blustealer | 59b231e2140dff56658986b30ecfc13b38c883a911f4345d95d847d9c93795d9

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
21-12-2023 22:03

Target

0ccdc2943e3e1547431cc0e813bde562.exe
Size

863KB
MD5

0ccdc2943e3e1547431cc0e813bde562
SHA1

d74c378a15dc009b83830c15d0e054c45ca96a22
SHA256

59b231e2140dff56658986b30ecfc13b38c883a911f4345d95d847d9c93795d9
SHA512

0b85770362f70f25b6c8b7ce436d8355a68b13e373583efb935d59e5e0e4eb408b1bae0813495e492bf41d10255f5f19c1e3bf56cb8ca4947f1971454fe36365
SSDEEP

12288:xroIYS+wYxMHYm0KX/A/GBg4MsjNskuEyhq36RnKwQ5t2yq4Qd:xVpXYxMbrkGB5M0Ns7qqtKv3q4Qd

Score

10^/10

Family

blustealer

Credentials

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1672 set thread context of 2596	1672	0ccdc2943e3e1547431cc0e813bde562.exe	30

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2596	0ccdc2943e3e1547431cc0e813bde562.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 2596	1672	0ccdc2943e3e1547431cc0e813bde562.exe	30
PID 1672 wrote to memory of 2596	1672	0ccdc2943e3e1547431cc0e813bde562.exe	30
PID 1672 wrote to memory of 2596	1672	0ccdc2943e3e1547431cc0e813bde562.exe	30
PID 1672 wrote to memory of 2596	1672	0ccdc2943e3e1547431cc0e813bde562.exe	30
PID 1672 wrote to memory of 2596	1672	0ccdc2943e3e1547431cc0e813bde562.exe	30
PID 1672 wrote to memory of 2596	1672	0ccdc2943e3e1547431cc0e813bde562.exe	30
PID 1672 wrote to memory of 2596	1672	0ccdc2943e3e1547431cc0e813bde562.exe	30
PID 1672 wrote to memory of 2596	1672	0ccdc2943e3e1547431cc0e813bde562.exe	30
PID 1672 wrote to memory of 2596	1672	0ccdc2943e3e1547431cc0e813bde562.exe	30

C:\Users\Admin\AppData\Local\Temp\0ccdc2943e3e1547431cc0e813bde562.exe
"C:\Users\Admin\AppData\Local\Temp\0ccdc2943e3e1547431cc0e813bde562.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Users\Admin\AppData\Local\Temp\0ccdc2943e3e1547431cc0e813bde562.exe
  "C:\Users\Admin\AppData\Local\Temp\0ccdc2943e3e1547431cc0e813bde562.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2596

memory/1672-17-0x00000000741B0000-0x000000007489E000-memory.dmp

Filesize
6.9MB

Download
memory/1672-1-0x00000000741B0000-0x000000007489E000-memory.dmp

Filesize
6.9MB

Download
memory/1672-2-0x0000000004820000-0x0000000004860000-memory.dmp

Filesize
256KB

Download
memory/1672-3-0x00000000004D0000-0x00000000004EC000-memory.dmp

Filesize
112KB

Download
memory/1672-4-0x00000000741B0000-0x000000007489E000-memory.dmp

Filesize
6.9MB

Download
memory/1672-5-0x0000000004820000-0x0000000004860000-memory.dmp

Filesize
256KB

Download
memory/1672-6-0x0000000007EB0000-0x0000000007F46000-memory.dmp

Filesize
600KB

Download
memory/1672-7-0x0000000000800000-0x0000000000862000-memory.dmp

Filesize
392KB

Download
memory/1672-0-0x0000000000F00000-0x0000000000FDE000-memory.dmp

Filesize
888KB

Download
memory/2596-8-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2596-10-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2596-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2596-14-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2596-16-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2596-9-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2596-20-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download