blustealer | ee6e8afc2fea358731c1a7fbe6becfe3e1f9e4d625004802776685ad6d36566a

General

Target

e0dcd7f63f9be0b02afd9fef0b22dd6a.exe
Size

662KB
MD5

e0dcd7f63f9be0b02afd9fef0b22dd6a
SHA1

a878243762b08d3a9c128c5b61fd4868a8a9880f
SHA256

ee6e8afc2fea358731c1a7fbe6becfe3e1f9e4d625004802776685ad6d36566a
SHA512

459c3ed6d15cfbc583daee0568c759849cf00a403b7bb3d670d9e2c7dd1a156abe10d0e4418193493043f446f221974b6ca7eecc2662d7e59b9aa3721c9b55a1
SSDEEP

12288:4jXaPiEiwf12epBbK0BfYhQOYODuYnsY3shrcUURQ17B6e4:iR2f12MK0BwQODuYnsYuWQ1g

Score

10^/10

blustealer zgrat rat stealer

Malware Config

Extracted

Family

blustealer

Credentials

Protocol: smtp
Host:
restd.xyz
Port:
587
Username:
dem6teck@netjul.club
Password:
B~flgiHT==?g

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Detect ZGRat V1 34 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2312-5-0x0000000005AF0000-0x0000000005B62000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-6-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-7-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-9-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-11-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-15-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-13-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-21-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-19-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-17-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-23-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-27-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-37-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-35-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-33-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-31-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-29-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-25-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-39-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-47-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-49-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-55-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-59-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-63-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-67-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-65-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-61-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-69-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-57-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-53-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-51-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-45-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-43-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-41-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Deletes itself 1 IoCs

Processes:

powershell.exe

pid process

2124 powershell.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

e0dcd7f63f9be0b02afd9fef0b22dd6a.exe

description pid process target process

PID 2312 set thread context of 1496 2312 e0dcd7f63f9be0b02afd9fef0b22dd6a.exe e0dcd7f63f9be0b02afd9fef0b22dd6a.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2124	powershell.exe

description	pid	process	target process
PID 2312 set thread context of 1496	2312	e0dcd7f63f9be0b02afd9fef0b22dd6a.exe	e0dcd7f63f9be0b02afd9fef0b22dd6a.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

e0dcd7f63f9be0b02afd9fef0b22dd6a.exepowershell.exe

pid	process
2312	e0dcd7f63f9be0b02afd9fef0b22dd6a.exe
2312	e0dcd7f63f9be0b02afd9fef0b22dd6a.exe
2312	e0dcd7f63f9be0b02afd9fef0b22dd6a.exe
2312	e0dcd7f63f9be0b02afd9fef0b22dd6a.exe
2124	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

e0dcd7f63f9be0b02afd9fef0b22dd6a.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2312 e0dcd7f63f9be0b02afd9fef0b22dd6a.exe
Token: SeDebugPrivilege 2124 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

e0dcd7f63f9be0b02afd9fef0b22dd6a.exe

pid process

1496 e0dcd7f63f9be0b02afd9fef0b22dd6a.exe

description	pid	process
Token: SeDebugPrivilege	2312	e0dcd7f63f9be0b02afd9fef0b22dd6a.exe
Token: SeDebugPrivilege	2124	powershell.exe

pid	process
1496	e0dcd7f63f9be0b02afd9fef0b22dd6a.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

e0dcd7f63f9be0b02afd9fef0b22dd6a.exe

description	pid	process	target process
PID 2312 wrote to memory of 2124	2312	e0dcd7f63f9be0b02afd9fef0b22dd6a.exe	powershell.exe
PID 2312 wrote to memory of 2124	2312	e0dcd7f63f9be0b02afd9fef0b22dd6a.exe	powershell.exe
PID 2312 wrote to memory of 2124	2312	e0dcd7f63f9be0b02afd9fef0b22dd6a.exe	powershell.exe
PID 2312 wrote to memory of 2124	2312	e0dcd7f63f9be0b02afd9fef0b22dd6a.exe	powershell.exe
PID 2312 wrote to memory of 1496	2312	e0dcd7f63f9be0b02afd9fef0b22dd6a.exe	e0dcd7f63f9be0b02afd9fef0b22dd6a.exe
PID 2312 wrote to memory of 1496	2312	e0dcd7f63f9be0b02afd9fef0b22dd6a.exe	e0dcd7f63f9be0b02afd9fef0b22dd6a.exe
PID 2312 wrote to memory of 1496	2312	e0dcd7f63f9be0b02afd9fef0b22dd6a.exe	e0dcd7f63f9be0b02afd9fef0b22dd6a.exe
PID 2312 wrote to memory of 1496	2312	e0dcd7f63f9be0b02afd9fef0b22dd6a.exe	e0dcd7f63f9be0b02afd9fef0b22dd6a.exe
PID 2312 wrote to memory of 1496	2312	e0dcd7f63f9be0b02afd9fef0b22dd6a.exe	e0dcd7f63f9be0b02afd9fef0b22dd6a.exe
PID 2312 wrote to memory of 1496	2312	e0dcd7f63f9be0b02afd9fef0b22dd6a.exe	e0dcd7f63f9be0b02afd9fef0b22dd6a.exe
PID 2312 wrote to memory of 1496	2312	e0dcd7f63f9be0b02afd9fef0b22dd6a.exe	e0dcd7f63f9be0b02afd9fef0b22dd6a.exe
PID 2312 wrote to memory of 1496	2312	e0dcd7f63f9be0b02afd9fef0b22dd6a.exe	e0dcd7f63f9be0b02afd9fef0b22dd6a.exe
PID 2312 wrote to memory of 1496	2312	e0dcd7f63f9be0b02afd9fef0b22dd6a.exe	e0dcd7f63f9be0b02afd9fef0b22dd6a.exe

C:\Users\Admin\AppData\Local\Temp\e0dcd7f63f9be0b02afd9fef0b22dd6a.exe
"C:\Users\Admin\AppData\Local\Temp\e0dcd7f63f9be0b02afd9fef0b22dd6a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2312

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5; Remove-Item -Path "C:\Users\Admin\AppData\Local\Temp\e0dcd7f63f9be0b02afd9fef0b22dd6a.exe" -Force
2⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Users\Admin\AppData\Local\Temp\e0dcd7f63f9be0b02afd9fef0b22dd6a.exe
C:\Users\Admin\AppData\Local\Temp\e0dcd7f63f9be0b02afd9fef0b22dd6a.exe
2⤵
- Suspicious use of SetWindowsHookEx
PID:1496

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1496-2237-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1496-2242-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2124-2246-0x0000000074BA0000-0x000000007514B000-memory.dmp

Filesize
5.7MB

Download
memory/2124-2245-0x00000000020E0000-0x0000000002120000-memory.dmp

Filesize
256KB

Download
memory/2124-2244-0x00000000020E0000-0x0000000002120000-memory.dmp

Filesize
256KB

Download
memory/2124-2243-0x0000000074BA0000-0x000000007514B000-memory.dmp

Filesize
5.7MB

Download
memory/2124-2241-0x0000000074BA0000-0x000000007514B000-memory.dmp

Filesize
5.7MB

Download
memory/2312-47-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-63-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-11-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-15-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-13-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-21-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-19-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-17-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-23-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-27-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-37-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-35-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-33-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-31-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-29-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-25-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-39-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-0-0x0000000000890000-0x000000000093C000-memory.dmp

Filesize
688KB

Download
memory/2312-49-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-55-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-59-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-9-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-67-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-65-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-61-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-69-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-57-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-53-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-51-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-45-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-43-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-41-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-752-0x00000000021B0000-0x00000000021F0000-memory.dmp

Filesize
256KB

Download
memory/2312-2235-0x0000000074B20000-0x000000007520E000-memory.dmp

Filesize
6.9MB

Download
memory/2312-7-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-6-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-5-0x0000000005AF0000-0x0000000005B62000-memory.dmp

Filesize
456KB

Download
memory/2312-4-0x0000000004B20000-0x0000000004BC8000-memory.dmp

Filesize
672KB

Download
memory/2312-3-0x0000000074B20000-0x000000007520E000-memory.dmp

Filesize
6.9MB

Download
memory/2312-2-0x00000000021B0000-0x00000000021F0000-memory.dmp

Filesize
256KB

Download
memory/2312-1-0x0000000074B20000-0x000000007520E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads