blustealer | 4fcc150d5a31b78a9a619c62e95fd4a1e4e132a5cf261881b06e2f8a76f84e36

Analysis

max time kernel
143s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 07:30

Target

2d7479c7725ea48ef2bde8ac454d2771.exe
Size

916KB
MD5

2d7479c7725ea48ef2bde8ac454d2771
SHA1

cc1ff66ff4cfbf6d9fd68e5544be870047c87f1f
SHA256

4fcc150d5a31b78a9a619c62e95fd4a1e4e132a5cf261881b06e2f8a76f84e36
SHA512

62b052f669ba909a30e1d314c366a56e41e489740efde24faaff305562dfe29b8e6bc23d24b7a50352912a2b2fd6c951cdb822470fd726a5416b19925b06bfd7
SSDEEP

12288:lgBD8VRCxnU7BiGq8F+MJS/euQY7xypq6493RJvw91bo7jzvi2nTn2:tzCUNRq8F+oweuQKc4hRa/boXzvv

Score

10^/10

Family

blustealer

Credentials

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 616 set thread context of 4656	616	2d7479c7725ea48ef2bde8ac454d2771.exe	102

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4656	2d7479c7725ea48ef2bde8ac454d2771.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 616 wrote to memory of 4656	616	2d7479c7725ea48ef2bde8ac454d2771.exe	102
PID 616 wrote to memory of 4656	616	2d7479c7725ea48ef2bde8ac454d2771.exe	102
PID 616 wrote to memory of 4656	616	2d7479c7725ea48ef2bde8ac454d2771.exe	102
PID 616 wrote to memory of 4656	616	2d7479c7725ea48ef2bde8ac454d2771.exe	102
PID 616 wrote to memory of 4656	616	2d7479c7725ea48ef2bde8ac454d2771.exe	102
PID 616 wrote to memory of 4656	616	2d7479c7725ea48ef2bde8ac454d2771.exe	102
PID 616 wrote to memory of 4656	616	2d7479c7725ea48ef2bde8ac454d2771.exe	102
PID 616 wrote to memory of 4656	616	2d7479c7725ea48ef2bde8ac454d2771.exe	102

C:\Users\Admin\AppData\Local\Temp\2d7479c7725ea48ef2bde8ac454d2771.exe
"C:\Users\Admin\AppData\Local\Temp\2d7479c7725ea48ef2bde8ac454d2771.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:616
- C:\Users\Admin\AppData\Local\Temp\2d7479c7725ea48ef2bde8ac454d2771.exe
  "C:\Users\Admin\AppData\Local\Temp\2d7479c7725ea48ef2bde8ac454d2771.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4656

memory/616-8-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/616-7-0x0000000006AA0000-0x0000000006B3C000-memory.dmp

Filesize
624KB

Download
memory/616-3-0x00000000053D0000-0x0000000005462000-memory.dmp

Filesize
584KB

Download
memory/616-0-0x00000000008B0000-0x000000000099C000-memory.dmp

Filesize
944KB

Download
memory/616-1-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/616-5-0x00000000053A0000-0x00000000053AA000-memory.dmp

Filesize
40KB

Download
memory/616-2-0x00000000058E0000-0x0000000005E84000-memory.dmp

Filesize
5.6MB

Download
memory/616-6-0x0000000005620000-0x000000000563C000-memory.dmp

Filesize
112KB

Download
memory/616-4-0x0000000005310000-0x0000000005320000-memory.dmp

Filesize
64KB

Download
memory/616-9-0x0000000005310000-0x0000000005320000-memory.dmp

Filesize
64KB

Download
memory/616-10-0x0000000006A00000-0x0000000006A9A000-memory.dmp

Filesize
616KB

Download
memory/616-11-0x00000000091E0000-0x0000000009246000-memory.dmp

Filesize
408KB

Download
memory/616-17-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/4656-15-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4656-12-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4656-19-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download