Overview

overview

10

Static

static

3

e9ae8d2f81...18.exe

windows7-x64

10

e9ae8d2f81...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    e9ae8d2f81cc2981ae784f3648040a92_JaffaCakes118

  • Size

    720KB

  • Sample

    240409-lfmcksbf85

  • MD5

    e9ae8d2f81cc2981ae784f3648040a92

  • SHA1

    d9a19d08b817a88feaf08e00eee8a0479663a960

  • SHA256

    1d03149eb8839cefbe072e5fed04a5a775f856b53ffa1373f235a6a5ddceb553

  • SHA512

    f3ec9ededf32237cc22f5e303e00ee422b8e0d16c2ba789224808d069364ea9cbaf51d969e32e2b87086a1566c1528ef3f3d7cbfa494cbdd1d08ecac412fa1eb

  • SSDEEP

    12288:uQWRct2NjFmzP1Wy4ASG3smyH0/X6BDWaozKnaoEe0N:u7RcMNjgWy4ASG3K4KtvcRoE

Score
10/10
blustealerpersistencespywarestealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot1802269231:AAELtF2SraPZQTuiNsCQFsNfPKlpc9jYjSk/sendMessage?chat_id=1817981127

Targets

    • Target

      e9ae8d2f81cc2981ae784f3648040a92_JaffaCakes118

    • Size

      720KB

    • MD5

      e9ae8d2f81cc2981ae784f3648040a92

    • SHA1

      d9a19d08b817a88feaf08e00eee8a0479663a960

    • SHA256

      1d03149eb8839cefbe072e5fed04a5a775f856b53ffa1373f235a6a5ddceb553

    • SHA512

      f3ec9ededf32237cc22f5e303e00ee422b8e0d16c2ba789224808d069364ea9cbaf51d969e32e2b87086a1566c1528ef3f3d7cbfa494cbdd1d08ecac412fa1eb

    • SSDEEP

      12288:uQWRct2NjFmzP1Wy4ASG3smyH0/X6BDWaozKnaoEe0N:u7RcMNjgWy4ASG3K4KtvcRoE

    Score
    10/10
    blustealerpersistencespywarestealer

    • BluStealer

      A Modular information stealer written in Visual Basic.

      stealerblustealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks