blustealer | 65bcb96689030a956d477cd74e7c8ab7639e36240c1330de4b29e0c78029ce45

Analysis

max time kernel
142s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
18-05-2023 01:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RFQ# 6000263267.exe
Size

526KB
MD5

56c8f58ad43f6d3ceedcb459c984cbb0
SHA1

941132c99e72829e3d1447caaa938dc69599c00c
SHA256

71d546589ef99e38123b2fb807bb3e9b2ae88341c1d384e7603a6f867d57b87b
SHA512

a3673469158800abf217751360e39feed141623218275e049f8a3fe152497840f9e423f21e6a91e03e521afe5a8f11c8fb28a7daed38d9ff9273e8cb16d27532
SSDEEP

12288:PYZDn64onVzlCkdx0vbwvbzWLvdUuRvb7E1RBdDWCibbQ+:PYZAZXT0jyPCvb5HEJdKfbc+

Score

10^/10

blustealer collection stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 2 IoCs

pid	Process
280	qlcdh.exe
592	qlcdh.exe

Loads dropped DLL 3 IoCs

pid	Process
1264	RFQ# 6000263267.exe
1264	RFQ# 6000263267.exe
280	qlcdh.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 280 set thread context of 592	280	qlcdh.exe	28
PID 592 set thread context of 1844	592	qlcdh.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
280	qlcdh.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
592	qlcdh.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1264 wrote to memory of 280	1264	RFQ# 6000263267.exe	27
PID 1264 wrote to memory of 280	1264	RFQ# 6000263267.exe	27
PID 1264 wrote to memory of 280	1264	RFQ# 6000263267.exe	27
PID 1264 wrote to memory of 280	1264	RFQ# 6000263267.exe	27
PID 280 wrote to memory of 592	280	qlcdh.exe	28
PID 280 wrote to memory of 592	280	qlcdh.exe	28
PID 280 wrote to memory of 592	280	qlcdh.exe	28
PID 280 wrote to memory of 592	280	qlcdh.exe	28
PID 280 wrote to memory of 592	280	qlcdh.exe	28
PID 592 wrote to memory of 1844	592	qlcdh.exe	29
PID 592 wrote to memory of 1844	592	qlcdh.exe	29
PID 592 wrote to memory of 1844	592	qlcdh.exe	29
PID 592 wrote to memory of 1844	592	qlcdh.exe	29
PID 592 wrote to memory of 1844	592	qlcdh.exe	29
PID 592 wrote to memory of 1844	592	qlcdh.exe	29
PID 592 wrote to memory of 1844	592	qlcdh.exe	29
PID 592 wrote to memory of 1844	592	qlcdh.exe	29
PID 592 wrote to memory of 1844	592	qlcdh.exe	29

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\RFQ# 6000263267.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ# 6000263267.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Users\Admin\AppData\Local\Temp\qlcdh.exe
  "C:\Users\Admin\AppData\Local\Temp\qlcdh.exe" C:\Users\Admin\AppData\Local\Temp\uyxiqi.gse
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:280
- - C:\Users\Admin\AppData\Local\Temp\qlcdh.exe
    "C:\Users\Admin\AppData\Local\Temp\qlcdh.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:592
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      4⤵
      Accesses Microsoft Outlook profiles
      outlook_office_path
      outlook_win_path
      PID:1844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\qlcdh.exe

Filesize
103KB

MD5
297c0dbdbd58367b70427c8a97a2c7f8

SHA1
64f11000bed769c1d7caef3fb977a7f2a8c61a60

SHA256
6ee7360992738ffecd0dd2ee66489e435f56ad3ee8d4a0c752281302fa7d685b

SHA512
8218558fc9d317f14d05099a4fe409770c4d7c9d2c88bce7c30a546dd7f0b8f24fb46258fa945b0dca105196babb89106279a3454fc815d4e52de572332e82f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qlcdh.exe

Filesize
103KB

MD5
297c0dbdbd58367b70427c8a97a2c7f8

SHA1
64f11000bed769c1d7caef3fb977a7f2a8c61a60

SHA256
6ee7360992738ffecd0dd2ee66489e435f56ad3ee8d4a0c752281302fa7d685b

SHA512
8218558fc9d317f14d05099a4fe409770c4d7c9d2c88bce7c30a546dd7f0b8f24fb46258fa945b0dca105196babb89106279a3454fc815d4e52de572332e82f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qlcdh.exe

