blustealer | e87f217deed61518ae6844502a46ea3a33bfcb735050678e6c3a22acde573552

General

Target

RFQ 10050395.exe
Size

733KB
MD5

208b8885063f4562e1e181c63f155bd1
SHA1

b0071008c3ae769433c6c71acd49c80a4b5a853d
SHA256

a47f1b1a2995865a081e270569e3cb0857d3af3759c2e06b72e3f418e9611a87
SHA512

96f48b489308904e883c004514cc0cd33cfeb893f03e4f9d9454b88c95c991cad2b9773040c4a9d08d524d0f79cf7232e4cc81352ea0a0100c4c7dbf99c5e3f7
SSDEEP

12288:2oskPRxliW1b0LxY7GM2NPdqysk6iQrWE8Y8Ll1ytjkJhLIsbpGNjFLSlaE3y69U:2oskPRrhbi22hdqyMWEPgylkJhbbpalp

Score

10^/10

blustealer collection discovery stealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5330579892:AAHDIOXrD-d-pMU_JI4pPczBI962-9fokRs/sendMessage?chat_id=1494890429

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer
Blustealer family
blustealer

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1736 set thread context of 2324	1736	RFQ 10050395.exe	30
PID 2324 set thread context of 3040	2324	RFQ 10050395.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RFQ 10050395.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RFQ 10050395.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2324	RFQ 10050395.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2324	1736	RFQ 10050395.exe	30
PID 1736 wrote to memory of 2324	1736	RFQ 10050395.exe	30
PID 1736 wrote to memory of 2324	1736	RFQ 10050395.exe	30
PID 1736 wrote to memory of 2324	1736	RFQ 10050395.exe	30
PID 1736 wrote to memory of 2324	1736	RFQ 10050395.exe	30
PID 1736 wrote to memory of 2324	1736	RFQ 10050395.exe	30
PID 1736 wrote to memory of 2324	1736	RFQ 10050395.exe	30
PID 1736 wrote to memory of 2324	1736	RFQ 10050395.exe	30
PID 1736 wrote to memory of 2324	1736	RFQ 10050395.exe	30
PID 2324 wrote to memory of 3040	2324	RFQ 10050395.exe	31
PID 2324 wrote to memory of 3040	2324	RFQ 10050395.exe	31
PID 2324 wrote to memory of 3040	2324	RFQ 10050395.exe	31
PID 2324 wrote to memory of 3040	2324	RFQ 10050395.exe	31
PID 2324 wrote to memory of 3040	2324	RFQ 10050395.exe	31
PID 2324 wrote to memory of 3040	2324	RFQ 10050395.exe	31
PID 2324 wrote to memory of 3040	2324	RFQ 10050395.exe	31
PID 2324 wrote to memory of 3040	2324	RFQ 10050395.exe	31
PID 2324 wrote to memory of 3040	2324	RFQ 10050395.exe	31

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\RFQ 10050395.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ 10050395.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Local\Temp\RFQ 10050395.exe
  "C:\Users\Admin\AppData\Local\Temp\RFQ 10050395.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - outlook_office_path
    - outlook_win_path
    PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1736-0-0x0000000074DCE000-0x0000000074DCF000-memory.dmp

Filesize
4KB

Download
memory/1736-1-0x0000000000FD0000-0x000000000108C000-memory.dmp

Filesize
752KB

Download
memory/1736-2-0x0000000074DC0000-0x00000000754AE000-memory.dmp

Filesize
6.9MB

Download
memory/1736-3-0x0000000000440000-0x0000000000456000-memory.dmp

Filesize
88KB

Download
memory/1736-4-0x0000000074DCE000-0x0000000074DCF000-memory.dmp

Filesize
4KB

Download
memory/1736-5-0x0000000074DC0000-0x00000000754AE000-memory.dmp

Filesize
6.9MB

Download
memory/1736-6-0x0000000000600000-0x000000000060A000-memory.dmp

Filesize
40KB

Download
memory/1736-7-0x0000000004D40000-0x0000000004DE8000-memory.dmp

Filesize
672KB

Download
memory/1736-8-0x00000000051D0000-0x0000000005244000-memory.dmp

Filesize
464KB

Download
memory/1736-22-0x0000000074DC0000-0x00000000754AE000-memory.dmp

Filesize
6.9MB

Download
memory/2324-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2324-19-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2324-17-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2324-11-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2324-9-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2324-10-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3040-25-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/3040-26-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/3040-23-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/3040-30-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/3040-28-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/3040-31-0x0000000073AEE000-0x0000000073AEF000-memory.dmp

Filesize
4KB

Download
memory/3040-32-0x0000000004CB0000-0x0000000004D6C000-memory.dmp

Filesize
752KB

Download
memory/3040-33-0x0000000073AE0000-0x00000000741CE000-memory.dmp

Filesize
6.9MB

Download
memory/3040-34-0x0000000073AE0000-0x00000000741CE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing