blustealer | ee6e8afc2fea358731c1a7fbe6becfe3e1f9e4d625004802776685ad6d36566a

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-03-2024 05:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0dcd7f63f9be0b02afd9fef0b22dd6a.exe
Size

662KB
MD5

e0dcd7f63f9be0b02afd9fef0b22dd6a
SHA1

a878243762b08d3a9c128c5b61fd4868a8a9880f
SHA256

ee6e8afc2fea358731c1a7fbe6becfe3e1f9e4d625004802776685ad6d36566a
SHA512

459c3ed6d15cfbc583daee0568c759849cf00a403b7bb3d670d9e2c7dd1a156abe10d0e4418193493043f446f221974b6ca7eecc2662d7e59b9aa3721c9b55a1
SSDEEP

12288:4jXaPiEiwf12epBbK0BfYhQOYODuYnsY3shrcUURQ17B6e4:iR2f12MK0BwQODuYnsYuWQ1g

Score

10^/10

blustealer zgrat rat stealer

Malware Config

Extracted

Family

blustealer

Credentials

Protocol: smtp
Host:
restd.xyz
Port:
587
Username:
[email protected]
Password:
B~flgiHT==?g

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral1/memory/2312-5-0x0000000005AF0000-0x0000000005B62000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-6-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-7-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-9-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-11-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-15-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-13-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-21-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-19-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-17-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-23-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-27-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-37-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-35-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-33-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-31-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-29-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-25-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-39-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-47-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-49-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-55-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-59-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-63-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-67-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-65-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-61-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-69-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-57-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-53-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-51-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-45-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-43-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-41-0x0000000005AF0000-0x0000000005B5C000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Deletes itself 1 IoCs

pid	Process
2124	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2312 set thread context of 1496	2312	e0dcd7f63f9be0b02afd9fef0b22dd6a.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2312	e0dcd7f63f9be0b02afd9fef0b22dd6a.exe
2312	e0dcd7f63f9be0b02afd9fef0b22dd6a.exe
2312	e0dcd7f63f9be0b02afd9fef0b22dd6a.exe
2312	e0dcd7f63f9be0b02afd9fef0b22dd6a.exe
2124	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2312	e0dcd7f63f9be0b02afd9fef0b22dd6a.exe
Token: SeDebugPrivilege	2124	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1496	e0dcd7f63f9be0b02afd9fef0b22dd6a.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 2124	2312	e0dcd7f63f9be0b02afd9fef0b22dd6a.exe	31
PID 2312 wrote to memory of 2124	2312	e0dcd7f63f9be0b02afd9fef0b22dd6a.exe	31
PID 2312 wrote to memory of 2124	2312	e0dcd7f63f9be0b02afd9fef0b22dd6a.exe	31
PID 2312 wrote to memory of 2124	2312	e0dcd7f63f9be0b02afd9fef0b22dd6a.exe	31
PID 2312 wrote to memory of 1496	2312	e0dcd7f63f9be0b02afd9fef0b22dd6a.exe	33
PID 2312 wrote to memory of 1496	2312	e0dcd7f63f9be0b02afd9fef0b22dd6a.exe	33
PID 2312 wrote to memory of 1496	2312	e0dcd7f63f9be0b02afd9fef0b22dd6a.exe	33
PID 2312 wrote to memory of 1496	2312	e0dcd7f63f9be0b02afd9fef0b22dd6a.exe	33
PID 2312 wrote to memory of 1496	2312	e0dcd7f63f9be0b02afd9fef0b22dd6a.exe	33
PID 2312 wrote to memory of 1496	2312	e0dcd7f63f9be0b02afd9fef0b22dd6a.exe	33
PID 2312 wrote to memory of 1496	2312	e0dcd7f63f9be0b02afd9fef0b22dd6a.exe	33
PID 2312 wrote to memory of 1496	2312	e0dcd7f63f9be0b02afd9fef0b22dd6a.exe	33
PID 2312 wrote to memory of 1496	2312	e0dcd7f63f9be0b02afd9fef0b22dd6a.exe	33

C:\Users\Admin\AppData\Local\Temp\e0dcd7f63f9be0b02afd9fef0b22dd6a.exe
"C:\Users\Admin\AppData\Local\Temp\e0dcd7f63f9be0b02afd9fef0b22dd6a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5; Remove-Item -Path "C:\Users\Admin\AppData\Local\Temp\e0dcd7f63f9be0b02afd9fef0b22dd6a.exe" -Force
  2⤵
  - Deletes itself
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2124
- C:\Users\Admin\AppData\Local\Temp\e0dcd7f63f9be0b02afd9fef0b22dd6a.exe
  C:\Users\Admin\AppData\Local\Temp\e0dcd7f63f9be0b02afd9fef0b22dd6a.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1496-2237-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1496-2242-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2124-2246-0x0000000074BA0000-0x000000007514B000-memory.dmp

Filesize
5.7MB

Download
memory/2124-2245-0x00000000020E0000-0x0000000002120000-memory.dmp

Filesize
256KB

Download
memory/2124-2244-0x00000000020E0000-0x0000000002120000-memory.dmp

Filesize
256KB

Download
memory/2124-2243-0x0000000074BA0000-0x000000007514B000-memory.dmp

Filesize
5.7MB

Download
memory/2124-2241-0x0000000074BA0000-0x000000007514B000-memory.dmp

Filesize
5.7MB

Download
memory/2312-47-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-63-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-11-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-15-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-13-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-21-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-19-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-17-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-23-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-27-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-37-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-35-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-33-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-31-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-29-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-25-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-39-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-0-0x0000000000890000-0x000000000093C000-memory.dmp

Filesize
688KB

Download
memory/2312-49-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-55-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-59-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-9-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-67-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-65-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-61-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-69-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-57-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-53-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-51-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-45-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-43-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-41-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-752-0x00000000021B0000-0x00000000021F0000-memory.dmp

Filesize
256KB

Download
memory/2312-2235-0x0000000074B20000-0x000000007520E000-memory.dmp

Filesize
6.9MB

Download
memory/2312-7-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-6-0x0000000005AF0000-0x0000000005B5C000-memory.dmp

Filesize
432KB

Download
memory/2312-5-0x0000000005AF0000-0x0000000005B62000-memory.dmp

Filesize
456KB

Download
memory/2312-4-0x0000000004B20000-0x0000000004BC8000-memory.dmp

Filesize
672KB

Download
memory/2312-3-0x0000000074B20000-0x000000007520E000-memory.dmp

Filesize
6.9MB

Download
memory/2312-2-0x00000000021B0000-0x00000000021F0000-memory.dmp

Filesize
256KB

Download
memory/2312-1-0x0000000074B20000-0x000000007520E000-memory.dmp

Filesize
6.9MB

Download