blustealer | ca43187a938211fe07ce02306e744c6c41b10fb12129d5e9b3c083a23541066f

Analysis

max time kernel
30s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
09-06-2023 07:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07487299.exe
Size

57KB
MD5

f40a160dfddf79de154ad448c33c2e45
SHA1

6edf15758a6618a0e357cf220225c54c10f4fc9f
SHA256

ca43187a938211fe07ce02306e744c6c41b10fb12129d5e9b3c083a23541066f
SHA512

b3f3e333995c946f8902915919da0a0e01866c75f3df577b0706734a65dff783398c2a33876b5b07d8267f5b48eabb3bd1e31ef37ab49f4bf5322c3a0847b503
SSDEEP

1536:UwlxZCBDfbP7W71uMVV1GMeaDySRImGzaref9uT:UwlxZQfbP7WbV1xeuySRIm4ayf9uT

Score

10^/10

blustealer persistence stealer

Malware Config

Extracted

Family

blustealer

Credentials

Protocol: smtp
Host:
mail.dphe.gov.bd
Port:
587
Username:
[email protected]
Password:
@DphE20#

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 1 IoCs

pid	Process
800	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
1844	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""	07487299.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 800 set thread context of 1612	800	svchost.exe	40

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1208	1612	WerFault.exe	40

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1616	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1888	timeout.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
1240	07487299.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe
800	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1240	07487299.exe
Token: SeDebugPrivilege	800	svchost.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 1240 wrote to memory of 632	1240	07487299.exe	27
PID 1240 wrote to memory of 632	1240	07487299.exe	27
PID 1240 wrote to memory of 632	1240	07487299.exe	27
PID 1240 wrote to memory of 1844	1240	07487299.exe	29
PID 1240 wrote to memory of 1844	1240	07487299.exe	29
PID 1240 wrote to memory of 1844	1240	07487299.exe	29
PID 1844 wrote to memory of 1888	1844	cmd.exe	31
PID 1844 wrote to memory of 1888	1844	cmd.exe	31
PID 1844 wrote to memory of 1888	1844	cmd.exe	31
PID 632 wrote to memory of 1616	632	cmd.exe	32
PID 632 wrote to memory of 1616	632	cmd.exe	32
PID 632 wrote to memory of 1616	632	cmd.exe	32
PID 1844 wrote to memory of 800	1844	cmd.exe	33
PID 1844 wrote to memory of 800	1844	cmd.exe	33
PID 1844 wrote to memory of 800	1844	cmd.exe	33
PID 800 wrote to memory of 1908	800	svchost.exe	34
PID 800 wrote to memory of 1908	800	svchost.exe	34
PID 800 wrote to memory of 1908	800	svchost.exe	34
PID 800 wrote to memory of 1600	800	svchost.exe	35
PID 800 wrote to memory of 1600	800	svchost.exe	35
PID 800 wrote to memory of 1600	800	svchost.exe	35
PID 800 wrote to memory of 1980	800	svchost.exe	36
PID 800 wrote to memory of 1980	800	svchost.exe	36
PID 800 wrote to memory of 1980	800	svchost.exe	36
PID 800 wrote to memory of 2016	800	svchost.exe	37
PID 800 wrote to memory of 2016	800	svchost.exe	37
PID 800 wrote to memory of 2016	800	svchost.exe	37
PID 800 wrote to memory of 1700	800	svchost.exe	38
PID 800 wrote to memory of 1700	800	svchost.exe	38
PID 800 wrote to memory of 1700	800	svchost.exe	38
PID 800 wrote to memory of 272	800	svchost.exe	39
PID 800 wrote to memory of 272	800	svchost.exe	39
PID 800 wrote to memory of 272	800	svchost.exe	39
PID 800 wrote to memory of 1612	800	svchost.exe	40
PID 800 wrote to memory of 1612	800	svchost.exe	40
PID 800 wrote to memory of 1612	800	svchost.exe	40
PID 800 wrote to memory of 1612	800	svchost.exe	40
PID 800 wrote to memory of 1612	800	svchost.exe	40
PID 800 wrote to memory of 1612	800	svchost.exe	40
PID 800 wrote to memory of 1612	800	svchost.exe	40
PID 800 wrote to memory of 1612	800	svchost.exe	40
PID 800 wrote to memory of 1612	800	svchost.exe	40
PID 800 wrote to memory of 1612	800	svchost.exe	40
PID 800 wrote to memory of 1612	800	svchost.exe	40
PID 800 wrote to memory of 1612	800	svchost.exe	40
PID 1612 wrote to memory of 1208	1612	Setup.exe	41
PID 1612 wrote to memory of 1208	1612	Setup.exe	41
PID 1612 wrote to memory of 1208	1612	Setup.exe	41
PID 1612 wrote to memory of 1208	1612	Setup.exe	41

