blustealer | 59b231e2140dff56658986b30ecfc13b38c883a911f4345d95d847d9c93795d9

Analysis

max time kernel
144s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2023 22:03

Target

0ccdc2943e3e1547431cc0e813bde562.exe
Size

863KB
MD5

0ccdc2943e3e1547431cc0e813bde562
SHA1

d74c378a15dc009b83830c15d0e054c45ca96a22
SHA256

59b231e2140dff56658986b30ecfc13b38c883a911f4345d95d847d9c93795d9
SHA512

0b85770362f70f25b6c8b7ce436d8355a68b13e373583efb935d59e5e0e4eb408b1bae0813495e492bf41d10255f5f19c1e3bf56cb8ca4947f1971454fe36365
SSDEEP

12288:xroIYS+wYxMHYm0KX/A/GBg4MsjNskuEyhq36RnKwQ5t2yq4Qd:xVpXYxMbrkGB5M0Ns7qqtKv3q4Qd

Score

10^/10

Family

blustealer

Credentials

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2892 set thread context of 1228	2892	0ccdc2943e3e1547431cc0e813bde562.exe	93

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1228	0ccdc2943e3e1547431cc0e813bde562.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 1228	2892	0ccdc2943e3e1547431cc0e813bde562.exe	93
PID 2892 wrote to memory of 1228	2892	0ccdc2943e3e1547431cc0e813bde562.exe	93
PID 2892 wrote to memory of 1228	2892	0ccdc2943e3e1547431cc0e813bde562.exe	93
PID 2892 wrote to memory of 1228	2892	0ccdc2943e3e1547431cc0e813bde562.exe	93
PID 2892 wrote to memory of 1228	2892	0ccdc2943e3e1547431cc0e813bde562.exe	93
PID 2892 wrote to memory of 1228	2892	0ccdc2943e3e1547431cc0e813bde562.exe	93
PID 2892 wrote to memory of 1228	2892	0ccdc2943e3e1547431cc0e813bde562.exe	93
PID 2892 wrote to memory of 1228	2892	0ccdc2943e3e1547431cc0e813bde562.exe	93

C:\Users\Admin\AppData\Local\Temp\0ccdc2943e3e1547431cc0e813bde562.exe
"C:\Users\Admin\AppData\Local\Temp\0ccdc2943e3e1547431cc0e813bde562.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Users\Admin\AppData\Local\Temp\0ccdc2943e3e1547431cc0e813bde562.exe
  "C:\Users\Admin\AppData\Local\Temp\0ccdc2943e3e1547431cc0e813bde562.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1228

memory/1228-12-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1228-19-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1228-15-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2892-4-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/2892-1-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download
memory/2892-5-0x0000000004F30000-0x0000000004F3A000-memory.dmp

Filesize
40KB

Download
memory/2892-6-0x0000000005120000-0x000000000513C000-memory.dmp

Filesize
112KB

Download
memory/2892-7-0x000000000B700000-0x000000000B79C000-memory.dmp

Filesize
624KB

Download
memory/2892-8-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download
memory/2892-9-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/2892-10-0x000000000B660000-0x000000000B6F6000-memory.dmp

Filesize
600KB

Download
memory/2892-11-0x000000000E290000-0x000000000E2F2000-memory.dmp

Filesize
392KB

Download
memory/2892-3-0x0000000004E70000-0x0000000004F02000-memory.dmp

Filesize
584KB

Download
memory/2892-2-0x0000000005510000-0x0000000005AB4000-memory.dmp

Filesize
5.6MB

Download
memory/2892-17-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download
memory/2892-0-0x00000000003C0000-0x000000000049E000-memory.dmp

Filesize
888KB

Download