Analysis
max time kernel: 142s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-01-2024 07:15
Static task: static1

Behavioral task: behavioral1
  Sample: 6f0df16188d51b39c387df210a1077df.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: 6f0df16188d51b39c387df210a1077df.exe
  Resource: win10v2004-20231215-en
General
Target: 6f0df16188d51b39c387df210a1077df.exe
Size: 671KB
MD5: 6f0df16188d51b39c387df210a1077df
SHA1: abe98a6755bab5b01c2becd90a586829afcb9336
SHA256: e29247ccbd64ef5da34a09b073f1f638c23bd7d280724feabf900e6ac786af52
SHA512: 9a2441c332a605893f8b192e42ef61a68d395cc86358d7f4d96dbd592668cbcdf3701bb3a581f011632e66c33a58c7235ec433011bb1c092603457efed84973e
SSDEEP: 12288:ZDmzAbVSux7iVK+G2L4SkX8CzdBTAKl2cEGff3kvZp1FXbd4Ga/pzP:0QVSuAVK+G2pkDdBT7l3EW4Trtah
Malware Config
Extracted
blustealer
https://api.telegram.org/bot1838876767:AAEiDKTcT_A4WBwpMo9nnrtBP7OvsmEUnNU/sendMessage?chat_id=1300181783
Signatures

BluStealer
A modular information stealer written in Visual Basic.

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process                               procid_target
  PID 2052 set thread context of 1324  2052  6f0df16188d51b39c387df210a1077df.exe  87

Suspicious behavior: MapViewOfSection (1 IoC)
  pid   Process
  2052  6f0df16188d51b39c387df210a1077df.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  1324  MSBuild.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process                               procid_target
  PID 2052 wrote to memory of 1324  2052  6f0df16188d51b39c387df210a1077df.exe  87
  PID 2052 wrote to memory of 1324  2052  6f0df16188d51b39c387df210a1077df.exe  87
  PID 2052 wrote to memory of 1324  2052  6f0df16188d51b39c387df210a1077df.exe  87
  PID 2052 wrote to memory of 1324  2052  6f0df16188d51b39c387df210a1077df.exe  87
Processes

1. C:\Users\Admin\AppData\Local\Temp\6f0df16188d51b39c387df210a1077df.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6f0df16188d51b39c387df210a1077df.exe"
   PID: 2052
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\6f0df16188d51b39c387df210a1077df.exe"
      PID: 1324
      - Suspicious use of SetWindowsHookEx