blustealer | b080bdfe0c1e6065997164216ff6d7d453da2a92f354805f0b1d7bc0e5d80f07

Analysis

max time kernel
0s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 13:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38c7c190f42c9b02e294eb1d2ecdd288.exe
Size

676KB
MD5

38c7c190f42c9b02e294eb1d2ecdd288
SHA1

e3380ec61f592b579f217d26eacc3f18f303bf31
SHA256

b080bdfe0c1e6065997164216ff6d7d453da2a92f354805f0b1d7bc0e5d80f07
SHA512

159becd2a284a934726d3f3ef14363406349216832fa57644345b679e97adcdb88a515ab93d749446bd2f7a704c2e4614856d4b5bb91b297acd736f22b2213d0
SSDEEP

12288:3LhJCf/j8wqDqK+hMJagb0/6vxF5dNrd4n5j8bpItZUzuv:3L7+/jVqOLhgaO0CxvrlbYZUyv

Score

10^/10

blustealer stealer

Malware Config

Extracted

Family

blustealer

Credentials

Protocol: smtp
Host:
smtp.privateemail.com
Port:
587
Username:
[email protected]
Password:
@@@@@@

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2356 set thread context of 2420	2356	38c7c190f42c9b02e294eb1d2ecdd288.exe	14

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2356	38c7c190f42c9b02e294eb1d2ecdd288.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2420	38c7c190f42c9b02e294eb1d2ecdd288.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2420	2356	38c7c190f42c9b02e294eb1d2ecdd288.exe	14
PID 2356 wrote to memory of 2420	2356	38c7c190f42c9b02e294eb1d2ecdd288.exe	14
PID 2356 wrote to memory of 2420	2356	38c7c190f42c9b02e294eb1d2ecdd288.exe	14
PID 2356 wrote to memory of 2420	2356	38c7c190f42c9b02e294eb1d2ecdd288.exe	14
PID 2356 wrote to memory of 2420	2356	38c7c190f42c9b02e294eb1d2ecdd288.exe	14

C:\Users\Admin\AppData\Local\Temp\38c7c190f42c9b02e294eb1d2ecdd288.exe
"C:\Users\Admin\AppData\Local\Temp\38c7c190f42c9b02e294eb1d2ecdd288.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2420

C:\Users\Admin\AppData\Local\Temp\38c7c190f42c9b02e294eb1d2ecdd288.exe
"C:\Users\Admin\AppData\Local\Temp\38c7c190f42c9b02e294eb1d2ecdd288.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\TEMPLA~1\7L1I8L~1.ZIP

Filesize
6KB

MD5
875c526b0c636fe2501cea508986a8b8

SHA1
c18c13b5bb55dc71e2f9eca8f668ebe1d0ee02dc

SHA256
ca1d494bd5990b07c1a085b9c8e9fb0a2b2653d3f0943cce4e21ac38b3bc7503

SHA512
344276c8b2d31f2be4889b206c070844caad348ebb22ec52acc4eb34b02b489ae685194d3b2fcbc804ec932dfa4da63507b95a0874f91fdc0974e762b36ae821

Download Submit
memory/2356-4-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2356-1-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/2356-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2420-5-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2420-2-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2420-35-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download