blustealer | 8c29dcbfb5e613983b4f84112d18d69f99c5c7d2c7e76a9b473327412fc74af8

General

Target

BTC PAYMENTSCOPY_____________________________.jpg.exe
Size

743KB
MD5

d5d26738ed73d191556fc5640b43ed39
SHA1

eaec7a86cbe18f9eb5099ca390e43562701f6d29
SHA256

d254826085eaada20b9ab3803fdf88d2326ffcb2e90b36d3fbb129fce1cfed5a
SHA512

475c358c8353daac6efe9212bc649ce22197d38f32e6d63543896f77d420ca50717468e32b92dd975d685ef193624ee96bcac958da6265658748ed483f454529
SSDEEP

12288:I1Wl8T5+M63xjmevfUu+2EYhsJZ2uEYpplNw:IA24dx0Yrmps

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

Credentials

Protocol: smtp
Host:
mail.sabaint.me
Port:
587
Username:
[email protected]
Password:
regina1983-

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 1 IoCs

pid	Process
2432	PASSWORDSNET4.exe

Loads dropped DLL 1 IoCs

pid	Process
2096	BTC PAYMENTSCOPY_____________________________.jpg.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PASSWORDSNET4.exe
Key opened	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PASSWORDSNET4.exe
Key opened	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PASSWORDSNET4.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2732 set thread context of 2096	2732	BTC PAYMENTSCOPY_____________________________.jpg.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	PASSWORDSNET4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	PASSWORDSNET4.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2096	BTC PAYMENTSCOPY_____________________________.jpg.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2732	BTC PAYMENTSCOPY_____________________________.jpg.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2096	BTC PAYMENTSCOPY_____________________________.jpg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2096	BTC PAYMENTSCOPY_____________________________.jpg.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 2096	2732	BTC PAYMENTSCOPY_____________________________.jpg.exe	28
PID 2732 wrote to memory of 2096	2732	BTC PAYMENTSCOPY_____________________________.jpg.exe	28
PID 2732 wrote to memory of 2096	2732	BTC PAYMENTSCOPY_____________________________.jpg.exe	28
PID 2732 wrote to memory of 2096	2732	BTC PAYMENTSCOPY_____________________________.jpg.exe	28
PID 2732 wrote to memory of 2096	2732	BTC PAYMENTSCOPY_____________________________.jpg.exe	28
PID 2096 wrote to memory of 2432	2096	BTC PAYMENTSCOPY_____________________________.jpg.exe	29
PID 2096 wrote to memory of 2432	2096	BTC PAYMENTSCOPY_____________________________.jpg.exe	29
PID 2096 wrote to memory of 2432	2096	BTC PAYMENTSCOPY_____________________________.jpg.exe	29
PID 2096 wrote to memory of 2432	2096	BTC PAYMENTSCOPY_____________________________.jpg.exe	29

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PASSWORDSNET4.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PASSWORDSNET4.exe

C:\Users\Admin\AppData\Local\Temp\BTC PAYMENTSCOPY_____________________________.jpg.exe
"C:\Users\Admin\AppData\Local\Temp\BTC PAYMENTSCOPY_____________________________.jpg.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Users\Admin\AppData\Local\Temp\BTC PAYMENTSCOPY_____________________________.jpg.exe
  "C:\Users\Admin\AppData\Local\Temp\BTC PAYMENTSCOPY_____________________________.jpg.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - outlook_office_path
    - outlook_win_path
    PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

2

T1552.001

Credentials in Registry

1

T1552.002

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\TEMPLA~1\WHIPYL~1.ZIP

Filesize
122KB

MD5
37ac88bc53abcc353b3a93f68fb30871

SHA1
f5165c03b5de33db3704d502227bac35eae1c6c5

SHA256
7bc03158a3c0bcb001093d9d40eaf6b9a7adf14e685db68fbd9d0f135d447ebe

SHA512
01c65cbf90c2db90d0563d4a45650d4abd19e1a90bb8467f0e5a57ff1c6c377e3be8216f3324b81af58822b75a22b52f7317df985c11f3a7a45b72843134fc38

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\BISMIZHX_Admin.zip

Filesize
24B

MD5
98a833e15d18697e8e56cdafb0642647

SHA1
e5f94d969899646a3d4635f28a7cd9dd69705887

SHA256
ff006c86b5ec033fe3cafd759bf75be00e50c375c75157e99c0c5d39c96a2a6c

SHA512
c6f9a09d9707b770dbc10d47c4d9b949f4ebf5f030b5ef8c511b635c32d418ad25d72eee5d7ed02a96aeb8bf2c85491ca1aa0e4336d242793c886ed1bcdd910b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\BISMIZHX_Admin.zip

Filesize
400B

MD5
968aeeb2c522aef3a845d25f00d78ec7

SHA1
d3877273bf3a2a8fe1f604ed1992b0c587a32a3b

SHA256
39dda61e7d593544ca54f5d649ef78988e9ca09b45548c41f90b11ef661c07b1

SHA512
566a28f706ff5f85329a94408655d3ea9c55e989ad84f918b99c2250af1c088a472b822821d1680c1609da5cdd0c2a30ab3c3ee10d594dcf8031a522715ecc7b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\credentials.txt

Filesize
311B

MD5
c92d9276382593041f7e49a7d464c1eb

SHA1
95397cb6923efd68eb999090d4db22933a6b9898

SHA256
994168444365220d36919391510ae30ac05312aab3a9c1181efbdd18090a4c81

SHA512
daa26c946d57d64f9236bb0a8ac5607a5eb342ef4729b6b27de11df06d94db3d8a6b9ae9dc5cbe74ae9f82ab4a4c6e4dd28b99a4efda379a35e7ec3f40c9bd23

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe

Filesize
156KB

MD5
0c3c728a9b4376e014bc97f7b1da74f0

SHA1
de2253d0c3e02ea9d27ae6f46082cec9d0164a02

SHA256
05f0ac30ce02bc3608d957b40896240ae750da01393f4e26a8951fc7987959ca

SHA512
f610ae81854bc99086f139833b7d16b7e7634f53ef1125dc97d01611ec46c262e1f87dde31aa47a19e17a81334c4f25b4096d8e255460e3446bf45d656f5f81c

Download Submit
memory/2096-89-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2096-95-0x0000000003F00000-0x0000000003F01000-memory.dmp

Filesize
4KB

Download
memory/2096-5-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2096-117-0x0000000003F00000-0x0000000003F01000-memory.dmp

Filesize
4KB

Download
memory/2096-8-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2096-115-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2096-2-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2432-82-0x000007FEF59F0000-0x000007FEF63DC000-memory.dmp

Filesize
9.9MB

Download
memory/2432-88-0x000007FEF59F0000-0x000007FEF63DC000-memory.dmp

Filesize
9.9MB

Download
memory/2432-83-0x0000000002080000-0x0000000002100000-memory.dmp

Filesize
512KB

Download
memory/2432-81-0x00000000003B0000-0x00000000003DE000-memory.dmp

Filesize
184KB

Download
memory/2732-4-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2732-0-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2732-1-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing