Overview

overview

10

Static

static

3

BTC PAYMEN...pg.exe

windows7-x64

10

BTC PAYMEN...pg.exe

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    fb3e712f3ad196b3fab60639e83c6e93_JaffaCakes118

  • Size

    369KB

  • Sample

    240419-1q7htsge43

  • MD5

    fb3e712f3ad196b3fab60639e83c6e93

  • SHA1

    7f6353a0c0eb2a0844cd4f80ad4d5253ed818053

  • SHA256

    8c29dcbfb5e613983b4f84112d18d69f99c5c7d2c7e76a9b473327412fc74af8

  • SHA512

    00c7e1ddcdaa78a3e0d6f96d992e002f16eb8afeab2f489763842d7fbc6a018ae8bc2e9679c514771f064f9d89b57986a0acefc23c02d2cbcb56296f9bcf5068

  • SSDEEP

    6144:y8ZesQBI/E+zdCdCWeiuuNw017j7OWAUf75WXgiIV63N1Dp8U+9cw413crFnTlvQ:y8g4/EeUwNW54giJ3NNx+9cw4kJZ2uEN

Score
10/10
blustealercollectionspywarestealer

Malware Config

Extracted

Family

blustealer

Credentials

  • Protocol:     smtp
  • Host:
    mail.sabaint.me
  • Port:
    587
  • Username:
    blessxup@sabaint.me
  • Password:
    regina1983-

Targets

    • Target

      BTC PAYMENTSCOPY_____________________________.jpg.exe

    • Size

      743KB

    • MD5

      d5d26738ed73d191556fc5640b43ed39

    • SHA1

      eaec7a86cbe18f9eb5099ca390e43562701f6d29

    • SHA256

      d254826085eaada20b9ab3803fdf88d2326ffcb2e90b36d3fbb129fce1cfed5a

    • SHA512

      475c358c8353daac6efe9212bc649ce22197d38f32e6d63543896f77d420ca50717468e32b92dd975d685ef193624ee96bcac958da6265658748ed483f454529

    • SSDEEP

      12288:I1Wl8T5+M63xjmevfUu+2EYhsJZ2uEYpplNw:IA24dx0Yrmps

    Score
    10/10
    blustealercollectionspywarestealer

    • BluStealer

      A Modular information stealer written in Visual Basic.

      stealerblustealer

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

3
T1552

Credentials In Files

2
T1552.001

Credentials in Registry

1
T1552.002

Discovery

System Information Discovery

2
T1082

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks