blustealer | 4a0b8f4dbb3acd1bbab1527d90921061bef21f3422250dcc41b8046b77edbd9b

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
06-02-2024 07:15

Target

941ffbcc54a5826dde6e2d35f2fc761d.exe
Size

489KB
MD5

941ffbcc54a5826dde6e2d35f2fc761d
SHA1

fc892954c47237abfc7956450aa13e5ad2d97488
SHA256

4a0b8f4dbb3acd1bbab1527d90921061bef21f3422250dcc41b8046b77edbd9b
SHA512

85327aa14dfdd4f7e8fb8387fc8f47066abd5037cb3d080444d17e40fb7d49803b86c5d971b434f872130a152590ac14df1fc3025954625cd9ec637c71b2e635
SSDEEP

12288:+pxLkSqnEa1yg6PbvF1yC62hkh2pf05T70sZ0XNfM:jaZ1yQC5gXtM

Score

10^/10

Family

blustealer

Credentials

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 748 set thread context of 1520	748	941ffbcc54a5826dde6e2d35f2fc761d.exe	56

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
748	941ffbcc54a5826dde6e2d35f2fc761d.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1520	941ffbcc54a5826dde6e2d35f2fc761d.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 1520	748	941ffbcc54a5826dde6e2d35f2fc761d.exe	56
PID 748 wrote to memory of 1520	748	941ffbcc54a5826dde6e2d35f2fc761d.exe	56
PID 748 wrote to memory of 1520	748	941ffbcc54a5826dde6e2d35f2fc761d.exe	56
PID 748 wrote to memory of 1520	748	941ffbcc54a5826dde6e2d35f2fc761d.exe	56

C:\Users\Admin\AppData\Local\Temp\941ffbcc54a5826dde6e2d35f2fc761d.exe
"C:\Users\Admin\AppData\Local\Temp\941ffbcc54a5826dde6e2d35f2fc761d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:748
- C:\Users\Admin\AppData\Local\Temp\941ffbcc54a5826dde6e2d35f2fc761d.exe
  "C:\Users\Admin\AppData\Local\Temp\941ffbcc54a5826dde6e2d35f2fc761d.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1520

memory/748-0-0x00000000006C0000-0x00000000006C6000-memory.dmp

Filesize
24KB

Download
memory/748-1-0x00000000005A0000-0x00000000005A2000-memory.dmp

Filesize
8KB

Download
memory/1520-2-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1520-4-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1520-7-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download