blustealer | d6390558e6f860877f95e6cf83ebc2fa028da6f469d75f73b27afe92900fbc7f | Triage

Submit
Reports

Overview

overview

Static

static

3

a97ccd364e...bf.exe

windows7-x64

a97ccd364e...bf.exe

windows10-2004-x64

Resubmissions

27-02-2024 15:25

240227-stkjgacg5s 10

27-02-2024 15:21

240227-srp16scc78 10

Sharing

General

Target

a97ccd364ed034769bd7a0e41d823ebf
Size

754KB
Sample

240227-stkjgacg5s
MD5

a97ccd364ed034769bd7a0e41d823ebf
SHA1

ca4e9380a6ac5fe37d204cc055fb7f63cf764383
SHA256

d6390558e6f860877f95e6cf83ebc2fa028da6f469d75f73b27afe92900fbc7f
SHA512

b9c716b17d105a97cd161f9585e3b69a9b4b40091bb07c5e0cef79a257bb26a5076a58a649b4db6bb0a67990d980292df657b4187ff348a66748355a18699770
SSDEEP

12288:Nte7/9xRNdnCGjIz8L4frvaRHELXq24z3P8cUdKFoUU5Czd0/FU1F3:uf9nXIoL4frSELq1LP84dU5CJ0/w

Score

10^/10

blustealer zgrat persistence rat stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

a97ccd364ed034769bd7a0e41d823ebf.exe

Resource

win7-20240221-en

blustealer zgrat persistence rat stealer

windows7-x64

11 signatures

300 seconds

Behavioral task

behavioral2

Sample

a97ccd364ed034769bd7a0e41d823ebf.exe

Resource

win10v2004-20240226-en

blustealer zgrat persistence rat stealer

windows10-2004-x64

12 signatures

300 seconds

Malware Config

Targets

- Target
  
  a97ccd364ed034769bd7a0e41d823ebf
- Size
  
  754KB
- MD5
  
  a97ccd364ed034769bd7a0e41d823ebf
- SHA1
  
  ca4e9380a6ac5fe37d204cc055fb7f63cf764383
- SHA256
  
  d6390558e6f860877f95e6cf83ebc2fa028da6f469d75f73b27afe92900fbc7f
- SHA512
  
  b9c716b17d105a97cd161f9585e3b69a9b4b40091bb07c5e0cef79a257bb26a5076a58a649b4db6bb0a67990d980292df657b4187ff348a66748355a18699770
- SSDEEP
  
  12288:Nte7/9xRNdnCGjIz8L4frvaRHELXq24z3P8cUdKFoUU5Czd0/FU1F3:uf9nXIoL4frSELq1LP84dU5CJ0/w
Score

10^/10

blustealer zgrat persistence rat stealer
- BluStealer
  A Modular information stealer written in Visual Basic.
  stealer blustealer
- Detect ZGRat V1
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

blustealerzgratpersistenceratstealer

behavioral2

blustealerzgratpersistenceratstealer

© 2018-2024

Terms | Privacy