Malware Analysis Report

2025-01-03 07:39

Sample ID 230501-tpjbaaca36
Target 3d695f1b4db5a0635d43e1cd1b9d48ae.bin.bin
SHA256 f4537ab3fdeb176d352dca40facb96f493d634f7d03140e2275be2ea33678e33
Tags
blustealer collection stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f4537ab3fdeb176d352dca40facb96f493d634f7d03140e2275be2ea33678e33

Threat Level: Known bad

The file 3d695f1b4db5a0635d43e1cd1b9d48ae.bin.bin was found to be: Known bad.

Malicious Activity Summary

blustealer collection stealer

BluStealer

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

outlook_office_path

outlook_win_path

Script User-Agent

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-05-01 16:13

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-01 16:13

Reported

2023-05-01 16:42

Platform

win10v2004-20230220-en

Max time kernel

154s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a83688213da481b066908e16d7a2206180627bcef8c69e4fe756dc06c5c35ec0.exe"

Signatures

BluStealer

stealer blustealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Enumerates physical storage devices

Script User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a83688213da481b066908e16d7a2206180627bcef8c69e4fe756dc06c5c35ec0.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1064 wrote to memory of 2772 (8 events) | N/A | C:\Users\Admin\AppData\Local\Temp\a83688213da481b066908e16d7a2206180627bcef8c69e4fe756dc06c5c35ec0.exe | C:\Users\Admin\AppData\Local\Temp\a83688213da481b066908e16d7a2206180627bcef8c69e4fe756dc06c5c35ec0.exe
PID 2772 wrote to memory of 2924 (5 events) | N/A | C:\Users\Admin\AppData\Local\Temp\a83688213da481b066908e16d7a2206180627bcef8c69e4fe756dc06c5c35ec0.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a83688213da481b066908e16d7a2206180627bcef8c69e4fe756dc06c5c35ec0.exe

"C:\Users\Admin\AppData\Local\Temp\a83688213da481b066908e16d7a2206180627bcef8c69e4fe756dc06c5c35ec0.exe"

C:\Users\Admin\AppData\Local\Temp\a83688213da481b066908e16d7a2206180627bcef8c69e4fe756dc06c5c35ec0.exe

"C:\Users\Admin\AppData\Local\Temp\a83688213da481b066908e16d7a2206180627bcef8c69e4fe756dc06c5c35ec0.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 123.108.74.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 52.152.108.96:443 | | tcp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 52.168.117.170:443 | | tcp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 209.197.3.8:80 | | tcp
US | 209.197.3.8:80 | | tcp
NL | 173.223.113.164:443 | | tcp
NL | 173.223.113.131:80 | | tcp
US | 204.79.197.203:80 | | tcp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 44.8.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | api.telegram.org | udp
NL | 149.154.167.220:443 | api.telegram.org | tcp
US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp
NL | 149.154.167.220:443 | api.telegram.org | tcp
US | 8.8.8.8:53 | 41.249.124.192.in-addr.arpa | udp
NL | 8.238.22.126:80 | | tcp
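The network table above mixes sandbox and OS background traffic (PTR lookups to 8.8.8.8 for in-addr.arpa names, Microsoft and CDN endpoints on ports 80 and 443) with the one destination that carries a resolvable name, api.telegram.org, the Telegram Bot API endpoint that BluStealer is known to use for exfiltration. The Python below is an added triage helper, not part of the sandbox report or of the malware: it parses the rows exactly as printed, turns each PTR query back into the IP it asked about, lists the unique TCP endpoints, reports which endpoints were both connected to and reverse-resolved, and checks the User-Agent from the Script User-Agent signature above against the default WinHttp.WinHttpRequest.5 string. The row text is copied from this report; the bucket names and the helper functions are my own.

```python
import re
from collections import defaultdict

# Rows copied from the behavioral2 Network table in this report (Country Destination Domain Proto).
NETWORK_ROWS = """\
US 8.8.8.8:53 123.108.74.40.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 52.152.108.96:443 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 52.168.117.170:443 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 44.8.109.52.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 41.249.124.192.in-addr.arpa udp
NL 8.238.22.126:80 tcp
"""

# Default User-Agent of the WinHttp.WinHttpRequest.5.1 COM object (the "Script User-Agent" signature above).
WINHTTP_UA = re.compile(r"WinHttp\.WinHttpRequest\.5")
PTR_NAME = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$", re.I)


def parse_rows(text):
    """Split the printed rows; the Domain column is absent on plain TCP connections."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'220.167.154.149.in-addr.arpa' -> '149.154.167.220' (octets are reversed in PTR names)."""
    m = PTR_NAME.match(name)
    return ".".join(reversed(m.groups())) if m else None


def is_winhttp_default_ua(user_agent):
    return bool(WINHTTP_UA.search(user_agent))


def triage(rows):
    ptr_ips, a_queries, endpoints = set(), set(), set()
    named = defaultdict(set)  # hostname -> endpoints reached under that name
    for r in rows:
        if r["proto"] == "udp" and r["dest"].endswith(":53"):
            ip = ptr_to_ip(r["domain"])
            if ip:
                ptr_ips.add(ip)  # reverse lookup: which IPs something on the box resolved
            elif r["domain"]:
                a_queries.add(r["domain"])  # forward lookup by the sample or the OS
        elif r["proto"] == "tcp":
            endpoints.add(r["dest"])
            if r["domain"]:
                named[r["domain"]].add(r["dest"])
    # Endpoints the run both connected to and reverse-resolved deserve a closer look than CDN noise.
    both = {e for e in endpoints if e.rsplit(":", 1)[0] in ptr_ips}
    return {
        "ptr_ips": ptr_ips,
        "a_queries": a_queries,
        "endpoints": endpoints,
        "named": dict(named),
        "connected_and_reverse_resolved": both,
    }


if __name__ == "__main__":
    result = triage(parse_rows(NETWORK_ROWS))
    for key, value in result.items():
        print(f"{key}: {sorted(value) if isinstance(value, set) else value}")
    print("WinHttp default UA:", is_winhttp_default_ua("Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"))
```

On this report the only endpoint that is named, forward-resolved and reverse-resolved is 149.154.167.220:443 for api.telegram.org; everything else is unnamed CDN or Microsoft traffic. On a real case feed the function the sandbox's network export and treat anything in named or connected_and_reverse_resolved that is not a known CDN or telemetry host as a candidate C2 or exfiltration endpoint.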

Files

memory/1064-133-0x0000000000FB0000-0x000000000108C000-memory.dmp

memory/1064-134-0x0000000006190000-0x0000000006734000-memory.dmp

memory/1064-135-0x0000000005AA0000-0x0000000005B32000-memory.dmp

memory/1064-136-0x0000000003490000-0x00000000034A0000-memory.dmp

memory/1064-137-0x0000000003600000-0x000000000360A000-memory.dmp

memory/1064-138-0x0000000003490000-0x00000000034A0000-memory.dmp

memory/1064-139-0x0000000001A00000-0x0000000001A9C000-memory.dmp

memory/2772-140-0x0000000000400000-0x000000000046E000-memory.dmp

memory/2772-142-0x0000000000400000-0x000000000046E000-memory.dmp

memory/2772-146-0x0000000000400000-0x000000000046E000-memory.dmp

memory/2924-147-0x0000000000700000-0x0000000000766000-memory.dmp

memory/2924-148-0x0000000004E20000-0x0000000004E30000-memory.dmp

memory/2772-150-0x0000000000400000-0x000000000046E000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-01 16:13

Reported

2023-05-01 16:41

Platform

win7-20230220-en

Max time kernel

68s

Max time network

35s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a83688213da481b066908e16d7a2206180627bcef8c69e4fe756dc06c5c35ec0.exe"

Signatures

BluStealer

stealer blustealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a83688213da481b066908e16d7a2206180627bcef8c69e4fe756dc06c5c35ec0.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1648 wrote to memory of 560 (9 events) | N/A | C:\Users\Admin\AppData\Local\Temp\a83688213da481b066908e16d7a2206180627bcef8c69e4fe756dc06c5c35ec0.exe | C:\Users\Admin\AppData\Local\Temp\a83688213da481b066908e16d7a2206180627bcef8c69e4fe756dc06c5c35ec0.exe
PID 560 wrote to memory of 520 (9 events) | N/A | C:\Users\Admin\AppData\Local\Temp\a83688213da481b066908e16d7a2206180627bcef8c69e4fe756dc06c5c35ec0.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
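Both detonations record the same three-hop write pattern: the dropped executable writes into a second instance of itself (PID 1064 into 2772 on win10, 1648 into 560 on win7), and that instance writes into C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (2772 into 2924, 560 into 520), a signed .NET Framework host. Together with the SetThreadContext signature in the summary this has the shape of process hollowing; the report only records the writes, so that reading is an inference. The Python below is an added example, not code from the sandbox or from BluStealer: it parses WriteProcessMemory rows in the report's format, rebuilds the chain of writers, and flags self-injection and writes from a user-profile path into a binary commonly used as a hollowing host. The rows are reconstructed from the two tables (8 and 5 events on win10, 9 and 9 on win7); the HOLLOW_HOSTS list and the finding names are my choices.

```python
import re
from collections import Counter, defaultdict

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\a83688213da481b066908e16d7a2206180627bcef8c69e4fe756dc06c5c35ec0.exe"
APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"


def wpm_rows(src, dst, src_img, dst_img, n):
    """Rebuild n identical sandbox rows: 'PID X wrote to memory of Y N/A <src image> <dst image>'."""
    return "\n".join(f"PID {src} wrote to memory of {dst} N/A {src_img} {dst_img}" for _ in range(n))


# Event counts taken from the two WriteProcessMemory tables in this report.
WIN10_WPM = "\n".join([wpm_rows(1064, 2772, DROPPER, DROPPER, 8), wpm_rows(2772, 2924, DROPPER, APPLAUNCH, 5)])
WIN7_WPM = "\n".join([wpm_rows(1648, 560, DROPPER, DROPPER, 9), wpm_rows(560, 520, DROPPER, APPLAUNCH, 9)])

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)\s+N/A\s+(\S+)\s+(\S+)")

# Signed .NET Framework binaries that loaders routinely start suspended and overwrite (my list, not the report's).
HOLLOW_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe", "aspnet_compiler.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_wpm(text):
    """Return ((src_pid, dst_pid) -> event count, pid -> image path)."""
    edges, image = Counter(), {}
    for line in text.splitlines():
        m = WPM_RE.search(line)
        if not m:
            continue
        src, dst, src_img, dst_img = m.groups()
        src, dst = int(src), int(dst)
        edges[(src, dst)] += 1
        image[src], image[dst] = src_img, dst_img
    return edges, image


def injection_chains(edges, image):
    """Follow writer -> written-into links starting from processes nobody wrote into; one list per leaf."""
    children, targets = defaultdict(list), set()
    for src, dst in edges:
        children[src].append(dst)
        targets.add(dst)
    chains = []

    def walk(pid, path):
        if not children.get(pid):
            chains.append(path)
            return
        for child in children[pid]:
            walk(child, path + [child])

    for root in [p for p in children if p not in targets]:
        walk(root, [root])
    return chains


def findings(edges, image):
    out = []
    for (src, dst), n in edges.items():
        src_img, dst_img = image[src], image[dst]
        if src_img.lower() == dst_img.lower() and src != dst:
            out.append(("self-injection", src, dst, n))  # same image, second instance
        if basename(dst_img) in HOLLOW_HOSTS and "\\users\\" in src_img.lower():
            out.append(("write-into-hollow-host", src, dst, n))  # user-profile binary writing into a system .NET host
    return out


if __name__ == "__main__":
    for label, text in (("win10", WIN10_WPM), ("win7", WIN7_WPM)):
        edges, image = parse_wpm(text)
        print(label, "chains:", injection_chains(edges, image))
        for f in findings(edges, image):
            print(" ", f)
```

The chain output is [1064, 2772, 2924] for win10 and [1648, 560, 520] for win7, with a self-injection finding on the first hop and a write-into-hollow-host finding on the second in both runs. The same two rules translate directly to EDR telemetry that exposes cross-process writes (source image equals target image with distinct PIDs; target image in HOLLOW_HOSTS with a source under \Users\).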

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
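The three keys opened by AppLaunch.exe in each detonation are the Outlook account stores: Office\15.0 is Outlook 2013, Office\16.0 is Outlook 2016/2019/365, and Windows Messaging Subsystem\Profiles is the older MAPI profile location. In every case the trailing subkey 9375CFF0413111d3B88A00104B2A6676 is where Outlook keeps per-account settings, including stored mail credentials, which is why stealers read it; only the user SID differs between the win10 and win7 runs. The Python below is an added example, not code from the report or from BluStealer: it normalises a \REGISTRY\USER\<SID>\... path into its HKCU form, recognises the three store layouts, and flags opens of these keys by any process other than Outlook itself. The key strings are copied from the tables in both analyses; the allowed-process list and the output field names are my assumptions.

```python
import re

REG_USER = re.compile(r"^\\REGISTRY\\USER\\(S-1-5-21-[\d-]+)\\(.+)$", re.I)
# Outlook account store: ...\Profiles\<profile>\9375CFF0413111d3B88A00104B2A6676 under either
# Office\<version>\Outlook or the legacy Windows Messaging Subsystem tree.
OUTLOOK_STORE = re.compile(
    r"^Software\\Microsoft\\(?:Office\\(\d+\.\d+)\\Outlook|Windows NT\\CurrentVersion\\Windows Messaging Subsystem)"
    r"\\Profiles\\([^\\]+)\\9375CFF0413111D3B88A00104B2A6676(?:\\.*)?$",
    re.I,
)
OFFICE_VERSION = {"15.0": "Outlook 2013", "16.0": "Outlook 2016/2019/365"}

APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
WIN10_SID = "S-1-5-21-4238149048-355649189-894321705-1000"
WIN7_SID = "S-1-5-21-2647223082-2067913677-935928954-1000"
STORE_SUFFIXES = [
    r"Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676",
    r"Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676",
    r"Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676",
]
# (process, key) pairs reconstructed from the "Accesses Microsoft Outlook profiles" tables in this report.
EVENTS = [(APPLAUNCH, f"\\REGISTRY\\USER\\{sid}\\{suffix}") for sid in (WIN10_SID, WIN7_SID) for suffix in STORE_SUFFIXES]


def classify_key(path):
    """Return store metadata for an Outlook account-store key, or None for any other key."""
    m = REG_USER.match(path)
    if not m:
        return None
    sid, rel = m.groups()
    s = OUTLOOK_STORE.match(rel)
    if not s:
        return None
    version, profile = s.groups()
    if version is None:
        store = "Windows Messaging Subsystem (legacy MAPI profile store)"
    else:
        store = OFFICE_VERSION.get(version, f"Outlook {version}")
    return {"sid": sid, "profile": profile, "store": store, "hkcu_path": "HKCU\\" + rel}


def flag_outlook_access(events, allowed=("outlook.exe",)):
    """Flag account-store opens by anything that is not Outlook; returns (process, store, profile) tuples."""
    hits = []
    for process, key in events:
        info = classify_key(key)
        if info and process.rsplit("\\", 1)[-1].lower() not in allowed:
            hits.append((process, info["store"], info["profile"]))
    return hits


if __name__ == "__main__":
    for process, key in EVENTS:
        print(classify_key(key))
    print(len(flag_outlook_access(EVENTS)), "non-Outlook opens of the account store")
```

All six opens in this report come from AppLaunch.exe and are flagged; the same check applied to an open by OUTLOOK.EXE returns nothing. Hunting for the 9375CFF0413111d3B88A00104B2A6676 subkey in registry-access telemetry, keyed on the accessing process rather than on the malware family, catches every stealer that harvests Outlook credentials this way.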

Processes

C:\Users\Admin\AppData\Local\Temp\a83688213da481b066908e16d7a2206180627bcef8c69e4fe756dc06c5c35ec0.exe

"C:\Users\Admin\AppData\Local\Temp\a83688213da481b066908e16d7a2206180627bcef8c69e4fe756dc06c5c35ec0.exe"

C:\Users\Admin\AppData\Local\Temp\a83688213da481b066908e16d7a2206180627bcef8c69e4fe756dc06c5c35ec0.exe

"C:\Users\Admin\AppData\Local\Temp\a83688213da481b066908e16d7a2206180627bcef8c69e4fe756dc06c5c35ec0.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Network

N/A

Files

memory/1648-54-0x00000000000A0000-0x000000000017C000-memory.dmp

memory/1648-55-0x00000000023A0000-0x00000000023E0000-memory.dmp

memory/1648-56-0x0000000000560000-0x0000000000574000-memory.dmp

memory/1648-57-0x0000000000570000-0x000000000057C000-memory.dmp

memory/1648-58-0x0000000005DC0000-0x0000000005E6C000-memory.dmp

memory/1648-59-0x0000000005C30000-0x0000000005CA6000-memory.dmp

memory/560-60-0x0000000000400000-0x000000000046E000-memory.dmp

memory/560-61-0x0000000000400000-0x000000000046E000-memory.dmp

memory/560-64-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/560-65-0x0000000000400000-0x000000000046E000-memory.dmp

memory/560-62-0x0000000000400000-0x000000000046E000-memory.dmp

memory/560-67-0x0000000000400000-0x000000000046E000-memory.dmp

memory/520-71-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/520-72-0x0000000000200000-0x0000000000266000-memory.dmp

memory/560-73-0x0000000000400000-0x000000000046E000-memory.dmp

memory/520-75-0x0000000000200000-0x0000000000266000-memory.dmp

memory/520-77-0x0000000000200000-0x0000000000266000-memory.dmp

memory/520-70-0x0000000000200000-0x0000000000266000-memory.dmp

memory/520-78-0x0000000001150000-0x000000000120C000-memory.dmp

memory/560-79-0x0000000000400000-0x000000000046E000-memory.dmp
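The Files sections of both detonations list only memory dumps, named memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp. Read as regions rather than file names they line up across the two runs: the self-injected instance (PID 2772 on win10, PID 560 on win7) is dumped repeatedly at 0x400000-0x46E000, and the AppLaunch.exe instance (PID 2924, PID 520) holds a region of 0x66000 bytes at a different base in each run (0x700000 on win10, 0x200000 on win7). 0x400000 is the default image base of a native PE, which fits an unpacked payload mapped over the hollowed second instance; that is an inference from the addresses, not something the report states. The Python below is an added example, not sandbox code: it parses both dump lists, finds regions the sandbox snapshotted more than once, and pairs regions of equal size across the two runs. The dump names are copied from above; the min_dumps threshold and the interpretation in the comments are mine.

```python
import re
from collections import Counter, defaultdict

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")

# Dump names copied from the Files sections of this report (behavioral2 = win10, behavioral1 = win7).
WIN10_DUMPS = """\
memory/1064-133-0x0000000000FB0000-0x000000000108C000-memory.dmp
memory/1064-134-0x0000000006190000-0x0000000006734000-memory.dmp
memory/1064-135-0x0000000005AA0000-0x0000000005B32000-memory.dmp
memory/1064-136-0x0000000003490000-0x00000000034A0000-memory.dmp
memory/1064-137-0x0000000003600000-0x000000000360A000-memory.dmp
memory/1064-138-0x0000000003490000-0x00000000034A0000-memory.dmp
memory/1064-139-0x0000000001A00000-0x0000000001A9C000-memory.dmp
memory/2772-140-0x0000000000400000-0x000000000046E000-memory.dmp
memory/2772-142-0x0000000000400000-0x000000000046E000-memory.dmp
memory/2772-146-0x0000000000400000-0x000000000046E000-memory.dmp
memory/2924-147-0x0000000000700000-0x0000000000766000-memory.dmp
memory/2924-148-0x0000000004E20000-0x0000000004E30000-memory.dmp
memory/2772-150-0x0000000000400000-0x000000000046E000-memory.dmp
"""
WIN7_DUMPS = """\
memory/1648-54-0x00000000000A0000-0x000000000017C000-memory.dmp
memory/1648-55-0x00000000023A0000-0x00000000023E0000-memory.dmp
memory/1648-56-0x0000000000560000-0x0000000000574000-memory.dmp
memory/1648-57-0x0000000000570000-0x000000000057C000-memory.dmp
memory/1648-58-0x0000000005DC0000-0x0000000005E6C000-memory.dmp
memory/1648-59-0x0000000005C30000-0x0000000005CA6000-memory.dmp
memory/560-60-0x0000000000400000-0x000000000046E000-memory.dmp
memory/560-61-0x0000000000400000-0x000000000046E000-memory.dmp
memory/560-64-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/560-65-0x0000000000400000-0x000000000046E000-memory.dmp
memory/560-62-0x0000000000400000-0x000000000046E000-memory.dmp
memory/560-67-0x0000000000400000-0x000000000046E000-memory.dmp
memory/520-71-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/520-72-0x0000000000200000-0x0000000000266000-memory.dmp
memory/560-73-0x0000000000400000-0x000000000046E000-memory.dmp
memory/520-75-0x0000000000200000-0x0000000000266000-memory.dmp
memory/520-77-0x0000000000200000-0x0000000000266000-memory.dmp
memory/520-70-0x0000000000200000-0x0000000000266000-memory.dmp
memory/520-78-0x0000000001150000-0x000000000120C000-memory.dmp
memory/560-79-0x0000000000400000-0x000000000046E000-memory.dmp
"""


def parse_dumps(text):
    """One record per dump: pid, sequence number, start, end and size of the region."""
    regions = []
    for line in text.splitlines():
        m = DUMP_RE.search(line)
        if not m:
            continue
        pid, seq, start, end = m.groups()
        start, end = int(start, 16), int(end, 16)
        regions.append({"pid": int(pid), "seq": int(seq), "start": start, "end": end, "size": end - start})
    return regions


def stable_regions(regions, min_dumps=2):
    """Regions dumped repeatedly at the same address; in a hollowing chain this is usually the unpacked image."""
    counts = Counter((r["pid"], r["start"], r["end"]) for r in regions)
    return {key: n for key, n in counts.items() if n >= min_dumps}


def match_across_runs(run_a, run_b):
    """Pair regions of identical size between two detonations; a payload keeps its size even when its base moves."""
    by_size_a, by_size_b = defaultdict(set), defaultdict(set)
    for r in run_a:
        by_size_a[r["size"]].add((r["pid"], r["start"]))
    for r in run_b:
        by_size_b[r["size"]].add((r["pid"], r["start"]))
    return {size: (sorted(by_size_a[size]), sorted(by_size_b[size])) for size in by_size_a if size in by_size_b}


if __name__ == "__main__":
    win10, win7 = parse_dumps(WIN10_DUMPS), parse_dumps(WIN7_DUMPS)
    print("win10 stable:", stable_regions(win10))
    print("win7 stable:", stable_regions(win7))
    for size, (a, b) in sorted(match_across_runs(win10, win7).items()):
        print(f"size 0x{size:X}: win10 {[(p, hex(s)) for p, s in a]} <-> win7 {[(p, hex(s)) for p, s in b]}")
```

Three sizes match between the runs: 0xDC000 (the initial process, PID 1064 and PID 1648), 0x6E000 (the second instance at 0x400000 in both runs) and 0x66000 (the region inside AppLaunch.exe). Those are the three dumps worth pulling from the sandbox and carving for a PE header; the remaining regions are per-run heap and stack allocations that share no size across platforms.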