ef470ba0a76c3546645666976c45d7294214d283510140

  • SHA512

    dd89c55471e4573b14bc8b15fd5f268bc03f6c47d127bb3a07f70b3ff7ecf6c43f86eae13a2bf70d15baf9df2de198cbb5a18b287dff08027a7dbbb51d6d94df

  • SSDEEP

    24576:dlDz26SjmWjOMnxBZL/gBDTOihq+6yYAJOxyaLYJydD4noK1kY2OdGJ306n2r6L:bDcmWKMx7L/oHOihz6y9JOx2Ig162OL

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Targets

    • Target

      Purchase Order.exe

    • Size

      1.3MB

    • MD5

      293fdf1a86054e7f7ea5468093a32619

    • SHA1

      556f35a6bc2f99c18eac6efc24772bcaea2c4dc7

    • SHA256

      9966abd2f2239c4ab9ef470ba0a76c3546645666976c45d7294214d283510140

    • SHA512

      dd89c55471e4573b14bc8b15fd5f268bc03f6c47d127bb3a07f70b3ff7ecf6c43f86eae13a2bf70d15baf9df2de198cbb5a18b287dff08027a7dbbb51d6d94df

    • SSDEEP

      24576:dlDz26SjmWjOMnxBZL/gBDTOihq+6yYAJOxyaLYJydD4noK1kY2OdGJ306n2r6L:bDcmWKMx7L/oHOihz6y9JOx2Ig162OL

    • BluStealer

      A modular information stealer written in Visual Basic.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Accesses Microsoft Outlook profiles

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks