blustealer | 7257e33f527df5f7820d5dfd9022d923b5fb6cdef21d402c54fc9d3f3106f3a3

Analysis

max time kernel
137s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
06-02-2024 07:52

Target

943244db3bce1498ee39206c5e0f2bbc.exe
Size

2.7MB
MD5

943244db3bce1498ee39206c5e0f2bbc
SHA1

026cf4e2deae460e56675e827b408c17db0b16fe
SHA256

7257e33f527df5f7820d5dfd9022d923b5fb6cdef21d402c54fc9d3f3106f3a3
SHA512

c674637360aae0ea0eeafb773d6befbe5ff43ec93a0201b50731d1d4615b4701810923a5411be531914e92336b28cf43941ab06124a0e8e0cb8e58324925e7e5
SSDEEP

24576:KKVIwZqiBUljqRuth3CSb9F9C14mL0OIntkrUZbnLATHGK2SfRtiHbhwrDzE:LIe/a8UQrUSHGK2Sjr3E

Score

10^/10

Family

blustealer

https://api.telegram.org/bot1838876767:AAEiDKTcT_A4WBwpMo9nnrtBP7OvsmEUnNU/sendMessage?chat_id=1300181783

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral2/memory/3792-9-0x0000000004F30000-0x0000000004F46000-memory.dmp	family_zgrat_v1

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3792 set thread context of 4984	3792	943244db3bce1498ee39206c5e0f2bbc.exe	37

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4984	943244db3bce1498ee39206c5e0f2bbc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3792 wrote to memory of 4984	3792	943244db3bce1498ee39206c5e0f2bbc.exe	37
PID 3792 wrote to memory of 4984	3792	943244db3bce1498ee39206c5e0f2bbc.exe	37
PID 3792 wrote to memory of 4984	3792	943244db3bce1498ee39206c5e0f2bbc.exe	37
PID 3792 wrote to memory of 4984	3792	943244db3bce1498ee39206c5e0f2bbc.exe	37
PID 3792 wrote to memory of 4984	3792	943244db3bce1498ee39206c5e0f2bbc.exe	37
PID 3792 wrote to memory of 4984	3792	943244db3bce1498ee39206c5e0f2bbc.exe	37
PID 3792 wrote to memory of 4984	3792	943244db3bce1498ee39206c5e0f2bbc.exe	37
PID 3792 wrote to memory of 4984	3792	943244db3bce1498ee39206c5e0f2bbc.exe	37

C:\Users\Admin\AppData\Local\Temp\943244db3bce1498ee39206c5e0f2bbc.exe
"C:\Users\Admin\AppData\Local\Temp\943244db3bce1498ee39206c5e0f2bbc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3792
- C:\Users\Admin\AppData\Local\Temp\943244db3bce1498ee39206c5e0f2bbc.exe
  "C:\Users\Admin\AppData\Local\Temp\943244db3bce1498ee39206c5e0f2bbc.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4984

memory/3792-6-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/3792-1-0x0000000000870000-0x0000000000B26000-memory.dmp

Filesize
2.7MB

Download
memory/3792-2-0x0000000005A60000-0x0000000006004000-memory.dmp

Filesize
5.6MB

Download
memory/3792-3-0x0000000005550000-0x00000000055E2000-memory.dmp

Filesize
584KB

Download
memory/3792-4-0x00000000055F0000-0x0000000005666000-memory.dmp

Filesize
472KB

Download
memory/3792-5-0x0000000005710000-0x00000000057AC000-memory.dmp

Filesize
624KB

Download
memory/3792-0-0x0000000075170000-0x0000000075920000-memory.dmp

Filesize
7.7MB

Download
memory/3792-7-0x0000000005500000-0x000000000551E000-memory.dmp

Filesize
120KB

Download
memory/3792-15-0x0000000075170000-0x0000000075920000-memory.dmp

Filesize
7.7MB

Download
memory/3792-9-0x0000000004F30000-0x0000000004F46000-memory.dmp

Filesize
88KB

Download
memory/3792-8-0x00000000057E0000-0x0000000005956000-memory.dmp

Filesize
1.5MB

Download
memory/4984-13-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4984-10-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4984-17-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download