blustealer | 1d03149eb8839cefbe072e5fed04a5a775f856b53ffa1373f235a6a5ddceb553

General

Target

e9ae8d2f81cc2981ae784f3648040a92_JaffaCakes118.exe
Size

720KB
MD5

e9ae8d2f81cc2981ae784f3648040a92
SHA1

d9a19d08b817a88feaf08e00eee8a0479663a960
SHA256

1d03149eb8839cefbe072e5fed04a5a775f856b53ffa1373f235a6a5ddceb553
SHA512

f3ec9ededf32237cc22f5e303e00ee422b8e0d16c2ba789224808d069364ea9cbaf51d969e32e2b87086a1566c1528ef3f3d7cbfa494cbdd1d08ecac412fa1eb
SSDEEP

12288:uQWRct2NjFmzP1Wy4ASG3smyH0/X6BDWaozKnaoEe0N:u7RcMNjgWy4ASG3K4KtvcRoE

Score

10^/10

blustealer persistence spyware stealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot1802269231:AAELtF2SraPZQTuiNsCQFsNfPKlpc9jYjSk/sendMessage?chat_id=1817981127

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

e9ae8d2f81cc2981ae784f3648040a92_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rRajA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e9ae8d2f81cc2981ae784f3648040a92_JaffaCakes118.exe"	e9ae8d2f81cc2981ae784f3648040a92_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

e9ae8d2f81cc2981ae784f3648040a92_JaffaCakes118.exe

description	pid	process	target process
PID 1052 set thread context of 2568	1052	e9ae8d2f81cc2981ae784f3648040a92_JaffaCakes118.exe	e9ae8d2f81cc2981ae784f3648040a92_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

e9ae8d2f81cc2981ae784f3648040a92_JaffaCakes118.exe

pid process

2568 e9ae8d2f81cc2981ae784f3648040a92_JaffaCakes118.exe

pid	process
2568	e9ae8d2f81cc2981ae784f3648040a92_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

e9ae8d2f81cc2981ae784f3648040a92_JaffaCakes118.exe

description	pid	process	target process
PID 1052 wrote to memory of 2568	1052	e9ae8d2f81cc2981ae784f3648040a92_JaffaCakes118.exe	e9ae8d2f81cc2981ae784f3648040a92_JaffaCakes118.exe
PID 1052 wrote to memory of 2568	1052	e9ae8d2f81cc2981ae784f3648040a92_JaffaCakes118.exe	e9ae8d2f81cc2981ae784f3648040a92_JaffaCakes118.exe
PID 1052 wrote to memory of 2568	1052	e9ae8d2f81cc2981ae784f3648040a92_JaffaCakes118.exe	e9ae8d2f81cc2981ae784f3648040a92_JaffaCakes118.exe
PID 1052 wrote to memory of 2568	1052	e9ae8d2f81cc2981ae784f3648040a92_JaffaCakes118.exe	e9ae8d2f81cc2981ae784f3648040a92_JaffaCakes118.exe
PID 1052 wrote to memory of 2568	1052	e9ae8d2f81cc2981ae784f3648040a92_JaffaCakes118.exe	e9ae8d2f81cc2981ae784f3648040a92_JaffaCakes118.exe
PID 1052 wrote to memory of 2568	1052	e9ae8d2f81cc2981ae784f3648040a92_JaffaCakes118.exe	e9ae8d2f81cc2981ae784f3648040a92_JaffaCakes118.exe
PID 1052 wrote to memory of 2568	1052	e9ae8d2f81cc2981ae784f3648040a92_JaffaCakes118.exe	e9ae8d2f81cc2981ae784f3648040a92_JaffaCakes118.exe
PID 1052 wrote to memory of 2568	1052	e9ae8d2f81cc2981ae784f3648040a92_JaffaCakes118.exe	e9ae8d2f81cc2981ae784f3648040a92_JaffaCakes118.exe
PID 1052 wrote to memory of 2568	1052	e9ae8d2f81cc2981ae784f3648040a92_JaffaCakes118.exe	e9ae8d2f81cc2981ae784f3648040a92_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e9ae8d2f81cc2981ae784f3648040a92_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e9ae8d2f81cc2981ae784f3648040a92_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1052

C:\Users\Admin\AppData\Local\Temp\e9ae8d2f81cc2981ae784f3648040a92_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e9ae8d2f81cc2981ae784f3648040a92_JaffaCakes118.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:2568

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1052-18-0x0000000074230000-0x000000007491E000-memory.dmp

Filesize
6.9MB

Download
memory/1052-2-0x0000000004CE0000-0x0000000004D20000-memory.dmp

Filesize
256KB

Download
memory/1052-1-0x0000000074230000-0x000000007491E000-memory.dmp

Filesize
6.9MB

Download
memory/1052-0-0x00000000001A0000-0x000000000025A000-memory.dmp

Filesize
744KB

Download
memory/1052-4-0x0000000074230000-0x000000007491E000-memory.dmp

Filesize
6.9MB

Download
memory/1052-5-0x0000000004CE0000-0x0000000004D20000-memory.dmp

Filesize
256KB

Download
memory/1052-6-0x00000000056A0000-0x0000000005726000-memory.dmp

Filesize
536KB

Download
memory/1052-7-0x0000000000770000-0x0000000000788000-memory.dmp

Filesize
96KB

Download
memory/1052-3-0x0000000000290000-0x00000000002AA000-memory.dmp

Filesize
104KB

Download
memory/2568-8-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2568-10-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2568-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2568-14-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2568-16-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2568-9-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2568-20-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads