blustealer | 03101293ef6b23593c4ff95a36528316a1d72c75568a9e9812a100dda87dead2

General

Target

INVOICE_.exe
Size

1.0MB
MD5

d01af08af1935589ed6974734f764f5a
SHA1

75d31c4f55e98d500abac8a5ab304a559283e9e5
SHA256

f7c5b46a0b80bd17ec7af21458bbc2cd7c0873f81218475013b50953a72a887f
SHA512

958a8efa7867077c7dbf66b21090d9186d4757e9f71895ed04ea48d6ba0f79b1a2d7789710921a15f0cdc5d83bf1d5d10260445982555e58bf96101aed026e7c
SSDEEP

24576:vXOGXrxgZIYdflxH28iLJ6fLOscta6VQz5CZporN2OtOzy:vX3rx43g8iLJkLOjs6VkCZ2x1

Score

10^/10

blustealer redline infostealer spyware stealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot6246601421:AAFrAwaqm-G2V9ysvgyBq2dzNs5Gp-CKwaw/sendMessage?chat_id=5523238206

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Detects Redline Stealer samples 2 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/3828-145-0x0000000005690000-0x0000000005CB8000-memory.dmp	redline_stealer
behavioral2/memory/3828-156-0x0000000005CC0000-0x0000000005D26000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	INVOICE_.exe

Loads dropped DLL 2 IoCs

pid	Process
3636	INVOICE_.exe
3636	INVOICE_.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 756 set thread context of 3636	756	INVOICE_.exe	95
PID 3636 set thread context of 2964	3636	INVOICE_.exe	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3872	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3828	powershell.exe
3828	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3636	INVOICE_.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3828	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3636	INVOICE_.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 756 wrote to memory of 3828	756	INVOICE_.exe	91
PID 756 wrote to memory of 3828	756	INVOICE_.exe	91
PID 756 wrote to memory of 3828	756	INVOICE_.exe	91
PID 756 wrote to memory of 3872	756	INVOICE_.exe	93
PID 756 wrote to memory of 3872	756	INVOICE_.exe	93
PID 756 wrote to memory of 3872	756	INVOICE_.exe	93
PID 756 wrote to memory of 3636	756	INVOICE_.exe	95
PID 756 wrote to memory of 3636	756	INVOICE_.exe	95
PID 756 wrote to memory of 3636	756	INVOICE_.exe	95
PID 756 wrote to memory of 3636	756	INVOICE_.exe	95
PID 756 wrote to memory of 3636	756	INVOICE_.exe	95
PID 756 wrote to memory of 3636	756	INVOICE_.exe	95
PID 756 wrote to memory of 3636	756	INVOICE_.exe	95
PID 756 wrote to memory of 3636	756	INVOICE_.exe	95
PID 3636 wrote to memory of 2964	3636	INVOICE_.exe	96
PID 3636 wrote to memory of 2964	3636	INVOICE_.exe	96
PID 3636 wrote to memory of 2964	3636	INVOICE_.exe	96
PID 3636 wrote to memory of 2964	3636	INVOICE_.exe	96
PID 3636 wrote to memory of 2964	3636	INVOICE_.exe	96

C:\Users\Admin\AppData\Local\Temp\INVOICE_.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE_.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:756
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\PqhyBiwUgJm.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3828
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PqhyBiwUgJm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp44E4.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:3872
- C:\Users\Admin\AppData\Local\Temp\INVOICE_.exe
  "C:\Users\Admin\AppData\Local\Temp\INVOICE_.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3636
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
    3⤵
    PID:2964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ny4xbtlg.od1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp44E4.tmp

Filesize
1KB

MD5
e65b66301402c6b5181b514c24294e9e

SHA1
34374960f7472885faccc95f675bfd706a130c09

SHA256
90d4370fcdeb76cc14b6a0bed14ab8f4532044bf6b296093d173fda591e3092c

SHA512
711a8a5dc33d252730c6d2f72a220ef49438736d14017fdc8a33c98c94b50b6b383715f952db4fc0177da1d85e9e7ded5f25a42426c0b29b0388312592a82cb6

Download Submit
C:\Users\Public\4246454246424646303030393036373242464246463030303930\SQLite3_StdCall.dll

Filesize
59KB

MD5
d77b227a28a78627c2323cac75948390

SHA1
e228c3951f2a9fd0febfe07390633ab4f35727f4

SHA256
527ec201dcd7695bd9830eb82ab35a3986121de9ea156193834aed9d79223b82

SHA512
5627fbc8bbb98f644e21f101a68f0e0b07b87c264d00ea227286bed8ab6dd4ebf5114f03b632604f775ff93666a409a1a179a81ebfc9246956ba8150ff5b0587

Download Submit
C:\Users\Public\4246454246424646303030393036373242464246463030303930\SQLite3_StdCall.dll

Filesize
59KB

MD5
d77b227a28a78627c2323cac75948390

SHA1
e228c3951f2a9fd0febfe07390633ab4f35727f4

SHA256
527ec201dcd7695bd9830eb82ab35a3986121de9ea156193834aed9d79223b82

SHA512
5627fbc8bbb98f644e21f101a68f0e0b07b87c264d00ea227286bed8ab6dd4ebf5114f03b632604f775ff93666a409a1a179a81ebfc9246956ba8150ff5b0587

Download Submit
C:\Users\Public\4246454246424646303030393036373242464246463030303930\SQLite3_StdCall.zip

