blustealer | 6b747506cd4c9f9807084784cc5c67b5b134258c059d8089c6406e3585db5275

General

Target

54fd4c25a6a9bfa5f54a6b77fb1a8de3.exe
Size

2.3MB
MD5

54fd4c25a6a9bfa5f54a6b77fb1a8de3
SHA1

3ef6347026b0269bffa572f41a0c8f666d5ab5c1
SHA256

6b747506cd4c9f9807084784cc5c67b5b134258c059d8089c6406e3585db5275
SHA512

34ad184a3bbbae4a6dc063b9d38cbd69156ea8eb5546344c8b7b05aa08053f06e7c322e28022f2712953497ae7f1d4564f7832a39e4176ab06be7113d7c6172e
SSDEEP

24576:6K1ZYe0/8W5p9NIaP7jefuYXeT7IPulgxXN/odo:PB00kpgaPaDpPulgxO+

Score

10^/10

blustealer stealer

Malware Config

Extracted

Family

blustealer

Credentials

Protocol: smtp
Host:
restd.xyz
Port:
587
Username:
[email protected]
Password:
E^6666?VJo99/*

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	54fd4c25a6a9bfa5f54a6b77fb1a8de3.exe

Executes dropped EXE 1 IoCs

pid	Process
4772	noot.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3036 set thread context of 3936	3036	54fd4c25a6a9bfa5f54a6b77fb1a8de3.exe	90

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2412	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3036	54fd4c25a6a9bfa5f54a6b77fb1a8de3.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3936	vbc.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 1172	3036	54fd4c25a6a9bfa5f54a6b77fb1a8de3.exe	92
PID 3036 wrote to memory of 1172	3036	54fd4c25a6a9bfa5f54a6b77fb1a8de3.exe	92
PID 3036 wrote to memory of 1172	3036	54fd4c25a6a9bfa5f54a6b77fb1a8de3.exe	92
PID 3036 wrote to memory of 3936	3036	54fd4c25a6a9bfa5f54a6b77fb1a8de3.exe	90
PID 3036 wrote to memory of 3936	3036	54fd4c25a6a9bfa5f54a6b77fb1a8de3.exe	90
PID 3036 wrote to memory of 3936	3036	54fd4c25a6a9bfa5f54a6b77fb1a8de3.exe	90
PID 3036 wrote to memory of 3936	3036	54fd4c25a6a9bfa5f54a6b77fb1a8de3.exe	90
PID 3036 wrote to memory of 3936	3036	54fd4c25a6a9bfa5f54a6b77fb1a8de3.exe	90
PID 3036 wrote to memory of 3936	3036	54fd4c25a6a9bfa5f54a6b77fb1a8de3.exe	90
PID 3036 wrote to memory of 3936	3036	54fd4c25a6a9bfa5f54a6b77fb1a8de3.exe	90
PID 3036 wrote to memory of 3936	3036	54fd4c25a6a9bfa5f54a6b77fb1a8de3.exe	90
PID 3036 wrote to memory of 4692	3036	54fd4c25a6a9bfa5f54a6b77fb1a8de3.exe	103
PID 3036 wrote to memory of 4692	3036	54fd4c25a6a9bfa5f54a6b77fb1a8de3.exe	103
PID 3036 wrote to memory of 4692	3036	54fd4c25a6a9bfa5f54a6b77fb1a8de3.exe	103
PID 3036 wrote to memory of 548	3036	54fd4c25a6a9bfa5f54a6b77fb1a8de3.exe	105
PID 3036 wrote to memory of 548	3036	54fd4c25a6a9bfa5f54a6b77fb1a8de3.exe	105
PID 3036 wrote to memory of 548	3036	54fd4c25a6a9bfa5f54a6b77fb1a8de3.exe	105
PID 4692 wrote to memory of 2412	4692	cmd.exe	107
PID 4692 wrote to memory of 2412	4692	cmd.exe	107
PID 4692 wrote to memory of 2412	4692	cmd.exe	107

C:\Users\Admin\AppData\Local\Temp\54fd4c25a6a9bfa5f54a6b77fb1a8de3.exe
"C:\Users\Admin\AppData\Local\Temp\54fd4c25a6a9bfa5f54a6b77fb1a8de3.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3936
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c
  2⤵
  PID:1172
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\noot\noot.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4692
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\noot\noot.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:2412
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\54fd4c25a6a9bfa5f54a6b77fb1a8de3.exe" "C:\Users\Admin\AppData\Roaming\noot\noot.exe"
  2⤵
  PID:548

C:\Users\Admin\AppData\Roaming\noot\noot.exe
C:\Users\Admin\AppData\Roaming\noot\noot.exe
1⤵
- Executes dropped EXE
PID:4772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scripting

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\noot\noot.exe

Filesize
1.3MB

MD5
3b8bc982aaa0a43db977095bf5fe2c6d

SHA1
c77e9c8915e2a81104ff2b0d65e396c5132c7e01

SHA256
05cfa1ec7ca7cd91a34f7b7a73d0c7352957bc38378a5ef4d34403681bc767ca

SHA512
8d18201430a2ba39611f6f3529921bc065357b40606ae3669aec67dc69a6ef6374e4d7f9006c38bea122b98ac26c9eebf9feacc76a2249eb9c6508998dd8a1ce

Download Submit
C:\Users\Admin\AppData\Roaming\noot\noot.exe

Filesize
1.1MB

MD5
0f1cbf0398fb9930ddf5639df5045ec1

SHA1
0b9005117d19d688ea5de5830d4769b1f0e0de87

SHA256
01dbbd65a96aafdb326f6ce58a754cfbe3a99beed61244d94ad0fc42e99f23da

SHA512
2ee4e3c0eaeecc1d4285b9a163a788631a2d68463bf766dddcd375e9b0fe2a5385819b10994ded0275f7c0686014a30edc7cdde724454b0391ab319caba4530b

Download Submit
memory/3036-3-0x00000000055D0000-0x0000000005662000-memory.dmp

Filesize
584KB

Download
memory/3036-0-0x0000000000BF0000-0x0000000000E4A000-memory.dmp

Filesize
2.4MB

Download
memory/3036-1-0x0000000074730000-0x0000000074EE0000-memory.dmp

Filesize
7.7MB

Download
memory/3036-5-0x0000000005990000-0x000000000599A000-memory.dmp

Filesize
40KB

Download
memory/3036-4-0x0000000001350000-0x0000000001360000-memory.dmp

Filesize
64KB

Download
memory/3036-2-0x0000000005AE0000-0x0000000006084000-memory.dmp

Filesize
5.6MB

Download
memory/3036-13-0x0000000001350000-0x0000000001360000-memory.dmp

Filesize
64KB

Download
memory/3036-12-0x0000000074730000-0x0000000074EE0000-memory.dmp

Filesize
7.7MB

Download
memory/3936-11-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/3936-6-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/3936-8-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/4772-18-0x0000000074730000-0x0000000074EE0000-memory.dmp

Filesize
7.7MB

Download
memory/4772-19-0x0000000000290000-0x00000000004EA000-memory.dmp

Filesize
2.4MB

Download
memory/4772-20-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads