blustealer | 967f7296fc850d9a5c810776f910b5ac22dbff3a31f00c7641bdb68b421b7caf

General

Target

b02a63fa9c807c8509341d264e494f99.exe
Size

1.1MB
MD5

b02a63fa9c807c8509341d264e494f99
SHA1

dd9a5cfc7dbe769be5a9edb8f1e6e1a5e17bf8ec
SHA256

967f7296fc850d9a5c810776f910b5ac22dbff3a31f00c7641bdb68b421b7caf
SHA512

e46f85a067aefb3e500e448aec1d878e8cb79f009f3d434e3f25240fc3d50d41ded7abb18845eedcaa03e00f58078a36a4c258ec8bcfdc9fd8f7668dbe3c6b22
SSDEEP

24576:Z/FAjZ1EVMqHj1q0oc163Dwlrp9KyxsuM:YZ1EBHBqakDwlrbKCs

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

Credentials

Protocol: smtp
Host:
mail.sabaint.me
Port:
587
Username:
[email protected]
Password:
regina1983-

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 1 IoCs

pid	Process
2448	PASSWORDSNET4.exe

Loads dropped DLL 1 IoCs

pid	Process
2368	b02a63fa9c807c8509341d264e494f99.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PASSWORDSNET4.exe
Key opened	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PASSWORDSNET4.exe
Key opened	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PASSWORDSNET4.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3064 set thread context of 2368	3064	b02a63fa9c807c8509341d264e494f99.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	PASSWORDSNET4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	PASSWORDSNET4.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2404	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3064	b02a63fa9c807c8509341d264e494f99.exe
3064	b02a63fa9c807c8509341d264e494f99.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2368	b02a63fa9c807c8509341d264e494f99.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3064	b02a63fa9c807c8509341d264e494f99.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2368	b02a63fa9c807c8509341d264e494f99.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2368	b02a63fa9c807c8509341d264e494f99.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 2404	3064	b02a63fa9c807c8509341d264e494f99.exe	30
PID 3064 wrote to memory of 2404	3064	b02a63fa9c807c8509341d264e494f99.exe	30
PID 3064 wrote to memory of 2404	3064	b02a63fa9c807c8509341d264e494f99.exe	30
PID 3064 wrote to memory of 2404	3064	b02a63fa9c807c8509341d264e494f99.exe	30
PID 3064 wrote to memory of 3032	3064	b02a63fa9c807c8509341d264e494f99.exe	32
PID 3064 wrote to memory of 3032	3064	b02a63fa9c807c8509341d264e494f99.exe	32
PID 3064 wrote to memory of 3032	3064	b02a63fa9c807c8509341d264e494f99.exe	32
PID 3064 wrote to memory of 3032	3064	b02a63fa9c807c8509341d264e494f99.exe	32
PID 3064 wrote to memory of 2368	3064	b02a63fa9c807c8509341d264e494f99.exe	33
PID 3064 wrote to memory of 2368	3064	b02a63fa9c807c8509341d264e494f99.exe	33
PID 3064 wrote to memory of 2368	3064	b02a63fa9c807c8509341d264e494f99.exe	33
PID 3064 wrote to memory of 2368	3064	b02a63fa9c807c8509341d264e494f99.exe	33
PID 3064 wrote to memory of 2368	3064	b02a63fa9c807c8509341d264e494f99.exe	33
PID 3064 wrote to memory of 2368	3064	b02a63fa9c807c8509341d264e494f99.exe	33
PID 3064 wrote to memory of 2368	3064	b02a63fa9c807c8509341d264e494f99.exe	33
PID 3064 wrote to memory of 2368	3064	b02a63fa9c807c8509341d264e494f99.exe	33
PID 3064 wrote to memory of 2368	3064	b02a63fa9c807c8509341d264e494f99.exe	33
PID 2368 wrote to memory of 2448	2368	b02a63fa9c807c8509341d264e494f99.exe	34
PID 2368 wrote to memory of 2448	2368	b02a63fa9c807c8509341d264e494f99.exe	34
PID 2368 wrote to memory of 2448	2368	b02a63fa9c807c8509341d264e494f99.exe	34
PID 2368 wrote to memory of 2448	2368	b02a63fa9c807c8509341d264e494f99.exe	34

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PASSWORDSNET4.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PASSWORDSNET4.exe

C:\Users\Admin\AppData\Local\Temp\b02a63fa9c807c8509341d264e494f99.exe
"C:\Users\Admin\AppData\Local\Temp\b02a63fa9c807c8509341d264e494f99.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pvdzHuv" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEB2A.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2404
- C:\Users\Admin\AppData\Local\Temp\b02a63fa9c807c8509341d264e494f99.exe
  "C:\Users\Admin\AppData\Local\Temp\b02a63fa9c807c8509341d264e494f99.exe"
  2⤵
  PID:3032
- C:\Users\Admin\AppData\Local\Temp\b02a63fa9c807c8509341d264e494f99.exe
  "C:\Users\Admin\AppData\Local\Temp\b02a63fa9c807c8509341d264e494f99.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - outlook_office_path
    - outlook_win_path
    PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

2

T1552.001

Credentials in Registry

1

T1552.002

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpEB2A.tmp

Filesize
1KB

MD5
34904aa8c17c7dab6f1c80b69d74255a

SHA1
688d68897d1092dd72d0b6e5094b3e0040b59238

SHA256
a84f601546bd63581c7be8f2ac2cd155667865734d867835d1a0db43391b8347

SHA512
c65c48f540bb1807ff88578a2ed67ad9e7344a3a7826c76f617c56383f94a1731b9c9bf9508fe641af9b75e80c1c25bde5b33d4cf6bd29baa444ee67f0739833

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\TEMPLA~1\UEFSYM~1.ZIP

Filesize
122KB

MD5
37ac88bc53abcc353b3a93f68fb30871

SHA1
f5165c03b5de33db3704d502227bac35eae1c6c5

SHA256
7bc03158a3c0bcb001093d9d40eaf6b9a7adf14e685db68fbd9d0f135d447ebe

SHA512
01c65cbf90c2db90d0563d4a45650d4abd19e1a90bb8467f0e5a57ff1c6c377e3be8216f3324b81af58822b75a22b52f7317df985c11f3a7a45b72843134fc38

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe

Filesize
156KB

MD5
0c3c728a9b4376e014bc97f7b1da74f0

SHA1
de2253d0c3e02ea9d27ae6f46082cec9d0164a02

SHA256
05f0ac30ce02bc3608d957b40896240ae750da01393f4e26a8951fc7987959ca

SHA512
f610ae81854bc99086f139833b7d16b7e7634f53ef1125dc97d01611ec46c262e1f87dde31aa47a19e17a81334c4f25b4096d8e255460e3446bf45d656f5f81c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\UADPPTXT_Admin.zip

Filesize
24B

MD5
98a833e15d18697e8e56cdafb0642647

SHA1
e5f94d969899646a3d4635f28a7cd9dd69705887

SHA256
ff006c86b5ec033fe3cafd759bf75be00e50c375c75157e99c0c5d39c96a2a6c

SHA512
c6f9a09d9707b770dbc10d47c4d9b949f4ebf5f030b5ef8c511b635c32d418ad25d72eee5d7ed02a96aeb8bf2c85491ca1aa0e4336d242793c886ed1bcdd910b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\UADPPTXT_Admin.zip

Filesize
398B

MD5
50f8bdbf9754e1d81ba99ddc7af9a7e4

SHA1
5275bfc5229e08f6b3db98982e3ff4cf62f7ab41

SHA256
7f46d5e9791edda071c9daedcd84f48356d095e9bfc3027c262e054c306863b7

SHA512
bfe294d4f90d3250c8a4106ad4aab82437180b9324374e77c15ef41061c971a7000005de23a94b05da74ed43a17cba39119d3cbc3ba559e9813648f60cae3d3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\credentials.txt

Filesize
311B

MD5
3a6af416d4eb1ca2b09ad7e3c4ecacb7

SHA1
e1ddc71c54be441a2a0878a9be3f606763a2c75a

SHA256
9bb400169fe4d278b63e446b8f6d53533ef4ff254a947bd5d303cef17c8aa1cd

SHA512
830e5d6fa03aab2d98af9c1a33b6fca04c7bfcff87e650c9e545d53802fd9cec4fb9e5eb95c5972faab2f4f202e75cb794b6e98c8bc6bbeda388b1775edbdfc1

Download Submit
memory/2368-105-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2368-110-0x0000000001220000-0x0000000001221000-memory.dmp

Filesize
4KB

Download
memory/2368-130-0x0000000001220000-0x0000000001221000-memory.dmp

Filesize
4KB

Download
memory/2368-13-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2368-14-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2368-15-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2368-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2368-19-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2368-21-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2448-104-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2448-97-0x0000000001320000-0x000000000134E000-memory.dmp

Filesize
184KB

Download
memory/2448-98-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2448-99-0x000000001B990000-0x000000001BA10000-memory.dmp

Filesize
512KB

Download
memory/3064-23-0x0000000074980000-0x000000007506E000-memory.dmp

Filesize
6.9MB

Download
memory/3064-7-0x0000000000B90000-0x0000000000BE2000-memory.dmp

Filesize
328KB

Download
memory/3064-0-0x0000000001290000-0x00000000013AC000-memory.dmp

Filesize
1.1MB

Download
memory/3064-6-0x0000000005850000-0x000000000590E000-memory.dmp

Filesize
760KB

Download
memory/3064-5-0x0000000000B50000-0x0000000000B90000-memory.dmp

Filesize
256KB

Download
memory/3064-4-0x0000000074980000-0x000000007506E000-memory.dmp

Filesize
6.9MB

Download
memory/3064-3-0x0000000000580000-0x0000000000598000-memory.dmp

Filesize
96KB

Download
memory/3064-2-0x0000000000B50000-0x0000000000B90000-memory.dmp

Filesize
256KB

Download
memory/3064-1-0x0000000074980000-0x000000007506E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads