blustealer | 78a20f7c54434dd382b55ca3256778ef987ba1035d5e91c9d0d25c9d801f8add

General

Target

f1ec304e5be150aca87f071e47a5d025_JaffaCakes118.exe
Size

683KB
MD5

f1ec304e5be150aca87f071e47a5d025
SHA1

6c981d077f980958f4d5a405928eee3385545778
SHA256

78a20f7c54434dd382b55ca3256778ef987ba1035d5e91c9d0d25c9d801f8add
SHA512

adba0407db594918a044ab2d148975b1e4bfcf74a22f1a5b5f7a149eb491d8dc1d278593198f9898327fcf6da37b93f387b0544629a1fc2a1e330e49828ad229
SSDEEP

12288:CTU+bmzUri3pwCCtfE95OJmufAW5Gn5vX4LEjYj9qfU9nAZz0fI+KvnVbnc8/FMm:C9mzp3cfFJmun4nt5kASAJ0fFKvnpnrT

Score

10^/10

blustealer zgrat persistence rat stealer

Malware Config

Extracted

Family

blustealer

Credentials

Protocol: smtp
Host:
budgetn.xyz
Port:
587
Username:
shunyuan@budgetn.xyz
Password:
r[]w2e=V+]AV

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Detect ZGRat V1 34 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4196-9-0x00000000070C0000-0x0000000007136000-memory.dmp	family_zgrat_v1
behavioral2/memory/4196-10-0x00000000070C0000-0x000000000712F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4196-11-0x00000000070C0000-0x000000000712F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4196-13-0x00000000070C0000-0x000000000712F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4196-15-0x00000000070C0000-0x000000000712F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4196-17-0x00000000070C0000-0x000000000712F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4196-19-0x00000000070C0000-0x000000000712F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4196-21-0x00000000070C0000-0x000000000712F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4196-23-0x00000000070C0000-0x000000000712F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4196-25-0x00000000070C0000-0x000000000712F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4196-27-0x00000000070C0000-0x000000000712F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4196-29-0x00000000070C0000-0x000000000712F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4196-31-0x00000000070C0000-0x000000000712F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4196-33-0x00000000070C0000-0x000000000712F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4196-35-0x00000000070C0000-0x000000000712F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4196-37-0x00000000070C0000-0x000000000712F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4196-39-0x00000000070C0000-0x000000000712F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4196-41-0x00000000070C0000-0x000000000712F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4196-43-0x00000000070C0000-0x000000000712F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4196-45-0x00000000070C0000-0x000000000712F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4196-47-0x00000000070C0000-0x000000000712F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4196-49-0x00000000070C0000-0x000000000712F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4196-51-0x00000000070C0000-0x000000000712F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4196-53-0x00000000070C0000-0x000000000712F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4196-55-0x00000000070C0000-0x000000000712F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4196-57-0x00000000070C0000-0x000000000712F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4196-59-0x00000000070C0000-0x000000000712F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4196-61-0x00000000070C0000-0x000000000712F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4196-63-0x00000000070C0000-0x000000000712F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4196-65-0x00000000070C0000-0x000000000712F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4196-67-0x00000000070C0000-0x000000000712F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4196-71-0x00000000070C0000-0x000000000712F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4196-69-0x00000000070C0000-0x000000000712F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4196-73-0x00000000070C0000-0x000000000712F000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

f1ec304e5be150aca87f071e47a5d025_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\notepad = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\note\\notepad.exe\""	f1ec304e5be150aca87f071e47a5d025_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

f1ec304e5be150aca87f071e47a5d025_JaffaCakes118.exe

description	pid	process	target process
PID 4196 set thread context of 4148	4196	f1ec304e5be150aca87f071e47a5d025_JaffaCakes118.exe	f1ec304e5be150aca87f071e47a5d025_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

f1ec304e5be150aca87f071e47a5d025_JaffaCakes118.exe

pid process

4196 f1ec304e5be150aca87f071e47a5d025_JaffaCakes118.exe
4196 f1ec304e5be150aca87f071e47a5d025_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

