blustealer | c7b62d2eddca1acf1d394dc03808ecb370c2125ae55786628ad856f55c71b9f8

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
14-08-2023 15:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Product Spec.exe
Size

112KB
MD5

d59c27e2eb8d505a78b0d57801750df5
SHA1

947335b0768c0e6c63d6b3185785ebbe71538511
SHA256

d8dc20517ab9336ee7bbfee1416a5c6ec0cb2cf63400c803858c7c1db4f4f837
SHA512

b3a568be8db5d6edf098a7157cb53782e84efcc81ed8ba5cf0f5ee60e51dccc0343bff580c2c066c95a61ba2c1656819b4b52b3974de44e4531518b972ab3842
SSDEEP

1536:AiiHA0C/fLKpoTNxrNnubIq59PdTvdl5PAaZ/Sv93Q28FHDd:NiiLKpS/Ni59P1tfhAP8tDd

Score

10^/10

blustealer persistence spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5518827253:AAGOg42FA-LTJl6MOuvPuukxFyV4dUBJ5rM/sendMessage?chat_id=1223462240

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Euxqnrcx = "C:\\Users\\Admin\\AppData\\Roaming\\Euxqnrcx.exe"	Product Spec.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2700 set thread context of 2560	2700	Product Spec.exe	89
PID 2560 set thread context of 1612	2560	MSBuild.exe	90

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	92	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2700	Product Spec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2560	MSBuild.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2560	2700	Product Spec.exe	89
PID 2700 wrote to memory of 2560	2700	Product Spec.exe	89
PID 2700 wrote to memory of 2560	2700	Product Spec.exe	89
PID 2700 wrote to memory of 2560	2700	Product Spec.exe	89
PID 2700 wrote to memory of 2560	2700	Product Spec.exe	89
PID 2700 wrote to memory of 2560	2700	Product Spec.exe	89
PID 2700 wrote to memory of 2560	2700	Product Spec.exe	89
PID 2700 wrote to memory of 2560	2700	Product Spec.exe	89
PID 2560 wrote to memory of 1612	2560	MSBuild.exe	90
PID 2560 wrote to memory of 1612	2560	MSBuild.exe	90
PID 2560 wrote to memory of 1612	2560	MSBuild.exe	90
PID 2560 wrote to memory of 1612	2560	MSBuild.exe	90
PID 2560 wrote to memory of 1612	2560	MSBuild.exe	90

C:\Users\Admin\AppData\Local\Temp\Product Spec.exe
"C:\Users\Admin\AppData\Local\Temp\Product Spec.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1612-1228-0x0000000001100000-0x0000000001166000-memory.dmp

Filesize
408KB

Download
memory/1612-1229-0x00000000740C0000-0x0000000074870000-memory.dmp

Filesize
7.7MB

Download
memory/1612-1230-0x0000000005750000-0x0000000005760000-memory.dmp

Filesize
64KB

Download
memory/1612-1231-0x0000000005760000-0x00000000057FC000-memory.dmp

Filesize
624KB

Download
memory/1612-1233-0x00000000740C0000-0x0000000074870000-memory.dmp

Filesize
7.7MB

Download
memory/2560-1223-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2560-1234-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2700-164-0x0000000007D40000-0x0000000007E4E000-memory.dmp

Filesize
1.1MB

Download
memory/2700-172-0x0000000007D40000-0x0000000007E4E000-memory.dmp

Filesize
1.1MB

Download
memory/2700-137-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download
memory/2700-138-0x0000000005480000-0x000000000548A000-memory.dmp

Filesize
40KB

Download
memory/2700-139-0x0000000007D40000-0x0000000007E4E000-memory.dmp

Filesize
1.1MB

Download
memory/2700-140-0x0000000007D40000-0x0000000007E4E000-memory.dmp

Filesize
1.1MB

Download
memory/2700-142-0x0000000007D40000-0x0000000007E4E000-memory.dmp

Filesize
1.1MB

Download
memory/2700-144-0x0000000007D40000-0x0000000007E4E000-memory.dmp

Filesize
1.1MB

Download
memory/2700-146-0x0000000007D40000-0x0000000007E4E000-memory.dmp

Filesize
1.1MB

Download
memory/2700-148-0x0000000007D40000-0x0000000007E4E000-memory.dmp

Filesize
1.1MB

Download
memory/2700-150-0x0000000007D40000-0x0000000007E4E000-memory.dmp

Filesize
1.1MB

Download
memory/2700-152-0x0000000007D40000-0x0000000007E4E000-memory.dmp

Filesize
1.1MB

Download
memory/2700-154-0x0000000007D40000-0x0000000007E4E000-memory.dmp

Filesize
1.1MB

Download
memory/2700-156-0x0000000007D40000-0x0000000007E4E000-memory.dmp

Filesize
1.1MB

Download
memory/2700-158-0x0000000007D40000-0x0000000007E4E000-memory.dmp

Filesize
1.1MB

Download
memory/2700-160-0x0000000007D40000-0x0000000007E4E000-memory.dmp

Filesize
1.1MB

Download
memory/2700-162-0x0000000007D40000-0x0000000007E4E000-memory.dmp

Filesize
1.1MB

Download
memory/2700-135-0x0000000005930000-0x0000000005ED4000-memory.dmp

Filesize
5.6MB

Download
memory/2700-166-0x0000000007D40000-0x0000000007E4E000-memory.dmp

Filesize
1.1MB

Download
memory/2700-168-0x0000000007D40000-0x0000000007E4E000-memory.dmp

Filesize
1.1MB

Download
memory/2700-170-0x0000000007D40000-0x0000000007E4E000-memory.dmp

Filesize
1.1MB

Download
memory/2700-136-0x0000000005380000-0x0000000005412000-memory.dmp

Filesize
584KB

Download
memory/2700-174-0x0000000007D40000-0x0000000007E4E000-memory.dmp

Filesize
1.1MB

Download
memory/2700-176-0x0000000007D40000-0x0000000007E4E000-memory.dmp

Filesize
1.1MB

Download
memory/2700-178-0x0000000007D40000-0x0000000007E4E000-memory.dmp

Filesize
1.1MB

Download
memory/2700-180-0x0000000007D40000-0x0000000007E4E000-memory.dmp

Filesize
1.1MB

Download
memory/2700-182-0x0000000007D40000-0x0000000007E4E000-memory.dmp

Filesize
1.1MB

Download
memory/2700-184-0x0000000007D40000-0x0000000007E4E000-memory.dmp

Filesize
1.1MB

Download
memory/2700-186-0x0000000007D40000-0x0000000007E4E000-memory.dmp

Filesize
1.1MB

Download
memory/2700-188-0x0000000007D40000-0x0000000007E4E000-memory.dmp

Filesize
1.1MB

Download
memory/2700-190-0x0000000007D40000-0x0000000007E4E000-memory.dmp

Filesize
1.1MB

Download
memory/2700-192-0x0000000007D40000-0x0000000007E4E000-memory.dmp

Filesize
1.1MB

Download
memory/2700-194-0x0000000007D40000-0x0000000007E4E000-memory.dmp

Filesize
1.1MB

Download
memory/2700-196-0x0000000007D40000-0x0000000007E4E000-memory.dmp

Filesize
1.1MB

Download
memory/2700-198-0x0000000007D40000-0x0000000007E4E000-memory.dmp

Filesize
1.1MB

Download
memory/2700-200-0x0000000007D40000-0x0000000007E4E000-memory.dmp

Filesize
1.1MB

Download
memory/2700-134-0x0000000074750000-0x0000000074F00000-memory.dmp

Filesize
7.7MB

Download
memory/2700-133-0x0000000000910000-0x0000000000932000-memory.dmp

Filesize
136KB

Download
memory/2700-202-0x0000000007D40000-0x0000000007E4E000-memory.dmp

Filesize
1.1MB

Download
memory/2700-360-0x0000000074750000-0x0000000074F00000-memory.dmp

Filesize
7.7MB

Download
memory/2700-597-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download
memory/2700-1217-0x0000000007420000-0x0000000007421000-memory.dmp

Filesize
4KB

Download
memory/2700-1225-0x0000000074750000-0x0000000074F00000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads