blustealer | 87554a4dd27618fd878d5a4e87564c07d104d02205e9915a09def1faa511d836

Analysis

max time kernel
127s
max time network
142s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 11:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

343aa62ee222dbd3ca597a201b35bd4a.exe
Size

2.3MB
MD5

343aa62ee222dbd3ca597a201b35bd4a
SHA1

59ee3af3a680b11d36d6db44499fa7614cda09a1
SHA256

87554a4dd27618fd878d5a4e87564c07d104d02205e9915a09def1faa511d836
SHA512

d310519d378b84ecfc5b1c838f45d2eab9508ec2b25758dd593265cfd4ee825001728b8662e57df16b878835527dd661f68c0748d80eb7247c5982f6b2469980
SSDEEP

12288:WbWKPiw4bMYaWNTk9qkSa6CB/feiDgC4o9iTHhtNmVdEj1hyJ2eXNPnrEdrE:FErtYa4YlSyfDT+Hm8j1hyJxXN/odo

Score

10^/10

blustealer stealer

Malware Config

Extracted

Family

blustealer

Credentials

Protocol: smtp
Host:
budgetn.xyz
Port:
587
Username:
[email protected]
Password:
E6uOyau@R_(Q

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 1 IoCs

pid	Process
1668	noot.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2136 set thread context of 2364	2136	343aa62ee222dbd3ca597a201b35bd4a.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
980	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2136	343aa62ee222dbd3ca597a201b35bd4a.exe
Token: SeDebugPrivilege	1668	noot.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2364	vbc.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2448	2136	343aa62ee222dbd3ca597a201b35bd4a.exe	28
PID 2136 wrote to memory of 2448	2136	343aa62ee222dbd3ca597a201b35bd4a.exe	28
PID 2136 wrote to memory of 2448	2136	343aa62ee222dbd3ca597a201b35bd4a.exe	28
PID 2136 wrote to memory of 2448	2136	343aa62ee222dbd3ca597a201b35bd4a.exe	28
PID 2136 wrote to memory of 2364	2136	343aa62ee222dbd3ca597a201b35bd4a.exe	29
PID 2136 wrote to memory of 2364	2136	343aa62ee222dbd3ca597a201b35bd4a.exe	29
PID 2136 wrote to memory of 2364	2136	343aa62ee222dbd3ca597a201b35bd4a.exe	29
PID 2136 wrote to memory of 2364	2136	343aa62ee222dbd3ca597a201b35bd4a.exe	29
PID 2136 wrote to memory of 2364	2136	343aa62ee222dbd3ca597a201b35bd4a.exe	29
PID 2136 wrote to memory of 2364	2136	343aa62ee222dbd3ca597a201b35bd4a.exe	29
PID 2136 wrote to memory of 2364	2136	343aa62ee222dbd3ca597a201b35bd4a.exe	29
PID 2136 wrote to memory of 2364	2136	343aa62ee222dbd3ca597a201b35bd4a.exe	29
PID 2136 wrote to memory of 2364	2136	343aa62ee222dbd3ca597a201b35bd4a.exe	29
PID 2136 wrote to memory of 572	2136	343aa62ee222dbd3ca597a201b35bd4a.exe	34
PID 2136 wrote to memory of 572	2136	343aa62ee222dbd3ca597a201b35bd4a.exe	34
PID 2136 wrote to memory of 572	2136	343aa62ee222dbd3ca597a201b35bd4a.exe	34
PID 2136 wrote to memory of 572	2136	343aa62ee222dbd3ca597a201b35bd4a.exe	34
PID 2136 wrote to memory of 688	2136	343aa62ee222dbd3ca597a201b35bd4a.exe	36
PID 2136 wrote to memory of 688	2136	343aa62ee222dbd3ca597a201b35bd4a.exe	36
PID 2136 wrote to memory of 688	2136	343aa62ee222dbd3ca597a201b35bd4a.exe	36
PID 2136 wrote to memory of 688	2136	343aa62ee222dbd3ca597a201b35bd4a.exe	36
PID 572 wrote to memory of 980	572	cmd.exe	38
PID 572 wrote to memory of 980	572	cmd.exe	38
PID 572 wrote to memory of 980	572	cmd.exe	38
PID 572 wrote to memory of 980	572	cmd.exe	38
PID 876 wrote to memory of 1668	876	taskeng.exe	40
PID 876 wrote to memory of 1668	876	taskeng.exe	40
PID 876 wrote to memory of 1668	876	taskeng.exe	40
PID 876 wrote to memory of 1668	876	taskeng.exe	40

C:\Users\Admin\AppData\Local\Temp\343aa62ee222dbd3ca597a201b35bd4a.exe
"C:\Users\Admin\AppData\Local\Temp\343aa62ee222dbd3ca597a201b35bd4a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c
  2⤵
  PID:2448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2364
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\noot\noot.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:572
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\noot\noot.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:980
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\343aa62ee222dbd3ca597a201b35bd4a.exe" "C:\Users\Admin\AppData\Roaming\noot\noot.exe"
  2⤵
  PID:688

C:\Windows\system32\taskeng.exe
taskeng.exe {AB2F9352-4FAD-49E9-884B-8062B23D9A56} S-1-5-21-928733405-3780110381-2966456290-1000:VTILVGXH\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:876
- C:\Users\Admin\AppData\Roaming\noot\noot.exe
  C:\Users\Admin\AppData\Roaming\noot\noot.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\noot\noot.exe

Filesize
324KB

MD5
042e0e9b3d2b53d30c841da68bdb3eac

SHA1
70bebdd654466a3d584c5d2741d7bf3e32000923

SHA256
fb42593f9544daf427588bcd85e7d6b74263592596f93d82ab6e0c5fae90443d

SHA512
3e25f84afab442f6c365bed427df650adff015fcc35cd0f8fcd30879491eb90a83983761210efbac125cd00dde0606870acc9cb44965ed01540d0bb38700a38e

Download Submit
C:\Users\Admin\AppData\Roaming\noot\noot.exe

Filesize
704KB

MD5
47c9a6e42c1bfa2eb80baad4c06818ac

SHA1
a4de7c0167591efdf1dc4ebc781f0e5b004443b6

SHA256
7b5a02dd40ec60b5fccdabf625e8203e7a6a72c6115d20c7bd52ce4afc10dee3

SHA512
1fbd3bba3f2b69835c46ee53d272270bc811d8acaaba08f79fb00bad604e6aa481a548eaaea70b4b1810b71e6e363f46c762fe98080d853e122ff6713f09dc69

Download Submit
memory/1668-28-0x0000000000960000-0x00000000009A0000-memory.dmp

Filesize
256KB

Download
memory/1668-27-0x0000000074370000-0x0000000074A5E000-memory.dmp

Filesize
6.9MB

Download
memory/1668-26-0x0000000000960000-0x00000000009A0000-memory.dmp

Filesize
256KB

Download
memory/1668-25-0x0000000074370000-0x0000000074A5E000-memory.dmp

Filesize
6.9MB

Download
memory/1668-24-0x0000000000070000-0x00000000002CE000-memory.dmp

Filesize
2.4MB

Download
memory/2136-0-0x0000000000BE0000-0x0000000000E3E000-memory.dmp

Filesize
2.4MB

Download
memory/2136-2-0x0000000004F60000-0x0000000004FA0000-memory.dmp

Filesize
256KB

Download
memory/2136-1-0x0000000074370000-0x0000000074A5E000-memory.dmp

Filesize
6.9MB

Download
memory/2136-18-0x0000000074370000-0x0000000074A5E000-memory.dmp

Filesize
6.9MB

Download
memory/2136-19-0x0000000004F60000-0x0000000004FA0000-memory.dmp

Filesize
256KB

Download
memory/2364-11-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2364-17-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2364-12-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2364-14-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2364-3-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2364-7-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2364-5-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads