blustealer | 1c5e928b5e27daa837d1ba10187397303520f5b18cf9b5da1eaf28b7f2ba0eda

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

391130ad385ed32583fd74ab73bb6c8e.exe
Size

746KB
MD5

391130ad385ed32583fd74ab73bb6c8e
SHA1

6c1c0fe4dff3cf10651eac1401217e3534a2bc7f
SHA256

1c5e928b5e27daa837d1ba10187397303520f5b18cf9b5da1eaf28b7f2ba0eda
SHA512

473946f7bc39b5145ff0e16323e54547766fd8e01183a7a0561c99776acd306a327eab17b5aed60736f557985443af8fe4eeb66b57daf7db94faac90dff7e04a
SSDEEP

12288:EPhS40kP3sfC6NezQkqef14elBrs0xdYRqp:EpSX7fCyLof14Qs0xa

Score

10^/10

blustealer stealer

Malware Config

Extracted

Family

blustealer

Credentials

Protocol: smtp
Host:
budgetn.xyz
Port:
587
Username:
[email protected]
Password:
r[]w2e=V+]AV

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1244 set thread context of 1956	1244	391130ad385ed32583fd74ab73bb6c8e.exe	41

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2704	powershell.exe
2608	powershell.exe
2612	powershell.exe
1880	powershell.exe
1244	391130ad385ed32583fd74ab73bb6c8e.exe
1244	391130ad385ed32583fd74ab73bb6c8e.exe
1244	391130ad385ed32583fd74ab73bb6c8e.exe
1244	391130ad385ed32583fd74ab73bb6c8e.exe
1244	391130ad385ed32583fd74ab73bb6c8e.exe
1244	391130ad385ed32583fd74ab73bb6c8e.exe
1244	391130ad385ed32583fd74ab73bb6c8e.exe
1244	391130ad385ed32583fd74ab73bb6c8e.exe
1244	391130ad385ed32583fd74ab73bb6c8e.exe
1244	391130ad385ed32583fd74ab73bb6c8e.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeIncreaseQuotaPrivilege	2704	powershell.exe
Token: SeSecurityPrivilege	2704	powershell.exe
Token: SeTakeOwnershipPrivilege	2704	powershell.exe
Token: SeLoadDriverPrivilege	2704	powershell.exe
Token: SeSystemProfilePrivilege	2704	powershell.exe
Token: SeSystemtimePrivilege	2704	powershell.exe
Token: SeProfSingleProcessPrivilege	2704	powershell.exe
Token: SeIncBasePriorityPrivilege	2704	powershell.exe
Token: SeCreatePagefilePrivilege	2704	powershell.exe
Token: SeBackupPrivilege	2704	powershell.exe
Token: SeRestorePrivilege	2704	powershell.exe
Token: SeShutdownPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeSystemEnvironmentPrivilege	2704	powershell.exe
Token: SeRemoteShutdownPrivilege	2704	powershell.exe
Token: SeUndockPrivilege	2704	powershell.exe
Token: SeManageVolumePrivilege	2704	powershell.exe
Token: 33	2704	powershell.exe
Token: 34	2704	powershell.exe
Token: 35	2704	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeIncreaseQuotaPrivilege	2608	powershell.exe
Token: SeSecurityPrivilege	2608	powershell.exe
Token: SeTakeOwnershipPrivilege	2608	powershell.exe
Token: SeLoadDriverPrivilege	2608	powershell.exe
Token: SeSystemProfilePrivilege	2608	powershell.exe
Token: SeSystemtimePrivilege	2608	powershell.exe
Token: SeProfSingleProcessPrivilege	2608	powershell.exe
Token: SeIncBasePriorityPrivilege	2608	powershell.exe
Token: SeCreatePagefilePrivilege	2608	powershell.exe
Token: SeBackupPrivilege	2608	powershell.exe
Token: SeRestorePrivilege	2608	powershell.exe
Token: SeShutdownPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeSystemEnvironmentPrivilege	2608	powershell.exe
Token: SeRemoteShutdownPrivilege	2608	powershell.exe
Token: SeUndockPrivilege	2608	powershell.exe
Token: SeManageVolumePrivilege	2608	powershell.exe
Token: 33	2608	powershell.exe
Token: 34	2608	powershell.exe
Token: 35	2608	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeIncreaseQuotaPrivilege	2612	powershell.exe
Token: SeSecurityPrivilege	2612	powershell.exe
Token: SeTakeOwnershipPrivilege	2612	powershell.exe
Token: SeLoadDriverPrivilege	2612	powershell.exe
Token: SeSystemProfilePrivilege	2612	powershell.exe
Token: SeSystemtimePrivilege	2612	powershell.exe
Token: SeProfSingleProcessPrivilege	2612	powershell.exe
Token: SeIncBasePriorityPrivilege	2612	powershell.exe
Token: SeCreatePagefilePrivilege	2612	powershell.exe
Token: SeBackupPrivilege	2612	powershell.exe
Token: SeRestorePrivilege	2612	powershell.exe
Token: SeShutdownPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeSystemEnvironmentPrivilege	2612	powershell.exe
Token: SeRemoteShutdownPrivilege	2612	powershell.exe
Token: SeUndockPrivilege	2612	powershell.exe
Token: SeManageVolumePrivilege	2612	powershell.exe
Token: 33	2612	powershell.exe
Token: 34	2612	powershell.exe
Token: 35	2612	powershell.exe
Token: SeDebugPrivilege	1880	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1956	391130ad385ed32583fd74ab73bb6c8e.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 2704	1244	391130ad385ed32583fd74ab73bb6c8e.exe	28
PID 1244 wrote to memory of 2704	1244	391130ad385ed32583fd74ab73bb6c8e.exe	28
PID 1244 wrote to memory of 2704	1244	391130ad385ed32583fd74ab73bb6c8e.exe	28
PID 1244 wrote to memory of 2704	1244	391130ad385ed32583fd74ab73bb6c8e.exe	28
PID 1244 wrote to memory of 2608	1244	391130ad385ed32583fd74ab73bb6c8e.exe	32
PID 1244 wrote to memory of 2608	1244	391130ad385ed32583fd74ab73bb6c8e.exe	32
PID 1244 wrote to memory of 2608	1244	391130ad385ed32583fd74ab73bb6c8e.exe	32
PID 1244 wrote to memory of 2608	1244	391130ad385ed32583fd74ab73bb6c8e.exe	32
PID 1244 wrote to memory of 2612	1244	391130ad385ed32583fd74ab73bb6c8e.exe	34
PID 1244 wrote to memory of 2612	1244	391130ad385ed32583fd74ab73bb6c8e.exe	34
PID 1244 wrote to memory of 2612	1244	391130ad385ed32583fd74ab73bb6c8e.exe	34
PID 1244 wrote to memory of 2612	1244	391130ad385ed32583fd74ab73bb6c8e.exe	34
PID 1244 wrote to memory of 2880	1244	391130ad385ed32583fd74ab73bb6c8e.exe	35
PID 1244 wrote to memory of 2880	1244	391130ad385ed32583fd74ab73bb6c8e.exe	35
PID 1244 wrote to memory of 2880	1244	391130ad385ed32583fd74ab73bb6c8e.exe	35
PID 1244 wrote to memory of 2880	1244	391130ad385ed32583fd74ab73bb6c8e.exe	35
PID 1244 wrote to memory of 1880	1244	391130ad385ed32583fd74ab73bb6c8e.exe	38
PID 1244 wrote to memory of 1880	1244	391130ad385ed32583fd74ab73bb6c8e.exe	38
PID 1244 wrote to memory of 1880	1244	391130ad385ed32583fd74ab73bb6c8e.exe	38
PID 1244 wrote to memory of 1880	1244	391130ad385ed32583fd74ab73bb6c8e.exe	38
PID 1244 wrote to memory of 1968	1244	391130ad385ed32583fd74ab73bb6c8e.exe	43
PID 1244 wrote to memory of 1968	1244	391130ad385ed32583fd74ab73bb6c8e.exe	43
PID 1244 wrote to memory of 1968	1244	391130ad385ed32583fd74ab73bb6c8e.exe	43
PID 1244 wrote to memory of 1968	1244	391130ad385ed32583fd74ab73bb6c8e.exe	43
PID 1244 wrote to memory of 1964	1244	391130ad385ed32583fd74ab73bb6c8e.exe	42
PID 1244 wrote to memory of 1964	1244	391130ad385ed32583fd74ab73bb6c8e.exe	42
PID 1244 wrote to memory of 1964	1244	391130ad385ed32583fd74ab73bb6c8e.exe	42
PID 1244 wrote to memory of 1964	1244	391130ad385ed32583fd74ab73bb6c8e.exe	42
PID 1244 wrote to memory of 1956	1244	391130ad385ed32583fd74ab73bb6c8e.exe	41
PID 1244 wrote to memory of 1956	1244	391130ad385ed32583fd74ab73bb6c8e.exe	41
PID 1244 wrote to memory of 1956	1244	391130ad385ed32583fd74ab73bb6c8e.exe	41
PID 1244 wrote to memory of 1956	1244	391130ad385ed32583fd74ab73bb6c8e.exe	41
PID 1244 wrote to memory of 1956	1244	391130ad385ed32583fd74ab73bb6c8e.exe	41
PID 1244 wrote to memory of 1956	1244	391130ad385ed32583fd74ab73bb6c8e.exe	41
PID 1244 wrote to memory of 1956	1244	391130ad385ed32583fd74ab73bb6c8e.exe	41
PID 1244 wrote to memory of 1956	1244	391130ad385ed32583fd74ab73bb6c8e.exe	41
PID 1244 wrote to memory of 1956	1244	391130ad385ed32583fd74ab73bb6c8e.exe	41

C:\Users\Admin\AppData\Local\Temp\391130ad385ed32583fd74ab73bb6c8e.exe
"C:\Users\Admin\AppData\Local\Temp\391130ad385ed32583fd74ab73bb6c8e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2704
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2608
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2612
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
  2⤵
  PID:2880
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1880
- C:\Users\Admin\AppData\Local\Temp\391130ad385ed32583fd74ab73bb6c8e.exe
  C:\Users\Admin\AppData\Local\Temp\391130ad385ed32583fd74ab73bb6c8e.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1956
- C:\Users\Admin\AppData\Local\Temp\391130ad385ed32583fd74ab73bb6c8e.exe
  C:\Users\Admin\AppData\Local\Temp\391130ad385ed32583fd74ab73bb6c8e.exe
  2⤵
  PID:1964
- C:\Users\Admin\AppData\Local\Temp\391130ad385ed32583fd74ab73bb6c8e.exe
  C:\Users\Admin\AppData\Local\Temp\391130ad385ed32583fd74ab73bb6c8e.exe
  2⤵
  PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2KFK1IVDMG2S1EQ59ZUW.temp

Filesize
7KB

MD5
b7e1de96921d926fdce752a4e54ac2b7

SHA1
5c8b548a79ee81a180c16c88e696f78ec660fee8

SHA256
c290b5bab2d737add845cfc0232cdf9b590146a66c6d4337ac76d10867cdb1c9

SHA512
3b09d51be81e3e7f9f70dfbbb27d28a616e1dae01254d9e4a274b8871d43bf06544690021dadaea25b8c9e789d3043cd9bda42063ea5ca3e991088ced25ca657

Download Submit
memory/1244-72-0x0000000005050000-0x00000000050E3000-memory.dmp

Filesize
588KB

Download
memory/1244-76-0x0000000005050000-0x00000000050E3000-memory.dmp

Filesize
588KB

Download
memory/1244-142-0x0000000074300000-0x00000000749EE000-memory.dmp

Filesize
6.9MB

Download
memory/1244-106-0x0000000005050000-0x00000000050E3000-memory.dmp

Filesize
588KB

Download
memory/1244-49-0x0000000005050000-0x00000000050E3000-memory.dmp

Filesize
588KB

Download
memory/1244-104-0x0000000005050000-0x00000000050E3000-memory.dmp

Filesize
588KB

Download
memory/1244-52-0x0000000005050000-0x00000000050E3000-memory.dmp

Filesize
588KB

Download
memory/1244-54-0x0000000005050000-0x00000000050E3000-memory.dmp

Filesize
588KB

Download
memory/1244-56-0x0000000005050000-0x00000000050E3000-memory.dmp

Filesize
588KB

Download
memory/1244-21-0x0000000074300000-0x00000000749EE000-memory.dmp

Filesize
6.9MB

Download
memory/1244-58-0x0000000005050000-0x00000000050E3000-memory.dmp

Filesize
588KB

Download
memory/1244-60-0x0000000005050000-0x00000000050E3000-memory.dmp

Filesize
588KB

Download
memory/1244-62-0x0000000005050000-0x00000000050E3000-memory.dmp

Filesize
588KB

Download
memory/1244-64-0x0000000005050000-0x00000000050E3000-memory.dmp

Filesize
588KB

Download
memory/1244-66-0x0000000005050000-0x00000000050E3000-memory.dmp

Filesize
588KB

Download
memory/1244-27-0x0000000004810000-0x0000000004850000-memory.dmp

Filesize
256KB

Download
memory/1244-68-0x0000000005050000-0x00000000050E3000-memory.dmp

Filesize
588KB

Download
memory/1244-70-0x0000000005050000-0x00000000050E3000-memory.dmp

Filesize
588KB

Download
memory/1244-0-0x0000000000260000-0x0000000000322000-memory.dmp

Filesize
776KB

Download
memory/1244-102-0x0000000005050000-0x00000000050E3000-memory.dmp

Filesize
588KB

Download
memory/1244-78-0x0000000005050000-0x00000000050E3000-memory.dmp

Filesize
588KB

Download
memory/1244-80-0x0000000005050000-0x00000000050E3000-memory.dmp

Filesize
588KB

Download
memory/1244-82-0x0000000005050000-0x00000000050E3000-memory.dmp

Filesize
588KB

Download
memory/1244-84-0x0000000005050000-0x00000000050E3000-memory.dmp

Filesize
588KB

Download
memory/1244-86-0x0000000005050000-0x00000000050E3000-memory.dmp

Filesize
588KB

Download
memory/1244-88-0x0000000005050000-0x00000000050E3000-memory.dmp

Filesize
588KB

Download
memory/1244-48-0x0000000005050000-0x00000000050E8000-memory.dmp

Filesize
608KB

Download
memory/1244-50-0x0000000005050000-0x00000000050E3000-memory.dmp

Filesize
588KB

Download
memory/1244-74-0x0000000005050000-0x00000000050E3000-memory.dmp

Filesize
588KB

Download
memory/1244-94-0x0000000005050000-0x00000000050E3000-memory.dmp

Filesize
588KB

Download
memory/1244-112-0x0000000005050000-0x00000000050E3000-memory.dmp

Filesize
588KB

Download
memory/1244-110-0x0000000005050000-0x00000000050E3000-memory.dmp

Filesize
588KB

Download
memory/1244-108-0x0000000005050000-0x00000000050E3000-memory.dmp

Filesize
588KB

Download
memory/1244-121-0x0000000004180000-0x00000000041AA000-memory.dmp

Filesize
168KB

Download
memory/1244-90-0x0000000005050000-0x00000000050E3000-memory.dmp

Filesize
588KB

Download
memory/1244-1-0x0000000074300000-0x00000000749EE000-memory.dmp

Filesize
6.9MB

Download
memory/1244-2-0x0000000004810000-0x0000000004850000-memory.dmp

Filesize
256KB

Download
memory/1244-100-0x0000000005050000-0x00000000050E3000-memory.dmp

Filesize
588KB

Download
memory/1244-98-0x0000000005050000-0x00000000050E3000-memory.dmp

Filesize
588KB

Download
memory/1244-96-0x0000000005050000-0x00000000050E3000-memory.dmp

Filesize
588KB

Download
memory/1244-92-0x0000000005050000-0x00000000050E3000-memory.dmp

Filesize
588KB

Download
memory/1880-43-0x000000006F650000-0x000000006FBFB000-memory.dmp

Filesize
5.7MB

Download
memory/1880-45-0x0000000001DE0000-0x0000000001E20000-memory.dmp

Filesize
256KB

Download
memory/1880-128-0x000000006F650000-0x000000006FBFB000-memory.dmp

Filesize
5.7MB

Download
memory/1880-44-0x000000006F650000-0x000000006FBFB000-memory.dmp

Filesize
5.7MB

Download
memory/1880-42-0x0000000001DE0000-0x0000000001E20000-memory.dmp

Filesize
256KB

Download
memory/1880-41-0x000000006F650000-0x000000006FBFB000-memory.dmp

Filesize
5.7MB

Download
memory/1880-46-0x0000000001DE0000-0x0000000001E20000-memory.dmp

Filesize
256KB

Download
memory/1956-145-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1956-146-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2608-14-0x0000000002E90000-0x0000000002ED0000-memory.dmp

Filesize
256KB

Download
memory/2608-127-0x000000006F650000-0x000000006FBFB000-memory.dmp

Filesize
5.7MB

Download
memory/2608-122-0x000000006F650000-0x000000006FBFB000-memory.dmp

Filesize
5.7MB

Download
memory/2608-123-0x0000000002E90000-0x0000000002ED0000-memory.dmp

Filesize
256KB

Download
memory/2608-124-0x0000000002E90000-0x0000000002ED0000-memory.dmp

Filesize
256KB

Download
memory/2608-125-0x0000000002E90000-0x0000000002ED0000-memory.dmp

Filesize
256KB

Download
memory/2608-15-0x000000006F650000-0x000000006FBFB000-memory.dmp

Filesize
5.7MB

Download
memory/2608-13-0x000000006F650000-0x000000006FBFB000-memory.dmp

Filesize
5.7MB

Download
memory/2612-24-0x000000006F650000-0x000000006FBFB000-memory.dmp

Filesize
5.7MB

Download
memory/2612-25-0x0000000002AA0000-0x0000000002AE0000-memory.dmp

Filesize
256KB

Download
memory/2612-26-0x0000000002AA0000-0x0000000002AE0000-memory.dmp

Filesize
256KB

Download
memory/2612-23-0x0000000002AA0000-0x0000000002AE0000-memory.dmp

Filesize
256KB

Download
memory/2612-22-0x000000006F650000-0x000000006FBFB000-memory.dmp

Filesize
5.7MB

Download
memory/2612-126-0x000000006F650000-0x000000006FBFB000-memory.dmp

Filesize
5.7MB

Download
memory/2704-7-0x000000006F650000-0x000000006FBFB000-memory.dmp

Filesize
5.7MB

Download
memory/2704-5-0x000000006F650000-0x000000006FBFB000-memory.dmp

Filesize
5.7MB

Download
memory/2704-47-0x000000006F650000-0x000000006FBFB000-memory.dmp

Filesize
5.7MB

Download
memory/2704-40-0x000000006F650000-0x000000006FBFB000-memory.dmp

Filesize
5.7MB

Download
memory/2704-6-0x00000000028F0000-0x0000000002930000-memory.dmp

Filesize
256KB

Download
memory/2704-28-0x000000006F650000-0x000000006FBFB000-memory.dmp

Filesize
5.7MB

Download
memory/2880-34-0x000000006F650000-0x000000006FBFB000-memory.dmp

Filesize
5.7MB

Download