Filesize
103KB

MD5
297c0dbdbd58367b70427c8a97a2c7f8

SHA1
64f11000bed769c1d7caef3fb977a7f2a8c61a60

SHA256
6ee7360992738ffecd0dd2ee66489e435f56ad3ee8d4a0c752281302fa7d685b

SHA512
8218558fc9d317f14d05099a4fe409770c4d7c9d2c88bce7c30a546dd7f0b8f24fb46258fa945b0dca105196babb89106279a3454fc815d4e52de572332e82f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qlcdh.exe

Filesize
103KB

MD5
297c0dbdbd58367b70427c8a97a2c7f8

SHA1
64f11000bed769c1d7caef3fb977a7f2a8c61a60

SHA256
6ee7360992738ffecd0dd2ee66489e435f56ad3ee8d4a0c752281302fa7d685b

SHA512
8218558fc9d317f14d05099a4fe409770c4d7c9d2c88bce7c30a546dd7f0b8f24fb46258fa945b0dca105196babb89106279a3454fc815d4e52de572332e82f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qmzec.ato

Filesize
460KB

MD5
a80267a8e74cfccd1a993f037b00cee8

SHA1
f4c77c885a176803da22b740730e92255fc5ccf8

SHA256
2841683a44b448e25b19d510f53725c9c643b8e2964616d7a79aeeaa11b4f210

SHA512
26037aa4a5f623463c9c95f4fec92332c3fcdffc33516ff41011c04bd9d8264d1e4817c1a4a3aa6f45b71047dd554cd97aad728d1710865fba89d2df8c8d3b91

Download Submit
C:\Users\Admin\AppData\Local\Temp\uyxiqi.gse

Filesize
5KB

MD5
f4efe05c3bc2b0414148642570fdfdd0

SHA1
981f8baa739364dacf10876b7727a4fceaccea57

SHA256
9a4f93f219d672ed41564c7b9bc6c8218ee2f38de3e9cc1bc61b72e2bfb45b73

SHA512
1572d52452fc7643072bbbbfcde260860f6d8bdc31c6ea4ff710c19920a2dbd2ef3e6d266afe0244e275856cb85483e03d85e021800dfe036291d0d522ca55c9

Download Submit
\Users\Admin\AppData\Local\Temp\qlcdh.exe

Filesize
103KB

MD5
297c0dbdbd58367b70427c8a97a2c7f8

SHA1
64f11000bed769c1d7caef3fb977a7f2a8c61a60

SHA256
6ee7360992738ffecd0dd2ee66489e435f56ad3ee8d4a0c752281302fa7d685b

SHA512
8218558fc9d317f14d05099a4fe409770c4d7c9d2c88bce7c30a546dd7f0b8f24fb46258fa945b0dca105196babb89106279a3454fc815d4e52de572332e82f9

Download Submit
\Users\Admin\AppData\Local\Temp\qlcdh.exe

Filesize
103KB

MD5
297c0dbdbd58367b70427c8a97a2c7f8

SHA1
64f11000bed769c1d7caef3fb977a7f2a8c61a60

SHA256
6ee7360992738ffecd0dd2ee66489e435f56ad3ee8d4a0c752281302fa7d685b

SHA512
8218558fc9d317f14d05099a4fe409770c4d7c9d2c88bce7c30a546dd7f0b8f24fb46258fa945b0dca105196babb89106279a3454fc815d4e52de572332e82f9

Download Submit
\Users\Admin\AppData\Local\Temp\qlcdh.exe

Filesize
103KB

MD5
297c0dbdbd58367b70427c8a97a2c7f8

SHA1
64f11000bed769c1d7caef3fb977a7f2a8c61a60

SHA256
6ee7360992738ffecd0dd2ee66489e435f56ad3ee8d4a0c752281302fa7d685b

SHA512
8218558fc9d317f14d05099a4fe409770c4d7c9d2c88bce7c30a546dd7f0b8f24fb46258fa945b0dca105196babb89106279a3454fc815d4e52de572332e82f9

Download Submit
memory/280-68-0x00000000002B0000-0x00000000002B2000-memory.dmp

Filesize
8KB

Download
memory/592-90-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/592-95-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/592-100-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/592-99-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/592-98-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/592-80-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/592-97-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/592-96-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/592-73-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/592-94-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/592-86-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/592-87-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/592-88-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/592-89-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/592-69-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/592-91-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/592-92-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/592-93-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1844-85-0x0000000004A20000-0x0000000004ADC000-memory.dmp

Filesize
752KB

Download
memory/1844-84-0x0000000004B20000-0x0000000004B60000-memory.dmp

Filesize
256KB

Download
memory/1844-83-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/1844-81-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/1844-78-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download
memory/1844-77-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1844-76-0x0000000000230000-0x0000000000296000-memory.dmp

Filesize
408KB

Download