Filesize
31KB

MD5
e91150a120a7d0b90c9541ddc35df2da

SHA1
8b218f7653cba01cd73a818de380e5b1018d1d40

SHA256
e96c6c2d75c1af719909fac9cbf1a63441052c0acc5bfff8e53d663dd0d7ee89

SHA512
3a796d7556799dee2bf2c0ee402b5ad39908ee2572f6e3a9dd78229d0f4e9d3f5236d0e1af08b6a0866189e219df03b0ed428a4b5dfb4ebdf585436615e66e28

Download Submit
C:\Users\Public\4246454246424646303030393036373242464246463030303930\sqlite3.dll

Filesize
585KB

MD5
5405413fff79b8d9c747aa900f60f082

SHA1
71caf8907ddd9a3a25d71356bd2ce09bd293bd78

SHA256
3e5a28ffde07ac661c26b6ccf94e64c1c90b1f25b3b24c90605aa922b87642eb

SHA512
2f09a30fc4da5166bd665210fefa1d44ce344f0ec6a37f127d677aeb3ca4fc0d09b7c9c1540f57da1e3449b7f588a1c61115395e965fa153d4baa5033266ed66

Download Submit
C:\Users\Public\4246454246424646303030393036373242464246463030303930\sqlite3.zip

Filesize
295KB

MD5
21765a296b37c1b074bc14316dc9d6cd

SHA1
c99c541d528ad6defe78970e90361d86ad5fa6ae

SHA256
c5a7d1d5f61a535aa511fc9b8119ff5103be48f97f89e123a138453c4aa5fc66

SHA512
5d3392d0f9ee7ed8d9471375ff5333554ca80b7dbe436c2bacb42c1ffe8a5c687835d58ae8425029f83500f43c19268b3315a5c43edb12b707df367e6b86ea0a

Download Submit
memory/756-138-0x0000000005540000-0x0000000005550000-memory.dmp

Filesize
64KB

Download
memory/756-135-0x00000000053F0000-0x0000000005482000-memory.dmp

Filesize
584KB

Download
memory/756-133-0x00000000008D0000-0x00000000009DE000-memory.dmp

Filesize
1.1MB

Download
memory/756-139-0x0000000006F90000-0x000000000702C000-memory.dmp

Filesize
624KB

Download
memory/756-134-0x0000000005900000-0x0000000005EA4000-memory.dmp

Filesize
5.6MB

Download
memory/756-136-0x00000000053A0000-0x00000000053AA000-memory.dmp

Filesize
40KB

Download
memory/756-137-0x0000000005540000-0x0000000005550000-memory.dmp

Filesize
64KB

Download
memory/2964-237-0x0000000000750000-0x000000000075E000-memory.dmp

Filesize
56KB

Download
memory/2964-249-0x0000000001090000-0x00000000010A0000-memory.dmp

Filesize
64KB

Download
memory/3636-152-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/3636-149-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/3636-163-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/3636-192-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/3636-250-0x0000000060900000-0x0000000060989000-memory.dmp

Filesize
548KB

Download
memory/3828-169-0x0000000002C90000-0x0000000002CA0000-memory.dmp

Filesize
64KB

Download
memory/3828-190-0x0000000007BD0000-0x0000000007BEA000-memory.dmp

Filesize
104KB

Download
memory/3828-181-0x0000000006B30000-0x0000000006B4E000-memory.dmp

Filesize
120KB

Download
memory/3828-182-0x000000007F4B0000-0x000000007F4C0000-memory.dmp

Filesize
64KB

Download
memory/3828-183-0x0000000007EF0000-0x000000000856A000-memory.dmp

Filesize
6.5MB

Download
memory/3828-184-0x0000000007890000-0x00000000078AA000-memory.dmp

Filesize
104KB

Download
memory/3828-185-0x0000000007910000-0x000000000791A000-memory.dmp

Filesize
40KB

Download
memory/3828-186-0x0000000007B10000-0x0000000007BA6000-memory.dmp

Filesize
600KB

Download
memory/3828-187-0x0000000002C90000-0x0000000002CA0000-memory.dmp

Filesize
64KB

Download
memory/3828-188-0x0000000002C90000-0x0000000002CA0000-memory.dmp

Filesize
64KB

Download
memory/3828-189-0x0000000007AC0000-0x0000000007ACE000-memory.dmp

Filesize
56KB

Download
memory/3828-171-0x0000000070120000-0x000000007016C000-memory.dmp

Filesize
304KB

Download
memory/3828-191-0x0000000007BB0000-0x0000000007BB8000-memory.dmp

Filesize
32KB

Download
memory/3828-170-0x0000000006B50000-0x0000000006B82000-memory.dmp

Filesize
200KB

Download
memory/3828-168-0x0000000006580000-0x000000000659E000-memory.dmp

Filesize
120KB

Download
memory/3828-156-0x0000000005CC0000-0x0000000005D26000-memory.dmp

Filesize
408KB

Download
memory/3828-155-0x00000000055F0000-0x0000000005656000-memory.dmp

Filesize
408KB

Download
memory/3828-153-0x0000000005550000-0x0000000005572000-memory.dmp

Filesize
136KB

Download
memory/3828-148-0x0000000002C90000-0x0000000002CA0000-memory.dmp

Filesize
64KB

Download
memory/3828-147-0x0000000002C90000-0x0000000002CA0000-memory.dmp

Filesize
64KB

Download
memory/3828-145-0x0000000005690000-0x0000000005CB8000-memory.dmp

Filesize
6.2MB

Download
memory/3828-144-0x0000000002BE0000-0x0000000002C16000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads