blustealer | 03101293ef6b23593c4ff95a36528316a1d72c75568a9e9812a100dda87dead2

General

Target

INVOICE_.exe
Size

1.0MB
MD5

d01af08af1935589ed6974734f764f5a
SHA1

75d31c4f55e98d500abac8a5ab304a559283e9e5
SHA256

f7c5b46a0b80bd17ec7af21458bbc2cd7c0873f81218475013b50953a72a887f
SHA512

958a8efa7867077c7dbf66b21090d9186d4757e9f71895ed04ea48d6ba0f79b1a2d7789710921a15f0cdc5d83bf1d5d10260445982555e58bf96101aed026e7c
SSDEEP

24576:vXOGXrxgZIYdflxH28iLJ6fLOscta6VQz5CZporN2OtOzy:vX3rx43g8iLJkLOjs6VkCZ2x1

Score

10^/10

blustealer redline infostealer stealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot6246601421:AAFrAwaqm-G2V9ysvgyBq2dzNs5Gp-CKwaw/sendMessage?chat_id=5523238206

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Detects Redline Stealer samples 2 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/2568-146-0x0000000005030000-0x0000000005658000-memory.dmp	redline_stealer
behavioral2/memory/2568-156-0x00000000057C0000-0x0000000005826000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	INVOICE_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1448	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5012 wrote to memory of 2568	5012	INVOICE_.exe	88
PID 5012 wrote to memory of 2568	5012	INVOICE_.exe	88
PID 5012 wrote to memory of 2568	5012	INVOICE_.exe	88
PID 5012 wrote to memory of 1448	5012	INVOICE_.exe	90
PID 5012 wrote to memory of 1448	5012	INVOICE_.exe	90
PID 5012 wrote to memory of 1448	5012	INVOICE_.exe	90

C:\Users\Admin\AppData\Local\Temp\INVOICE_.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE_.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\PqhyBiwUgJm.exe"
  2⤵
  PID:2568
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PqhyBiwUgJm" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDFA2.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1448
- C:\Users\Admin\AppData\Local\Temp\INVOICE_.exe
  "C:\Users\Admin\AppData\Local\Temp\INVOICE_.exe"
  2⤵
  PID:460

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k1fcho4j.c3k.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDFA2.tmp

Filesize
1KB

MD5
7f295d8e26c85c3b26162ca4de2f1b95

SHA1
fa0cbe55a142b6ce2fe217a47f00156ea2768d02

SHA256
491c01677acd2df85dbbc6c3aad6ecebc33380fff4facd042c1bdc41f483d984

SHA512
8599717332725ff9aa363ca6f093f312d07aaa5b6ff3006e0bf22217f67bca1f6521fb4bebb96dc92216a3838db97eba1e25fb49799973370227fdb9597bee8f

Download Submit
memory/460-152-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/460-148-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2568-147-0x00000000049F0000-0x0000000004A00000-memory.dmp

Filesize
64KB

Download
memory/2568-153-0x0000000004E50000-0x0000000004E72000-memory.dmp

Filesize
136KB

Download
memory/2568-156-0x00000000057C0000-0x0000000005826000-memory.dmp

Filesize
408KB

Download
memory/2568-144-0x0000000004870000-0x00000000048A6000-memory.dmp

Filesize
216KB

Download
memory/2568-155-0x0000000005750000-0x00000000057B6000-memory.dmp

Filesize
408KB

Download
memory/2568-146-0x0000000005030000-0x0000000005658000-memory.dmp

Filesize
6.2MB

Download
memory/2568-149-0x00000000049F0000-0x0000000004A00000-memory.dmp

Filesize
64KB

Download
memory/5012-137-0x0000000005770000-0x0000000005780000-memory.dmp

Filesize
64KB

Download
memory/5012-133-0x0000000000B00000-0x0000000000C0E000-memory.dmp

Filesize
1.1MB

Download
memory/5012-135-0x0000000005610000-0x00000000056A2000-memory.dmp

Filesize
584KB

Download
memory/5012-136-0x00000000055E0000-0x00000000055EA000-memory.dmp

Filesize
40KB

Download
memory/5012-138-0x0000000005770000-0x0000000005780000-memory.dmp

Filesize
64KB

Download
memory/5012-134-0x0000000005B20000-0x00000000060C4000-memory.dmp

Filesize
5.6MB

Download
memory/5012-139-0x00000000074B0000-0x000000000754C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads