blustealer | 34df71e1c8afa4f4909ee40372ad547fc67d2d7d97ded03b5e0ced87b39b2da4

General

Target

9087c87d6cb74d5c1791f3f27fa68586.exe
Size

1017KB
MD5

9087c87d6cb74d5c1791f3f27fa68586
SHA1

70a0e7d031787ca88aec2dfe355c02e42c9690f4
SHA256

34df71e1c8afa4f4909ee40372ad547fc67d2d7d97ded03b5e0ced87b39b2da4
SHA512

83fbd57e41255277ae479ee81e7040f48da3a89872ea9dce6b71589c54bcf54dd11815dec9f0a62c98164ba4bcbc7ce6fe40b754e1a275d9f37876851b27f1b3
SSDEEP

12288:Gf0/nU4XJmZPSufsmNzXO26VcwWVmIP/bnEK3hc0PoLj4E6SdHjW85m+b3aWClsD:GflZdfJ+2nX7EKOgonrtjFHbqWCKhEY

Score

10^/10

blustealer stealer

Malware Config

Extracted

Family

blustealer

Credentials

Protocol: smtp
Host:
smtp.privateemail.com
Port:
587
Username:
[email protected]
Password:
@@@@@@

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	9087c87d6cb74d5c1791f3f27fa68586.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3884 set thread context of 3304	3884	9087c87d6cb74d5c1791f3f27fa68586.exe	100

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1044	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3884	9087c87d6cb74d5c1791f3f27fa68586.exe
3884	9087c87d6cb74d5c1791f3f27fa68586.exe
3884	9087c87d6cb74d5c1791f3f27fa68586.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3884	9087c87d6cb74d5c1791f3f27fa68586.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3304	9087c87d6cb74d5c1791f3f27fa68586.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3884 wrote to memory of 1044	3884	9087c87d6cb74d5c1791f3f27fa68586.exe	97
PID 3884 wrote to memory of 1044	3884	9087c87d6cb74d5c1791f3f27fa68586.exe	97
PID 3884 wrote to memory of 1044	3884	9087c87d6cb74d5c1791f3f27fa68586.exe	97
PID 3884 wrote to memory of 5084	3884	9087c87d6cb74d5c1791f3f27fa68586.exe	99
PID 3884 wrote to memory of 5084	3884	9087c87d6cb74d5c1791f3f27fa68586.exe	99
PID 3884 wrote to memory of 5084	3884	9087c87d6cb74d5c1791f3f27fa68586.exe	99
PID 3884 wrote to memory of 3304	3884	9087c87d6cb74d5c1791f3f27fa68586.exe	100
PID 3884 wrote to memory of 3304	3884	9087c87d6cb74d5c1791f3f27fa68586.exe	100
PID 3884 wrote to memory of 3304	3884	9087c87d6cb74d5c1791f3f27fa68586.exe	100
PID 3884 wrote to memory of 3304	3884	9087c87d6cb74d5c1791f3f27fa68586.exe	100
PID 3884 wrote to memory of 3304	3884	9087c87d6cb74d5c1791f3f27fa68586.exe	100
PID 3884 wrote to memory of 3304	3884	9087c87d6cb74d5c1791f3f27fa68586.exe	100
PID 3884 wrote to memory of 3304	3884	9087c87d6cb74d5c1791f3f27fa68586.exe	100
PID 3884 wrote to memory of 3304	3884	9087c87d6cb74d5c1791f3f27fa68586.exe	100

C:\Users\Admin\AppData\Local\Temp\9087c87d6cb74d5c1791f3f27fa68586.exe
"C:\Users\Admin\AppData\Local\Temp\9087c87d6cb74d5c1791f3f27fa68586.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3884
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hLWBntzUjvRwNP" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC65D.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1044
- C:\Users\Admin\AppData\Local\Temp\9087c87d6cb74d5c1791f3f27fa68586.exe
  "{path}"
  2⤵
  PID:5084
- C:\Users\Admin\AppData\Local\Temp\9087c87d6cb74d5c1791f3f27fa68586.exe
  "{path}"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC65D.tmp

Filesize
1KB

MD5
dc423522d92368c70b0cbce3eef9a3f0

SHA1
a2df81838a12e4e40e050064add327f43597abb6

SHA256
be9edbc831905669a7fcd37041745c3234cd3fd41166520dd130a11176e2d9e3

SHA512
98f31960affdcc566c2f06c979c62311fb7fd8bf4445bc84f74566dfbac9de640b56377f2ae29cf7f6b371a1f63ea4cb94e6729ff217f219e7744131417f0906

Download Submit
memory/3304-22-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3304-18-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3304-15-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3884-4-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download
memory/3884-5-0x0000000004BA0000-0x0000000004BAA000-memory.dmp

Filesize
40KB

Download
memory/3884-7-0x0000000007520000-0x00000000075BC000-memory.dmp

Filesize
624KB

Download
memory/3884-6-0x0000000004E10000-0x0000000004E18000-memory.dmp

Filesize
32KB

Download
memory/3884-8-0x0000000074980000-0x0000000075130000-memory.dmp

Filesize
7.7MB

Download
memory/3884-9-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download
memory/3884-10-0x00000000078C0000-0x000000000799E000-memory.dmp

Filesize
888KB

Download
memory/3884-11-0x00000000061B0000-0x0000000006244000-memory.dmp

Filesize
592KB

Download
memory/3884-0-0x00000000000B0000-0x00000000001B4000-memory.dmp

Filesize
1.0MB

Download
memory/3884-3-0x0000000004BF0000-0x0000000004C82000-memory.dmp

Filesize
584KB

Download
memory/3884-19-0x0000000074980000-0x0000000075130000-memory.dmp

Filesize
7.7MB

Download
memory/3884-2-0x00000000051A0000-0x0000000005744000-memory.dmp

Filesize
5.6MB

Download
memory/3884-1-0x0000000074980000-0x0000000075130000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads