blustealer | 35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0

Analysis

max time kernel
138s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2024 11:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f8bb2ff11646a8e47c1b2a27d475010.exe
Size

727KB
MD5

6f8bb2ff11646a8e47c1b2a27d475010
SHA1

a300b7be64343ce6ab88edb0c71f3052663674d4
SHA256

35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0
SHA512

97eb09ab5e244d1e367104efd1a17267390589121a58a1840e282f7ef15ceea933432168dae8caf31d6ca35af3fa9341c9f604b9e944aea86983484ace961e36
SSDEEP

12288:csyxZCYQneRW88If1cmRBPA0nV2sb+xUVWcyN:cjZCr7gf1cIA0nos6Cn

Score

10^/10

blustealer stealer

Malware Config

Extracted

Family

blustealer

Credentials

Protocol: smtp
Host:
budgetn.shop
Port:
587
Username:
[email protected]
Password:
X&Y=[g89L4D/**

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	6f8bb2ff11646a8e47c1b2a27d475010.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4288 set thread context of 2876	4288	6f8bb2ff11646a8e47c1b2a27d475010.exe	107

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
3948	powershell.exe
3948	powershell.exe
1848	powershell.exe
1848	powershell.exe
4108	powershell.exe
4108	powershell.exe
4108	powershell.exe
4920	powershell.exe
4920	powershell.exe
4920	powershell.exe
3152	powershell.exe
3152	powershell.exe
3152	powershell.exe
4288	6f8bb2ff11646a8e47c1b2a27d475010.exe
4288	6f8bb2ff11646a8e47c1b2a27d475010.exe
4288	6f8bb2ff11646a8e47c1b2a27d475010.exe
4288	6f8bb2ff11646a8e47c1b2a27d475010.exe
4288	6f8bb2ff11646a8e47c1b2a27d475010.exe
4288	6f8bb2ff11646a8e47c1b2a27d475010.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3948	powershell.exe
Token: SeIncreaseQuotaPrivilege	3948	powershell.exe
Token: SeSecurityPrivilege	3948	powershell.exe
Token: SeTakeOwnershipPrivilege	3948	powershell.exe
Token: SeLoadDriverPrivilege	3948	powershell.exe
Token: SeSystemProfilePrivilege	3948	powershell.exe
Token: SeSystemtimePrivilege	3948	powershell.exe
Token: SeProfSingleProcessPrivilege	3948	powershell.exe
Token: SeIncBasePriorityPrivilege	3948	powershell.exe
Token: SeCreatePagefilePrivilege	3948	powershell.exe
Token: SeBackupPrivilege	3948	powershell.exe
Token: SeRestorePrivilege	3948	powershell.exe
Token: SeShutdownPrivilege	3948	powershell.exe
Token: SeDebugPrivilege	3948	powershell.exe
Token: SeSystemEnvironmentPrivilege	3948	powershell.exe
Token: SeRemoteShutdownPrivilege	3948	powershell.exe
Token: SeUndockPrivilege	3948	powershell.exe
Token: SeManageVolumePrivilege	3948	powershell.exe
Token: 33	3948	powershell.exe
Token: 34	3948	powershell.exe
Token: 35	3948	powershell.exe
Token: 36	3948	powershell.exe
Token: SeIncreaseQuotaPrivilege	3948	powershell.exe
Token: SeSecurityPrivilege	3948	powershell.exe
Token: SeTakeOwnershipPrivilege	3948	powershell.exe
Token: SeLoadDriverPrivilege	3948	powershell.exe
Token: SeSystemProfilePrivilege	3948	powershell.exe
Token: SeSystemtimePrivilege	3948	powershell.exe
Token: SeProfSingleProcessPrivilege	3948	powershell.exe
Token: SeIncBasePriorityPrivilege	3948	powershell.exe
Token: SeCreatePagefilePrivilege	3948	powershell.exe
Token: SeBackupPrivilege	3948	powershell.exe
Token: SeRestorePrivilege	3948	powershell.exe
Token: SeShutdownPrivilege	3948	powershell.exe
Token: SeDebugPrivilege	3948	powershell.exe
Token: SeSystemEnvironmentPrivilege	3948	powershell.exe
Token: SeRemoteShutdownPrivilege	3948	powershell.exe
