blustealer | 07d820312855a56e9165f5986195914a6c5986f8d185eac057f8d2b15a5ce9b2

General

Target

693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
Size

1.5MB
MD5

ebf99fc11603d1ec4706b4330761df32
SHA1

c560ca5ae10593d7861701654d839d1071515866
SHA256

693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb
SHA512

d31c699f201343bd02c07bbf5d41e00df8368b81bfbb1d037fb4b1e1894fd3b8232e80b065845745fa6dab7f23d47efbb1d8b6a9143f5b7db0fb4a57395c4f4a
SSDEEP

49152:NQh9Nn3uFcWIY2YZGIUtNlMpovD2i9c2:0/37Wp2YPUtNlMG7N

Score

10^/10

blustealer stealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 2 IoCs

pid	Process
464	Process not Found
432	alg.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a1084ae6826a969e.bin	alg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1152 set thread context of 1752	1152	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe	28

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1752	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1752	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 1752	1152	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe	28
PID 1152 wrote to memory of 1752	1152	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe	28
PID 1152 wrote to memory of 1752	1152	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe	28
PID 1152 wrote to memory of 1752	1152	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe	28
PID 1152 wrote to memory of 1752	1152	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe	28
PID 1152 wrote to memory of 1752	1152	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe	28
PID 1152 wrote to memory of 1752	1152	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe	28
PID 1152 wrote to memory of 1752	1152	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe	28
PID 1152 wrote to memory of 1752	1152	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe	28

C:\Users\Admin\AppData\Local\Temp\693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
"C:\Users\Admin\AppData\Local\Temp\693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Users\Admin\AppData\Local\Temp\693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
  "C:\Users\Admin\AppData\Local\Temp\693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1752
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    PID:808

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
74d0b268b3815961973a2e9ee14bc0d7

SHA1
d798937e298ea637b70fa250027244861ad1c582

SHA256
c58de118d594a0b43cceca813eff318d823b8d98e9e5adba6a6ad51b5551515b

SHA512
df9fe872a7dcd309d525c4eaa9efd2e707ee55bc804a0af982720cba67beaf4b578adc65197b75f5e0652652b9ebc72457a405d8c14f5ae43ac5b47b91ec9236

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
74d0b268b3815961973a2e9ee14bc0d7

SHA1
d798937e298ea637b70fa250027244861ad1c582

SHA256
c58de118d594a0b43cceca813eff318d823b8d98e9e5adba6a6ad51b5551515b

SHA512
df9fe872a7dcd309d525c4eaa9efd2e707ee55bc804a0af982720cba67beaf4b578adc65197b75f5e0652652b9ebc72457a405d8c14f5ae43ac5b47b91ec9236

Download Submit
memory/432-93-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/432-90-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/432-84-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/1152-55-0x0000000004540000-0x0000000004580000-memory.dmp

Filesize
256KB

Download
memory/1152-56-0x0000000000360000-0x0000000000372000-memory.dmp

Filesize
72KB

Download
memory/1152-57-0x0000000004540000-0x0000000004580000-memory.dmp

Filesize
256KB

Download
memory/1152-58-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/1152-59-0x0000000005F80000-0x00000000060CA000-memory.dmp

Filesize
1.3MB

Download
memory/1152-60-0x0000000007EA0000-0x0000000008062000-memory.dmp

Filesize
1.8MB

Download
memory/1152-54-0x0000000000CD0000-0x0000000000E5A000-memory.dmp

Filesize
1.5MB

Download
memory/1752-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1752-69-0x0000000000360000-0x00000000003C6000-memory.dmp

Filesize
408KB

Download
memory/1752-74-0x0000000000360000-0x00000000003C6000-memory.dmp

Filesize
408KB

Download
memory/1752-80-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1752-81-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1752-68-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1752-66-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1752-63-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1752-62-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1752-61-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing