blustealer | 6f166bd961214455803a5d9656fc2a70837df425936a87ed0f88bd58a06b3be9

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13-02-2024 12:36

Target

9971813b73d9822149d699f592f7d958.exe
Size

2.6MB
MD5

9971813b73d9822149d699f592f7d958
SHA1

79d1b057a523addc7adc4d305d4df54d35cd923b
SHA256

6f166bd961214455803a5d9656fc2a70837df425936a87ed0f88bd58a06b3be9
SHA512

6559c25827037f9a6550f2c5582eca563c167fee4c2a63150210c81b3834f249270f15dd7938028e2d21a095ceba8588223394179053c024ff83d6ef07f128cf
SSDEEP

24576:5yvaeTFag6WbUonU6ZJOlbWfwnHVPi9QBTZdIauBhHv5ZGMAJ0PHJi:svavh76ByQmlIRPXA

Score

10^/10

Family

blustealer

https://api.telegram.org/bot1943133814:AAGel7Cna1V4ds4YJL4kPgVVqKEmYV09C7I/sendMessage?chat_id=1518974695

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral1/memory/2172-4-0x0000000000210000-0x0000000000226000-memory.dmp	family_zgrat_v1

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2172 set thread context of 2856	2172	9971813b73d9822149d699f592f7d958.exe	28

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2856	9971813b73d9822149d699f592f7d958.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2856	2172	9971813b73d9822149d699f592f7d958.exe	28
PID 2172 wrote to memory of 2856	2172	9971813b73d9822149d699f592f7d958.exe	28
PID 2172 wrote to memory of 2856	2172	9971813b73d9822149d699f592f7d958.exe	28
PID 2172 wrote to memory of 2856	2172	9971813b73d9822149d699f592f7d958.exe	28
PID 2172 wrote to memory of 2856	2172	9971813b73d9822149d699f592f7d958.exe	28
PID 2172 wrote to memory of 2856	2172	9971813b73d9822149d699f592f7d958.exe	28
PID 2172 wrote to memory of 2856	2172	9971813b73d9822149d699f592f7d958.exe	28
PID 2172 wrote to memory of 2856	2172	9971813b73d9822149d699f592f7d958.exe	28
PID 2172 wrote to memory of 2856	2172	9971813b73d9822149d699f592f7d958.exe	28

C:\Users\Admin\AppData\Local\Temp\9971813b73d9822149d699f592f7d958.exe
"C:\Users\Admin\AppData\Local\Temp\9971813b73d9822149d699f592f7d958.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Local\Temp\9971813b73d9822149d699f592f7d958.exe
  "C:\Users\Admin\AppData\Local\Temp\9971813b73d9822149d699f592f7d958.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2856

memory/2172-0-0x0000000000BE0000-0x0000000000E86000-memory.dmp

Filesize
2.6MB

Download
memory/2172-1-0x0000000073D00000-0x00000000743EE000-memory.dmp

Filesize
6.9MB

Download
memory/2172-2-0x0000000004DE0000-0x0000000004E20000-memory.dmp

Filesize
256KB

Download
memory/2172-3-0x0000000004E20000-0x0000000004F96000-memory.dmp

Filesize
1.5MB

Download
memory/2172-4-0x0000000000210000-0x0000000000226000-memory.dmp

Filesize
88KB

Download
memory/2172-15-0x0000000073D00000-0x00000000743EE000-memory.dmp

Filesize
6.9MB

Download
memory/2856-6-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2856-7-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2856-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2856-11-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2856-13-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2856-5-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2856-17-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download