Token: SeUndockPrivilege	3948	powershell.exe
Token: SeManageVolumePrivilege	3948	powershell.exe
Token: 33	3948	powershell.exe
Token: 34	3948	powershell.exe
Token: 35	3948	powershell.exe
Token: 36	3948	powershell.exe
Token: SeDebugPrivilege	1848	powershell.exe
Token: SeIncreaseQuotaPrivilege	1848	powershell.exe
Token: SeSecurityPrivilege	1848	powershell.exe
Token: SeTakeOwnershipPrivilege	1848	powershell.exe
Token: SeLoadDriverPrivilege	1848	powershell.exe
Token: SeSystemProfilePrivilege	1848	powershell.exe
Token: SeSystemtimePrivilege	1848	powershell.exe
Token: SeProfSingleProcessPrivilege	1848	powershell.exe
Token: SeIncBasePriorityPrivilege	1848	powershell.exe
Token: SeCreatePagefilePrivilege	1848	powershell.exe
Token: SeBackupPrivilege	1848	powershell.exe
Token: SeRestorePrivilege	1848	powershell.exe
Token: SeShutdownPrivilege	1848	powershell.exe
Token: SeDebugPrivilege	1848	powershell.exe
Token: SeSystemEnvironmentPrivilege	1848	powershell.exe
Token: SeRemoteShutdownPrivilege	1848	powershell.exe
Token: SeUndockPrivilege	1848	powershell.exe
Token: SeManageVolumePrivilege	1848	powershell.exe
Token: 33	1848	powershell.exe
Token: 34	1848	powershell.exe
Token: 35	1848	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2876	6f8bb2ff11646a8e47c1b2a27d475010.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 4288 wrote to memory of 3948	4288	6f8bb2ff11646a8e47c1b2a27d475010.exe	38
PID 4288 wrote to memory of 3948	4288	6f8bb2ff11646a8e47c1b2a27d475010.exe	38
PID 4288 wrote to memory of 3948	4288	6f8bb2ff11646a8e47c1b2a27d475010.exe	38
PID 4288 wrote to memory of 1848	4288	6f8bb2ff11646a8e47c1b2a27d475010.exe	96
PID 4288 wrote to memory of 1848	4288	6f8bb2ff11646a8e47c1b2a27d475010.exe	96
PID 4288 wrote to memory of 1848	4288	6f8bb2ff11646a8e47c1b2a27d475010.exe	96
PID 4288 wrote to memory of 4108	4288	6f8bb2ff11646a8e47c1b2a27d475010.exe	101
PID 4288 wrote to memory of 4108	4288	6f8bb2ff11646a8e47c1b2a27d475010.exe	101
PID 4288 wrote to memory of 4108	4288	6f8bb2ff11646a8e47c1b2a27d475010.exe	101
PID 4288 wrote to memory of 4920	4288	6f8bb2ff11646a8e47c1b2a27d475010.exe	103
PID 4288 wrote to memory of 4920	4288	6f8bb2ff11646a8e47c1b2a27d475010.exe	103
PID 4288 wrote to memory of 4920	4288	6f8bb2ff11646a8e47c1b2a27d475010.exe	103
PID 4288 wrote to memory of 3152	4288	6f8bb2ff11646a8e47c1b2a27d475010.exe	105
PID 4288 wrote to memory of 3152	4288	6f8bb2ff11646a8e47c1b2a27d475010.exe	105
PID 4288 wrote to memory of 3152	4288	6f8bb2ff11646a8e47c1b2a27d475010.exe	105
PID 4288 wrote to memory of 3908	4288	6f8bb2ff11646a8e47c1b2a27d475010.exe	108
PID 4288 wrote to memory of 3908	4288	6f8bb2ff11646a8e47c1b2a27d475010.exe	108
PID 4288 wrote to memory of 3908	4288	6f8bb2ff11646a8e47c1b2a27d475010.exe	108
PID 4288 wrote to memory of 2876	4288	6f8bb2ff11646a8e47c1b2a27d475010.exe	107
PID 4288 wrote to memory of 2876	4288	6f8bb2ff11646a8e47c1b2a27d475010.exe	107
PID 4288 wrote to memory of 2876	4288	6f8bb2ff11646a8e47c1b2a27d475010.exe	107
PID 4288 wrote to memory of 2876	4288	6f8bb2ff11646a8e47c1b2a27d475010.exe	107
PID 4288 wrote to memory of 2876	4288	6f8bb2ff11646a8e47c1b2a27d475010.exe	107
PID 4288 wrote to memory of 2876	4288	6f8bb2ff11646a8e47c1b2a27d475010.exe	107
PID 4288 wrote to memory of 2876	4288	6f8bb2ff11646a8e47c1b2a27d475010.exe	107
PID 4288 wrote to memory of 2876	4288	6f8bb2ff11646a8e47c1b2a27d475010.exe	107

