blustealer | 967f7296fc850d9a5c810776f910b5ac22dbff3a31f00c7641bdb68b421b7caf

General

Target

b02a63fa9c807c8509341d264e494f99.exe
Size

1.1MB
MD5

b02a63fa9c807c8509341d264e494f99
SHA1

dd9a5cfc7dbe769be5a9edb8f1e6e1a5e17bf8ec
SHA256

967f7296fc850d9a5c810776f910b5ac22dbff3a31f00c7641bdb68b421b7caf
SHA512

e46f85a067aefb3e500e448aec1d878e8cb79f009f3d434e3f25240fc3d50d41ded7abb18845eedcaa03e00f58078a36a4c258ec8bcfdc9fd8f7668dbe3c6b22
SSDEEP

24576:Z/FAjZ1EVMqHj1q0oc163Dwlrp9KyxsuM:YZ1EBHBqakDwlrbKCs

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

Credentials

Protocol: smtp
Host:
mail.sabaint.me
Port:
587
Username:
[email protected]
Password:
regina1983-

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation	b02a63fa9c807c8509341d264e494f99.exe

Executes dropped EXE 1 IoCs

pid	Process
5028	PASSWORDSNET4.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PASSWORDSNET4.exe
Key opened	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PASSWORDSNET4.exe
Key opened	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PASSWORDSNET4.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4136 set thread context of 1012	4136	b02a63fa9c807c8509341d264e494f99.exe	97

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	PASSWORDSNET4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	PASSWORDSNET4.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2692	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4136	b02a63fa9c807c8509341d264e494f99.exe
4136	b02a63fa9c807c8509341d264e494f99.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1012	b02a63fa9c807c8509341d264e494f99.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4136	b02a63fa9c807c8509341d264e494f99.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1012	b02a63fa9c807c8509341d264e494f99.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1012	b02a63fa9c807c8509341d264e494f99.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4136 wrote to memory of 2692	4136	b02a63fa9c807c8509341d264e494f99.exe	94
PID 4136 wrote to memory of 2692	4136	b02a63fa9c807c8509341d264e494f99.exe	94
PID 4136 wrote to memory of 2692	4136	b02a63fa9c807c8509341d264e494f99.exe	94
PID 4136 wrote to memory of 2304	4136	b02a63fa9c807c8509341d264e494f99.exe	96
PID 4136 wrote to memory of 2304	4136	b02a63fa9c807c8509341d264e494f99.exe	96
PID 4136 wrote to memory of 2304	4136	b02a63fa9c807c8509341d264e494f99.exe	96
PID 4136 wrote to memory of 1012	4136	b02a63fa9c807c8509341d264e494f99.exe	97
PID 4136 wrote to memory of 1012	4136	b02a63fa9c807c8509341d264e494f99.exe	97
PID 4136 wrote to memory of 1012	4136	b02a63fa9c807c8509341d264e494f99.exe	97
PID 4136 wrote to memory of 1012	4136	b02a63fa9c807c8509341d264e494f99.exe	97
PID 4136 wrote to memory of 1012	4136	b02a63fa9c807c8509341d264e494f99.exe	97
PID 4136 wrote to memory of 1012	4136	b02a63fa9c807c8509341d264e494f99.exe	97
PID 4136 wrote to memory of 1012	4136	b02a63fa9c807c8509341d264e494f99.exe	97
PID 4136 wrote to memory of 1012	4136	b02a63fa9c807c8509341d264e494f99.exe	97
PID 1012 wrote to memory of 5028	1012	b02a63fa9c807c8509341d264e494f99.exe	98
PID 1012 wrote to memory of 5028	1012	b02a63fa9c807c8509341d264e494f99.exe	98

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PASSWORDSNET4.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PASSWORDSNET4.exe

C:\Users\Admin\AppData\Local\Temp\b02a63fa9c807c8509341d264e494f99.exe
"C:\Users\Admin\AppData\Local\Temp\b02a63fa9c807c8509341d264e494f99.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4136
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pvdzHuv" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1C9B.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2692
- C:\Users\Admin\AppData\Local\Temp\b02a63fa9c807c8509341d264e494f99.exe
  "C:\Users\Admin\AppData\Local\Temp\b02a63fa9c807c8509341d264e494f99.exe"
  2⤵
  PID:2304
- C:\Users\Admin\AppData\Local\Temp\b02a63fa9c807c8509341d264e494f99.exe
  "C:\Users\Admin\AppData\Local\Temp\b02a63fa9c807c8509341d264e494f99.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1012
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - outlook_office_path
    - outlook_win_path
    PID:5028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

2

T1552.001

Credentials in Registry

1

T1552.002

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1C9B.tmp

Filesize
1KB

MD5
fd4360c6ec1d931d1701e99ad16b0f4c

SHA1
0b6fe81af02e6d28e83de8b3114ae1c4aa807de4

SHA256
4622b462d9d4ac046095342722756171b3b3031ec7e740fac24f7ef9a1f8dc8f

SHA512
26b2660033887fb2328aa5a9bc332b95e86f5a820895fe4a35bc0d4e4f6b41b7f081f4ff2d93c136f536106e19e1728eebffb0d86701856ed20a67dccfa8d0d4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe

Filesize
156KB

MD5
0c3c728a9b4376e014bc97f7b1da74f0

SHA1
de2253d0c3e02ea9d27ae6f46082cec9d0164a02

SHA256
05f0ac30ce02bc3608d957b40896240ae750da01393f4e26a8951fc7987959ca

SHA512
f610ae81854bc99086f139833b7d16b7e7634f53ef1125dc97d01611ec46c262e1f87dde31aa47a19e17a81334c4f25b4096d8e255460e3446bf45d656f5f81c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\UMLCWGSL_Admin.zip

Filesize
24B

MD5
98a833e15d18697e8e56cdafb0642647

SHA1
e5f94d969899646a3d4635f28a7cd9dd69705887

SHA256
ff006c86b5ec033fe3cafd759bf75be00e50c375c75157e99c0c5d39c96a2a6c

SHA512
c6f9a09d9707b770dbc10d47c4d9b949f4ebf5f030b5ef8c511b635c32d418ad25d72eee5d7ed02a96aeb8bf2c85491ca1aa0e4336d242793c886ed1bcdd910b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\UMLCWGSL_Admin.zip

Filesize
524B

MD5
8055cd0102dec292f55909bb583b191f

SHA1
8cc704ff950e21066ff6ccb8c3a394760505b2af

SHA256
3eea25d1a14b0bbea5fa0a27157f3dac92f80c4fa745604c45ab070d7b521146

SHA512
e79046fe1f80f2703490c3c49fffb32be7ddcf296ad08377ea897611a32f331968a7f993326106f7de98a25414a5e71fa287baa3ef0a36e94d7680dca7d57bcf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\X5BREKZ7NZ.zip

Filesize
122KB

MD5
37ac88bc53abcc353b3a93f68fb30871

SHA1
f5165c03b5de33db3704d502227bac35eae1c6c5

SHA256
7bc03158a3c0bcb001093d9d40eaf6b9a7adf14e685db68fbd9d0f135d447ebe

SHA512
01c65cbf90c2db90d0563d4a45650d4abd19e1a90bb8467f0e5a57ff1c6c377e3be8216f3324b81af58822b75a22b52f7317df985c11f3a7a45b72843134fc38

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\credentials.txt

Filesize
1KB

MD5
19b9e286a077be227807e5ae6be29127

SHA1
73a51350249ac1f02509e76dbfa4d9c12a873fa5

SHA256
5b526f7aa0b182b9aeac8c1e949da9ea9a5c981bf2e695bd392d6c6e1b436f5c

SHA512
5ab91262f4c00879db5a40ffce90ad18a412364b0a652b09861468846e124dbe2fd7ee2b3249bde1e75d51e1f5d6708596b4e5b5cc6a7be3b3e6d7414c4d84fa

Download Submit
memory/1012-108-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1012-21-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1012-18-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4136-6-0x0000000004DC0000-0x0000000004DCA000-memory.dmp

Filesize
40KB

Download
memory/4136-5-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/4136-11-0x00000000066F0000-0x00000000067AE000-memory.dmp

Filesize
760KB

Download
memory/4136-12-0x0000000008D20000-0x0000000008D72000-memory.dmp

Filesize
328KB

Download
memory/4136-9-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/4136-8-0x00000000050D0000-0x00000000050E8000-memory.dmp

Filesize
96KB

Download
memory/4136-7-0x0000000005010000-0x0000000005066000-memory.dmp

Filesize
344KB

Download
memory/4136-22-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/4136-0-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/4136-10-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/4136-1-0x0000000000200000-0x000000000031C000-memory.dmp

Filesize
1.1MB

Download
memory/4136-2-0x0000000004C80000-0x0000000004D1C000-memory.dmp

Filesize
624KB

Download
memory/4136-3-0x0000000005370000-0x0000000005914000-memory.dmp

Filesize
5.6MB

Download
memory/4136-4-0x0000000004E60000-0x0000000004EF2000-memory.dmp

Filesize
584KB

Download
memory/5028-107-0x00007FFB5E470000-0x00007FFB5EF31000-memory.dmp

Filesize
10.8MB

Download
memory/5028-98-0x000000001BC50000-0x000000001BC60000-memory.dmp

Filesize
64KB

Download
memory/5028-97-0x00007FFB5E470000-0x00007FFB5EF31000-memory.dmp

Filesize
10.8MB

Download
memory/5028-96-0x0000000000AC0000-0x0000000000AEE000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads