MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a4d18bc01f4c5857b32c7ae2ffe7ec90ff5d4e4bf312f8048bb85706f5fbff5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BluStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	1a4d18bc01f4c5857b32c7ae2ffe7ec90ff5d4e4bf312f8048bb85706f5fbff5
SHA3-384 hash:	a7028ef3e5cfcfbd3b66169ee124789b5f1b7b989f46679acafd3f5404f670a7f9a5e757569acb15cbd3e7199b50fcf4
SHA1 hash:	e662ca8610953c0c7e90a161162d3e1b03e29442
MD5 hash:	f13711fcb52a6025e97a2bf85d9d4643
humanhash:	fish-fish-venus-london
File name:	RFQ# 6000163267.exe
Download:	download sample
Signature	BluStealer Create hunting rule
File size:	932'352 bytes
First seen:	2022-11-17 16:57:59 UTC
Last seen:	2022-11-17 18:48:42 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:gy/5dJbw9j6QSpvsRecLAzAd/AHjZnbCkI:P/5k9GQSpCecLCKMjZnbCkI
Threatray	2'941 similar samples on MalwareBazaar
TLSH	T182157CE96893796EE5B9B36D55F1A850CBB348324EC0AE2441683DC55D339D3B022EFC
TrID	61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.0% (.SCR) Windows screen saver (13097/50/3) 8.8% (.EXE) Win64 Executable (generic) (10523/12/4) 5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	abuse_ch
Tags:	BluStealer exe

Intelligence

File Origin

# of uploads :

# of downloads :

205

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

RFQ# 6000163267.exe

Verdict:

Malicious activity

Analysis date:

2022-11-17 17:15:54 UTC

Tags:

stealer

Link:

https://app.any.run/tasks/be6f39ec-6fc4-4311-829b-e168cc6b9f63

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

A310Logger

Link:

https://www.capesandbox.com/analysis/335487/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.23451.989.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

DNS request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

hacktool packed

Link:

https://www.filescan.io/uploads/6376682307c3f5e84a01a755/reports/023a6510-ecf1-4af6-a7eb-f835e2652e14/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c9b60e9a-b918-4a9b-92b9-656f41a166b5

Result

Threat name:

BluStealer, ThunderFox Stealer, a310Logg

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1115957

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected a310Logger

Yara detected AntiVM3

Yara detected BluStealer

Yara detected Telegram RAT

Yara detected ThunderFox Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1a4d18bc01f4c5857b32c7ae2ffe7ec90ff5d4e4bf312f8048bb85706f5fbff5/

Threat name:

Win32.Trojan.Taskun

Status:

Malicious

First seen:

2022-11-17 11:59:09 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

16 of 25 (64.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=djgrrpab6tcyk6zsy6xc77t6zeh7lvhex4ys7acixocxa327x72q._file

Verdict:

malicious

BluStealer

579c3138028884421849a6d210996f27da317f22d228a98d9bd0704786090498

BluStealer

6c912191a6853ca9717c37053a4ab7014d6980e48d846a8c777e7ee056cf4a56

BluStealer

7d2679d585d5fd6b476830fea23e3d0ddc831476e40464cee74743a2c853b81e

BluStealer

90cfa88b710e25a9a1219c67738a891f052a33085a5aca2797524612b016249e

BluStealer

9ee2d324d8076b2b924ebdfbc678165a46089b8e413b292da28f6e9724e657a2

BluStealer

a99ad6c50cd5ec1409151d618216ea2616d10d8e3959f8f3067b257b172efa4b

BluStealer

+ 2'931 additional samples on MalwareBazaar

Result

Malware family:

blustealer

Score:

10/10

Tags:

family:blustealer collection stealer

Link:

https://tria.ge/reports/221117-vgt89afa56/

Behaviour

Script User-Agent

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

BluStealer

Malware Config

C2 Extraction:

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/e13934a6-73ef-4f00-b4d3-4745f61c0a9c

Unpacked files

SH256 hash:

fc9bb9746aaa4e07944b2c1338d26ac852531a6e6c97e98f6a56202d27ff607c

MD5 hash:

d2ec533f8b40a8224d79c87c2291f943

SHA1 hash:

f305fa4c5c8525e853fbdbcf5c8cedad9ba08fd2

Link:

https://www.unpac.me/results/bbf021b3-2f91-4164-a91e-19ef97bd42e0/

SH256 hash:

7df9c980617dfb38b5d08ef8552f1df6b35f34989b8f41995dc8f4b689adaddf

MD5 hash:

01c8a4827a89676752b1da11abf4d337

SHA1 hash:

59f705fb9ee5dc324321f1b5f6c7d73084206544

Link:

https://www.unpac.me/results/bbf021b3-2f91-4164-a91e-19ef97bd42e0/

SH256 hash:

a4b55247b3e10d05aad24505daa475ce6ec27682337857a6cf0031aacf2a155c

MD5 hash:

494a605ec14a0bd14ad3db0eed037454

SHA1 hash:

fe244e37cb29ba0c6b6a1744d91ec05a6194f726

Link:

https://www.unpac.me/results/bbf021b3-2f91-4164-a91e-19ef97bd42e0/

SH256 hash:

3a2a36b243b0578ed8131a0825a7b248f46a3b9c58229c90e02c5d8a2505e128

MD5 hash:

75d9cb73ab54d73be2ce766619e7fc92

SHA1 hash:

c141335684dcf72e79e4205d9b7a1430fc385ccb

Link:

https://www.unpac.me/results/bbf021b3-2f91-4164-a91e-19ef97bd42e0/

SH256 hash:

6fcbfef69cded48d704ee66685f4c7be143cd0659a0d51a2a58976adfb9bda46

MD5 hash:

bf1a563db2ed647357b321f33af951da

SHA1 hash:

87969a2e69d62c8066631478c5d0fd5c9688cb65

Link:

https://www.unpac.me/results/bbf021b3-2f91-4164-a91e-19ef97bd42e0/

SH256 hash:

cfc16a2dbb933b1b85807d48966e9301b9fc34f4c44e7357713ca88b54bf4ab4

MD5 hash:

aabd0bdc81026ade6c57383f21d5c227

SHA1 hash:

4b26936bb8c03be6d7963184215a5ab594ecb765

Link:

https://www.unpac.me/results/bbf021b3-2f91-4164-a91e-19ef97bd42e0/

SH256 hash:

ab19f28c700d64814b0c55df868c30dfb94e0a1f9fb6f7bca05bac6eb78a4e52

MD5 hash:

1f2a6c02dcf9aa00a28a5039fb5b8ce0

SHA1 hash:

1ef480867d39b98368af7586a8e6ba38c0c3893a

Link:

https://www.unpac.me/results/bbf021b3-2f91-4164-a91e-19ef97bd42e0/

SH256 hash:

1a4d18bc01f4c5857b32c7ae2ffe7ec90ff5d4e4bf312f8048bb85706f5fbff5

MD5 hash:

f13711fcb52a6025e97a2bf85d9d4643

SHA1 hash:

e662ca8610953c0c7e90a161162d3e1b03e29442

Link:

https://www.unpac.me/results/bbf021b3-2f91-4164-a91e-19ef97bd42e0/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1a4d18bc01f4/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

BluStealer

exe 1a4d18bc01f4c5857b32c7ae2ffe7ec90ff5d4e4bf312f8048bb85706f5fbff5

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/335487/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample