blustealer | e29247ccbd64ef5da34a09b073f1f638c23bd7d280724feabf900e6ac786af52

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22-01-2024 07:15

Target

6f0df16188d51b39c387df210a1077df.exe
Size

671KB
MD5

6f0df16188d51b39c387df210a1077df
SHA1

abe98a6755bab5b01c2becd90a586829afcb9336
SHA256

e29247ccbd64ef5da34a09b073f1f638c23bd7d280724feabf900e6ac786af52
SHA512

9a2441c332a605893f8b192e42ef61a68d395cc86358d7f4d96dbd592668cbcdf3701bb3a581f011632e66c33a58c7235ec433011bb1c092603457efed84973e
SSDEEP

12288:ZDmzAbVSux7iVK+G2L4SkX8CzdBTAKl2cEGff3kvZp1FXbd4Ga/pzP:0QVSuAVK+G2pkDdBT7l3EW4Trtah

Score

10^/10

Family

blustealer

https://api.telegram.org/bot1838876767:AAEiDKTcT_A4WBwpMo9nnrtBP7OvsmEUnNU/sendMessage?chat_id=1300181783

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2392 set thread context of 2840	2392	6f0df16188d51b39c387df210a1077df.exe	28

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2392	6f0df16188d51b39c387df210a1077df.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2840	MSBuild.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 2840	2392	6f0df16188d51b39c387df210a1077df.exe	28
PID 2392 wrote to memory of 2840	2392	6f0df16188d51b39c387df210a1077df.exe	28
PID 2392 wrote to memory of 2840	2392	6f0df16188d51b39c387df210a1077df.exe	28
PID 2392 wrote to memory of 2840	2392	6f0df16188d51b39c387df210a1077df.exe	28
PID 2392 wrote to memory of 2840	2392	6f0df16188d51b39c387df210a1077df.exe	28

C:\Users\Admin\AppData\Local\Temp\6f0df16188d51b39c387df210a1077df.exe
"C:\Users\Admin\AppData\Local\Temp\6f0df16188d51b39c387df210a1077df.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
  "C:\Users\Admin\AppData\Local\Temp\6f0df16188d51b39c387df210a1077df.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2840

memory/2392-1-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download
memory/2392-2-0x00000000002B0000-0x00000000002B2000-memory.dmp

Filesize
8KB

Download
memory/2840-3-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2840-5-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2840-8-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download