f1ec304e5be150aca87f071e47a5d025_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 4196 f1ec304e5be150aca87f071e47a5d025_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

f1ec304e5be150aca87f071e47a5d025_JaffaCakes118.exe

pid process

4148 f1ec304e5be150aca87f071e47a5d025_JaffaCakes118.exe

pid	process
4196	f1ec304e5be150aca87f071e47a5d025_JaffaCakes118.exe
4196	f1ec304e5be150aca87f071e47a5d025_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	4196	f1ec304e5be150aca87f071e47a5d025_JaffaCakes118.exe

pid	process
4148	f1ec304e5be150aca87f071e47a5d025_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

f1ec304e5be150aca87f071e47a5d025_JaffaCakes118.exe

description	pid	process	target process
PID 4196 wrote to memory of 4148	4196	f1ec304e5be150aca87f071e47a5d025_JaffaCakes118.exe	f1ec304e5be150aca87f071e47a5d025_JaffaCakes118.exe
PID 4196 wrote to memory of 4148	4196	f1ec304e5be150aca87f071e47a5d025_JaffaCakes118.exe	f1ec304e5be150aca87f071e47a5d025_JaffaCakes118.exe
PID 4196 wrote to memory of 4148	4196	f1ec304e5be150aca87f071e47a5d025_JaffaCakes118.exe	f1ec304e5be150aca87f071e47a5d025_JaffaCakes118.exe
PID 4196 wrote to memory of 4148	4196	f1ec304e5be150aca87f071e47a5d025_JaffaCakes118.exe	f1ec304e5be150aca87f071e47a5d025_JaffaCakes118.exe
PID 4196 wrote to memory of 4148	4196	f1ec304e5be150aca87f071e47a5d025_JaffaCakes118.exe	f1ec304e5be150aca87f071e47a5d025_JaffaCakes118.exe
PID 4196 wrote to memory of 4148	4196	f1ec304e5be150aca87f071e47a5d025_JaffaCakes118.exe	f1ec304e5be150aca87f071e47a5d025_JaffaCakes118.exe
PID 4196 wrote to memory of 4148	4196	f1ec304e5be150aca87f071e47a5d025_JaffaCakes118.exe	f1ec304e5be150aca87f071e47a5d025_JaffaCakes118.exe
PID 4196 wrote to memory of 4148	4196	f1ec304e5be150aca87f071e47a5d025_JaffaCakes118.exe	f1ec304e5be150aca87f071e47a5d025_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\f1ec304e5be150aca87f071e47a5d025_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f1ec304e5be150aca87f071e47a5d025_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4196

C:\Users\Admin\AppData\Local\Temp\f1ec304e5be150aca87f071e47a5d025_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\f1ec304e5be150aca87f071e47a5d025_JaffaCakes118.exe
2⤵
- Suspicious use of SetWindowsHookEx
PID:4148

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4148-2354-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4148-2357-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4196-37-0x00000000070C0000-0x000000000712F000-memory.dmp

Filesize
444KB

Download
memory/4196-2-0x0000000005730000-0x0000000005CD4000-memory.dmp

Filesize
5.6MB

Download
memory/4196-4-0x00000000052A0000-0x00000000052B0000-memory.dmp

Filesize
64KB

Download
memory/4196-5-0x0000000005100000-0x000000000510A000-memory.dmp

Filesize
40KB

Download
memory/4196-6-0x0000000006B50000-0x0000000006BFA000-memory.dmp

Filesize
680KB

Download
memory/4196-7-0x0000000006C80000-0x0000000006CF6000-memory.dmp

Filesize
472KB

Download
memory/4196-8-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/4196-9-0x00000000070C0000-0x0000000007136000-memory.dmp

