blustealer | 2fed0d020470afbcb42ea16cbedd103a50ccf86fa10f71252a8307de740c3b9d

General

Target

2fed0d020470afbcb42ea16cbedd103a50ccf86fa10f71252a8307de740c3b9d.exe
Size

1.1MB
MD5

03ce9015af0ef971e98d2dba83a3afd6
SHA1

1cf9797ff0f5c61dbb7efa4c6ed3e5cd10bca40c
SHA256

2fed0d020470afbcb42ea16cbedd103a50ccf86fa10f71252a8307de740c3b9d
SHA512

7bff23a60fe8d6535a796a2f31398d333ca7bd0be84ba19c7c5c96af6c067b11fec94a648fc80fa442f4c96e79ad6e62e308c2086ce894296f86ae9941d9316b
SSDEEP

24576:DYSY2O/D45coTCaQkN4NUlPDYI5Qqu7JFZvJY:USDO/mcoCaQSl7A/9

Score

10^/10

blustealer stealer

Malware Config

Extracted

Family

blustealer

Credentials

Protocol: smtp
Host:
mail.adm.tools
Port:
587
Username:
[email protected]
Password:
18iF5VUdC9xf

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Loads dropped DLL 2 IoCs

pid	Process
760	vbc.exe
760	vbc.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 788 set thread context of 760	788	2fed0d020470afbcb42ea16cbedd103a50ccf86fa10f71252a8307de740c3b9d.exe	27
PID 760 set thread context of 616	760	vbc.exe	29

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
760	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
760	vbc.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 788 wrote to memory of 760	788	2fed0d020470afbcb42ea16cbedd103a50ccf86fa10f71252a8307de740c3b9d.exe	27
PID 788 wrote to memory of 760	788	2fed0d020470afbcb42ea16cbedd103a50ccf86fa10f71252a8307de740c3b9d.exe	27
PID 788 wrote to memory of 760	788	2fed0d020470afbcb42ea16cbedd103a50ccf86fa10f71252a8307de740c3b9d.exe	27
PID 788 wrote to memory of 760	788	2fed0d020470afbcb42ea16cbedd103a50ccf86fa10f71252a8307de740c3b9d.exe	27
PID 788 wrote to memory of 760	788	2fed0d020470afbcb42ea16cbedd103a50ccf86fa10f71252a8307de740c3b9d.exe	27
PID 788 wrote to memory of 760	788	2fed0d020470afbcb42ea16cbedd103a50ccf86fa10f71252a8307de740c3b9d.exe	27
PID 788 wrote to memory of 760	788	2fed0d020470afbcb42ea16cbedd103a50ccf86fa10f71252a8307de740c3b9d.exe	27
PID 788 wrote to memory of 760	788	2fed0d020470afbcb42ea16cbedd103a50ccf86fa10f71252a8307de740c3b9d.exe	27
PID 788 wrote to memory of 760	788	2fed0d020470afbcb42ea16cbedd103a50ccf86fa10f71252a8307de740c3b9d.exe	27
PID 760 wrote to memory of 616	760	vbc.exe	29
PID 760 wrote to memory of 616	760	vbc.exe	29
PID 760 wrote to memory of 616	760	vbc.exe	29
PID 760 wrote to memory of 616	760	vbc.exe	29
PID 760 wrote to memory of 616	760	vbc.exe	29
PID 760 wrote to memory of 616	760	vbc.exe	29
PID 760 wrote to memory of 616	760	vbc.exe	29
PID 760 wrote to memory of 616	760	vbc.exe	29
PID 760 wrote to memory of 616	760	vbc.exe	29

C:\Users\Admin\AppData\Local\Temp\2fed0d020470afbcb42ea16cbedd103a50ccf86fa10f71252a8307de740c3b9d.exe
"C:\Users\Admin\AppData\Local\Temp\2fed0d020470afbcb42ea16cbedd103a50ccf86fa10f71252a8307de740c3b9d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:760
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
    3⤵
    PID:616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\4246454246424646303030323036443742464246463030303230\SQLite3_StdCall.dll

Filesize
59KB

MD5
d77b227a28a78627c2323cac75948390

SHA1
e228c3951f2a9fd0febfe07390633ab4f35727f4

SHA256
527ec201dcd7695bd9830eb82ab35a3986121de9ea156193834aed9d79223b82

SHA512
5627fbc8bbb98f644e21f101a68f0e0b07b87c264d00ea227286bed8ab6dd4ebf5114f03b632604f775ff93666a409a1a179a81ebfc9246956ba8150ff5b0587

Download Submit
C:\Users\Public\424645~1\SQLITE~1.ZIP

Filesize
31KB

MD5
e91150a120a7d0b90c9541ddc35df2da

SHA1
8b218f7653cba01cd73a818de380e5b1018d1d40

SHA256
e96c6c2d75c1af719909fac9cbf1a63441052c0acc5bfff8e53d663dd0d7ee89

SHA512
3a796d7556799dee2bf2c0ee402b5ad39908ee2572f6e3a9dd78229d0f4e9d3f5236d0e1af08b6a0866189e219df03b0ed428a4b5dfb4ebdf585436615e66e28

Download Submit
C:\Users\Public\424645~1\sqlite3.zip

Filesize
295KB

MD5
21765a296b37c1b074bc14316dc9d6cd

SHA1
c99c541d528ad6defe78970e90361d86ad5fa6ae

SHA256
c5a7d1d5f61a535aa511fc9b8119ff5103be48f97f89e123a138453c4aa5fc66

SHA512
5d3392d0f9ee7ed8d9471375ff5333554ca80b7dbe436c2bacb42c1ffe8a5c687835d58ae8425029f83500f43c19268b3315a5c43edb12b707df367e6b86ea0a

Download Submit
\Users\Public\4246454246424646303030323036443742464246463030303230\SQLite3_StdCall.dll

Filesize
59KB

MD5
d77b227a28a78627c2323cac75948390

SHA1
e228c3951f2a9fd0febfe07390633ab4f35727f4

SHA256
527ec201dcd7695bd9830eb82ab35a3986121de9ea156193834aed9d79223b82

SHA512
5627fbc8bbb98f644e21f101a68f0e0b07b87c264d00ea227286bed8ab6dd4ebf5114f03b632604f775ff93666a409a1a179a81ebfc9246956ba8150ff5b0587

Download Submit
\Users\Public\4246454246424646303030323036443742464246463030303230\sqlite3.dll

Filesize
585KB

MD5
5405413fff79b8d9c747aa900f60f082

SHA1
71caf8907ddd9a3a25d71356bd2ce09bd293bd78

SHA256
3e5a28ffde07ac661c26b6ccf94e64c1c90b1f25b3b24c90605aa922b87642eb

SHA512
2f09a30fc4da5166bd665210fefa1d44ce344f0ec6a37f127d677aeb3ca4fc0d09b7c9c1540f57da1e3449b7f588a1c61115395e965fa153d4baa5033266ed66

Download Submit
memory/616-117-0x0000000000090000-0x000000000009E000-memory.dmp

Filesize
56KB

Download
memory/616-115-0x0000000000090000-0x000000000009E000-memory.dmp

Filesize
56KB

Download
memory/616-113-0x0000000000090000-0x000000000009E000-memory.dmp

Filesize
56KB

Download
memory/616-112-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/616-111-0x0000000000090000-0x000000000009E000-memory.dmp

Filesize
56KB

Download
memory/760-60-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/760-126-0x0000000060900000-0x0000000060989000-memory.dmp

Filesize
548KB

Download
memory/760-70-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/760-65-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/760-64-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/760-62-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/760-61-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/760-67-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/760-127-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/788-54-0x00000000012C0000-0x00000000013E8000-memory.dmp

Filesize
1.2MB

Download
memory/788-57-0x0000000000550000-0x000000000055C000-memory.dmp

Filesize
48KB

Download
memory/788-56-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/788-55-0x0000000004DE0000-0x0000000004E20000-memory.dmp

Filesize
256KB

Download
memory/788-58-0x0000000005AD0000-0x0000000005B9C000-memory.dmp

Filesize
816KB

Download
memory/788-59-0x000000000A0D0000-0x000000000A16A000-memory.dmp

Filesize
616KB

Download

Analysis

Sharing