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\07487299.exe
"C:\Users\Admin\AppData\Local\Temp\07487299.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:632
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:1616
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3D01.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1888
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:800
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
      4⤵
      PID:1908
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
      4⤵
      PID:1600
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
      4⤵
      PID:1980
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
      4⤵
      PID:2016
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
      4⤵
      PID:1700
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
      4⤵
      PID:272
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Setup.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Setup.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1612
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 304
        5⤵
        Program crash
        
        PID:1208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3D01.tmp.bat

Filesize
151B

MD5
158bbc75d060ade4ccdb829a1177678d

SHA1
4a450a32ff5dd52e988b16c8d4f292069f778af7

SHA256
ebeab47164bbf13506442bf29b8f81c4524839cbbb3be1a51791afc718add6b5

SHA512
c42519c658efe00d38d1607e593e8802c0c8da0ed7c90e7fbb129ff3ae734faa507dbbbff6b1d5132d032e86f176239157b4eeae3bc874528b0abbc40910cdd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3D01.tmp.bat

Filesize
151B

MD5
158bbc75d060ade4ccdb829a1177678d

SHA1
4a450a32ff5dd52e988b16c8d4f292069f778af7

SHA256
ebeab47164bbf13506442bf29b8f81c4524839cbbb3be1a51791afc718add6b5

SHA512
c42519c658efe00d38d1607e593e8802c0c8da0ed7c90e7fbb129ff3ae734faa507dbbbff6b1d5132d032e86f176239157b4eeae3bc874528b0abbc40910cdd1

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
57KB

MD5
f40a160dfddf79de154ad448c33c2e45

SHA1
6edf15758a6618a0e357cf220225c54c10f4fc9f

SHA256
ca43187a938211fe07ce02306e744c6c41b10fb12129d5e9b3c083a23541066f

SHA512
b3f3e333995c946f8902915919da0a0e01866c75f3df577b0706734a65dff783398c2a33876b5b07d8267f5b48eabb3bd1e31ef37ab49f4bf5322c3a0847b503

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
57KB

MD5
f40a160dfddf79de154ad448c33c2e45

SHA1
6edf15758a6618a0e357cf220225c54c10f4fc9f

SHA256
ca43187a938211fe07ce02306e744c6c41b10fb12129d5e9b3c083a23541066f

SHA512
b3f3e333995c946f8902915919da0a0e01866c75f3df577b0706734a65dff783398c2a33876b5b07d8267f5b48eabb3bd1e31ef37ab49f4bf5322c3a0847b503

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe

Filesize
57KB

MD5
f40a160dfddf79de154ad448c33c2e45

SHA1
6edf15758a6618a0e357cf220225c54c10f4fc9f

SHA256
ca43187a938211fe07ce02306e744c6c41b10fb12129d5e9b3c083a23541066f

SHA512
b3f3e333995c946f8902915919da0a0e01866c75f3df577b0706734a65dff783398c2a33876b5b07d8267f5b48eabb3bd1e31ef37ab49f4bf5322c3a0847b503

Download Submit
memory/800-70-0x0000000000280000-0x0000000000292000-memory.dmp

Filesize
72KB

Download
memory/800-71-0x0000000000590000-0x0000000000610000-memory.dmp

Filesize
512KB

Download
memory/1240-54-0x00000000013E0000-0x00000000013F2000-memory.dmp

Filesize
72KB

Download
memory/1240-55-0x000000001B230000-0x000000001B2B0000-memory.dmp

Filesize
512KB

Download
memory/1240-56-0x000000001BE40000-0x000000001BEF2000-memory.dmp

Filesize
712KB

Download
memory/1612-72-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download