blustealer | ff067dcb1df6837231a965295ce09eb39ddc7856b72f23c59f8bd950bcc8c3f8

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26-03-2024 08:59

Target

dec7bbc61e5fac7b9dcc798e85c6cffc.exe
Size

2.6MB
MD5

dec7bbc61e5fac7b9dcc798e85c6cffc
SHA1

353315e4cf6cd85aa6cf574761f7b5e706b35597
SHA256

ff067dcb1df6837231a965295ce09eb39ddc7856b72f23c59f8bd950bcc8c3f8
SHA512

4edb7b2028045a70dc95ff3956904c19499f5442b87f402d7e3f8e0b861c0bb7e25ee906774d8a25e6ee92c428dad8db35881f401e426985e80914fb0129bbfa
SSDEEP

24576:lVe3u2JKwQ1rDRYgkCL9m9YgYXr0hLzwMTR3jllk+x0a2XQFsZxhoED:f9pqOyeMxlpYr

Score

10^/10

Family

blustealer

https://api.telegram.org/bot1949235546:AAFJ8hWHynuHinrzOjcAE-TQlS6bYGcf8J8/sendMessage?chat_id=1947722068

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral1/memory/1920-4-0x0000000000330000-0x0000000000346000-memory.dmp	family_zgrat_v1

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1920 set thread context of 1624	1920	dec7bbc61e5fac7b9dcc798e85c6cffc.exe	28

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1624	dec7bbc61e5fac7b9dcc798e85c6cffc.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 1624	1920	dec7bbc61e5fac7b9dcc798e85c6cffc.exe	28
PID 1920 wrote to memory of 1624	1920	dec7bbc61e5fac7b9dcc798e85c6cffc.exe	28
PID 1920 wrote to memory of 1624	1920	dec7bbc61e5fac7b9dcc798e85c6cffc.exe	28
PID 1920 wrote to memory of 1624	1920	dec7bbc61e5fac7b9dcc798e85c6cffc.exe	28
PID 1920 wrote to memory of 1624	1920	dec7bbc61e5fac7b9dcc798e85c6cffc.exe	28
PID 1920 wrote to memory of 1624	1920	dec7bbc61e5fac7b9dcc798e85c6cffc.exe	28
PID 1920 wrote to memory of 1624	1920	dec7bbc61e5fac7b9dcc798e85c6cffc.exe	28
PID 1920 wrote to memory of 1624	1920	dec7bbc61e5fac7b9dcc798e85c6cffc.exe	28
PID 1920 wrote to memory of 1624	1920	dec7bbc61e5fac7b9dcc798e85c6cffc.exe	28

C:\Users\Admin\AppData\Local\Temp\dec7bbc61e5fac7b9dcc798e85c6cffc.exe
"C:\Users\Admin\AppData\Local\Temp\dec7bbc61e5fac7b9dcc798e85c6cffc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Users\Admin\AppData\Local\Temp\dec7bbc61e5fac7b9dcc798e85c6cffc.exe
  "C:\Users\Admin\AppData\Local\Temp\dec7bbc61e5fac7b9dcc798e85c6cffc.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1624

memory/1624-11-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1624-5-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1624-6-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1624-7-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1624-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1624-13-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1624-17-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1920-0-0x0000000001080000-0x0000000001324000-memory.dmp

Filesize
2.6MB

Download
memory/1920-2-0x0000000000DF0000-0x0000000000E30000-memory.dmp

Filesize
256KB

Download
memory/1920-3-0x0000000005000000-0x000000000517A000-memory.dmp

Filesize
1.5MB

Download
memory/1920-4-0x0000000000330000-0x0000000000346000-memory.dmp

Filesize
88KB

Download
memory/1920-1-0x0000000073EF0000-0x00000000745DE000-memory.dmp

Filesize
6.9MB

Download
memory/1920-15-0x0000000073EF0000-0x00000000745DE000-memory.dmp

Filesize
6.9MB

Download