blustealer | ee6e8afc2fea358731c1a7fbe6becfe3e1f9e4d625004802776685ad6d36566a | Triage

Submit
Reports

Overview

overview

Static

static

3

e0dcd7f63f...6a.exe

windows7-x64

e0dcd7f63f...6a.exe

windows10-2004-x64

Sharing

General

Target

e0dcd7f63f9be0b02afd9fef0b22dd6a
Size

662KB
Sample

240327-fy8qmsde32
MD5

e0dcd7f63f9be0b02afd9fef0b22dd6a
SHA1

a878243762b08d3a9c128c5b61fd4868a8a9880f
SHA256

ee6e8afc2fea358731c1a7fbe6becfe3e1f9e4d625004802776685ad6d36566a
SHA512

459c3ed6d15cfbc583daee0568c759849cf00a403b7bb3d670d9e2c7dd1a156abe10d0e4418193493043f446f221974b6ca7eecc2662d7e59b9aa3721c9b55a1
SSDEEP

12288:4jXaPiEiwf12epBbK0BfYhQOYODuYnsY3shrcUURQ17B6e4:iR2f12MK0BwQODuYnsYuWQ1g

Score

10^/10

blustealer zgrat rat stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

e0dcd7f63f9be0b02afd9fef0b22dd6a.exe

Resource

win7-20240221-en

blustealer zgrat rat stealer

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

e0dcd7f63f9be0b02afd9fef0b22dd6a.exe

Resource

win10v2004-20240226-en

blustealer zgrat rat stealer

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

blustealer

Credentials

Protocol: smtp
Host:
restd.xyz
Port:
587
Username:
[email protected]
Password:
B~flgiHT==?g

Targets

- Target
  
  e0dcd7f63f9be0b02afd9fef0b22dd6a
- Size
  
  662KB
- MD5
  
  e0dcd7f63f9be0b02afd9fef0b22dd6a
- SHA1
  
  a878243762b08d3a9c128c5b61fd4868a8a9880f
- SHA256
  
  ee6e8afc2fea358731c1a7fbe6becfe3e1f9e4d625004802776685ad6d36566a
- SHA512
  
  459c3ed6d15cfbc583daee0568c759849cf00a403b7bb3d670d9e2c7dd1a156abe10d0e4418193493043f446f221974b6ca7eecc2662d7e59b9aa3721c9b55a1
- SSDEEP
  
  12288:4jXaPiEiwf12epBbK0BfYhQOYODuYnsY3shrcUURQ17B6e4:iR2f12MK0BwQODuYnsYuWQ1g
Score

10^/10

blustealer zgrat rat stealer
- BluStealer
  A Modular information stealer written in Visual Basic.
  stealer blustealer
- Detect ZGRat V1
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

blustealerzgratratstealer

behavioral2

blustealerzgratratstealer

© 2018-2024

Terms | Privacy