blustealer | 6b45587225d63562c0ac77d9134974686ff612743ce70b0c12183970275198b4

General

Target

f3ae5084244b18b1eb956fd8729b39db_JaffaCakes118.exe
Size

2.3MB
MD5

f3ae5084244b18b1eb956fd8729b39db
SHA1

50b0e84f2fc1be5c852747e721056b0b95162ecb
SHA256

6b45587225d63562c0ac77d9134974686ff612743ce70b0c12183970275198b4
SHA512

31e964428c51c120c913be3cccd092607605adf2856ef22d83424a6c71c889c7284de617df8cbbec1e9a469a8d1602148cbf5f8a9dd7e0cafc966e5156352bf7
SSDEEP

12288:s2MN/vK6kaQ0iN9M+LTcQQ++fNvZl2eXNPnrEdrE:00n4+LYz++fflxXN/odo

Score

10^/10

blustealer stealer

Malware Config

Extracted

Family

blustealer

Credentials

Protocol: smtp
Host:
budgetn.xyz
Port:
587
Username:
[email protected]
Password:
r[]w2e=V+]AV

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation	f3ae5084244b18b1eb956fd8729b39db_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2816 set thread context of 2300	2816	f3ae5084244b18b1eb956fd8729b39db_JaffaCakes118.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2776	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2816	f3ae5084244b18b1eb956fd8729b39db_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2300	vbc.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 3208	2816	f3ae5084244b18b1eb956fd8729b39db_JaffaCakes118.exe	87
PID 2816 wrote to memory of 3208	2816	f3ae5084244b18b1eb956fd8729b39db_JaffaCakes118.exe	87
PID 2816 wrote to memory of 3208	2816	f3ae5084244b18b1eb956fd8729b39db_JaffaCakes118.exe	87
PID 2816 wrote to memory of 2300	2816	f3ae5084244b18b1eb956fd8729b39db_JaffaCakes118.exe	89
PID 2816 wrote to memory of 2300	2816	f3ae5084244b18b1eb956fd8729b39db_JaffaCakes118.exe	89
PID 2816 wrote to memory of 2300	2816	f3ae5084244b18b1eb956fd8729b39db_JaffaCakes118.exe	89
PID 2816 wrote to memory of 2300	2816	f3ae5084244b18b1eb956fd8729b39db_JaffaCakes118.exe	89
PID 2816 wrote to memory of 2300	2816	f3ae5084244b18b1eb956fd8729b39db_JaffaCakes118.exe	89
PID 2816 wrote to memory of 2300	2816	f3ae5084244b18b1eb956fd8729b39db_JaffaCakes118.exe	89
PID 2816 wrote to memory of 2300	2816	f3ae5084244b18b1eb956fd8729b39db_JaffaCakes118.exe	89
PID 2816 wrote to memory of 2300	2816	f3ae5084244b18b1eb956fd8729b39db_JaffaCakes118.exe	89
PID 2816 wrote to memory of 3916	2816	f3ae5084244b18b1eb956fd8729b39db_JaffaCakes118.exe	94
PID 2816 wrote to memory of 3916	2816	f3ae5084244b18b1eb956fd8729b39db_JaffaCakes118.exe	94
PID 2816 wrote to memory of 3916	2816	f3ae5084244b18b1eb956fd8729b39db_JaffaCakes118.exe	94
PID 2816 wrote to memory of 4544	2816	f3ae5084244b18b1eb956fd8729b39db_JaffaCakes118.exe	96
PID 2816 wrote to memory of 4544	2816	f3ae5084244b18b1eb956fd8729b39db_JaffaCakes118.exe	96
PID 2816 wrote to memory of 4544	2816	f3ae5084244b18b1eb956fd8729b39db_JaffaCakes118.exe	96
PID 3916 wrote to memory of 2776	3916	cmd.exe	98
PID 3916 wrote to memory of 2776	3916	cmd.exe	98
PID 3916 wrote to memory of 2776	3916	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\f3ae5084244b18b1eb956fd8729b39db_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f3ae5084244b18b1eb956fd8729b39db_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c
  2⤵
  PID:3208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2300
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\noot\noot.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3916
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\noot\noot.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:2776
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\f3ae5084244b18b1eb956fd8729b39db_JaffaCakes118.exe" "C:\Users\Admin\AppData\Roaming\noot\noot.exe"
  2⤵
  PID:4544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scripting

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2300-6-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2300-8-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2300-11-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2816-0-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/2816-1-0x0000000000430000-0x000000000068E000-memory.dmp

Filesize
2.4MB

Download
memory/2816-2-0x0000000005610000-0x0000000005BB4000-memory.dmp

Filesize
5.6MB

Download
memory/2816-3-0x0000000005100000-0x0000000005192000-memory.dmp

Filesize
584KB

Download
memory/2816-4-0x0000000002B20000-0x0000000002B30000-memory.dmp

Filesize
64KB

Download
memory/2816-5-0x00000000054B0000-0x00000000054BA000-memory.dmp

Filesize
40KB

Download
memory/2816-12-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/2816-13-0x0000000002B20000-0x0000000002B30000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads