blustealer | 1c5e928b5e27daa837d1ba10187397303520f5b18cf9b5da1eaf28b7f2ba0eda

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

391130ad385ed32583fd74ab73bb6c8e.exe
Size

746KB
MD5

391130ad385ed32583fd74ab73bb6c8e
SHA1

6c1c0fe4dff3cf10651eac1401217e3534a2bc7f
SHA256

1c5e928b5e27daa837d1ba10187397303520f5b18cf9b5da1eaf28b7f2ba0eda
SHA512

473946f7bc39b5145ff0e16323e54547766fd8e01183a7a0561c99776acd306a327eab17b5aed60736f557985443af8fe4eeb66b57daf7db94faac90dff7e04a
SSDEEP

12288:EPhS40kP3sfC6NezQkqef14elBrs0xdYRqp:EpSX7fCyLof14Qs0xa

Score

10^/10

blustealer stealer

Malware Config

Extracted

Family

blustealer

Credentials

Protocol: smtp
Host:
budgetn.xyz
Port:
587
Username:
[email protected]
Password:
r[]w2e=V+]AV

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	391130ad385ed32583fd74ab73bb6c8e.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3320 set thread context of 3848	3320	391130ad385ed32583fd74ab73bb6c8e.exe	109

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4308	powershell.exe
4308	powershell.exe
2468	powershell.exe
2468	powershell.exe
2468	powershell.exe
3096	powershell.exe
3096	powershell.exe
3096	powershell.exe
4900	powershell.exe
4900	powershell.exe
4900	powershell.exe
4816	powershell.exe
4816	powershell.exe
4816	powershell.exe
3320	391130ad385ed32583fd74ab73bb6c8e.exe
3320	391130ad385ed32583fd74ab73bb6c8e.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4308	powershell.exe
Token: SeIncreaseQuotaPrivilege	4308	powershell.exe
Token: SeSecurityPrivilege	4308	powershell.exe
Token: SeTakeOwnershipPrivilege	4308	powershell.exe
Token: SeLoadDriverPrivilege	4308	powershell.exe
Token: SeSystemProfilePrivilege	4308	powershell.exe
Token: SeSystemtimePrivilege	4308	powershell.exe
Token: SeProfSingleProcessPrivilege	4308	powershell.exe
Token: SeIncBasePriorityPrivilege	4308	powershell.exe
Token: SeCreatePagefilePrivilege	4308	powershell.exe
Token: SeBackupPrivilege	4308	powershell.exe
Token: SeRestorePrivilege	4308	powershell.exe
Token: SeShutdownPrivilege	4308	powershell.exe
Token: SeDebugPrivilege	4308	powershell.exe
Token: SeSystemEnvironmentPrivilege	4308	powershell.exe
Token: SeRemoteShutdownPrivilege	4308	powershell.exe
Token: SeUndockPrivilege	4308	powershell.exe
Token: SeManageVolumePrivilege	4308	powershell.exe
Token: 33	4308	powershell.exe
Token: 34	4308	powershell.exe
Token: 35	4308	powershell.exe
Token: 36	4308	powershell.exe
Token: SeIncreaseQuotaPrivilege	4308	powershell.exe
Token: SeSecurityPrivilege	4308	powershell.exe
Token: SeTakeOwnershipPrivilege	4308	powershell.exe
Token: SeLoadDriverPrivilege	4308	powershell.exe
Token: SeSystemProfilePrivilege	4308	powershell.exe
Token: SeSystemtimePrivilege	4308	powershell.exe
Token: SeProfSingleProcessPrivilege	4308	powershell.exe
Token: SeIncBasePriorityPrivilege	4308	powershell.exe
Token: SeCreatePagefilePrivilege	4308	powershell.exe
Token: SeBackupPrivilege	4308	powershell.exe
Token: SeRestorePrivilege	4308	powershell.exe
Token: SeShutdownPrivilege	4308	powershell.exe
Token: SeDebugPrivilege	4308	powershell.exe
Token: SeSystemEnvironmentPrivilege	4308	powershell.exe
Token: SeRemoteShutdownPrivilege	4308	powershell.exe
Token: SeUndockPrivilege	4308	powershell.exe
Token: SeManageVolumePrivilege	4308	powershell.exe
Token: 33	4308	powershell.exe
Token: 34	4308	powershell.exe
Token: 35	4308	powershell.exe
Token: 36	4308	powershell.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeIncreaseQuotaPrivilege	2468	powershell.exe
Token: SeSecurityPrivilege	2468	powershell.exe
Token: SeTakeOwnershipPrivilege	2468	powershell.exe
Token: SeLoadDriverPrivilege	2468	powershell.exe
Token: SeSystemProfilePrivilege	2468	powershell.exe
Token: SeSystemtimePrivilege	2468	powershell.exe
Token: SeProfSingleProcessPrivilege	2468	powershell.exe
Token: SeIncBasePriorityPrivilege	2468	powershell.exe
Token: SeCreatePagefilePrivilege	2468	powershell.exe
Token: SeBackupPrivilege	2468	powershell.exe
Token: SeRestorePrivilege	2468	powershell.exe
Token: SeShutdownPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeSystemEnvironmentPrivilege	2468	powershell.exe
Token: SeRemoteShutdownPrivilege	2468	powershell.exe
Token: SeUndockPrivilege	2468	powershell.exe
Token: SeManageVolumePrivilege	2468	powershell.exe
Token: 33	2468	powershell.exe
Token: 34	2468	powershell.exe
Token: 35	2468	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3848	391130ad385ed32583fd74ab73bb6c8e.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3320 wrote to memory of 4308	3320	391130ad385ed32583fd74ab73bb6c8e.exe	92
PID 3320 wrote to memory of 4308	3320	391130ad385ed32583fd74ab73bb6c8e.exe	92
PID 3320 wrote to memory of 4308	3320	391130ad385ed32583fd74ab73bb6c8e.exe	92
PID 3320 wrote to memory of 2468	3320	391130ad385ed32583fd74ab73bb6c8e.exe	95
PID 3320 wrote to memory of 2468	3320	391130ad385ed32583fd74ab73bb6c8e.exe	95
PID 3320 wrote to memory of 2468	3320	391130ad385ed32583fd74ab73bb6c8e.exe	95
PID 3320 wrote to memory of 3096	3320	391130ad385ed32583fd74ab73bb6c8e.exe	97
PID 3320 wrote to memory of 3096	3320	391130ad385ed32583fd74ab73bb6c8e.exe	97
PID 3320 wrote to memory of 3096	3320	391130ad385ed32583fd74ab73bb6c8e.exe	97
PID 3320 wrote to memory of 4900	3320	391130ad385ed32583fd74ab73bb6c8e.exe	102
PID 3320 wrote to memory of 4900	3320	391130ad385ed32583fd74ab73bb6c8e.exe	102
PID 3320 wrote to memory of 4900	3320	391130ad385ed32583fd74ab73bb6c8e.exe	102
PID 3320 wrote to memory of 4816	3320	391130ad385ed32583fd74ab73bb6c8e.exe	106
PID 3320 wrote to memory of 4816	3320	391130ad385ed32583fd74ab73bb6c8e.exe	106
PID 3320 wrote to memory of 4816	3320	391130ad385ed32583fd74ab73bb6c8e.exe	106
PID 3320 wrote to memory of 3848	3320	391130ad385ed32583fd74ab73bb6c8e.exe	109
PID 3320 wrote to memory of 3848	3320	391130ad385ed32583fd74ab73bb6c8e.exe	109
PID 3320 wrote to memory of 3848	3320	391130ad385ed32583fd74ab73bb6c8e.exe	109
PID 3320 wrote to memory of 3848	3320	391130ad385ed32583fd74ab73bb6c8e.exe	109
PID 3320 wrote to memory of 3848	3320	391130ad385ed32583fd74ab73bb6c8e.exe	109
PID 3320 wrote to memory of 3848	3320	391130ad385ed32583fd74ab73bb6c8e.exe	109
PID 3320 wrote to memory of 3848	3320	391130ad385ed32583fd74ab73bb6c8e.exe	109
PID 3320 wrote to memory of 3848	3320	391130ad385ed32583fd74ab73bb6c8e.exe	109

C:\Users\Admin\AppData\Local\Temp\391130ad385ed32583fd74ab73bb6c8e.exe
"C:\Users\Admin\AppData\Local\Temp\391130ad385ed32583fd74ab73bb6c8e.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3320
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4308
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2468
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3096
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4900
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4816
- C:\Users\Admin\AppData\Local\Temp\391130ad385ed32583fd74ab73bb6c8e.exe
  C:\Users\Admin\AppData\Local\Temp\391130ad385ed32583fd74ab73bb6c8e.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
memory/2468-32-0x0000000002C60000-0x0000000002C70000-memory.dmp

Filesize
64KB

Download
memory/2468-31-0x0000000002C60000-0x0000000002C70000-memory.dmp

Filesize
64KB

Download
memory/2468-30-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/2468-87-0x0000000002C60000-0x0000000002C70000-memory.dmp

Filesize
64KB

Download
memory/2468-192-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/2468-86-0x0000000002C60000-0x0000000002C70000-memory.dmp

Filesize
64KB

Download
memory/2468-85-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/3096-186-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/3096-168-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/3096-167-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/3096-166-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/3096-42-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/3096-44-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/3096-43-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/3320-163-0x0000000008BE0000-0x0000000008C56000-memory.dmp

Filesize
472KB

Download
memory/3320-96-0x0000000006C60000-0x0000000006CF3000-memory.dmp

Filesize
588KB

Download
memory/3320-198-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/3320-0-0x0000000000FA0000-0x0000000001062000-memory.dmp

Filesize
776KB

Download
memory/3320-1-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/3320-2-0x00000000061B0000-0x0000000006754000-memory.dmp

Filesize
5.6MB

Download
memory/3320-3-0x0000000005A40000-0x0000000005AD2000-memory.dmp

Filesize
584KB

Download
memory/3320-54-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/3320-55-0x0000000003580000-0x0000000003590000-memory.dmp

Filesize
64KB

Download
memory/3320-4-0x0000000003580000-0x0000000003590000-memory.dmp

Filesize
64KB

Download
memory/3320-88-0x0000000006C60000-0x0000000006CF8000-memory.dmp

Filesize
608KB

Download
memory/3320-90-0x0000000006C60000-0x0000000006CF3000-memory.dmp

Filesize
588KB

Download
memory/3320-92-0x0000000006C60000-0x0000000006CF3000-memory.dmp

Filesize
588KB

Download
memory/3320-94-0x0000000006C60000-0x0000000006CF3000-memory.dmp

Filesize
588KB

Download
memory/3320-98-0x0000000006C60000-0x0000000006CF3000-memory.dmp

Filesize
588KB

Download
memory/3320-100-0x0000000006C60000-0x0000000006CF3000-memory.dmp

Filesize
588KB

Download
memory/3320-102-0x0000000006C60000-0x0000000006CF3000-memory.dmp

Filesize
588KB

Download
memory/3320-104-0x0000000006C60000-0x0000000006CF3000-memory.dmp

Filesize
588KB

Download
memory/3320-108-0x0000000006C60000-0x0000000006CF3000-memory.dmp

Filesize
588KB

Download
memory/3320-110-0x0000000006C60000-0x0000000006CF3000-memory.dmp

Filesize
588KB

Download
memory/3320-112-0x0000000006C60000-0x0000000006CF3000-memory.dmp

Filesize
588KB

Download
memory/3320-116-0x0000000006C60000-0x0000000006CF3000-memory.dmp

Filesize
588KB

Download
memory/3320-118-0x0000000006C60000-0x0000000006CF3000-memory.dmp

Filesize
588KB

Download
memory/3320-120-0x0000000006C60000-0x0000000006CF3000-memory.dmp

Filesize
588KB

Download
memory/3320-124-0x0000000006C60000-0x0000000006CF3000-memory.dmp

Filesize
588KB

Download
memory/3320-126-0x0000000006C60000-0x0000000006CF3000-memory.dmp

Filesize
588KB

Download
memory/3320-89-0x0000000006C60000-0x0000000006CF3000-memory.dmp

Filesize
588KB

Download
memory/3320-106-0x0000000006C60000-0x0000000006CF3000-memory.dmp

Filesize
588KB

Download
memory/3320-122-0x0000000006C60000-0x0000000006CF3000-memory.dmp

Filesize
588KB

Download
memory/3320-136-0x0000000006C60000-0x0000000006CF3000-memory.dmp

Filesize
588KB

Download
memory/3320-150-0x0000000006C60000-0x0000000006CF3000-memory.dmp

Filesize
588KB

Download
memory/3320-5-0x0000000005C20000-0x0000000005C2A000-memory.dmp

Filesize
40KB

Download
memory/3320-164-0x0000000006D20000-0x0000000006D4A000-memory.dmp

Filesize
168KB

Download
memory/3320-165-0x0000000008C80000-0x0000000008C9E000-memory.dmp

Filesize
120KB

Download
memory/3320-154-0x0000000006C60000-0x0000000006CF3000-memory.dmp

Filesize
588KB

Download
memory/3320-152-0x0000000006C60000-0x0000000006CF3000-memory.dmp

Filesize
588KB

Download
memory/3320-148-0x0000000006C60000-0x0000000006CF3000-memory.dmp

Filesize
588KB

Download
memory/3320-146-0x0000000006C60000-0x0000000006CF3000-memory.dmp

Filesize
588KB

Download
memory/3320-144-0x0000000006C60000-0x0000000006CF3000-memory.dmp

Filesize
588KB

Download
memory/3320-142-0x0000000006C60000-0x0000000006CF3000-memory.dmp

Filesize
588KB

Download
memory/3320-140-0x0000000006C60000-0x0000000006CF3000-memory.dmp

Filesize
588KB

Download
memory/3320-138-0x0000000006C60000-0x0000000006CF3000-memory.dmp

Filesize
588KB

Download
memory/3320-134-0x0000000006C60000-0x0000000006CF3000-memory.dmp

Filesize
588KB

Download
memory/3320-132-0x0000000006C60000-0x0000000006CF3000-memory.dmp

Filesize
588KB

Download
memory/3320-130-0x0000000006C60000-0x0000000006CF3000-memory.dmp

Filesize
588KB

Download
memory/3320-128-0x0000000006C60000-0x0000000006CF3000-memory.dmp

Filesize
588KB

Download
memory/3848-202-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3848-201-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4308-57-0x00000000021B0000-0x00000000021C0000-memory.dmp

Filesize
64KB

Download
memory/4308-56-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/4308-8-0x00000000021B0000-0x00000000021C0000-memory.dmp

Filesize
64KB

Download
memory/4308-10-0x0000000004E50000-0x0000000005478000-memory.dmp

Filesize
6.2MB

Download
memory/4308-71-0x00000000021B0000-0x00000000021C0000-memory.dmp

Filesize
64KB

Download
memory/4308-24-0x0000000005A80000-0x0000000005A9E000-memory.dmp

Filesize
120KB

Download
memory/4308-25-0x0000000005EC0000-0x0000000005F0C000-memory.dmp

Filesize
304KB

Download
memory/4308-11-0x0000000004BF0000-0x0000000004C12000-memory.dmp

Filesize
136KB

Download
memory/4308-9-0x00000000021B0000-0x00000000021C0000-memory.dmp

Filesize
64KB

Download
memory/4308-18-0x0000000005480000-0x00000000054E6000-memory.dmp

Filesize
408KB

Download
memory/4308-12-0x0000000004D90000-0x0000000004DF6000-memory.dmp

Filesize
408KB

Download
memory/4308-29-0x0000000007FE0000-0x000000000865A000-memory.dmp

Filesize
6.5MB

Download
memory/4308-27-0x0000000005F70000-0x0000000005F8A000-memory.dmp

Filesize
104KB

Download
memory/4308-28-0x0000000006C50000-0x0000000006C72000-memory.dmp

Filesize
136KB

Download
memory/4308-26-0x0000000005FE0000-0x0000000006076000-memory.dmp

Filesize
600KB

Download
memory/4308-6-0x0000000002140000-0x0000000002176000-memory.dmp

Filesize
216KB

Download
memory/4308-23-0x00000000055F0000-0x0000000005944000-memory.dmp

Filesize
3.3MB

Download
memory/4308-7-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/4308-171-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/4816-179-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/4816-178-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/4816-177-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/4816-183-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/4816-73-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/4816-72-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/4900-175-0x0000000003030000-0x0000000003040000-memory.dmp

Filesize
64KB

Download
memory/4900-174-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/4900-176-0x0000000003030000-0x0000000003040000-memory.dmp

Filesize
64KB

Download
memory/4900-60-0x0000000003030000-0x0000000003040000-memory.dmp

Filesize
64KB

Download
memory/4900-189-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/4900-59-0x0000000003030000-0x0000000003040000-memory.dmp

Filesize
64KB

Download
memory/4900-58-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download