C:\Users\Admin\AppData\Local\Temp\6f8bb2ff11646a8e47c1b2a27d475010.exe
"C:\Users\Admin\AppData\Local\Temp\6f8bb2ff11646a8e47c1b2a27d475010.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4288
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3948
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1848
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4108
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4920
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3152
- C:\Users\Admin\AppData\Local\Temp\6f8bb2ff11646a8e47c1b2a27d475010.exe
  C:\Users\Admin\AppData\Local\Temp\6f8bb2ff11646a8e47c1b2a27d475010.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2876
- C:\Users\Admin\AppData\Local\Temp\6f8bb2ff11646a8e47c1b2a27d475010.exe
  C:\Users\Admin\AppData\Local\Temp\6f8bb2ff11646a8e47c1b2a27d475010.exe
  2⤵
  PID:3908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
0774a05ce5ee4c1af7097353c9296c62

SHA1
658ff96b111c21c39d7ad5f510fb72f9762114bb

SHA256
d9c5347ed06755feeb0615f1671f6b91e2718703da0dbc4b0bd205cbd2896dd4

SHA512
104d69fc4f4aaa5070b78ada130228939c7e01436351166fe51fe2da8a02f9948e6d92dd676f62820da1813872b91411e2f863c9a98a760581ec34d4aa354994

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
85053e3c4003e8b1cd541785834ae602

SHA1
75dd63f195c4cfc647a63767369b39f5185b09e9

SHA256
e7ba5e8bd0f3760e7ebfe56838a88742400d2a879c3128ef7727ea3204b1fd19

SHA512
e679671f737536ceb4f456c62a643cbf489906dfb21b0185ebc6705497b25ac39b301abe2d36658e3163d5b5c2fcd6e3345383a1fef60fd8ea4b569bd7f1f75c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
8babbe0b9d723a2c483118c6123da09f

SHA1
95b8c612ef5fdbeaca29adcff86cd62903a69577

SHA256
744c6d0f9d652744310abe7dcf99ccba70da09132e7a46faee069bcfcbb53396

SHA512
a183534ec67a6a76a592981eb79fd3bf89cc84a69890ef843953c5b19315697077cebdae22adea1b4d0bddd59fb68fcb99afaf2a52dcad4d372a4d7bab9d7030

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
64d3184ae186e25fca663792877f3c4c

SHA1
cdcdc56dfd087f9376564898018ca9a94793b9d8

SHA256
04d3233c52b7369f8babb2677b94276efee8ee63e2f30dc6f361d4497cb47d54

SHA512
bd97f4c8ad143e22ab7a2a8dabddc6851bf20647e4305b8e9dd73a06461da4fbe218eae2e44368bf53c52019763628fd0ff24e7632c61bd1dd0af28a13675d93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
d93886a3f2ab950a9f2af1242e44391c

SHA1
20c803f86aa769d4196f570dd5ce84561842d5e0

SHA256
8d15c6adca859021460939dba582473eb701bfdf2082186ac42b2c8ed98451f0

SHA512
a796b5521143cf98234a4617309d249eae87162a91d8d4442bec6a0b49424e00f06e64e5b6c8015c87c8c5022476cefef3be75076596be5d8acc6e10b5245a52

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tudefeqn.c5p.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1848-75-0x0000000074DB0000-0x0000000075560000-memory.dmp

Filesize
7.7MB

Download
memory/1848-30-0x0000000074DB0000-0x0000000075560000-memory.dmp

Filesize
7.7MB

Download
memory/1848-31-0x0000000000F70000-0x0000000000F80000-memory.dmp

Filesize
64KB

Download
memory/1848-37-0x0000000000F70000-0x0000000000F80000-memory.dmp

Filesize
64KB

Download
memory/2876-135-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2876-139-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2876-132-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3152-76-0x0000000074DB0000-0x0000000075560000-memory.dmp

Filesize
7.7MB

Download
memory/3152-77-0x00000000030F0000-0x0000000003100000-memory.dmp

Filesize
64KB

Download
memory/3152-130-0x0000000074DB0000-0x0000000075560000-memory.dmp

Filesize
7.7MB

Download
memory/3152-78-0x00000000030F0000-0x0000000003100000-memory.dmp

Filesize
64KB

Download
memory/3948-7-0x0000000074DB0000-0x0000000075560000-memory.dmp

Filesize
7.7MB

Download
memory/3948-24-0x0000000006580000-0x000000000659E000-memory.dmp

Filesize
120KB

Download
memory/3948-27-0x0000000006A80000-0x0000000006A9A000-memory.dmp

Filesize
104KB

Download
memory/3948-26-0x0000000007560000-0x00000000075F6000-memory.dmp

Filesize
600KB

Download
memory/3948-29-0x00000000089E0000-0x000000000905A000-memory.dmp

Filesize
6.5MB

Download
memory/3948-8-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/3948-6-0x0000000002C80000-0x0000000002CB6000-memory.dmp

Filesize
216KB

Download
memory/3948-25-0x0000000006640000-0x000000000668C000-memory.dmp

Filesize
304KB

Download
memory/3948-12-0x0000000005EE0000-0x0000000005F46000-memory.dmp

Filesize
408KB

Download
memory/3948-54-0x0000000074DB0000-0x0000000075560000-memory.dmp

Filesize
7.7MB

Download
memory/3948-23-0x0000000006130000-0x0000000006484000-memory.dmp

Filesize
3.3MB

Download
memory/3948-9-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/3948-28-0x0000000006AD0000-0x0000000006AF2000-memory.dmp

Filesize
136KB

Download
memory/3948-58-0x0000000074DB0000-0x0000000075560000-memory.dmp

Filesize
7.7MB

Download
memory/3948-11-0x00000000056E0000-0x0000000005702000-memory.dmp

Filesize
136KB

Download
memory/3948-10-0x0000000005750000-0x0000000005D78000-memory.dmp

Filesize
6.2MB

Download
memory/3948-22-0x00000000060C0000-0x0000000006126000-memory.dmp

Filesize
408KB

Download
memory/4108-90-0x0000000074DB0000-0x0000000075560000-memory.dmp

Filesize
7.7MB

Download
memory/4108-42-0x0000000074DB0000-0x0000000075560000-memory.dmp

Filesize
7.7MB

Download
memory/4108-49-0x0000000005530000-0x0000000005540000-memory.dmp

Filesize
64KB

Download
memory/4108-43-0x0000000005530000-0x0000000005540000-memory.dmp

Filesize
64KB

Download
memory/4288-103-0x0000000005CB0000-0x0000000005D40000-memory.dmp

Filesize
576KB

Download
memory/4288-107-0x0000000005CB0000-0x0000000005D40000-memory.dmp

Filesize
576KB

Download
memory/4288-0-0x00000000001B0000-0x000000000026C000-memory.dmp

Filesize
752KB

Download
memory/4288-2-0x0000000004FD0000-0x0000000005574000-memory.dmp

Filesize
5.6MB

Download
memory/4288-3-0x0000000004B10000-0x0000000004BA2000-memory.dmp

Filesize
584KB

Download
memory/4288-91-0x0000000005CB0000-0x0000000005D46000-memory.dmp

Filesize
600KB

Download
memory/4288-99-0x0000000005CB0000-0x0000000005D40000-memory.dmp

Filesize
576KB

Download
memory/4288-115-0x0000000005CB0000-0x0000000005D40000-memory.dmp

Filesize
576KB

Download
memory/4288-123-0x0000000005D90000-0x0000000005DB6000-memory.dmp

Filesize
152KB

Download
memory/4288-124-0x0000000007E70000-0x0000000007E8E000-memory.dmp

Filesize
120KB

Download
memory/4288-122-0x0000000007C60000-0x0000000007CD6000-memory.dmp

Filesize
472KB

Download
memory/4288-121-0x0000000005CB0000-0x0000000005D40000-memory.dmp

Filesize
576KB

Download
memory/4288-119-0x0000000005CB0000-0x0000000005D40000-memory.dmp

Filesize
576KB

Download
memory/4288-117-0x0000000005CB0000-0x0000000005D40000-memory.dmp

Filesize
576KB

Download
memory/4288-113-0x0000000005CB0000-0x0000000005D40000-memory.dmp

Filesize
576KB

Download
memory/4288-111-0x0000000005CB0000-0x0000000005D40000-memory.dmp

Filesize
576KB

Download
memory/4288-109-0x0000000005CB0000-0x0000000005D40000-memory.dmp

Filesize
576KB

Download
memory/4288-59-0x0000000004C90000-0x0000000004CA0000-memory.dmp

Filesize
64KB

Download
memory/4288-105-0x0000000005CB0000-0x0000000005D40000-memory.dmp

Filesize
576KB

Download
memory/4288-55-0x0000000074DB0000-0x0000000075560000-memory.dmp

Filesize
7.7MB

Download
memory/4288-101-0x0000000005CB0000-0x0000000005D40000-memory.dmp

Filesize
576KB

Download
memory/4288-97-0x0000000005CB0000-0x0000000005D40000-memory.dmp

Filesize
576KB

Download
memory/4288-95-0x0000000005CB0000-0x0000000005D40000-memory.dmp

Filesize
576KB

Download
memory/4288-93-0x0000000005CB0000-0x0000000005D40000-memory.dmp

Filesize
576KB

Download
memory/4288-92-0x0000000005CB0000-0x0000000005D40000-memory.dmp

Filesize
576KB

Download
memory/4288-136-0x0000000074DB0000-0x0000000075560000-memory.dmp

Filesize
7.7MB

Download
memory/4288-1-0x0000000074DB0000-0x0000000075560000-memory.dmp

Filesize
7.7MB

Download
memory/4288-5-0x0000000004BD0000-0x0000000004BDA000-memory.dmp

Filesize
40KB

Download
memory/4288-4-0x0000000004C90000-0x0000000004CA0000-memory.dmp

Filesize
64KB

Download
memory/4920-127-0x0000000074DB0000-0x0000000075560000-memory.dmp

Filesize
7.7MB

Download
memory/4920-61-0x0000000074DB0000-0x0000000075560000-memory.dmp

Filesize
7.7MB

Download
memory/4920-63-0x0000000005280000-0x0000000005290000-memory.dmp

Filesize
64KB

Download
memory/4920-62-0x0000000005280000-0x0000000005290000-memory.dmp

Filesize
64KB

Download