blustealer | b11cb95a4f8665db55cc8a9f54cc0107d37c224adca1f3dfe9bcc50074a23cb2

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
14/02/2024, 04:57

Target

9aceea76f4ccb33286e37aa91e15cb44.exe
Size

957KB
MD5

9aceea76f4ccb33286e37aa91e15cb44
SHA1

c01c60f47bfabda0c99f6d434e6bf772e54fa9a8
SHA256

b11cb95a4f8665db55cc8a9f54cc0107d37c224adca1f3dfe9bcc50074a23cb2
SHA512

b341e4b9ad1ea41119016cbda2e6a75e3c4531827553eaeaf3e92b2c5a7cac90aefcd8b525bd0be239433719229aa11a05f6b064c064759f4fd92ebf7d3c6a78
SSDEEP

24576:ebb58UKrHWcxaW7lSR7BJkmjw2tjy1JiVJHPi:25+rWKaW5Stkmj381g

Score

10^/10

Family

blustealer

Credentials

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2172 set thread context of 2608	2172	9aceea76f4ccb33286e37aa91e15cb44.exe	32

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2172	9aceea76f4ccb33286e37aa91e15cb44.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2608	9aceea76f4ccb33286e37aa91e15cb44.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2660	2172	9aceea76f4ccb33286e37aa91e15cb44.exe	30
PID 2172 wrote to memory of 2660	2172	9aceea76f4ccb33286e37aa91e15cb44.exe	30
PID 2172 wrote to memory of 2660	2172	9aceea76f4ccb33286e37aa91e15cb44.exe	30
PID 2172 wrote to memory of 2660	2172	9aceea76f4ccb33286e37aa91e15cb44.exe	30
PID 2172 wrote to memory of 2820	2172	9aceea76f4ccb33286e37aa91e15cb44.exe	31
PID 2172 wrote to memory of 2820	2172	9aceea76f4ccb33286e37aa91e15cb44.exe	31
PID 2172 wrote to memory of 2820	2172	9aceea76f4ccb33286e37aa91e15cb44.exe	31
PID 2172 wrote to memory of 2820	2172	9aceea76f4ccb33286e37aa91e15cb44.exe	31
PID 2172 wrote to memory of 2608	2172	9aceea76f4ccb33286e37aa91e15cb44.exe	32
PID 2172 wrote to memory of 2608	2172	9aceea76f4ccb33286e37aa91e15cb44.exe	32
PID 2172 wrote to memory of 2608	2172	9aceea76f4ccb33286e37aa91e15cb44.exe	32
PID 2172 wrote to memory of 2608	2172	9aceea76f4ccb33286e37aa91e15cb44.exe	32
PID 2172 wrote to memory of 2608	2172	9aceea76f4ccb33286e37aa91e15cb44.exe	32
PID 2172 wrote to memory of 2608	2172	9aceea76f4ccb33286e37aa91e15cb44.exe	32
PID 2172 wrote to memory of 2608	2172	9aceea76f4ccb33286e37aa91e15cb44.exe	32
PID 2172 wrote to memory of 2608	2172	9aceea76f4ccb33286e37aa91e15cb44.exe	32
PID 2172 wrote to memory of 2608	2172	9aceea76f4ccb33286e37aa91e15cb44.exe	32

C:\Users\Admin\AppData\Local\Temp\9aceea76f4ccb33286e37aa91e15cb44.exe
"C:\Users\Admin\AppData\Local\Temp\9aceea76f4ccb33286e37aa91e15cb44.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Local\Temp\9aceea76f4ccb33286e37aa91e15cb44.exe
  "C:\Users\Admin\AppData\Local\Temp\9aceea76f4ccb33286e37aa91e15cb44.exe"
  2⤵
  PID:2660
- C:\Users\Admin\AppData\Local\Temp\9aceea76f4ccb33286e37aa91e15cb44.exe
  "C:\Users\Admin\AppData\Local\Temp\9aceea76f4ccb33286e37aa91e15cb44.exe"
  2⤵
  PID:2820
- C:\Users\Admin\AppData\Local\Temp\9aceea76f4ccb33286e37aa91e15cb44.exe
  "C:\Users\Admin\AppData\Local\Temp\9aceea76f4ccb33286e37aa91e15cb44.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2608

memory/2172-19-0x0000000074BF0000-0x00000000752DE000-memory.dmp

Filesize
6.9MB

Download
memory/2172-1-0x0000000074BF0000-0x00000000752DE000-memory.dmp

Filesize
6.9MB

Download
memory/2172-2-0x0000000004E90000-0x0000000004ED0000-memory.dmp

Filesize
256KB

Download
memory/2172-3-0x0000000000580000-0x0000000000598000-memory.dmp

Filesize
96KB

Download
memory/2172-4-0x0000000074BF0000-0x00000000752DE000-memory.dmp

Filesize
6.9MB

Download
memory/2172-5-0x0000000004E90000-0x0000000004ED0000-memory.dmp

Filesize
256KB

Download
memory/2172-6-0x0000000008000000-0x00000000080CE000-memory.dmp

Filesize
824KB

Download
memory/2172-7-0x00000000043D0000-0x0000000004432000-memory.dmp

Filesize
392KB

Download
memory/2172-0-0x0000000000120000-0x0000000000216000-memory.dmp

Filesize
984KB

Download
memory/2608-8-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2608-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2608-10-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2608-16-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2608-9-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2608-14-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2608-20-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download