Filesize
472KB

Download
memory/4196-10-0x00000000070C0000-0x000000000712F000-memory.dmp

Filesize
444KB

Download
memory/4196-11-0x00000000070C0000-0x000000000712F000-memory.dmp

Filesize
444KB

Download
memory/4196-13-0x00000000070C0000-0x000000000712F000-memory.dmp

Filesize
444KB

Download
memory/4196-15-0x00000000070C0000-0x000000000712F000-memory.dmp

Filesize
444KB

Download
memory/4196-17-0x00000000070C0000-0x000000000712F000-memory.dmp

Filesize
444KB

Download
memory/4196-19-0x00000000070C0000-0x000000000712F000-memory.dmp

Filesize
444KB

Download
memory/4196-21-0x00000000070C0000-0x000000000712F000-memory.dmp

Filesize
444KB

Download
memory/4196-23-0x00000000070C0000-0x000000000712F000-memory.dmp

Filesize
444KB

Download
memory/4196-0-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/4196-27-0x00000000070C0000-0x000000000712F000-memory.dmp

Filesize
444KB

Download
memory/4196-29-0x00000000070C0000-0x000000000712F000-memory.dmp

Filesize
444KB

Download
memory/4196-31-0x00000000070C0000-0x000000000712F000-memory.dmp

Filesize
444KB

Download
memory/4196-33-0x00000000070C0000-0x000000000712F000-memory.dmp

Filesize
444KB

Download
memory/4196-35-0x00000000070C0000-0x000000000712F000-memory.dmp

Filesize
444KB

Download
memory/4196-41-0x00000000070C0000-0x000000000712F000-memory.dmp

Filesize
444KB

Download
memory/4196-3-0x0000000005060000-0x00000000050F2000-memory.dmp

Filesize
584KB

Download
memory/4196-25-0x00000000070C0000-0x000000000712F000-memory.dmp

Filesize
444KB

Download
memory/4196-43-0x00000000070C0000-0x000000000712F000-memory.dmp

Filesize
444KB

Download
memory/4196-45-0x00000000070C0000-0x000000000712F000-memory.dmp

Filesize
444KB

Download
memory/4196-47-0x00000000070C0000-0x000000000712F000-memory.dmp

Filesize
444KB

Download
memory/4196-49-0x00000000070C0000-0x000000000712F000-memory.dmp

Filesize
444KB

Download
memory/4196-51-0x00000000070C0000-0x000000000712F000-memory.dmp

Filesize
444KB

Download
memory/4196-53-0x00000000070C0000-0x000000000712F000-memory.dmp

Filesize
444KB

Download
memory/4196-55-0x00000000070C0000-0x000000000712F000-memory.dmp

Filesize
444KB

Download
memory/4196-57-0x00000000070C0000-0x000000000712F000-memory.dmp

Filesize
444KB

Download
memory/4196-59-0x00000000070C0000-0x000000000712F000-memory.dmp

Filesize
444KB

Download
memory/4196-61-0x00000000070C0000-0x000000000712F000-memory.dmp

Filesize
444KB

Download
memory/4196-63-0x00000000070C0000-0x000000000712F000-memory.dmp

Filesize
444KB

Download
memory/4196-65-0x00000000070C0000-0x000000000712F000-memory.dmp

Filesize
444KB

Download
memory/4196-67-0x00000000070C0000-0x000000000712F000-memory.dmp

Filesize
444KB

Download
memory/4196-71-0x00000000070C0000-0x000000000712F000-memory.dmp

Filesize
444KB

Download
memory/4196-69-0x00000000070C0000-0x000000000712F000-memory.dmp

Filesize
444KB

Download
memory/4196-73-0x00000000070C0000-0x000000000712F000-memory.dmp

Filesize
444KB

Download
memory/4196-545-0x00000000052A0000-0x00000000052B0000-memory.dmp

Filesize
64KB

Download
memory/4196-2347-0x0000000007250000-0x000000000726E000-memory.dmp

Filesize
120KB

Download
memory/4196-2353-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/4196-39-0x00000000070C0000-0x000000000712F000-memory.dmp

Filesize
444KB

Download
memory/4196-1-0x0000000000600000-0x00000000006B0000-memory.dmp

Filesize
704KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads