blustealer | 674a7b749bea309b2f9157e187a92fc0da9ce79b3a9ee4f3c85e6b58dd961789

Analysis

max time kernel
143s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fda687e3f7ee2e46c4094d557f137ff8_JaffaCakes118.exe
Size

1.5MB
MD5

fda687e3f7ee2e46c4094d557f137ff8
SHA1

f1e13dd8b5f869045bdc15de6303e5cfcc7c4cff
SHA256

674a7b749bea309b2f9157e187a92fc0da9ce79b3a9ee4f3c85e6b58dd961789
SHA512

d47b72db111b19669d8bf5575fedc11bb01ff220b0929b09dd061efd612f55093d708fe5007f0e60732defd5de6868e898fba55270b0fa449f5ab766097109e0
SSDEEP

24576:/WN565751UbTCg1XJ2qg4rSs3S1KqFHTwfs89UrmMnfk/iQ2+S0d:/q65rUbTCg1wFsqBZMfsaU9fk/Pj

Score

10^/10

blustealer stealer

Malware Config

Extracted

Family

blustealer

Credentials

Protocol: smtp
Host:
mail.starkgulf.com
Port:
587
Username:
info@starkgulf.com
Password:
info123#

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Suspicious use of SetThreadContext 1 IoCs

Processes:

fda687e3f7ee2e46c4094d557f137ff8_JaffaCakes118.exe

description	pid	process	target process
PID 4444 set thread context of 3628	4444	fda687e3f7ee2e46c4094d557f137ff8_JaffaCakes118.exe	fda687e3f7ee2e46c4094d557f137ff8_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

fda687e3f7ee2e46c4094d557f137ff8_JaffaCakes118.exe

pid process

3628 fda687e3f7ee2e46c4094d557f137ff8_JaffaCakes118.exe

pid	process
3628	fda687e3f7ee2e46c4094d557f137ff8_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

fda687e3f7ee2e46c4094d557f137ff8_JaffaCakes118.exe

description	pid	process	target process
PID 4444 wrote to memory of 3628	4444	fda687e3f7ee2e46c4094d557f137ff8_JaffaCakes118.exe	fda687e3f7ee2e46c4094d557f137ff8_JaffaCakes118.exe
PID 4444 wrote to memory of 3628	4444	fda687e3f7ee2e46c4094d557f137ff8_JaffaCakes118.exe	fda687e3f7ee2e46c4094d557f137ff8_JaffaCakes118.exe
PID 4444 wrote to memory of 3628	4444	fda687e3f7ee2e46c4094d557f137ff8_JaffaCakes118.exe	fda687e3f7ee2e46c4094d557f137ff8_JaffaCakes118.exe
PID 4444 wrote to memory of 3628	4444	fda687e3f7ee2e46c4094d557f137ff8_JaffaCakes118.exe	fda687e3f7ee2e46c4094d557f137ff8_JaffaCakes118.exe
PID 4444 wrote to memory of 3628	4444	fda687e3f7ee2e46c4094d557f137ff8_JaffaCakes118.exe	fda687e3f7ee2e46c4094d557f137ff8_JaffaCakes118.exe
PID 4444 wrote to memory of 3628	4444	fda687e3f7ee2e46c4094d557f137ff8_JaffaCakes118.exe	fda687e3f7ee2e46c4094d557f137ff8_JaffaCakes118.exe
PID 4444 wrote to memory of 3628	4444	fda687e3f7ee2e46c4094d557f137ff8_JaffaCakes118.exe	fda687e3f7ee2e46c4094d557f137ff8_JaffaCakes118.exe
PID 4444 wrote to memory of 3628	4444	fda687e3f7ee2e46c4094d557f137ff8_JaffaCakes118.exe	fda687e3f7ee2e46c4094d557f137ff8_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\fda687e3f7ee2e46c4094d557f137ff8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fda687e3f7ee2e46c4094d557f137ff8_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4444

C:\Users\Admin\AppData\Local\Temp\fda687e3f7ee2e46c4094d557f137ff8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fda687e3f7ee2e46c4094d557f137ff8_JaffaCakes118.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:3628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
1⤵
PID:3516

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3628-13-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3628-20-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3628-15-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4444-8-0x0000000002FE0000-0x0000000002FF8000-memory.dmp

Filesize
96KB

Download
memory/4444-10-0x0000000005960000-0x0000000005970000-memory.dmp

Filesize
64KB

Download
memory/4444-5-0x0000000005960000-0x0000000005970000-memory.dmp

Filesize
64KB

Download
memory/4444-6-0x0000000005680000-0x000000000568A000-memory.dmp

Filesize
40KB

Download
memory/4444-7-0x00000000059D0000-0x0000000005A26000-memory.dmp

Filesize
344KB

Download
memory/4444-0-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/4444-9-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/4444-4-0x00000000057A0000-0x0000000005832000-memory.dmp

Filesize
584KB

Download
memory/4444-11-0x0000000001620000-0x00000000016FE000-memory.dmp

Filesize
888KB

Download
memory/4444-12-0x00000000012C0000-0x0000000001332000-memory.dmp

Filesize
456KB

Download
memory/4444-3-0x0000000005D50000-0x00000000062F4000-memory.dmp

Filesize
5.6MB

Download
memory/4444-2-0x0000000005700000-0x000000000579C000-memory.dmp

Filesize
624KB

Download
memory/4444-19-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/4444-1-0x0000000000B50000-0x0000000000CE0000-memory.dmp

Filesize
1.6MB

Download