blustealer | 582741317b53c32600953ffc2daf7f02f32f9153f90a1f0ff6166f3791b52404

Analysis

max time kernel
90s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2023 05:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d10f518c4de138b5c18d2f4dbd895bc.exe
Size

727KB
MD5

6d10f518c4de138b5c18d2f4dbd895bc
SHA1

24eaf3a15a15111d304992b6a7a934610c6d28dc
SHA256

582741317b53c32600953ffc2daf7f02f32f9153f90a1f0ff6166f3791b52404
SHA512

68dd265f8b47289e71439217c457be7507d59f618a1630e94f13ed585c1d6febe8b3c8ced735810cf39b9b74d52affd64c382d73566c21fa5f0e7d171f1c97e5
SSDEEP

12288:csyxZCYQneRW88If1cmRBPA0nV2sb+xUVWcyNc:cjZCr7gf1cIA0nos6Cn/

Score

10^/10

blustealer stealer

Malware Config

Extracted

Family

blustealer

Credentials

Protocol: smtp
Host:
budgetn.shop
Port:
587
Username:
[email protected]
Password:
X&Y=[g89L4D/**

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	6d10f518c4de138b5c18d2f4dbd895bc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2460 set thread context of 1832	2460	6d10f518c4de138b5c18d2f4dbd895bc.exe	107

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
3372	powershell.exe
3372	powershell.exe
408	powershell.exe
408	powershell.exe
408	powershell.exe
1924	powershell.exe
1924	powershell.exe
1924	powershell.exe
4584	powershell.exe
4584	powershell.exe
4584	powershell.exe
1780	powershell.exe
1780	powershell.exe
2460	6d10f518c4de138b5c18d2f4dbd895bc.exe
2460	6d10f518c4de138b5c18d2f4dbd895bc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3372	powershell.exe
Token: SeIncreaseQuotaPrivilege	3372	powershell.exe
Token: SeSecurityPrivilege	3372	powershell.exe
Token: SeTakeOwnershipPrivilege	3372	powershell.exe
Token: SeLoadDriverPrivilege	3372	powershell.exe
Token: SeSystemProfilePrivilege	3372	powershell.exe
Token: SeSystemtimePrivilege	3372	powershell.exe
Token: SeProfSingleProcessPrivilege	3372	powershell.exe
Token: SeIncBasePriorityPrivilege	3372	powershell.exe
Token: SeCreatePagefilePrivilege	3372	powershell.exe
Token: SeBackupPrivilege	3372	powershell.exe
Token: SeRestorePrivilege	3372	powershell.exe
Token: SeShutdownPrivilege	3372	powershell.exe
Token: SeDebugPrivilege	3372	powershell.exe
Token: SeSystemEnvironmentPrivilege	3372	powershell.exe
Token: SeRemoteShutdownPrivilege	3372	powershell.exe
Token: SeUndockPrivilege	3372	powershell.exe
Token: SeManageVolumePrivilege	3372	powershell.exe
Token: 33	3372	powershell.exe
Token: 34	3372	powershell.exe
Token: 35	3372	powershell.exe
Token: 36	3372	powershell.exe
Token: SeIncreaseQuotaPrivilege	3372	powershell.exe
Token: SeSecurityPrivilege	3372	powershell.exe
Token: SeTakeOwnershipPrivilege	3372	powershell.exe
Token: SeLoadDriverPrivilege	3372	powershell.exe
Token: SeSystemProfilePrivilege	3372	powershell.exe
Token: SeSystemtimePrivilege	3372	powershell.exe
Token: SeProfSingleProcessPrivilege	3372	powershell.exe
Token: SeIncBasePriorityPrivilege	3372	powershell.exe
Token: SeCreatePagefilePrivilege	3372	powershell.exe
Token: SeBackupPrivilege	3372	powershell.exe
Token: SeRestorePrivilege	3372	powershell.exe
Token: SeShutdownPrivilege	3372	powershell.exe
Token: SeDebugPrivilege	3372	powershell.exe
Token: SeSystemEnvironmentPrivilege	3372	powershell.exe
Token: SeRemoteShutdownPrivilege	3372	powershell.exe
Token: SeUndockPrivilege	3372	powershell.exe
Token: SeManageVolumePrivilege	3372	powershell.exe
Token: 33	3372	powershell.exe
Token: 34	3372	powershell.exe
Token: 35	3372	powershell.exe
Token: 36	3372	powershell.exe
Token: SeDebugPrivilege	408	powershell.exe
Token: SeIncreaseQuotaPrivilege	408	powershell.exe
Token: SeSecurityPrivilege	408	powershell.exe
Token: SeTakeOwnershipPrivilege	408	powershell.exe
Token: SeLoadDriverPrivilege	408	powershell.exe
Token: SeSystemProfilePrivilege	408	powershell.exe
Token: SeSystemtimePrivilege	408	powershell.exe
Token: SeProfSingleProcessPrivilege	408	powershell.exe
Token: SeIncBasePriorityPrivilege	408	powershell.exe
Token: SeCreatePagefilePrivilege	408	powershell.exe
Token: SeBackupPrivilege	408	powershell.exe
Token: SeRestorePrivilege	408	powershell.exe
Token: SeShutdownPrivilege	408	powershell.exe
Token: SeDebugPrivilege	408	powershell.exe
Token: SeSystemEnvironmentPrivilege	408	powershell.exe
Token: SeRemoteShutdownPrivilege	408	powershell.exe
Token: SeUndockPrivilege	408	powershell.exe
Token: SeManageVolumePrivilege	408	powershell.exe
Token: 33	408	powershell.exe
Token: 34	408	powershell.exe
Token: 35	408	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1832	6d10f518c4de138b5c18d2f4dbd895bc.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 3372	2460	6d10f518c4de138b5c18d2f4dbd895bc.exe	92
PID 2460 wrote to memory of 3372	2460	6d10f518c4de138b5c18d2f4dbd895bc.exe	92
PID 2460 wrote to memory of 3372	2460	6d10f518c4de138b5c18d2f4dbd895bc.exe	92
PID 2460 wrote to memory of 408	2460	6d10f518c4de138b5c18d2f4dbd895bc.exe	97
PID 2460 wrote to memory of 408	2460	6d10f518c4de138b5c18d2f4dbd895bc.exe	97
PID 2460 wrote to memory of 408	2460	6d10f518c4de138b5c18d2f4dbd895bc.exe	97
PID 2460 wrote to memory of 1924	2460	6d10f518c4de138b5c18d2f4dbd895bc.exe	99
PID 2460 wrote to memory of 1924	2460	6d10f518c4de138b5c18d2f4dbd895bc.exe	99
PID 2460 wrote to memory of 1924	2460	6d10f518c4de138b5c18d2f4dbd895bc.exe	99
PID 2460 wrote to memory of 4584	2460	6d10f518c4de138b5c18d2f4dbd895bc.exe	101
PID 2460 wrote to memory of 4584	2460	6d10f518c4de138b5c18d2f4dbd895bc.exe	101
PID 2460 wrote to memory of 4584	2460	6d10f518c4de138b5c18d2f4dbd895bc.exe	101
PID 2460 wrote to memory of 1780	2460	6d10f518c4de138b5c18d2f4dbd895bc.exe	103
PID 2460 wrote to memory of 1780	2460	6d10f518c4de138b5c18d2f4dbd895bc.exe	103
PID 2460 wrote to memory of 1780	2460	6d10f518c4de138b5c18d2f4dbd895bc.exe	103
PID 2460 wrote to memory of 1832	2460	6d10f518c4de138b5c18d2f4dbd895bc.exe	107
PID 2460 wrote to memory of 1832	2460	6d10f518c4de138b5c18d2f4dbd895bc.exe	107
PID 2460 wrote to memory of 1832	2460	6d10f518c4de138b5c18d2f4dbd895bc.exe	107
PID 2460 wrote to memory of 1832	2460	6d10f518c4de138b5c18d2f4dbd895bc.exe	107
PID 2460 wrote to memory of 1832	2460	6d10f518c4de138b5c18d2f4dbd895bc.exe	107
PID 2460 wrote to memory of 1832	2460	6d10f518c4de138b5c18d2f4dbd895bc.exe	107
PID 2460 wrote to memory of 1832	2460	6d10f518c4de138b5c18d2f4dbd895bc.exe	107
PID 2460 wrote to memory of 1832	2460	6d10f518c4de138b5c18d2f4dbd895bc.exe	107

C:\Users\Admin\AppData\Local\Temp\6d10f518c4de138b5c18d2f4dbd895bc.exe
"C:\Users\Admin\AppData\Local\Temp\6d10f518c4de138b5c18d2f4dbd895bc.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3372
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:408
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1924
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4584
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1780
- C:\Users\Admin\AppData\Local\Temp\6d10f518c4de138b5c18d2f4dbd895bc.exe
  C:\Users\Admin\AppData\Local\Temp\6d10f518c4de138b5c18d2f4dbd895bc.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
0774a05ce5ee4c1af7097353c9296c62

SHA1
658ff96b111c21c39d7ad5f510fb72f9762114bb

SHA256
d9c5347ed06755feeb0615f1671f6b91e2718703da0dbc4b0bd205cbd2896dd4

SHA512
104d69fc4f4aaa5070b78ada130228939c7e01436351166fe51fe2da8a02f9948e6d92dd676f62820da1813872b91411e2f863c9a98a760581ec34d4aa354994

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
2c6fa11e394d51ec51c12fd7957a8bb5

SHA1
2c0f3aab85591ef79e0e209ba4d9a4a291074137

SHA256
eccf81b8209467e3468303b502ab2b1d3f4dd453d0508675f914d2be17472f72

SHA512
fcbd9722674176acf0252be617a083b74eb987306944ee8349f0f3f5a85a3265b7c47b8d596998e718b7c6c8d5937510fa54ac65996d726a65d614a7c859da49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
1761578add6ca31324af9c85f2b7450a

SHA1
bcae94b12c02397b44062acddc253afe0ee62d99

SHA256
7f5660a337e7e05d72383d19fd359f3135ca10e6a1c958bf5ad8fe0ed2efd0fb

SHA512
746060d98fecacfe56c138b0eb74f6a3591e4def2abbe0fb910b9a91b32107d664ea950d1ec9a0af5392c1f0e4d583b4e7bc0b082096a246cd7f06c7000bb2b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
e276d17eca4a36e75a936956baf01ab8

SHA1
ef81ea8921297a89e3145d9de56461ad7edec82d

SHA256
1f4b61c914194273f6c93cef3f012289e69ea2aea7e7961ec7d4c24f2d483447

SHA512
037b04389c03f803b361ac01dc9f9b9f533483eaf38e07742a8ad91e7895b38f36eaf484ce035100d701638c5ed4dcd623bc80002e7ddb49115214437f27c353

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
f03fc1f521f3a3ed369f0e563ba66b9a

SHA1
7626b9cc4b8896fbe220b3fd162b6a94b0cf6118

SHA256
6c00e094e45d3ca04db354139e86200f3f4cc11e7a143d637e30fcb152d01f2c

SHA512
41450318f93b062bafd111d18d1cfeb237deb768ed2deb924f8aeec381d851810ac47fa762451cd38c9b752b8f420aafb4300adc26f27b8865f93adb61f3889f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ndaq0gtw.10f.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/408-31-0x00000000021B0000-0x00000000021C0000-memory.dmp

Filesize
64KB

Download
memory/408-30-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/408-32-0x00000000021B0000-0x00000000021C0000-memory.dmp

Filesize
64KB

Download
memory/408-72-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/1780-127-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/1780-74-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/1780-75-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/1780-73-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/1832-129-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1832-132-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1832-136-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1924-87-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/1924-42-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/1924-44-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/1924-43-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/2460-108-0x0000000006BB0000-0x0000000006C40000-memory.dmp

Filesize
576KB

Download
memory/2460-96-0x0000000006BB0000-0x0000000006C40000-memory.dmp

Filesize
576KB

Download
memory/2460-1-0x0000000000ED0000-0x0000000000F8C000-memory.dmp

Filesize
752KB

Download
memory/2460-133-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/2460-2-0x0000000006000000-0x00000000065A4000-memory.dmp

Filesize
5.6MB

Download
memory/2460-3-0x0000000005970000-0x0000000005A02000-memory.dmp

Filesize
584KB

Download
memory/2460-4-0x0000000005B50000-0x0000000005B60000-memory.dmp

Filesize
64KB

Download
memory/2460-54-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/2460-5-0x0000000005A20000-0x0000000005A2A000-memory.dmp

Filesize
40KB

Download
memory/2460-58-0x0000000005B50000-0x0000000005B60000-memory.dmp

Filesize
64KB

Download
memory/2460-88-0x0000000006BB0000-0x0000000006C46000-memory.dmp

Filesize
600KB

Download
memory/2460-89-0x0000000006BB0000-0x0000000006C40000-memory.dmp

Filesize
576KB

Download
memory/2460-90-0x0000000006BB0000-0x0000000006C40000-memory.dmp

Filesize
576KB

Download
memory/2460-94-0x0000000006BB0000-0x0000000006C40000-memory.dmp

Filesize
576KB

Download
memory/2460-98-0x0000000006BB0000-0x0000000006C40000-memory.dmp

Filesize
576KB

Download
memory/2460-100-0x0000000006BB0000-0x0000000006C40000-memory.dmp

Filesize
576KB

Download
memory/2460-102-0x0000000006BB0000-0x0000000006C40000-memory.dmp

Filesize
576KB

Download
memory/2460-0-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/2460-110-0x0000000006BB0000-0x0000000006C40000-memory.dmp

Filesize
576KB

Download
memory/2460-92-0x0000000006BB0000-0x0000000006C40000-memory.dmp

Filesize
576KB

Download
memory/2460-106-0x0000000006BB0000-0x0000000006C40000-memory.dmp

Filesize
576KB

Download
memory/2460-104-0x0000000006BB0000-0x0000000006C40000-memory.dmp

Filesize
576KB

Download
memory/2460-114-0x0000000006BB0000-0x0000000006C40000-memory.dmp

Filesize
576KB

Download
memory/2460-120-0x0000000006C90000-0x0000000006CB6000-memory.dmp

Filesize
152KB

Download
memory/2460-121-0x0000000006F10000-0x0000000006F2E000-memory.dmp

Filesize
120KB

Download
memory/2460-119-0x0000000006D00000-0x0000000006D76000-memory.dmp

Filesize
472KB

Download
memory/2460-118-0x0000000006BB0000-0x0000000006C40000-memory.dmp

Filesize
576KB

Download
memory/2460-116-0x0000000006BB0000-0x0000000006C40000-memory.dmp

Filesize
576KB

Download
memory/2460-112-0x0000000006BB0000-0x0000000006C40000-memory.dmp

Filesize
576KB

Download
memory/3372-57-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/3372-10-0x0000000004E10000-0x0000000005438000-memory.dmp

Filesize
6.2MB

Download
memory/3372-11-0x0000000004B50000-0x0000000004B72000-memory.dmp

Filesize
136KB

Download
memory/3372-6-0x00000000009D0000-0x0000000000A06000-memory.dmp

Filesize
216KB

Download
memory/3372-13-0x00000000054F0000-0x0000000005556000-memory.dmp

Filesize
408KB

Download
memory/3372-29-0x0000000007ED0000-0x000000000854A000-memory.dmp

Filesize
6.5MB

Download
memory/3372-12-0x0000000004D70000-0x0000000004DD6000-memory.dmp

Filesize
408KB

Download
memory/3372-23-0x0000000005660000-0x00000000059B4000-memory.dmp

Filesize
3.3MB

Download
memory/3372-26-0x0000000006080000-0x0000000006116000-memory.dmp

Filesize
600KB

Download
memory/3372-8-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/3372-7-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/3372-27-0x0000000006000000-0x000000000601A000-memory.dmp

Filesize
104KB

Download
memory/3372-9-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/3372-24-0x0000000005B00000-0x0000000005B1E000-memory.dmp

Filesize
120KB

Download
memory/3372-25-0x0000000005B40000-0x0000000005B8C000-memory.dmp

Filesize
304KB

Download
memory/3372-28-0x0000000006050000-0x0000000006072000-memory.dmp

Filesize
136KB

Download
memory/4584-124-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/4584-60-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download